stunnel-users June 2005

stunnel-users@stunnel.org

36 participants
51 discussions

Re: [stunnel-users] Passphrase validation
by Paul Jones 26 Jun '05

26 Jun '05

That's all well and good for a Unix environment, but what about on Windows? No chown or chmod on there! I believe that it is sometimes useful for the passphrase to be requested by Stunnel on startup (on the client side), but you all make valid points. Paul. --- Vasil Dimov <vd(a)datamax.bg> wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Wed, Jun 22, 2005 at 04:30:56PM -0700, Joseph >Mocker wrote: > > > It depends on how the machine were broken. >Presumably if you > > were that hell-bent on using passprhases on >private keys, you'd > > likely isolate stunnel to run as an unpriviledged >user in a chrooted >That is a good idea anyway :) > > > environment, and you may very well set the >coredump size to zero > > and remove a debugger all together. So unless the >user was able > > to break root, the effects of the break-in might >be minimized. > >Private key stealing table: >* the key and the plain text file, holding the >password (if any) > should always be chown root and chmod 400 >* stunnel is the (unprivileged) user stunnel is >running as >* we assume that stunnel is running at the time of >breakage, because > this is the worst case. > > key storage \ break as root stunnel other user >- >--------------------------------------------------------------------------- >1. unencrypted key YES YES NO > >2. crypted key/password in text file YES YES NO > >3. crypted key/password entered at startup YES YES NO >- >--------------------------------------------------------------------------- > >As we see there is no difference if the private key >will be kept >crypted or unencrypted with or without text file >holding the passphrase. > >What happens if the stunnel daemon is not running >during the breakage? >Note that this is an optimistic suggestion and we >should not rely on it. > > key storage \ break as root stunnel other user >- >--------------------------------------------------------------------------- >1. unencrypted key YES NO NO > >2. crypted key/password in text file YES NO NO > >3. crypted key/password entered at startup NO > NO NO >- >--------------------------------------------------------------------------- > >So the only difference in all cases is if stunnel is >not running and the >hacker gets root on the machine and the key is >crypted and the password >is entered at startup - then it will not be possible >to steal the >private key. > >As a conclusion, it is obviously - that there is >really no sense to >keep the password in a text file and it makes a >LITTLE sense if the >password is entered at startup - in just one, rare, >case this setup >will save the private key. > >-----BEGIN PGP SIGNATURE----- > >iD8DBQFCunHRFw6SP/bBpCARAtN4AJ0TBfANXVyyLNKojIaFzb1E/7WBqQCeIcop >rAqsbhJmK9oBYg/Rb9iJzSE= >=rFAJ >-----END PGP SIGNATURE----- >_______________________________________________ >stunnel-users mailing list >stunnel-users(a)mirt.net >http://stunnel.mirt.net/mailman/listinfo/stunnel-users > _________________________________________________________________ Sell your car for $9 on carpoint.com.au http://www.carpoint.com.au/sellyourcar

2 2

4.10 runtime crash (alignment error?) in Solaris 7
by Old Wolf 24 Jun '05

24 Jun '05

When I run stunnel 4.10 with openssl 0.9.8 beta4 in Solaris 7, it crashes just after a connection is established. Nothing appears in the stunnel log. If I run it in foreground mode, "Bus Error" appears on the console. Running with 'truss -f', I see the output that follows. Gdb reveals nothing (it's not compiled for debug and I"m not sure how to change that). so_socket(2, 2, 0, "", 1) = 9 fcntl(9, F_GETFL, 0x00000000) = 2 fstat64(9, 0x001686B8) = 0 getsockopt(9, 65535, 8192, 0x001687B8, 0x001687B0, 0) = 0 fstat64(9, 0x001686B8) = 0 getsockopt(9, 65535, 8192, 0x001687B8, 0x001687B4, 0) = 0 setsockopt(9, 65535, 8192, 0x001687B8, 4, 0) = 0 fcntl(9, F_SETFL, 0x00000082) = 0 time() = 1118632479 getpid() = 25472 [25471] write(3, " 2 0 0 5 . 0 6 . 1 3 1".., 61) = 61 time() = 1118632479 getpid() = 25472 [25471] write(3, " 2 0 0 5 . 0 6 . 1 3 1".., 78) = 78 connect(9, 0x00168998, 16, 1) = 0 time() = 1118632479 getpid() = 25472 [25471] write(3, " 2 0 0 5 . 0 6 . 1 3 1".., 59) = 59 Incurred fault #5, FLTACCESS %pc = 0x00031720 siginfo: SIGBUS BUS_ADRALN addr=0x0002CDE9 Received signal #10, SIGBUS [default] siginfo: SIGBUS BUS_ADRALN addr=0x0002CDE9 *** process killed *** The stunnel options are: stunnel 4.10 on sparc-sun-solaris2.7 UCONTEXT+POLL+IPv4 with OpenSSL 0.9.8-beta4 06 Jun 2005 Global options cert = /u/etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH debug = 5 key = /u/etc/stunnel/stunnel.pem pid = /u/var/run/stunnel.pid RNDbytes = 64 RNDoverwrite = yes session = 300 seconds verify = none Service-level options TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds Also, I had some warnings errors during compilation , which should be fixed (compiling with gcc 3.4.1 in pedantic mode). (None of them are the cause of the crash though, as I hacked up some fixes and the crash still happened). log.c: In function `s_log': log.c:134: warning: implicit declaration of function `localtime_r' log.c:134: warning: assignment makes pointer from integer without a cast The culprit here is that config.h defines HAVE_LOCALTIME_R, but when the system header with that function is included, the #defines are set up so that localtime_r is NOT defined. (I guess this is an autoconf problem). The code links successfully but I'm not sure how reliable it will be, since localtime_r was not declared properly. options.c and network: there were many uses of isspace() with a (signed) char value, this is incorrect (isspace requires an unsigned char value -- it could fail if it gets a negative number). However many C libraries (eg. glibc) work with negative values anyway, although I have used compilers that don't. resolver.c has some cases of potential alignment errors, but I guess they aren't a problem in this case.

1 0

Compile stunnel 4.10 using VC7(aka Visual Studio 2003)
by Han Jun Li 23 Jun '05

23 Jun '05

Stunnel 4.10 does not compile with Visual Studio 7. After spending the past few days to get it to compile, I thought someone might find this useful. There is a change to the common.h that you need to hack. Basically, you need to include <winsock2.h> and <ws2tcpip.h> before <windows.h> to make it compile without any warning. The content of the make file(stunnel.mak) is below: !IF "$(CFG)" == "" CFG=stunnel - Release !MESSAGE No configuration specified. Defaulting to "stunnel - Release" !ENDIF !IF "$(CFG)" != "stunnel - Release" !MESSAGE Invalid configuration "$(CFG)" specified. !MESSAGE You can specify a configuration when running NMAKE !MESSAGE by defining the macro CFG on the command line. For example: !MESSAGE !MESSAGE NMAKE /f "stunnel.mak" CFG="stunnel - Release" !MESSAGE !MESSAGE Possible choices for configuration are: !MESSAGE !MESSAGE "stunnel Release" (based on "Win32 (x86) Console Application") !MESSAGE !ERROR An invalid configuration is specified. !ENDIF !IF "$(OS)" == "Windows_NT" NULL= !ELSE NULL=nul !ENDIF CPP=cl.exe RSC=rc.exe !IF "$(CFG)" == "stunnel - Release" OPENSSL=c:\openssl-0.9.7g !MESSAGE === OpenSSL is configured to be at $(OPENSSL) === OUTDIR=.\Release INTDIR=.\Release # Begin Custom Macros OutDir=.\Release # End Custom Macros ALL : "$(OUTDIR)\stunnel.exe" CLEAN : -@erase "$(INTDIR)\client.obj" -@erase "$(INTDIR)\gui.obj" -@erase "$(INTDIR)\log.obj" -@erase "$(INTDIR)\network.obj" -@erase "$(INTDIR)\options.obj" -@erase "$(INTDIR)\protocol.obj" -@erase "$(INTDIR)\resources.res" -@erase "$(INTDIR)\resolver.obj" -@erase "$(INTDIR)\ssl.obj" -@erase "$(INTDIR)\sthreads.obj" -@erase "$(INTDIR)\stunnel.obj" -@erase "$(INTDIR)\vc60.idb" -@erase "$(OUTDIR)\stunnel.exe" "$(OUTDIR)" : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" CPP_PROJ=/nologo /MT /W3 /G5 /O2 /I "$(OPENSSL)\inc32" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "USE_WIN32" /D "HAVE_OPENSSL" /D "HAVE_GETADDRINFO" /D "HAVE_GETNAMEINFO" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c RSC_PROJ=/l 0x409 /fo"$(INTDIR)\resources.res" /d "NDEBUG" .c{$(INTDIR)}.obj:: $(CPP) @<< $(CPP_PROJ) $< << .cpp{$(INTDIR)}.obj:: $(CPP) @<< $(CPP_PROJ) $< << .cxx{$(INTDIR)}.obj:: $(CPP) @<< $(CPP_PROJ) $< << .c{$(INTDIR)}.sbr:: $(CPP) @<< $(CPP_PROJ) $< << .cpp{$(INTDIR)}.sbr:: $(CPP) @<< $(CPP_PROJ) $< << .cxx{$(INTDIR)}.sbr:: $(CPP) @<< $(CPP_PROJ) $< << BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\stunnel.bsc" BSC32_SBRS= \ LINK32=link.exe LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib wsock32.lib $(OPENSSL)\out32dll\ssleay32.lib $(OPENSSL)\out32dll\libeay32.lib /nologo /subsystem:windows /incremental:no /pdb:"$(OUTDIR)\stunnel.pdb" /machine:I386 /out:"$(OUTDIR)\stunnel.exe" LINK32_OBJS= \ "$(INTDIR)\stunnel.obj" \ "$(INTDIR)\client.obj" \ "$(INTDIR)\gui.obj" \ "$(INTDIR)\log.obj" \ "$(INTDIR)\network.obj" \ "$(INTDIR)\options.obj" \ "$(INTDIR)\protocol.obj" \ "$(INTDIR)\resources.res" \ "$(INTDIR)\resolver.obj" \ "$(INTDIR)\ssl.obj" \ "$(INTDIR)\sthreads.obj" "$(OUTDIR)\stunnel.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS) $(LINK32) @<< $(LINK32_FLAGS) $(LINK32_OBJS) << !ENDIF !IF "$(CFG)" == "stunnel - Release" || "$(CFG)" == "stunnel - Debug" SOURCE=.\client.c "$(INTDIR)\client.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\gui.c "$(INTDIR)\gui.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\log.c "$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\network.c "$(INTDIR)\network.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\options.c "$(INTDIR)\options.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\protocol.c "$(INTDIR)\protocol.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\resources.rc "$(INTDIR)\resources.res" : $(SOURCE) "$(INTDIR)" $(RSC) $(RSC_PROJ) $(SOURCE) SOURCE=.\resolver.c "$(INTDIR)\resolver.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\ssl.c "$(INTDIR)\ssl.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\sthreads.c "$(INTDIR)\sthreads.obj" : $(SOURCE) "$(INTDIR)" SOURCE=.\stunnel.c "$(INTDIR)\stunnel.obj" : $(SOURCE) "$(INTDIR)" !ENDIF

1 0

Certificate integrration
by Nadeem Mohiudeen 23 Jun '05

23 Jun '05

Dear Members, I need to know the procedures to install a *.cer file into the format we using in stunnel.conf.actually lately we renewed a certificate from Verisign and they send a file which we save as test.cer .now I need to put this file into my format in stunnel.conf as follows key = /pbx_u01/apps/tomcat/current/conf/mnet-priv_nbk.pfx.pem cert = /pbx_u01/apps/tomcat/current/conf/mnet-priv_nbk.pfx.x509 since we are using tomcat as application server which is using stunnel as https port forwarder so advice the steps would be thanks at the earliest. Regards Nadeem

2 1

Help
by Nadeem Mohiudeen 23 Jun '05

23 Jun '05

1 0

Re: [stunnel-users] Passphrase validation
by Vasil Dimov 23 Jun '05

23 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Jun 22, 2005 at 04:30:56PM -0700, Joseph Mocker wrote: > > It depends on how the machine were broken. Presumably if you > were that hell-bent on using passprhases on private keys, you'd > likely isolate stunnel to run as an unpriviledged user in a chrooted That is a good idea anyway :) > environment, and you may very well set the coredump size to zero > and remove a debugger all together. So unless the user was able > to break root, the effects of the break-in might be minimized. Private key stealing table: * the key and the plain text file, holding the password (if any) should always be chown root and chmod 400 * stunnel is the (unprivileged) user stunnel is running as * we assume that stunnel is running at the time of breakage, because this is the worst case. key storage \ break as root stunnel other user - --------------------------------------------------------------------------- 1. unencrypted key YES YES NO 2. crypted key/password in text file YES YES NO 3. crypted key/password entered at startup YES YES NO - --------------------------------------------------------------------------- As we see there is no difference if the private key will be kept crypted or unencrypted with or without text file holding the passphrase. What happens if the stunnel daemon is not running during the breakage? Note that this is an optimistic suggestion and we should not rely on it. key storage \ break as root stunnel other user - --------------------------------------------------------------------------- 1. unencrypted key YES NO NO 2. crypted key/password in text file YES NO NO 3. crypted key/password entered at startup NO NO NO - --------------------------------------------------------------------------- So the only difference in all cases is if stunnel is not running and the hacker gets root on the machine and the key is crypted and the password is entered at startup - then it will not be possible to steal the private key. As a conclusion, it is obviously - that there is really no sense to keep the password in a text file and it makes a LITTLE sense if the password is entered at startup - in just one, rare, case this setup will save the private key. -----BEGIN PGP SIGNATURE----- iD8DBQFCunHRFw6SP/bBpCARAtN4AJ0TBfANXVyyLNKojIaFzb1E/7WBqQCeIcop rAqsbhJmK9oBYg/Rb9iJzSE= =rFAJ -----END PGP SIGNATURE-----

1 0

Re: [stunnel-users] Passphrase validation
by Vasil Dimov 23 Jun '05

23 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Jun 22, 2005 at 01:20:10PM +0100, Colin McKinnon wrote: > On Wednesday 22 June 2005 13:12, Vasil Dimov wrote: > > On Tue, Jun 21, 2005 at 10:29:37PM -0700, Peter Pentes wrote: > > > Sorry, what I am referring to here is actually the > > > passphrase for the private keys, and how Stunnel does > > > not support encrypted private keys. > > > > This would be useless. How do you expect the passphrase for the > > encrypted private key to be obtained at stunnel startup? > > Apache manages it. > Encrypted private keys will prevent stunnel from automatic startup, after a power failure or some other accidential machine reboot. And even being crypted on the filesystem once decrypted the private key will stay in memory unencrypted all the time. If someone breaks in the machine while it is running he/she will get the key from memory not from the filesystem. The only use of crypted private keys (for deamon-services) I can think of is that you can prevent someone from stealing your private key if he/she steals physically the harddisk or the whole machine from your server-room. And even this has the major disadvantage that the service will not start without human intervention (the private key's passphrase input) after unexpected reboots. -----BEGIN PGP SIGNATURE----- iD8DBQFCuVvWFw6SP/bBpCARAuTEAJ0bdKAURvMh4VZA7QEXplNYySrxTQCgoOBH XY4ftFyPqY36xDdZww6kSFU= =2/nK -----END PGP SIGNATURE-----

2 1

Re: [stunnel-users] Passphrase validation
by Vasil Dimov 23 Jun '05

23 Jun '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Jun 22, 2005 at 07:39:54PM +0200, Sergio Gelato wrote: > ... > operation, there is little (if any) actual security benefit from using a > non-null passphrase and storing it in a separate file; however, some > software (e.g., Java) does work that way, and I don't see any harm in ... Having encrypted private_key.pem and a plain text file private_key.pem.passphrase which contains the encryption password really does not make any sense. Ofcourse both files should be chown root and chmod 400. -----BEGIN PGP SIGNATURE----- iD8DBQFCumGtFw6SP/bBpCARAp52AJ9cOGOgwTqnuDN82ubkU5Vk3uieWgCdHQSS tBmrJ3voYiHwD9hJOwtwocM= =+cCS -----END PGP SIGNATURE-----

1 0

RE: [stunnel-users] GUI for openssl certificate generation
by Paul Jones 22 Jun '05

22 Jun '05

Hi, Yes, I do have a batch file for this purpose, though I would prefer a GUI. Could you please mail me your batch file anyway? I would like to compare. Cheers. Paul >From: "Aditya Deshmukh" <aditya.deshmukh(a)online.gateway.strangled.net> >Reply-To: <ald2003(a)users.sourceforge.net> >To: "'Paul Jones'" <jonesy_boy10(a)hotmail.com>,<stunnel-users(a)mirt.net> >Subject: RE: [stunnel-users] GUI for openssl certificate generation >Date: Wed, 22 Jun 2005 23:41:49 +0530 > >May be the best thing to do is to use a batch file for this purpose - >please >mail me if you want my batch file used for creating these certs > > > -----Original Message----- > > From: stunnel-users-bounces(a)mirt.net > > [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Paul Jones > > Sent: Wednesday, June 22, 2005 7:34 AM > > To: stunnel-users(a)mirt.net > > Subject: [stunnel-users] GUI for openssl certificate generation > > > > Hi all, > > > > I'm looking at building a small GUI app (possibly in VB6) on > > a Windows > > platform for generating certificates using OpenSSL. How can > > I do this? The > > command-line call to the openssl EXE does not seem to take > > things such as > > the Common Name, Organizational Unit, etc as parameters. > > > > Any help would be appreciated. > > > > Thanks in advance. > > > > Paul > > > > _________________________________________________________________ > > SEEK: Over 80,000 jobs across all industries at Australia's > > #1 job site. > > http://ninemsn.seek.com.au?hotmail > > > > _______________________________________________ > > stunnel-users mailing list > > stunnel-users(a)mirt.net > > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > > > >________________________________________________________________________ >Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) _________________________________________________________________ REALESTATE: biggest buy/rent/share listings http://ninemsn.realestate.com.au

1 0

Re: [stunnel-users] Passphrase validation
by Peter Pentes 22 Jun '05

22 Jun '05

I agree. It would be useful on the client side. PP --- Sergio Gelato <Sergio.Gelato(a)astro.su.se> wrote: > Vasil Dimov wrote: > > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >On Tue, Jun 21, 2005 at 10:29:37PM -0700, Peter > Pentes wrote: > > > > > >>Sorry, what I am referring to here is actually the > >>passphrase for the private keys, and how Stunnel > does > >>not support encrypted private keys. > >> > >> > > > >This would be useless. How do you expect the > passphrase for the > >encrypted private key to be obtained at stunnel > startup? > > > > > By prompting the user, or by reading it from a > configuration file. > > On the client side, prompting the user isn't > necessarily bad or even > difficult. > > I'll grant you that on the server side, or for > unattended client-side > operation, there is little (if any) actual security > benefit from using a > non-null passphrase and storing it in a separate > file; however, some > software (e.g., Java) does work that way, and I > don't see any harm in > having that possibility. There may also be some > non-security benefits: > I've seen at least one CA policy that requires > private keys to be stored > encrypted while not active, and if you want to > comply with the letter > of such a policy you may have to use a non-null > passphrase. > ____________________________________________________ Yahoo! Sports Rekindle the Rivalries. Sign up for Fantasy Football http://football.fantasysports.yahoo.com

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users June 2005