stunnel-users January 2007

stunnel-users@stunnel.org

19 participants
27 discussions

Error I am receiving in stunnel logfile
by Eric S. Eberhard 18 Jan '07

18 Jan '07

Hello Everyone, remote socket: Addr family not supported by protocol (66) I have been using this for a while but I had to transfer to a new machine (AIX 4.3 to 5.3) and had to recompile my software and get a newer stunnel. My version is stunnel-3.8p4: My .conf file is: output = /tmp/stunnel.log debug = 5 RNDfile = /visanet/ssl/stunnel.rnd RNDoverwrite = yes client = yes connect = ssllab.pgs.wcom.net:443 sslVersion = SSLv2 cert = /visanet/ssl/stunnel.pem EGD = /etc/egd-pool My guess is that this is something really stupid I am doing, but it is not obvious. Any help would be appreciated. Thanks, Eric This email sent by: Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax 928-301-7537 -- you may call any time day or night, I turn it off when I sleep :-) Please try to use a land line first (reception often poor). Note the change in the domain from vicspdi.com to vicsmba.com !!!! For Metropolis support and VICS MBA Support!!!! http://www.vicsmba.com Completely updated web site of personal pictures with many new pictures! Includes horses, dogs, Corvairs, and more. http://www.vicsmba.com/ourpics/index.html Corvair pictures including the Judson setup on our 62 Sedan and lots of pictures of Cheryl's 62 Monza Wagon and our 62 Spyder convertible. http://www.vicsmba.com/ourpics/corvairs.html My younger brother Martin has started a very serious car company. A hot rod (very fast) electric roadster is the first offering. The chassis is built by Lotus to their specs. Check it out: http://www.teslamotors.com

1 0

RE: [stunnel-users] Does editing *.conf file require restart of stunnel ?
by Stunnel 15 Jan '07

15 Jan '07

Hi, As far as I know the service needs to be restarted to load the new configuration. Regards Craig -----Original Message----- From: stunnel-users-bounces(a)mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Ben Stover Sent: 15 January 2007 01:16 PM To: stunnel-users(a)mirt.net Subject: [stunnel-users] Does editing *.conf file require restart of stunnel ? Hello, sorry for this newbie question. I did not found the answer in the FAQ. Assume I edit the *.conf file. Is it required to restrat stunnel (service) to enable the changes ? Or is the *.conf file read at ever new stunnel call? If explicit restart is required: would it be possible to add a context menu entry to the Windows systray-Stunnel-icon "restart". This would make handling much more comfortable than always opening a command line window and entering all the commands manually. Thank you Ben ___________________________________________________________ Try the all-new Yahoo! Mail. "The New Version is radically easier to use" - The Wall Street Journal http://uk.docs.yahoo.com/nowyoucan.html _______________________________________________ stunnel-users mailing list stunnel-users(a)mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users

1 0

re: Problem with certificates using smtp/pop
by Klaas 12 Jan '07

12 Jan '07

> cert = /path/to/certnew.cer > key = /path/to/stunnel.pem > Or concatenate them into one file and use cert = ... only > (no key = ...). > Also take care that the CN is the server FQDN to which the client > connects. Thanks, it works now perfect!

1 0

Re: [stunnel-users] re: Problem with certificates using smtp/pop
by Hans Werner Strube 11 Jan '07

11 Jan '07

"Klaas" wrote: > I have a part I sent to CA created whit openssl req -new -days > 365 -nodes -config stunnel.cnf -out certreq.pem -keyout stunnel.pem > > I have get return a file certnew.cer and I have the file stunnel.pem. And > now I don't know what I have to do next to get this certificate. I have > tried several options but no one works. cert = /path/to/certnew.cer key = /path/to/stunnel.pem Or concatenate them into one file and use cert = ... only (no key = ...). Also take care that the CN is the server FQDN to which the client connects.

1 0

re: Problem with certificates using smtp/pop
by Klaas 11 Jan '07

11 Jan '07

Sorry David that I have misted you e-mail. I'm using stunnel on a Windows server and I have working it all. I use outlook express as mail client and when I pres OK on the message of the certificate it works. But I want to install a real certificate. Only I don't exactly where I have place which part of the certificate and what I place into the stunnel.conf I have a part I sent to CA created whit openssl req -new -days 365 -nodes -config stunnel.cnf -out certreq.pem -keyout stunnel.pem I have get return a file certnew.cer and I have the file stunnel.pem. And now I don't know what I have to do next to get this certificate. I have tried several options but no one works.

1 0

Problems with Powerposter?
by Roger Stevens 10 Jan '07

10 Jan '07

I'm curious if anyone else has tried Stunnel with Powerposter on the Giganews Usenet network. I (and many other users) have reported problems whereby the post does not complete and just hangs. Per Giganews, this is a software problem and not their servers. Non-SSL posting in Powerposter works fine. but hangs when Stunnel is used usually after a couple of files are successfully uploaded. Any else run into this? TIA! Roger

1 0

re: Problem with certificates using smtp/pop
by David Chase 10 Jan '07

10 Jan '07

I tried sending directly to you, I must have looked like a spammer. I am ever so slightly pleased to see that I have some company in my frustration with this software. I'll try to help, since the experts seem to be too busy. I've only used it twice, and it was painful both times. Have you gotten it to work at all? That is, what do you see? Do you get a running stunnel process? Do you have (with permissions) ls -l /usr/local/etc/stunnel/mail.pem -rw------- 1 root staff 2233 Jan 5 17:25 /usr/local/etc/stunnel/ mail.pem I created it by running this command in that directory: sudo openssl req -new -out mail.pem -keyout mail.pem -nodes -x509 - days 365 I created a stupid certificate, because at some point it looked like it was asking me for my name (David Chase) when what they wanted was my fully qualified domain name (dr2chase.org), so that part of the certificate is wrong. The certificate creation in the makefile asked for this in a slightly more sensible way, using the abbreviation "FQDN", though you have to wonder how busy the authors of some of this security software are, that they cannot take the time to type in "Fully qualified domain name", and instead expect us to figure it out. It can be whiny about permissions, in a non-specific way (as if the software ran a one-way-hash on the permissions, didn't get a match, and expected you to just guess till it worked.) sudo chmod 600 /usr/local/etc/stunnel/mail.pem sudo chmod 755 /usr/local/etc/stunnel/ sudo chown root /usr/local/etc/stunnel/stunnel.conf You'll need to copy the sample stunnel.conf file into the real one: sudo cp /usr/local/etc/stunnel/stunnel.conf-sample /usr/local/etc/ stunnel/stunnel.conf You might want to look it over, though I don't recall changing much in mine. You might want to turn on debug logging there; mine seemed to spew in the invoking terminal, instead of any file that I could find, but that was good enough for a start: debug = 7 output = stunnel.log Some part of stunnel created its chroot directory with incorrect (for MacOS, at least) permissions: % ls -ld /usr/local/var/lib/stunnel/ 948 drwxrwx--T 2 root wheel 68 Jan 5 16:55 /usr/local/var/lib/ stunnel/ That's the one that didn't work, and clearly someone thought carefully about giving it the wrong permissions -- that "T" didn't get there accidentally. This caused silent failure for me. What worked, but might not be secure, is drwxrwxrwx 2 root wheel 68 Jan 6 00:16 /usr/local/var/lib/stunnel/ My guess is that it would be better if it were owned by nobody/nogroup, but this is clearly something that trained experts should GET RIGHT, instead of leaving it busted for novices to tinker with. What mail reader are you using? For example, Apple Mail's "connection doctor" will treat an unofficial certificate as a connection failure; only when you actually try to receive or send mail, will you get a chance to trust the certificate. Perhaps my sarcastic remarks will cause someone to actually fix something. Who knows. yours, David Chase

1 0

STunnel not creating connections.
by Paul Morrison 09 Jan '07

09 Jan '07

I have a problem perhaps someone can help me with. I have setup Stunnel and OpenSSL on a Windows 2003 server. It is configured to accept data on TCP port 2000, decrypt it, then pass it on to TCP port 8014. I have placed the certificates provided for this in a directory and I have told STunnel where these certificates are. The problem I am having is I can see the connection from port 2000 coming in to the system, but STunnel then does nothing before finally dropping the connection. The version of STunnel and OpenSSL are (stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005) I have the same setup at a different site on a different server and it works fine. In the debug.log the following is output: 2007.01.09 13:41:02 LOG7[684:352]: MATSU_GPRS started 2007.01.09 13:41:02 LOG7[684:352]: FD 196 in non-blocking mode 2007.01.09 13:41:02 LOG5[684:352]: MATSU_GPRS connected from 212.183.136.192:57511 2007.01.09 13:41:02 LOG7[684:352]: SSL state (accept): before/accept initialization 2007.01.09 13:41:22 LOG3[684:352]: SSL_accept: Peer suddenly disconnected 2007.01.09 13:41:22 LOG5[684:352]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2007.01.09 13:41:22 LOG7[684:352]: MATSU_GPRS finished (0 left) I would normally expect to see details of the SSL connection and the certificates being checked after the line 2007.01.09 13:41:02 LOG7[684:352]: SSL state (accept): before/accept initialization, but as you can see it does nothing before dropping the connection after 20 seconds. Does anyone know why this installation of STunnel does not seem to be attempting to use the certificates provided? I would be very grateful for any advice. P.S. Do I need to have a Certifcate Authority server setup at the site in order for STunnel to work? Paul Morrison IT Support Specialist TS3 Services Ltd Castle Court, Carnegie Campus Dunfermline KY11 8PB TEL: 01383 629900 Mob: 07918078864 EMAIL: Paul.Morrison(a)ts3services.co.uk <BLOCKED::mailto:Paul.Morrison@ts3services.co.uk>

1 0

Problem with certificates using smtp /pop
by Klaas 09 Jan '07

09 Jan '07

Isn't there no one who knows how do deal with certificate? > Is there no one who can tell me exactly which part of the > certificate I have to place where and how I must configure > stunnel.conf for the certificate >> I have installed stunnel 4.20 on Windows2003 server and have >> created my private key as follow: >> openssl req -new -days 365 -nodes -config stunnel.cnf -out >> certreq.pem -keyout stunnel.pem >> >> After that I have send certreq.pem to my own CA and have >> received a certnew.cer file. But what I have to do next because >> I still receive the message that the CN-name of the certificate >> is not the same with the given name. >> >> I append this certificate (certnew.cer) to my stunnel.pem file like: >> -----BEGIN RSA PRIVATE KEY----- >> data here >> -----END RSA PRIVATE KEY----- >> -----BEGIN CERTIFICATE----- >> data here >> -----END CERTIFICATE----- >> >> But this doesn't work. Still receive the message that I also read >> on the stunnel.conf must I config something here? >> cert = stunnel.pem >> key = stunnel.pem >> >> ; Authentication stuff >> ;verify = 2 >> ; Don't forget to c_rehash CApath >> ;CApath = certs >> ; It's often easier to use CAfile >> ;CAfile = certs.pem >> ; Don't forget to c_rehash CRLpath >> ;CRLpath = crls >> ; Alternatively you can use CRLfile >> ;CRLfile = crls.pem >> >> Can anyone tell me please what certificate I place where and how config >> the stunnel.conf so I get this working?

1 0

RE: [stunnel-users] URL changes in browser to http from https
by Casey Rayman 08 Jan '07

08 Jan '07

I figured it out. The webserver was redirecting me to the index.html page so that is where the protocol was getting changed. So now the question changes. Is there a function in stunnel for URL rewriting? In otherwords the webserver sends back "redirect yourself to http:// but stunnel intercepts that before it gets back to your browser to keep the connection secure? Thanks, Casey -----Original Message----- From: stunnel-users-bounces(a)mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Casey Rayman Sent: Monday, January 08, 2007 10:10 AM To: stunnel-users(a)mirt.net Subject: [stunnel-users] URL changes in browser to http from https I am just starting to experiment with stunnel on Debian Linux, using the standard debian packages. I've got it working so far accepting requests on the local port 443 and connecting on 80, but when the page loads the URL changes back to a non-secure address. To illustrate: https://192.168.1.10 loads a simple static web page and you get the normal warning for the certificate, but after the page loads the URL changes to http://192/168.1.10 . I thought this might just be IE or something but Firefox does it too. Could I be missing a setting in stunnel? Any ideas? Thank you, Casey _______________________________________________ stunnel-users mailing list stunnel-users(a)mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users January 2007