December 2007 - stunnel-users

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 31 Jul '11

31 Jul '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to scan and re-write the plaintext. For HTTP redirects it could possibly be implemented (re-write only the response before ^$, and redirects aren't chunked and don't have content lengths to work with, etc) but you'd still need enough HTTP logic to handle keepalives and such. It's not trivial and not likely. Another option would be to have something already HTTP aware doing the rewriting in between stunnel and subversion. A re-writing proxy. Another option would be to use mod_rewrite in apache to rewrite the urls. But the best way would be to just use SSL inside apache and drop stunnel entirely. -- Brian Hatch The best way to accelerate Systems and a Windows machine is at Security Engineer 9.8 meters per second http://www.ifokr.org/bri/ squared. Every message PGP signed

3 2

Bugs
by Jan.Haering＠rz-kiru.de 28 Feb '08

28 Feb '08

Hallo, I have found 2 Bugs. 1. In Version 4.21: No Taskbar Icon is displayed when the service starts. Although the taskbar ist set in config file (taskbar = yes). 2. In probably all Versions (I have testet 4.18, 4.20 and 4.21) If i started the service over Start -> Programm Files -> stunnel -> Service Start (stunnel -start) no log files are written. If i start the service over services.msc from Windows or "sc start stunnel" log files are written. The icon log displayed the following message in version 4.18 and 4.20 2007.11.09 09:41:03 LOG3[2396:2400]: stunnel.log: Broken pipe (32) 2007.11.09 09:41:03 LOG3[2396:2400]: Unable to open output file: stunnel.log Best Regards Jan

5 9

Missing Something Basic on Config
by Steve 28 Dec '07

28 Dec '07

Using stunnel for NNTPS. Stunnel starts without any apparent problems (log looks normal), but simply doesn't intercept packets from my news reader. There is no activity in the log and sniffing the packets shows everything happening on 119. My understanding of the concept is that there are no configuration changes needed in the newsreader; IOW, I leave it pointing to the unsecured NNTP server with the port set to 119. I fear I'm missing something very obvious. BTW, I've confirmed the ability to use NNTPS with this particular server by using Outlook Express, which is compatible with NNTPS. Version: 4.20; I used the Windows binary. Running XP. Config: ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log ; Use it for client mode client = yes ; Service-level configuration [nntps] accept = 192.168.1.101:119 connect = secure.news.easynews.com:563 Log: 2007.12.28 22:24:46 LOG5[6640:6644]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8d 28 Sep 2006 2007.12.28 22:24:46 LOG5[6640:6644]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6 2007.12.28 22:24:46 LOG5[6640:5936]: No limit detected for the number of clients 2007.12.28 22:24:46 LOG7[6640:5936]: FD 196 in non-blocking mode 2007.12.28 22:24:46 LOG7[6640:5936]: SO_REUSEADDR option set on accept socket 2007.12.28 22:24:46 LOG7[6640:5936]: nntps bound to 192.168.1.101:119

1 0

Avoiding outlook express warning...
by fg 28 Dec '07

28 Dec '07

Hello all I use stunnel on a server with a stunnel.pem file generated with openSSL,( this file is not certified with verisign or others...) Each time i launch outlook express on a client a have a warning saying that the server is using a certificate who can't be verified.... I have to close this warning and after all is ok... Question Is it possible to skip this warning? perhaps with a public key approuved in outlook express??? thanks for help --------------------------------- Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail

3 2

stunnel
by peter griep 27 Dec '07

27 Dec '07

hello i'm using stunnel with download2day,but it's not working wih grabit can you tell what i must do to work stunnel with grabit. peter

3 2

1 tunnel client to few different servers
by Shalvi Ziv 26 Dec '07

26 Dec '07

All, As my PROXY server gets requests from end-users to be proxied to several different content providers (SMS servers), I was wondering how can encrypt the traffic between the PROXY to the SMS using stunnel, but still handle the differentiation to the various content providers. Meaning, my PROXY listens on port 9090 for all incoming SMS requests and each request should be addressed to different SMS server (i.e. different content provider) based on the number the message was sent to. See following example: Client = yes [SMPP] accept = 9090 (should always be this port) connect = <SMS IP>:442 Now, how can I do it with stunnel configuration (having the <SMS IP> flexibly assigned according to other parameters in the packet)? Thanks! zivs

2 1

Can stunnel be configured to listen for multiple IP addresses and access different email hosts?
by David Goldstein 20 Dec '07

20 Dec '07

2 1

Using stunnel as a non-root user
by T. S. Ferreira 20 Dec '07

20 Dec '07

I have a small web application running as a regular (non root) user on my port 6666. I would like to make it accessible through SSL on port 7777. In order to test it I used (as the same non root user) the following command: stunnel -D 7 -p mypemfile.pem -d 7777 -r localhost:6666 but it does not work. When I check with "ps aux | fgrep stunnel", no such program is running. However if I run it as root, it does work. I did not find in the documentation any restriction with this regard. Since my final application will run on a machine to whose root I do not have access, I would like to find a way to solve this problem. Any hint will be appreciated. -- tsf ----------------------------------------- My system data are: (1) Linux/Ubuntu 7.10, kernel 2.6.22-14-generic, (2) Output of "/usr/bin/stunnel4 -version": stunnel 4.20 on i486-pc-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = 5 pid = /var/run/stunnel4.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH key = /etc/stunnel/stunnel.pem session = 300 seconds sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none (3) Output due to '-D 7' option: 2007.12.20 10:00:45 LOG7[14820:3082589872]: Snagged 64 random bytes from /home/tomasz/.rnd 2007.12.20 10:00:45 LOG7[14820:3082589872]: Wrote 1024 new random bytes to /home/tomasz/.rnd 2007.12.20 10:00:45 LOG7[14820:3082589872]: RAND_status claims sufficient entropy for the PRNG 2007.12.20 10:00:45 LOG7[14820:3082589872]: PRNG seeded successfully 2007.12.20 10:00:45 LOG7[14820:3082589872]: Certificate: jai_ssl.pem 2007.12.20 10:00:45 LOG7[14820:3082589872]: Certificate loaded 2007.12.20 10:00:45 LOG7[14820:3082589872]: Key file: jai_ssl.pem 2007.12.20 10:00:45 LOG7[14820:3082589872]: Private key loaded 2007.12.20 10:00:45 LOG7[14820:3082589872]: SSL context initialized for service stunnel3 (4)"/usr/bin/stunnel" is a Perl script whose comments say " ... wrapper to use stunnel 3.x syntax in stunnel >=4.05 ..."; it is version 2.00 (2005.04.2).

1 1

Stunnel never really connects
by Pat Riehecky 20 Dec '07

20 Dec '07

I am trying to send email over stunnel from a client that doesn't support encryption to a server that does. The local socket opens just fine, but it never really seems to connect to the remote server. A tcpdump shows only three packets exchanged between the two systems (Syn, Syn/Ack, Ack). The behavior is the same regardless of which tls enabled port I point stunnel at. I am able to connect to these ports via telnet and send email so I know the connection can be negotiated. I am using the 4.21 build for windows (XP SP2) found on the main webpage. Help! --- stunnel.conf --- ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ; my email client isn't eudora, but given how ; it doesn't support standards like encrypted ; transport..... options = DONT_INSERT_EMPTY_FRAGMENTS ; Some debugging stuff useful for troubleshooting debug = 7 ; Use it for client mode client = yes [smtp] accept = 127.0.0.1:25 connect = mailserver.mydomain.tld:587 ;connect = mailserver.mydomain.tld:465 ;connect = mailserver.mydomain.tld:25 protocol = smtp

2 1