December 2007 - stunnel-users

SSL session caching with multiple clients through stunnel to an https server
by Paul McGarry 05 Dec '07

05 Dec '07

Hi there, I have an application where apache/php processes make SOAP requests over https to a single remote server (which is IIS I think). I am trying to cut down the time each request takes. In it's current configuration I think some time will be wasted as the php client and IIS server handshake to set up a new SSL connection for each request, thereby adding (at least) twice the network latency between the two servers to each request. (As far as I can tell there is no way to make php SOAP use some kind of persistant connection or SSL cache when talking to the server) I am wondering if I pushed the soap requests as http through stunnel whether stunnel would be more efficient with SSL connections or whether it will just create a new tunnel with a new ssl session for each request it receives? Does anyone have any advice? Paul

1 0

MS Outlook verify = 2 using problem
by FFT` 05 Dec '07

05 Dec '07

Good Day! I'm using Stunnel 4.21 on i686-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 with OpenSSL 0.9.8g 19 Oct 2007 on Fedora-like Linux server. stunnel.conf consists: _______________________________________________________________________________ cert = /usr/local/etc/stunnel/server.crt key = /usr/local/etc/stunnel/server.pem ; Protocol version (all, SSLv2, SSLv3, TLSv1) ;sslVersion = SSLv3 ; Some security enhancements for UNIX systems - comment them out on Win32 chroot = /usr/local/var/stunnel/ setuid = nobody setgid = nobody ; PID is created inside chroot jail pid = /stunnel.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = rle ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff verify = 2 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail ;CApath =/usr/local/etc/stunnel/certs ; It's often easier to use CAfile CAfile = /usr/local/etc/stunnel/ca.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /usr/local/etc/stunnel/crl.pem ; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log ; Service-level configuration [pop3s] accept = 995 connect = 110 ________________________________________________________________________ PKI consists: ROOT_CA CA MAIL_CON_CA SERVER CLIENT server.crt - Server certificate in PEM Format; server.pem - Server key in PEM Format with nopassword ca.pem - ROOT_CA, CA, MAIL_CON_CA certificates in PEM format. When I am using MS Outlook mail Client , there are some PROBLEM with connections to SERVER:995 stunnel.log consists: ______________________________________________ 2007.12.05 14:57:39 LOG5[16668:1074107776]: stunnel 4.21 on i686-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2007.12.05 14:57:39 LOG5[16668:1074107776]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 2007.12.05 14:57:39 LOG6[16668:1074107776]: file ulimit = 1024 (can be changed with 'ulimit -n') 2007.12.05 14:57:39 LOG6[16668:1074107776]: poll() used - no FD_SETSIZE limit for file descriptors 2007.12.05 14:57:39 LOG5[16668:1074107776]: 500 clients allowed 2007.12.05 14:57:39 LOG7[16668:1074107776]: FD 6 in non-blocking mode 2007.12.05 14:57:39 LOG7[16668:1074107776]: FD 8 in non-blocking mode 2007.12.05 14:57:39 LOG7[16668:1074107776]: FD 9 in non-blocking mode 2007.12.05 14:57:39 LOG7[16668:1074107776]: SO_REUSEADDR option set on accept socket 2007.12.05 14:57:39 LOG7[16668:1074107776]: pop3s bound to 0.0.0.0:995 2007.12.05 14:57:39 LOG7[16669:1074107776]: Created pid file /stunnel.pid 2007.12.05 14:57:48 LOG7[16669:1074107776]: pop3s accepted FD=10 from 192.168.1.205:2129 2007.12.05 14:57:48 LOG7[16669:1074228016]: pop3s started 2007.12.05 14:57:48 LOG7[16669:1074228016]: FD 10 in non-blocking mode 2007.12.05 14:57:48 LOG7[16669:1074228016]: TCP_NODELAY option set on local socket 2007.12.05 14:57:48 LOG5[16669:1074228016]: pop3s accepted connection from 192.168.1.205:2129 2007.12.05 14:57:48 LOG7[16669:1074228016]: SSL state (accept): before/accept initialization 2007.12.05 14:57:48 LOG7[16669:1074228016]: SSL state (accept): SSLv3 read client hello A 2007.12.05 14:57:48 LOG7[16669:1074228016]: SSL state (accept): SSLv3 write server hello A 2007.12.05 14:57:48 LOG7[16669:1074228016]: SSL state (accept): SSLv3 write certificate A 2007.12.05 14:57:48 LOG7[16669:1074228016]: SSL state (accept): SSLv3 write certificate request A 2007.12.05 14:57:48 LOG7[16669:1074228016]: SSL state (accept): SSLv3 flush data 2007.12.05 14:57:48 LOG7[16669:1074228016]: SSL alert (write): fatal: handshake failure 2007.12.05 14:57:48 LOG3[16669:1074228016]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate 2007.12.05 14:57:48 LOG5[16669:1074228016]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2007.12.05 14:57:48 LOG7[16669:1074228016]: pop3s finished (0 left) ______________________________________________ I load all Server, CA , and client certificate in SYSTEM, but there is NO Connection. Please help Me with Stunnel and Outlook using.

1 0

(no subject)
by Harmon, Paul 01 Dec '07

01 Dec '07

Ok Guys, I hate to be a nuisance. But I encountered an error coming out o the Stunnel configuration in LINUX. First what does it mean when Stunnel is in INETD mode? Does this imply certain configuration restrictions and why? Thanks, Paul Harmon

2 1