stunnel-users March 2007

stunnel-users@stunnel.org

13 participants
16 discussions

User nobody logging in
by Dimitri Yioulos 29 Mar '07

29 Mar '07

Hi, folks. I've been using stunnel on our mail server (sendmail, spamassassin, clamav, mailscanner, mailwatch). I note the following being written to syslog, and wonder if stunnel is causing it: Mar 29 14:07:31 mail1 su(pam_unix)[29493]: session closed for user nobody Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1723 Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33540 Mar 29 14:08:00 … [View More]mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket Mar 29 14:08:43 mail1 su(pam_unix)[29640]: session opened for user nobody by (uid=0) Mar 29 14:08:43 mail1 su(pam_unix)[29640]: session closed for user nobody Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1724 Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33544 Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1725 Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33546 Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket Mar 29 14:10:11 mail1 su(pam_unix)[30025]: session opened for user nobody by (uid=0) Mar 29 14:10:11 mail1 su(pam_unix)[30025]: session closed for user nobody Mar 29 14:10:33 mail1 su(pam_unix)[30075]: session opened for user nobody by (uid=0) Mar 29 14:10:33 mail1 su(pam_unix)[30075]: session closed for user nobody Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1726 Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33559 Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket Mar 29 14:11:03 mail1 su(pam_unix)[30206]: session opened for user nobody by (uid=0) Mar 29 14:11:03 mail1 su(pam_unix)[30206]: session closed for user nobody Mar 29 14:11:06 mail1 su(pam_unix)[30215]: session opened for user nobody by (uid=0) Mar 29 14:11:06 mail1 su(pam_unix)[30215]: session closed for user nobody It's the sessions opened and closed for the user nobody that has me concerned. stunnel appears to be the only process being run by the user nobody. If, in fact, this is caused by stunnel, do I keep these (and only these) session opened/closed instances from being logged? Thanks. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. [View Less]

1 0

trouble shooting Pan issue
by eph man 29 Mar '07

29 Mar '07

hi, i'm trying to trouble shoot a problem with a newsreader called pan that i might be having. here's my setup: ubuntu 6.10 kernel 2.6.17 pan 0.14.2 stunnel4 4.150 i created a snntp.conf file with only: client = yes foreground = yes debug = 7 [nntps] accept = localhost:2000 connect = inetnews.worldnet.att.net:563 then i run stunnel4 and this is the output: ephman@wintermute:~$ sudo stunnel4 /etc/stunnel/snntp.conf 2007.03.29 13:54:47 LOG7[13414:3083015856]: RAND_status claims sufficient … [View More]entropy for the PRNG 2007.03.29 13:54:47 LOG6[13414:3083015856]: PRNG seeded successfully 2007.03.29 13:54:47 LOG7[13414:3083015856]: SSL context initialized for service nntps 2007.03.29 13:54:47 LOG5[13414:3083015856]: stunnel 4.15 on i486-pc-linux-gnu with OpenSSL 0.9.8b 04 May 2006 2007.03.29 13:54:47 LOG5[13414:3083015856]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2007.03.29 13:54:47 LOG6[13414:3083015856]: file ulimit = 1024 (can be changed with 'ulimit -n') 2007.03.29 13:54:47 LOG6[13414:3083015856]: poll() used - no FD_SETSIZE limit for file descriptors 2007.03.29 13:54:47 LOG5[13414:3083015856]: 500 clients allowed 2007.03.29 13:54:47 LOG7[13414:3083015856]: FD 3 in non-blocking mode 2007.03.29 13:54:47 LOG7[13414:3083015856]: FD 4 in non-blocking mode 2007.03.29 13:54:47 LOG7[13414:3083015856]: FD 5 in non-blocking mode 2007.03.29 13:54:47 LOG7[13414:3083015856]: SO_REUSEADDR option set on accept socket 2007.03.29 13:54:47 LOG7[13414:3083015856]: nntps bound to 127.0.0.1:2000 2007.03.29 13:54:47 LOG7[13414:3083015856]: Created pid file /var/run/stunnel4.pid i then startup pan and it won't connect to the server the log file says: Thu, 29 Mar 2007 13:58:15 - Pan 0.14.2.91 Started Thu, 29 Mar 2007 13:58:15 - Directory "/home/ephman/.pan/messages/cache" contains 0.0 MB in 0 files Thu, 29 Mar 2007 13:58:15 - Directory "/home/ephman/.pan/messages/folders/pan.sent" contains 0.0 MB in 0 files Thu, 29 Mar 2007 13:58:15 - Directory "/home/ephman/.pan/messages/folders/pan.sendlater" contains 0.0 MB in 0 files Thu, 29 Mar 2007 13:58:15 - News server connection count: 0 Thu, 29 Mar 2007 13:58:19 - New connection 0x846da08 for inetnews.worldnet.att.net, port 563 Thu, 29 Mar 2007 13:59:21 - NNTP handshake failed: Error reading from socket. Thu, 29 Mar 2007 13:59:21 - Handshake failed: Error reading from socket. Thu, 29 Mar 2007 13:59:26 - New connection 0x84a5850 for inetnews.worldnet.att.net, port 563 any help or hints would be really helpful. thanks. be well, ephman [View Less]

1 0

Simple Stunnel Question
by mdpeters 28 Mar '07

28 Mar '07

My goal is to have a web server transfer MySQL data via an AES tunnel to a MySQL database server with an added encryption card. Both systems have the same SSL and Stunnel software installed. My web servers database seems to be functioning as normal. I would like to verify that what I have is complete and effective. It is not apparent to me if I have finished construction or how to verify this works like I want it to. I'm not sure how I would verify that Stunnel is being used? Do I need … [View More]to run Stunnel as a background service full time? Is there something I am missing here? Comments and advice is appreciated! ++++++ # /usr/local/sbin/stunnel -version stunnel 4.20 on sparc-sun-solaris2.10 with OpenSSL 0.9.8e 23 Feb 2007 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Global options debug = 5 pid = /usr/local/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH key = /usr/local/etc/stunnel/stunnel.pem session = 300 seconds sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none # gcc -v Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.10/3.3.2/specs Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls Thread model: posix gcc version 3.3.2 # uname -a SunOS slinky 5.10 Generic_118833-17 sun4u sparc SUNW,Ultra-80 # /usr/local/sbin/stunnel -sockets Socket option defaults: Option Accept Local Remote OS default SO_DEBUG -- -- -- 0 SO_DONTROUTE -- -- -- 0 SO_KEEPALIVE -- -- -- 0 SO_LINGER -- -- -- 0:0 SO_OOBINLINE -- -- -- 0 SO_RCVBUF -- -- -- 65535 SO_SNDBUF -- -- -- 65535 SO_RCVLOWAT -- -- -- -- SO_SNDLOWAT -- -- -- -- SO_RCVTIMEO -- -- -- -- SO_SNDTIMEO -- -- -- -- SO_REUSEADDR 1 -- -- 0 IP_TOS -- -- -- 0 IP_TTL -- -- -- 64 TCP_NODELAY -- -- -- 0 # openssl ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export ++++++ [View Less]

1 0

Stunnel support or OpenSSL in FIPS mode
by George Henson 26 Mar '07

26 Mar '07

All, Are there any current plans to include FIPS complaint mode in stunnel? I have asked some of my peers on other US Government projects and they indicated this would be a help to them as well. Looking at the users guide from the OpenSSL site (http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf) it would not appear to be a great amount of effort to make a stunnel that functions in a FIPS complaint mode. Attached I have included the patch I have created (with some help from friends). … [View More]It does not do the final linking correctly as I am not very good with autmake. Please let me know what you think. Thank you George diff -u -r @stunnel-4.20/configure.ac stunnel-4.20/configure.ac --- @stunnel-4.20/configure.ac 2006-11-11 09:58:01.000000000 -0500 +++ stunnel-4.20/configure.ac 2007-03-26 18:35:09.000000000 -0400 @@ -260,6 +260,51 @@ CFLAGS="$CFLAGS -I$ssldir/include" LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto" +AC_ARG_WITH(fips, + [ --with-fips Enable OpenSSL FIPS mode], + [ + if test "x$withval" != "xno" ; then + INCLUDES="=l$ssldir/include" + AC_CACHE_CHECK([for FIPS mode], ac_cv_fips, [ + AC_TRY_COMPILE( + [ #include <openssl/fips.h> ], + [ FIPS_mode_set(1); ], + [ ac_cv_fips="yes" ], + [ ac_cv_fips="no" ] + ) + ]) + fi + ] +) +if test "x$ac_cv_fips" = "xyes" ; then + CPPFLAGS="$CPPFLAGS -DOPENSSL_FIPS" + FIPS_MODE=yes + AC_SUBST(FIPS_MODE) +fi + +AC_ARG_WITH(fips, + [ --with-fips Enable OpenSSL FIPS mode], + [ + if test "x$withval" != "xno" ; then + INCLUDES="=l$ssldir/include" + AC_CACHE_CHECK([for FIPS mode], ac_cv_fips, [ + AC_TRY_COMPILE( + [ #include <openssl/fips.h> ], + [ FIPS_mode_set(1); ], + [ ac_cv_fips="yes" ], + [ ac_cv_fips="no" ] + ) + ]) + fi + ] +) +if test "x$ac_cv_fips" = "xyes" ; then + CPPFLAGS="$CPPFLAGS -DOPENSSL_FIPS" + FIPS_MODE=yes + AC_SUBST(FIPS_MODE) +fi +AM_CONDITIONAL(FIPS_MODE, test x$ac_cv_fips = xyes) + # Check for obsolete RSAref library AC_MSG_CHECKING([for obsolete RSAref library]) saved_LIBS="$LIBS" Only in stunnel-4.20: configure.ac.orig diff -u -r @stunnel-4.20/src/common.h stunnel-4.20/src/common.h --- @stunnel-4.20/src/common.h 2006-11-17 04:03:18.000000000 -0500 +++ stunnel-4.20/src/common.h 2007-03-26 18:35:03.000000000 -0400 @@ -321,6 +321,9 @@ #if SSLEAY_VERSION_NUMBER >= 0x00907000L #include <openssl/ocsp.h> #endif /* OpenSSL-0.9.7 */ +#ifdef OPENSSL_FIPS +#include <openssl/fips.h> +#endif #else /* HAVE_OPENSSL */ #include <lhash.h> #include <ssl.h> diff -u -r @stunnel-4.20/src/options.c stunnel-4.20/src/options.c --- @stunnel-4.20/src/options.c 2006-11-05 08:04:37.000000000 -0500 +++ stunnel-4.20/src/options.c 2007-03-26 18:35:03.000000000 -0400 @@ -556,7 +556,11 @@ /* ciphers */ switch(cmd) { case CMD_INIT: +#ifndef OPENSSL_FIPS section->cipher_list=SSL_DEFAULT_CIPHER_LIST; +#else + section->cipher_list="!ADH:!RC4:!RC2:!IDEA:!MD5:!NULL:TLSv1"; +#endif break; case CMD_EXEC: if(strcasecmp(opt, "ciphers")) @@ -564,7 +568,11 @@ section->cipher_list=stralloc(arg); return NULL; /* OK */ case CMD_DEFAULT: +#ifndef OPENSSL_FIPS log_raw("%-15s = %s", "ciphers", SSL_DEFAULT_CIPHER_LIST); +#else + log_raw("%-15s = %s", "ciphers", "!ADH:!RC4:!RC2:!IDEA:!MD5:!NULL:TLSv1"); +#endif break; case CMD_HELP: log_raw("%-15s = list of permitted SSL ciphers", "ciphers"); @@ -726,6 +734,31 @@ } #endif + /* fips mode */ +#ifndef USE_WIN32 + switch(cmd) { + case CMD_INIT: + options.option.fips_mode=0; + break; + case CMD_EXEC: + if(strcasecmp(opt, "fips")) + break; + if(!strcasecmp(arg, "yes")) + options.option.fips_mode = 1; + else if(!strcasecmp(arg, "no")) + options.option.fips_mode = 0; + else + return "argument should be either 'yes' or 'no'"; + return NULL; /* OK */ + case CMD_DEFAULT: + break; + case CMD_HELP: + log_raw("%-15s = yes|no FIPS mode", + "fips"); + break; + } +#endif + /* execargs */ #ifndef USE_WIN32 switch(cmd) { diff -u -r @stunnel-4.20/src/prototypes.h stunnel-4.20/src/prototypes.h --- @stunnel-4.20/src/prototypes.h 2006-11-11 08:03:05.000000000 -0500 +++ stunnel-4.20/src/prototypes.h 2007-03-26 18:35:03.000000000 -0400 @@ -142,6 +142,7 @@ unsigned int foreground:1; unsigned int syslog:1; /* log to syslog */ unsigned int rand_write:1; /* overwrite rand_file */ + unsigned int fips_mode:1; #ifdef USE_WIN32 unsigned int taskbar:1; /* enable the taskbar icon */ #endif diff -u -r @stunnel-4.20/src/stunnel.c stunnel-4.20/src/stunnel.c --- @stunnel-4.20/src/stunnel.c 2006-11-30 15:47:45.000000000 -0500 +++ stunnel-4.20/src/stunnel.c 2007-03-26 18:35:03.000000000 -0400 @@ -59,6 +59,7 @@ #ifndef USE_WIN32 int main(int argc, char* argv[]) { /* execution begins here 8-) */ +unsigned long e; main_initialize(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL); signal(SIGPIPE, SIG_IGN); /* avoid 'broken pipe' signal */ @@ -72,6 +73,21 @@ signal(SIGHUP, signal_handler); /* signal(SIGSEGV, signal_handler); */ +#ifdef OPENSSL_FIPS + if(options.option.fips_mode) { + if (!FIPS_mode_set(1)) { + log_raw("Failed to enter FIPS mode"); + ERR_load_crypto_strings(); + while((e = ERR_get_error())) { + log_raw(ERR_error_string(e,NULL)); + } + return 1; /* failure */ + } else { + log_raw("FIPS mode enabled"); + } + } +#endif + main_execute(); return 0; /* success */ [View Less]

1 0

using an ocsp
by Samuel Landau 26 Mar '07

26 Mar '07

Hello, I am using stunnel 4.18 and openca-ocspd 1.5.1. The OCSPd uses a delegate certificate and the setup works when tested with openssl: $ openssl ocsp -issuer /home/landau/ssl/cacert.pem -serial 3 -url http://localhost:2560 -CAfile /home/landau/ssl/cacert.pem Response verify OK 3: good This Update: Mar 23 18:27:37 2007 GMT Next Update: Mar 26 10:56:33 2007 GMT But when it comes to using stunnel, I cannot figure out how to make it use properly the OCSP. I could see that … [View More]stunnel 4.19 had more options for ocsp, but I am unsure this is related to my current issue. Besides, is there a way to have stunnel fall back on local cert/crl files if the ocsp server is not available ? Regards, -- Samuel Landau ____________________________________________________________________________ This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited. E-mail messages are not necessarily secure. Archos does not accept responsibility for any changes made to this message after it was sent. 2007.03.26 12:59:05 LOG5[29250:3083020512]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006 2007.03.26 12:59:05 LOG5[29250:3083020512]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2007.03.26 12:59:05 LOG6[29250:3083020512]: file ulimit = 1024 (can be changed with 'ulimit -n') 2007.03.26 12:59:05 LOG6[29250:3083020512]: poll() used - no FD_SETSIZE limit for file descriptors 2007.03.26 12:59:05 LOG5[29250:3083020512]: 500 clients allowed 2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 4 in non-blocking mode 2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 5 in non-blocking mode 2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 6 in non-blocking mode 2007.03.26 12:59:05 LOG7[29250:3083020512]: SO_REUSEADDR option set on accept socket 2007.03.26 12:59:05 LOG7[29250:3083020512]: server bound to 127.0.0.1:12345 2007.03.26 12:59:05 LOG7[29250:3083020512]: Created pid file /home/landau/stunnel4.pid 2007.03.26 12:59:12 LOG7[29250:3083020512]: server accepted FD=7 from 127.0.0.1:36200 2007.03.26 12:59:12 LOG7[29250:3082972080]: server started 2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 7 in non-blocking mode 2007.03.26 12:59:12 LOG7[29250:3082972080]: TCP_NODELAY option set on local socket 2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode 2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 9 in non-blocking mode 2007.03.26 12:59:12 LOG7[29250:3083020512]: Cleaning up the signal pipe 2007.03.26 12:59:12 LOG6[29250:3083020512]: Child process 29252 finished with code 0 2007.03.26 12:59:12 LOG7[29250:3082972080]: Connection from 127.0.0.1:36200 permitted by libwrap 2007.03.26 12:59:12 LOG5[29250:3082972080]: server connected from 127.0.0.1:36200 2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): before/accept initialization 2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 read client hello A 2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write server hello A 2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write certificate A 2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write certificate request A 2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 flush data 2007.03.26 12:59:12 LOG6[29250:3082972080]: *** starting OCSP verification *** 2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode 2007.03.26 12:59:12 LOG7[29250:3082972080]: connect_wait: waiting 10 seconds 2007.03.26 12:59:12 LOG7[29250:3082972080]: connect_wait: connected 2007.03.26 12:59:12 LOG7[29250:3082972080]: OCSP server connected 2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in blocking mode 2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode 2007.03.26 12:59:12 LOG6[29250:3082972080]: OCSP response received 2007.03.26 12:59:12 LOG3[29250:3082972080]: OCSP_basic_verify: 27069076: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found 2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL alert (write): fatal: certificate unknown 2007.03.26 12:59:12 LOG3[29250:3082972080]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned 2007.03.26 12:59:12 LOG5[29250:3082972080]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2007.03.26 12:59:12 LOG7[29250:3082972080]: server finished (0 left) 2007.03.26 12:59:16 LOG3[29250:3083020512]: Received signal 2; terminating 2007.03.26 12:59:16 LOG7[29250:3083020512]: removing pid file /home/landau/stunnel4.pid cert = landau.pem key = landau.key sslVersion = SSLv3 pid =/home/landau/ssl/stunnel4.pid socket =l:TCP_NODELAY=1 socket =r:TCP_NODELAY=1 compression =zlib foreground =yes verify =3 CApath =/home/landau/ssl/ CAfile =/home/landau/ssl/cacert.pem debug =7 output =/home/landau/ssl/stunnel4.log client =no [server] accept =localhost:12345 ocsp =http://localhost:2560 pty =no exec =/bin/bash execargs =bash [View Less]

1 0

[win32] stunnel/OpenSSL/Synergy howto
by P. Jansen 25 Mar '07

25 Mar '07

Hi stunnel users and especially newbies, on http://stunnel.mirt.net/docs.html you can find a link to a stunnel/OpenSSL/Synergy howto for the Win32 platform. It is a short but hopefully useful doc how to install, configure and use stunnel. Feedback and comments are welcome. - Patrick

1 0

Solaris 10 and MySQL questions
by mdpeters 25 Mar '07

25 Mar '07

My goal is to have a web server transfer MySQL data via an AES tunnel to a MySQL database server with an added encryption card. Both systems have the same SSL and Stunnel software installed. My web servers database seems to be functioning as normal. I would like to verify that what I have is complete and effective. It is not apparent to me if I have finished construction or how to verify this works like I want it to. I'm not sure how I would verify that Stunnel is being used. Do I need … [View More]to run Stunnel as a background service full time? Is there something I am missing here? ++++++ # /usr/local/sbin/stunnel -version stunnel 4.20 on sparc-sun-solaris2.10 with OpenSSL 0.9.8e 23 Feb 2007 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Global options debug = 5 pid = /usr/local/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH key = /usr/local/etc/stunnel/stunnel.pem session = 300 seconds sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none # gcc -v Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.10/3.3.2/specs Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls Thread model: posix gcc version 3.3.2 # uname -a SunOS slinky 5.10 Generic_118833-17 sun4u sparc SUNW,Ultra-80 # /usr/local/sbin/stunnel -sockets Socket option defaults: Option Accept Local Remote OS default SO_DEBUG -- -- -- 0 SO_DONTROUTE -- -- -- 0 SO_KEEPALIVE -- -- -- 0 SO_LINGER -- -- -- 0:0 SO_OOBINLINE -- -- -- 0 SO_RCVBUF -- -- -- 65535 SO_SNDBUF -- -- -- 65535 SO_RCVLOWAT -- -- -- -- SO_SNDLOWAT -- -- -- -- SO_RCVTIMEO -- -- -- -- SO_SNDTIMEO -- -- -- -- SO_REUSEADDR 1 -- -- 0 IP_TOS -- -- -- 0 IP_TTL -- -- -- 64 TCP_NODELAY -- -- -- 0 # openssl ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export ++++++ [View Less]

1 0

How to surf the web over proxy?
by P. Jansen 25 Mar '07

25 Mar '07

Hi, I know there is a way to do the following with SSH+PuTTY, with stunnel too? Do I need further software? Windows office computer --> (HTTP) --> Corporate firewall/proxy --> (HTTP) --> Home computer --> WWW Regards, Patrick

1 0

Stunnel 4.20 with TCP Wrappers 7.6 problem in configure.ac
by lists＠d-ra.ath.cx 18 Mar '07

18 Mar '07

Hi, the following patch makes stunnel 4.20 to operate with TCP wrappers 7.6. I had not tried other versions of stunnel nor TCP wrappers. The problem is the missing libnsl, so TCP wrappers will never be activated in ./configure Regards Dieter --- configure.ac.orig 2007-03-17 12:57:32.000000000 +0100 +++ configure.ac 2007-03-17 12:55:19.000000000 +0100 @@ -310,7 +310,7 @@ AC_MSG_RESULT([no (autodetecting)]) AC_MSG_CHECKING([for hosts_access in -lwrap]) … [View More]

2 9

Getting a "Peer suddenly disconnected" error
by David Goodwin 09 Mar '07

09 Mar '07

Hey all, I'm getting this in the /var/adm/messages log on the server side when attempting to connect from the client: Mar 8 22:23:33 SERVERNAME stunnel: [ID 821868 daemon.error] LOG3[27429:4]: SSL_connect: Peer suddenly disconnected I have the server configured as follows: cat /etc/stunnel/stunnel.test.conf client=yes debug=debug cert=/etc/stunnel/stunnel.pem [sunrpc] accept=112 connect=127.0.0.1:111 TIMEOUTclose=10 This is started just by running stunnel with the config file and then … [View More]

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users March 2007