stunnel-users October 2008

stunnel-users@stunnel.org

10 participants
9 discussions

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to scan and re-write the plaintext. For HTTP redirects it could possibly be implemented (re-write only the response before ^$, and redirects aren't chunked and don't have content lengths to work with, etc) but you'd still need enough HTTP logic to handle keepalives and such. It's not trivial and not likely. Another option would be to have something already HTTP aware doing the rewriting in between stunnel and subversion. A re-writing proxy. Another option would be to use mod_rewrite in apache to rewrite the urls. But the best way would be to just use SSL inside apache and drop stunnel entirely. -- Brian Hatch The best way to accelerate Systems and a Windows machine is at Security Engineer 9.8 meters per second http://www.ifokr.org/bri/ squared. Every message PGP signed

3 2

stunnel and expiring CRLs
by Jason Haar 19 Nov '08

19 Nov '08

Hi there Is stunnel capable of re-reading updated CRLs on the fly? Without needing to be restarted? I have tried both CRLfile and CRLpath (with the hashes) with no luck. It appear stunnel only reads them on startup and never refers to them again? There also seems to be no option to send a HUP or the like to force a re-read - only a full restart will make stunnel re-read the CRLs. i.e. our system works after a fresh restart until the original CRL expires, and then stunnel starts rejecting new connections with "Found CRL is expired - revoking all certificates until you get updated CRL" - even though there have been several CRL file (and hash) updates in between. Restarting stunnel makes it start working again. I've googled around and see several other people have asked similar questions over the years, and there are references by Michal Trojnara that it should work? This is stunnel-4.14-2 under CentOS5 with openssl-0.9.8b-8.3.el5_0.2. No chroot jail Thanks! -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

4 5

Spawning a shell
by Tobias Dussa 29 Oct '08

29 Oct '08

Hi everybody, maybe I'm missing something real obvious here, but I can't figure out what's going wrong. I'm trying to make stunnel spawn a regular shell when it gets a connect. As far as I understand, the pty option should allocate a virtual tty, so I ought to be able to just exec() a shell. However, this won't work; apparently some more magic is required. I do get the basic interactive functionality to work (i. e., I can enter, say, ls and get back a directory listing), but the terminal won't work properly: Unwanted echoes (stty -echo doesn't help). Furthermore, for some reason stderr is not connected to the new pty but sticks to stunnel's original pty. I have tried spawning a shell directly from stunnel (with exec), spawning a script which redirects stdin/-out/-err to the proper pty, then execs a shell, spawning a script which execs login, spawning a script which execs getty. (The latter being closest to what I want, but not good enough.) I'm running out of ideas. Anyone ever did this? Any comments? (Incidentally, if anyone has a better idea how to create the possibility to log in with an X.509 certificate without using stunnel, I'm all ears.) I'm running stunnel4 on Debian etch: --- stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = 5 pid = /var/run/stunnel4.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH key = /etc/stunnel/stunnel.pem session = 300 seconds sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none --- Cheers, Toby. -- The nine most terrifying words in the English language are: I'm from the government and I'm here to help. ---Ronald Reagan

3 2

Thanks for solving my problem!
by editor 20 Oct '08

20 Oct '08

Hi: Thanks! I commented out the "Verify" option within the configuration file and restarted the application. I can use it POP3S & HTTPS with the Nokia & Sony-Ericsson mobiles fine now as well as Thunderbird. I will check with Outlook next. Window's mobile is complaining it can not create a SSL session however. I think it has to do with the public certificate I use in the mail host. Godaddy uses this two part public certificate and the Network Solutions is a single file. I am hoping in a new release of Stunnel, it can support a two part public certificate. Thanks again!!! Kevin > > > > > > ------------------------------ > > > > Message: 2 > > Date: Sun, 19 Oct 2008 21:17:29 -0700 (PDT) > > From: Algol Tradent <tradent(a)yahoo.com> > > Subject: Re: [stunnel-users] Version 4.26 and using to secure IMAPS & > > POP3 > > To: stunnel-users(a)mirt.net > > Message-ID: <710279.38955.qm(a)web62003.mail.re1.yahoo.com> > > Content-Type: text/plain; charset=us-ascii > > > > Hello, > > > > I think your problem is on your config file for the server. On your config file you have the following option > > > > # Authentication stuff > > verify = 3 > > > > You probably don't want this option set. Because you are asking the client and the server to authenticate each other based on certificates... which I don;t think is the case here. > > > > On your log file there is this line which is a good indicator of your problem. > > > > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate > > > > I hope this helps > >

1 0

Version 4.26 and using to secure IMAPS & POP3
by Editor (Kevin) 20 Oct '08

20 Oct '08

Hi: I upgraded to the current 4.26 as I was having an issue with 4.15. The idea is to secure IMAP traffic as well as inbound SMTP. The email client is the latest Thunderbird and seems to be very stable. The mail Host is a Sun E-250 with current patches for Solaris 9. Note: I am using a public certificate and as it from "godaddy.com", it is this unusual two part certificate. This may be where the problem is as I had to combine the two public certificate files together (maybe the next version of STUNNEL could do this automatically so the risk of errors is reduced!). However, using STUNNEL, I am having an issue connecting as I get a strange error message and the connection dies. Error Log: 2008.10.19 13:10:41 LOG7[2104:1]: imaps accepted FD=0 from 80.38.96.194:4129 2008.10.19 13:10:41 LOG7[2104:3]: imaps started 2008.10.19 13:10:41 LOG7[2104:3]: FD 0 in non-blocking mode 2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe 2008.10.19 13:10:41 LOG7[2104:3]: TCP_NODELAY option set on local socket 2008.10.19 13:10:41 LOG7[2104:3]: Waiting for a libwrap process 2008.10.19 13:10:41 LOG7[2104:3]: Acquired libwrap process #0 2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe 2008.10.19 13:10:41 LOG7[2104:3]: Releasing libwrap process #0 2008.10.19 13:10:41 LOG7[2104:3]: Released libwrap process #0 2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe 2008.10.19 13:10:41 LOG7[2104:3]: imaps permitted by libwrap from 80.38.96.194:4129 2008.10.19 13:10:41 LOG5[2104:3]: imaps accepted connection from 80.38.96.194:4129 2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): before/accept initialization 2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 read client hello A 2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write server hello A 2008.10.19 13:10:41 LOG7[2104:1]: Cleaning up the signal pipe 2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate A 2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 write certificate request A 2008.10.19 13:10:41 LOG7[2104:3]: SSL state (accept): SSLv3 flush data 2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (read): warning: no certificate 2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe 2008.10.19 13:10:42 LOG7[2104:3]: SSL alert (write): fatal: handshake failure 2008.10.19 13:10:42 LOG3[2104:3]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate 2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe 2008.10.19 13:10:42 LOG5[2104:3]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2008.10.19 13:10:42 LOG7[2104:1]: Cleaning up the signal pipe 2008.10.19 13:10:42 LOG7[2104:3]: imaps finished (0 left) See the weird no client peer handshake???? The configuration file: # more /usr/local/etc/stunnel/stunnel.conf # stunnel configuration file # Use to provide ssl protection for https, pop3 and imap # # Setting up the root jail chroot = /usr/local/var/stunnel # # The PID is created inside chroot jail pid = /stunnel.pid setuid = nobody setgid = nogroup ; Some security enhancements for UNIX systems - comment them out on Win32 chroot = /usr/local/var/lib/stunnel/ setuid = nobody setgid = nogroup ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 # Authentication stuff verify = 3 # Certicates to use # cert = /usr/local/etc/stunnel/stunnel.pem CAfile = /usr/local/etc/stunnel/_.cellmail.com.crt # SSLCertificateChainFile = /usr/local/etc/stunnel/gd_intermediate_bundle.crt # Some debugging stuff debug = 7 output = /var/log/stunnel.log # Use it for client mode #client = yes # Service-level configuration [pop3s] accept = 199.4.110.39:995 connect = 110 [imaps] accept = 199.4.110.39:993 connect = 143 [ssmtp] accept = 199.4.110.39:465 connect = frog.cellmail.com:25 # TIMEOUTclose = 0 The startup log: 2008.10.19 13:02:50 LOG7[2077:1]: Snagged 64 random bytes from /export/home/kgreene/.rnd 2008.10.19 13:02:50 LOG7[2077:1]: Wrote 1024 new random bytes to /export/home/kgreene/.rnd 2008.10.19 13:02:50 LOG7[2077:1]: RAND_status claims sufficient entropy for the PRNG 2008.10.19 13:02:50 LOG7[2077:1]: PRNG seeded successfully 2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem 2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded 2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem 2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded 2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt 2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file 2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service pop3s 2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem 2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded 2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem 2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded 2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt 2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file 2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service imaps 2008.10.19 13:02:50 LOG7[2077:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem 2008.10.19 13:02:50 LOG7[2077:1]: Certificate loaded 2008.10.19 13:02:50 LOG7[2077:1]: Key file: /usr/local/etc/stunnel/stunnel.pem 2008.10.19 13:02:50 LOG7[2077:1]: Private key loaded 2008.10.19 13:02:50 LOG7[2077:1]: Loaded verify certificates from /usr/local/etc/stunnel/_.cellmail.com.crt 2008.10.19 13:02:50 LOG7[2077:1]: Loaded /usr/local/etc/stunnel/_.cellmail.com.crt revocation lookup file 2008.10.19 13:02:50 LOG7[2077:1]: SSL context initialized for service ssmtp 2008.10.19 13:02:50 LOG5[2077:1]: stunnel 4.26 on sparc-sun-solaris2.9 with OpenSSL 0.9.8h 28 May 2008 2008.10.19 13:02:50 LOG5[2077:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.10.19 13:02:50 LOG6[2077:1]: file ulimit = 256 (can be changed with 'ulimit -n') 2008.10.19 13:02:50 LOG6[2077:1]: poll() used - no FD_SETSIZE limit for file descriptors 2008.10.19 13:02:50 LOG5[2077:1]: 125 clients allowed 2008.10.19 13:02:50 LOG7[2077:1]: FD 11 in non-blocking mode 2008.10.19 13:02:50 LOG7[2077:1]: FD 12 in non-blocking mode 2008.10.19 13:02:50 LOG7[2077:1]: FD 13 in non-blocking mode 2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket 2008.10.19 13:02:50 LOG7[2077:1]: pop3s bound to 199.4.110.39:995 2008.10.19 13:02:50 LOG7[2077:1]: FD 14 in non-blocking mode 2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket 2008.10.19 13:02:50 LOG7[2077:1]: imaps bound to 199.4.110.39:993 2008.10.19 13:02:50 LOG7[2077:1]: FD 15 in non-blocking mode 2008.10.19 13:02:50 LOG7[2077:1]: SO_REUSEADDR option set on accept socket 2008.10.19 13:02:50 LOG7[2077:1]: ssmtp bound to 199.4.110.39:465 2008.10.19 13:02:50 LOG7[2083:1]: Created pid file /stunnel.pid 2008.10.19 13:02:50 LOG7[2083:1]: Cleaning up the signal pipe

2 1

forgeground=no with pppd and pty=yes?
by Sandeep Kumar 16 Oct '08

16 Oct '08

Hi, I want to encrypt pppd, but stunnel should start in background mode. But as soon as I set foreground=no, ppp is unable to connect. Is this not possible ? -- Sandeep Kumar http://students.iiit.ac.in/~sandeep_kr

1 0

Setting up a POP3 connection through stunnel?
by Ben Stover 13 Oct '08

13 Oct '08

Assume currently I retrieve my emails from my mailbox unencrypted with the following info: pop3.mydomain.com port=110 Now I want to switch to an encrypted POP3 mail connection. with the following information pop3.mydomain.com port=777 Can I simply write now in the conf file: [myownsetup] accept = 127.0.0.1:110 connect = pop3.mydomain.com:777 Is this sufficient? Ben

2 1

Question (new user!) how to get it to work? - SQL
by Reinier van der Gugten 10 Oct '08

10 Oct '08

Hi, I read most of the messages and tutorials, but still I do not seem to get it to work. I want to achieve the following: Client side: VB application communicating to a SQL server over port 1433. Server side: Lisning on port 1433 that is lisned to by SQL 2005. However this is not allowed evrywhere, so stunnel comes into play. Client side: VB application communicating to localhost on port 1433 Stunnel installed lisning on port 1433 and passing it on to port 80 (Note for later: I would like to use SSL, so it will pass through routers, But for the test it will suffice to keep it unencrypted. Also the server is still local and could be reached directly. But it should work fine for testing.) Server: Stunnel installed as service lisning on port 80 and transmitting it to port 1433 (later to be moved to 443, as I also run a HTTP server) The config file looks like this: ------------------------------------------------- Client: ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment cert = stunnel.pem ;key = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem ; Some debugging stuff useful for troubleshooting ;debug = 7 ;output = stunnel.log ; Use it for client mode client = yes ; Service-level configuration [SQLServer] accept = 127.0.0.1:1433 connect = 10.12.18.10:80 ------------------------------------------------- Server: ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment cert = stunnel.pem ;key = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem ; Some debugging stuff useful for troubleshooting ;debug = 7 ;output = stunnel.log ; Use it for client mode ;client = yes ; Service-level configuration [SQL] accept = 80 connect = localhost:1433 ------------------------------------------------- As you can see, I tried to keep as close to the example file as I could. Looking forward to getting this to work and then to including ssl... Kind regards, Reinier.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users October 2008