November 2008 - stunnel-users

Connection rejected: too many clients (>=500)?
by Chris Charman 18 Nov '08

18 Nov '08

Hey folks -- Can anyone tell me where the max number of clients is configured in 4.21? I'm running okay for a while, but then I end up with repeated messages as below in the logs: 2008.11.18 19:13:33 LOG7[26491:46912520933328]: https accepted FD=512 from xx.xx.xx.xx:xxxxx 2008.11.18 19:13:33 LOG4[26491:46912520933328]: Connection rejected: too many clients (>=500) 2008.11.18 19:13:33 LOG7[26491:46912520933328]: https accepted FD=512 from xx.xx.xx.xx:xxxxx 2008.11.18 19:13:33 LOG4[26491:46912520933328]: Connection rejected: too many clients (>=500) 2008.11.18 19:13:33 LOG7[26491:46912520933328]: https accepted FD=512 from xx.xx.xx.xx:xxxxx 2008.11.18 19:13:33 LOG4[26491:46912520933328]: Connection rejected: too many clients (>=500) [...] I've only seen reports of this problem, but no solution. Anyone out there who can help? Thanks in advance! -Chris ------------- Config below ----------------- ulimit unlimited stunnel -version stunnel 4.21 on x86_64-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = 5 pid = /var/run/stunnel4.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH key = /etc/stunnel/stunnel.pem session = 300 seconds sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none uname -a Linux domU-12-31-39-01-61-B2 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64 GNU/Linux stunnel -sockets Socket option defaults: Option Accept Local Remote OS default SO_DEBUG -- -- -- 0 SO_DONTROUTE -- -- -- 0 SO_KEEPALIVE -- -- -- 0 SO_LINGER -- -- -- 0:0 SO_OOBINLINE -- -- -- 0 SO_RCVBUF -- -- -- 87380 SO_SNDBUF -- -- -- 16384 SO_RCVLOWAT -- -- -- 1 SO_SNDLOWAT -- -- -- 1 SO_RCVTIMEO -- -- -- 0:0 SO_SNDTIMEO -- -- -- 0:0 SO_REUSEADDR 1 -- -- 0 SO_BINDTODEVICE -- -- -- -- IP_TOS -- -- -- 0 IP_TTL -- -- -- 64 TCP_NODELAY -- -- -- 0 gcc -v Using built-in specs. Target: x86_64-linux-gnu Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu Thread model: posix gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7) openssl version OpenSSL 0.9.8g 19 Oct 2007

2 2

Re: [stunnel-users] Cannot connect to SBC/yahoo to send (or telnet)
by James Moe 18 Nov '08

18 Nov '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/18/08 10:17 am, James Moe wrote: > Hello, > Stunnel v4.20. > When connecting to SBC/Yahoo, the session is terminated > with a "bad certificate" message. See the log below. The tech folks claim > all is well at their end. > Is there something I am missing here? > Here is the conf file: > My apologies. I lost control of the email program and it sent this message here instead of to a local host. - -- jimoe (at) sohnen-moe (dot) com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (OS/2) iD8DBQFJIvmqzTcr8Prq0ZMRAsb2AJ9ROwt9FH4GpfyNWQ020rpGmC7K/wCdGhdW Bs96qyJjjXSA9d+AwVktAac= =+UNT -----END PGP SIGNATURE-----

1 0

Proxy support
by Reinier van der Gugten 18 Nov '08

18 Nov '08

Oops.. That's exactly what I meant... However What is the correct configuration in that case? E.g. I want to connect to an external location at: Myserver.com:443 The proxy is at: CustomerProxy:8080 And my application runs at the customer talking to: localhost:1433 The proxy does not require authentication. Looking at the docuemtation you linked me I found this example: CONNECT server.example.com:80 HTTP/1.1 Host: server.example.com:80 Proxy-Authorization: basic aGVsbG86d29ybGQ= Using my addresses, where goes what? CONNECT CustomerProxy:8080 HTTP/1.1 Host: Myserver.com:443 // Proxy-Authorization: basic aGVsbG86d29ybGQ= Kind regards, Reinier -----Original Message----- From: stunnel-users-bounces(a)mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Michal Trojnara Sent: vrijdag 14 november 2008 15:04 To: stunnel-users(a)mirt.net Subject: Re: [stunnel-users] Proxy support On Fri, 14 Nov 2008 14:53:20 +0100, "Reinier van der Gugten" <info(a)rgit.eu> wrote: > Has someone got a working version of STunnel that can handle a proxy? Do you mean client mode CONNECT protocol support (RFC 2817 section 5.2)? http://www.ietf.org/rfc/rfc2817.txt It's supported in stunnel since version 4.15 (released 2006.03.11). Best regards, Mike _______________________________________________ stunnel-users mailing list stunnel-users(a)mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users

1 1

Re: [stunnel-users] Help - Getting stunnel compiled on windows and using a patch
by Reinier van der Gugten 14 Nov '08

14 Nov '08

Thanks so mucht for this information! I had to make the folowing changes as well: Set the Compile with common language runtime to: No common language runtime support for each .h file If I do that, the error: Command line error D8045: cannot compile C file 'src\client.c' with the /clr option disappears (Next I got an error in the resouce.rc file with the LTEXT VERSION... So I // that out) Next I get about 121 errors, like: Error LNK2001: unresolved external symbol _main ... symbol _num_clients etc. Any ideas? Kind regards, Reinier ________________________________ From: DMILE525 [mailto:dmile525@gmail.com] Sent: donderdag 13 november 2008 23:23 To: Reinier van der Gugten Subject: Re: [stunnel-users] Help - Getting stunnel compiled on windows and using a patch on Windows: install Win32 OpenSSL http://www.slproweb.com/products/Win32OpenSSL.html <wlmailhtml:{86BCE398-B6B8-40AD-8A3D-BE759753A203}mid://00000009/!x-usc: http://www.slproweb.com/products/Win32OpenSSL.html> install VS2008 (I'm using free VS2008 C++ Express Edition http://www.microsoft.com/express/download/ <wlmailhtml:{86BCE398-B6B8-40AD-8A3D-BE759753A203}mid://00000009/!x-usc: http://www.microsoft.com/express/download/> ) The first thing to do (assuming a default installation of 'C:\OpenSSL') is to go to 'C:\OpenSSL\lib\VC' and copy all of the files to your Visual C++ 'lib' directory. This directory is sometimes located in a somewhat cryptic location such as 'C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\lib' or 'C:\Program Files\Microsoft Visual Studio 9.0\VC\lib'. Next, copy everything in the 'C:\OpenSSL\include' directory to your Visual C++ 'include' directory. create new empty project add to project: stunnel.c ssl.c ctx.c verify.c file.c client.c protocol.c sthreads.c log.c options.c network.c resolver.c gui.c common.h prototypes.h resources.h stunnel.ico resources.rc "Configuration properties -> Linker -> input -> additional properties" add wsock32.lib ssleay32.lib libeay32.lib "Configuration properties -> General -> character set" set "Use Multi-Byte Character Set" in common.h after #ifndef COMMON_H #define COMMON_H add #define USE_WIN32 #define _CRT_SECURE_NO_DEPRECATE #define _CRT_NONSTDC_NO_DEPRECATE //#define HAVE_GETADDRINFO //#define HAVE_GETNAMEINFO #ifndef _MBCS #define _MBCS #endif #define VERSION "4.26" #if defined _M_IX86 #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"") #elif defined _M_IA64 #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='ia64' publicKeyToken='6595b64144ccf1df' language='*'\"") #elif defined _M_X64 #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"") #else #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"") #endif On Wed, Nov 12, 2008 at 6:50 PM, Reinier van der Gugten <info(a)rgit.eu> wrote: Hello, I am trying to compile STunnel. I'd rather not, but the pre-compiled version does not support a proxy server. So I hop you will be able to help me, or point me to a good howto on how to compile stunnel using windows and a patch from the patch-list. Or does someone have a compiled (windows) version with proxy support? If so, please mail it to me. Or tell me where to find more detailed information pls. - Next thing I will try is to install linux on a computer in order to try it that way... Greetings, Reinier. _______________________________________________ stunnel-users mailing list stunnel-users(a)mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users

2 2

Strange CRL verification behaviour
by Christophe Nanteuil 03 Nov '08

03 Nov '08

With stunnel 4.26 (or ealier), in order to verify revocation of clients' certificates, I use this configuration file : -------------------8<------------------ CAfile=/etc/ssl/stunnel/ca_certs.pem CRLfile=/etc/ssl/stunnel/crl.pem cert=/etc/ssl/stunnel/server.pem key=/etc/ssl/stunnel/server.key sslVersion=TLSv1 verify=2 [WEB] accept=8080 connect=127.0.0.1:3128 ------------------->8------------------ 1/ If there is no CRLfile when stunnel starts, stunnel dies and logs show "Failed to load /etc/ssl/stunnel/crl.pem revocation lookup file" -> ok. 2/ If the CRLfile is correct, stunnel starts. When the CRL expires, stunnel rejects any new connection. Logs then show : " Found CRL is expired - revoking all certificates until you get updated CRL" -> ok 3/ If the CRLfile is not a valid CRL, stunnel starts and ignores the CRLfile. Then, for any new connection, logs show "CRL: verification passed". -> NOT ok, IMO. examples of wrong CRLs : a CRL issued by an unknown CA or a certificate in the PEM format. This can happen when the CRL expires (soon) and the administrator puts a "new one" but misfits files. He then restarts stunnel, which works. This behaviour can be annoying because the logs of CRL are now in level 6 (INFO) and not any more in level 5 (NOTICE). My configuration was in debug=5 and logs showed only "CRL: verification passed", I could not determine what CRL was really used. I propose the attached patch to modify behaviour in case 3/, ie if no CRL corresponding to the issuer of each certificate of the chain is found : - reject connection if CRLdir or CRLfile was specified in the config file - accept connection but warn in logs if the use of CRL was not explicitly set in the config file. NB : the source code of function "crl_check" shows "/* based on BSD-style licensed code of mod_ssl */". I looked into the code of "mod_ssl-2.8.31-1.3.41" (file pkg.sslmod/ssl_engine_kernel.c, line 1601-1769) and there is actually the same behaviour. -- Christophe Nanteuil

1 0