April 2008 - stunnel-users

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 31 Jul '11

31 Jul '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to scan and re-write the plaintext. For HTTP redirects it could possibly be implemented (re-write only the response before ^$, and redirects aren't chunked and don't have content lengths to work with, etc) but you'd still need enough HTTP logic to handle keepalives and such. It's not trivial and not likely. Another option would be to have something already HTTP aware doing the rewriting in between stunnel and subversion. A re-writing proxy. Another option would be to use mod_rewrite in apache to rewrite the urls. But the best way would be to just use SSL inside apache and drop stunnel entirely. -- Brian Hatch The best way to accelerate Systems and a Windows machine is at Security Engineer 9.8 meters per second http://www.ifokr.org/bri/ squared. Every message PGP signed

3 2

Verify=3 restart needed ?
by Edouard Dessioux 29 Apr '08

29 Apr '08

Hi everyone, Sorry for the repost, but in the web mailing list, my previous message appears weird, so I thought I could re-post it. I'm using stunnel v4.16 on a Windows 2003 Server, and I'm working with stunnel in verify=3 mode. I wanted to know if the stunnel needs to be restarted after a certificates has been removed ? If not, how long is the certificate considered valid after the file has been removed ? Regards, Edouard DESSIOUX Directeur de Projets Tibco Mobile 3, rue Danton - 92240 Malakoff Tél : +33 (0)1 55 58 04 59 - Fax : +33 (0)1 55 58 03 89 - Mob. +33 (0)6 34 02 61 54 E-mail : edessioux(a)tibco.fr - www.tibcomobile.fr Faites un geste pour la planète, n'imprimez ce message que si nécessaire.

3 3

to use certificate and key file in another machine
by Xiaoming Dong 29 Apr '08

29 Apr '08

Stunnel Version 4.2.1 Run in windows 2k3 When I configured stunnel to use cert from another windows machine (I already mapped the drive to this machine). Restarting stunnel got following error: 2008.04.29 10:01:32 LOG7[3568:1792]: Snagged 64 random bytes from C:/.rnd 2008.04.29 10:01:32 LOG7[3568:1792]: Wrote 1024 new random bytes to C:/.rnd 2008.04.29 10:01:32 LOG7[3568:1792]: RAND_status claims sufficient entropy for the PRNG 2008.04.29 10:01:32 LOG7[3568:1792]: PRNG seeded successfully 2008.04.29 10:01:32 LOG3[3568:1792]: V:\Program Files\client_cert\private\client_key.pem: No such process (3) 2008.04.29 10:01:32 LOG3[3568:1792]: Server is down Does anybody have any clue? Thanks, -Xiaoming ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

Will fwknop work?
by richard.woodman＠cox.net 29 Apr '08

29 Apr '08

If I understand the question correctly, isn't this what "port knocking" or single packet authorization (e.g. fwknop) is supposed to do? I have used fwknop and SSH in our lab, but only with Linux and iptables. However, I think fwknop is supposed to interface with more than just iptables on the local box (meaning you would not have to use a Linux box to replace your current firewall). I think you can use fwknop to monitor syslog and parse for specific events and then open the port. In other words, your current firewall reports to your syslog server and fwknop parses the log file for the security event associated with the reception of a SPA packet on your outside interface. Fwknop then sends your firewall (through a script?) whatever command is required to open the port you want and redirect it to the appropriate inside machine (or you could simply enable / disable a preconfigured rule). I am not a scripting guru so I may be WAY off base here and if I am, I apologize for leading you astray. Anyway, you might want to check out the following: http://cipherdyne.org/fwknop/ --> FireWall KNock Operator home page http://fwknop.darwinports.com/ --> OS X fwknop client There is also a Windows UI version that is supposed to create SPA packets without using fwknop / PERL or running under Cygwin but I have not used that. Richard On 4/29/08 7:50 PM, "jz(a)ellingtongeologic.com" <jz(a)ellingtongeologic.com> wrote: > > Good Morning Mike: > > I had a question and sent to the list (it might have not gone thru) The > question was that: is it possible for stunnel to go to the router, for > example, 10.10.1.1, to scan for a port of interest and see whether there is a > request thru that port? so the nat router would not have to forward the port > to the stunnel of my local machine, e.g. 10.10.1.188, on which stunnel is > listening for port 8888 and will relay it to 5631 of the local program. > > Thanks

1 0

how to enable TLS?
by Zhang Weiwu 25 Apr '08

25 Apr '08

Dear all I just configured stunnel for pop+ssl which works fine. What I want is actually smtp+tls. Is there a way to do so? I tried to configure thunderbird to access the port stunnel is listening to, with TLS. Then I got "Connectioin to xxx.xxx.xxx timed out". Best regards -- Real Softservice Huateng Tower, Unit 1788 Jia 302 3rd area of Jinsong, Chao Yang Tel: +86 (10) 8773 0650 ext 603 Mobile: 135 9950 2413 http://www.realss.com

1 0

Query regarding stunnel performance
by Arati.Kumar＠ubs.com 25 Apr '08

25 Apr '08

Hi, Does anyone know if there are any known issue with stunnel 4.05 and oracle 10g (especially in retrieving blobs) ? . Our application uses stunnel to communicate with oracle database. We are currently experiencing massive performance degradation after upgrading oracle from 9i to 10g (almost 6 times slower from what it was in 9i). Our application stores some data in blobs this seems to be the root cause of slower performance. Pls can someone let me know if there are any known issues with stunnel and 10g blob retrieving ? Also If an upgrade is recommended, which is the stable version we must be switching to? Thanks, Ararti Visit our website at http://www.ubs.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mails are not encrypted and cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. UBS Limited is a company registered in England & Wales under company number 2035362, whose registered office is at 1 Finsbury Avenue, London, EC2M 2PP, United Kingdom. UBS AG (London Branch) is registered as a branch of a foreign company under number BR004507, whose registered office is at 1 Finsbury Avenue, London, EC2M 2PP, United Kingdom. UBS Clearing and Execution Services Limited is a company registered in England & Wales under company number 03123037, whose registered office is at 1 Finsbury Avenue, London, EC2M 2PP, United Kingdom.

1 0

Linux FIPS compile libary question
by Joe Kemp 23 Apr '08

23 Apr '08

I am compiling stunnel on Centos 5 that has a regular Openssl 0.9.8b rpm installed. I have put my FIPS openssl in /usr/local/sslfips112. Configure with: ./configure --with-ssl=/usr/local/sslfips112 --enable-fips --disable-libwrap Make's linker line: /bin/sh ../libtool --tag=CC --mode=link FIPSLD_CC=gcc /usr/local/sslfips112/bin/fipsld -g -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith -I/usr/local/sslfips112/include -lldap -o stunnel file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o auth.o pty.o libwrap.o -lz -ldl -lutil -lnsl -lpthread -L/usr/local/sslfips112/lib -lssl -lcrypto FIPSLD_CC=gcc /usr/local/sslfips112/bin/fipsld -g -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith -I/usr/local/sslfips112/include -o stunnel file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o auth.o pty.o libwrap.o -lldap -lz -ldl -lutil -lnsl -lpthread -L/usr/local/sslfips112/lib -lssl -lcrypto This builds a stunnel that seems to run fine. During startup it says "stunnel is in FIPS mode." But if I run "ldd stunnel" it shows it needs /lib/libssl.so.6. While stunnel is running lsof shows it has that library open also. Why does my FIPS stunnel build still use the 0.9.8b shared library? Shouldn't all of the ssl dependencies been handled by the static FIPS openssl library during linking? The same issue exists for libcrypt.

4 6

stunnel wildcard question
by neve_capricorn＠gmx.de 17 Apr '08

17 Apr '08

hi, iam pulling my hair out with an wildcard ssl certificate / stunnel configuration. i use stunnel 4.2.2 and latest openSSL release. i have a signed wildcard certificate from comodo. when i add the .crt, .key and .ca-bundle file into an apache configuration, everything work fine in firefox and ie. when i try to use stunnel with the same certificates i got problems in firefox when i disable ; Authentication stuff ; verify =1 and when i set verify=1 i got problems in IE .7 (a dialog box pops and ask for identification the certificates). can someone maybe help me out,please? a demo is here: https://ssl1.medialib.de (works fine in firefox) https://ssl1.medialib.de (problem in IE7) thank you very much & best gary

1 0

Verify=3 cache expiration
by Edouard Dessioux 15 Apr '08

15 Apr '08

Hi everyone, I'm using stunnel v4.16 on a Windows 2003 Server, and I'm working with stunnel in verify=3 mode. I wanted to know if the stunnel needs to be restarted after a certificates has been removed ? If not, how long is the cache expiration delay before being taken into account ? Regards, Edouard DESSIOUX Directeur de Projets Tibco Mobile 3, rue Danton - 92240 Malakoff Tél : +33 (0)1 55 58 04 59 - Fax : +33 (0)1 55 58 03 89 - Mob. +33 (0)6 34 02 61 54 E-mail : edessioux(a)tibco.fr - www.tibcomobile.fr Faites un geste pour la planète, n'imprimez ce message que si nécessaire.

1 0