May 2008 - stunnel-users

stunnel and OCSP verification: strange behaviour
by Andreas Ntaflos 19 May '08

19 May '08

Hi list, [My apologies, I accidentally tried to send this message to stunnel-announce earlier.] I have a quick question regarding the use of stunnel with verification against an OCSP responder. I am using stunnel 4.20 and (for testing) 4.23 but I don't see any difference in the behaviour of both. The main problem is that stunnel accepts and establishes connections from clients even if those clients had their certificates revoked and the OCSP responder correctly informs stunnel about it. Consider the following configuration: foreground = yes CAfile = /path/to/cacert.pem cert = /path/to/stunnel_cert.pem key = /path/to/stunnel_key.pem debug = 7 [clientauth] accept = localhost:43434 connect = localhost:43433 verify = 2 OCSP = http://localhost:43435 The OCSP responder runs on localhost:43435 as you can see. Client verification is enabled. Using openssl to manually check against the responder works fine: openssl ocsp -issuer cacert.pem -CAfile cacert.pem -url \ http://localhost:43435 -cert revoked_cert.pem Response verify OK /path/to/revoked_cert.pem: revoked This Update: May 15 15:38:46 2008 GMT Next Update: May 15 17:04:32 2008 GMT Revocation Time: May 15 15:38:26 2008 GMT The relevant portion of stunnel's debug output looks like this: [...] Starting OCSP verification FD 8 in non-blocking mode connect_wait: waiting 10 seconds connect_wait: connected OCSP server connected FD 8 in blocking mode FD 8 in non-blocking mode OCSP response received OCSP verification passed: status=0, reason=-1208427072 VERIFY OK: depth=1, /CN=The CA/C=AT/ST=SomeState/L=SomeCity/O=The \ Organisation/emailAddress=camaster(a)the-organisation.invalid Starting OCSP verification FD 8 in non-blocking mode connect_wait: waiting 10 seconds connect_wait: connected OCSP server connected FD 8 in blocking mode FD 8 in non-blocking mode OCSP response received OCSP verification passed: status=1, reason=-1 VERIFY OK: depth=0, /C=AT/ST=SomeState/O=The Organisation/CN=this is a \ revoked cert SSL state (accept): SSLv3 read client certificate A [...] As far as I can see the OCSP verification works fine here, too, and at depth 0 stunnel finds the certificate to have been revoked (status=1 indicates that, I believe). The connection, however, is not rejected. Is there any way to have stunnel reject the connection when the client certificate has been revoked? Where would I configure this? The only way I have found yet was to patch src/verify.c but surely there must be a more convenient approach to this? On a related matter: if stunnel cannot and will not reject the connection upon a negative response from the OCSP, what would be the best way to script stunnel so that it rejects such a connection? I am asking because I am in the process of writing a few Python scripts that incorporate stunnel to aid in testing of some SSL-speaking components. Such a client component without a valid, non-revoked certificate must not be able to connect. I mean what good is OCSP verification if the result of the process, i.e. the responders answer "the certificate is valid" or "the certificate is no longer valid" doesn't matter to stunnel? Am I missing the point somewhere? I'd appreciate any insights on this. Kind regards, Andreas -- Andreas "daff" Ntaflos Vienna, Austria GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4

2 2

Reg:IPV6 support on stunnel
by Sandhya 14 May '08

14 May '08

> Stunnel version: > stunnel 4.09 on armv5tejl-unknown-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with > OpenSSL 0.9.7e 25 Oct 2004 > > My conf file Information: > cert = /usr/local/www/certs/server.pem > key = /usr/local/www/certs/privkey-server.pem > pid = /var/run/stunnel_kvm.pid > client = no > socket = l:TCP_NODELAY=1 > socket = r:TCP_NODELAY=1 > socket = a:TCP_NODELAY=1 > [ms] > accept = 1234 > connect = 1236 > > Please find the Config.log file attached. > > Please let me know if any other information is needed or you want me try > some commands on stunnel. > > Thanks for the help > > Sandhya R > > ----- Original Message ----- > From: "Michal Trojnara" <Michal.Trojnara(a)mobi-com.net> > To: <stunnel-users(a)mirt.net> > Sent: Wednesday, May 14, 2008 7:06 PM > Subject: Re: [stunnel-users] Reg:IPV6 support on stunnel > > >> >> Sandhya wrote: >> >>> I have enabled IPV6 ip When my client tries to connect to my ipv6 ip and >>> the port(stunnel listens) where my it is listening...Its failed to >>> connect. >> >> Please send us: >> - the output of "stunnel -version", >> - your stunnel.conf file, >> - your debug level logs. >> >> Best regards, >> Mike >> >> _______________________________________________ >> stunnel-users mailing list >> stunnel-users(a)mirt.net >> http://stunnel.mirt.net/mailman/listinfo/stunnel-users >> >

1 1

Fw: Reg:IPV6 support on stunnel
by Sandhya 14 May '08

14 May '08

----- Original Message ----- From: Sandhya To: stunnel-users(a)mirt.net Sent: Wednesday, May 14, 2008 6:43 PM Subject: [stunnel-users] Reg:IPV6 support on stunnel Hi, I am newbie to stunnel.As mentioned in some of your posts i just gone through ..how to enable ipv6 support. While configuring i did the same by giving the following command. ./configure --enable-ipv6 make make install and i ran stunnel which listens at some port and i have my own server which listens for stunnel. I have enabled IPV6 ip When my client tries to connect to my ipv6 ip and the port(stunnel listens) where my it is listening...Its failed to connect. Could you please throw some light on how to enable IPV6 support for stunnel apart from what i tried. Thanks in advance Sandhya -------------------------------------------------------------------------------- _______________________________________________ stunnel-users mailing list stunnel-users(a)mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users

1 0

Reg:IPV6 support on stunnel
by Sandhya 14 May '08

14 May '08

Hi, I am newbie to stunnel.As mentioned in some of your posts i just gone through ..how to enable ipv6 support. While configuring i did the same by giving the following command. ./configure --enable-ipv6 make make install and i ran stunnel which listens at some port and i have my own server which listens for stunnel. I have enabled IPV6 ip When my client tries to connect to my ipv6 ip and the port(stunnel listens) where my it is listening...Its failed to connect. Could you please throw some light on how to enable IPV6 support for stunnel apart from what i tried. Thanks in advance Sandhya

1 0

Reg:IPV6 support on stunnel
by Sandhya 13 May '08

13 May '08

Hi, I am newbie to stunnel.As mentioned in some of your posts i just gone through ..how to enable ipv6 support. While configuring i did the same by giving the following command. ./configure --enable-ipv6 make make install and i ran stunnel which listens at some port and i have my own server which listens for stunnel. I have enabled IPV6 ip When my client tries to connect to my ipv6 ip and the port(stunnel listens) where my it is listening...Its failed to connect. Could you please throw some light on how to enable IPV6 support for stunnel apart from what i tried. Thanks in advance Sandhya

1 0

Re: [stunnel-users] HTTPS connections aborted
by Matthias Kellermann 08 May '08

08 May '08

Hi Aleksandar, Aleksandar Lazic wrote: > The timing events at 6st position. > > http://haproxy.1wt.eu/download/1.3/doc/haproxy-en.txt > > > --- > 4.2.3) Timing events > -------------------- > . > . > . > > Other cases ('xx' means any value to be ignored) : > -1/xx/xx/xx/Tt: the client was not able to send its complete request > in time, > or that it aborted it too early. > Tq/-1/xx/xx/Tt: it was not possible to process the request, maybe because > servers were out of order. > Tq/Tw/-1/xx/Tt: the connection could not establish on the server. > Either it > refused it or it timed out after Tt-(Tq+Tw) ms. > Tq/Tw/Tc/-1/Tt: the server has accepted the connection but did not > return a > complete response in time, or it closed its connexion > unexpectedly, after Tt-(Tq+Tw+Tc) ms. thanks, I'll have a look at it. -Matthias

1 0

Feature request - verify fall-back
by Sudhaker Raj 08 May '08

08 May '08

Hi Team, I wish to use stunnel for following use-case (to create a highly-protected website which can be accessed only using a valid client-cert). gateway.example.com:443 -> public.example.com:80 (when client-cert verification fails) gateway.example.com:443 -> intranet.example.com:80 (when client-cert verification ok - normally hidden from public) As of now stunnel simply drops the connection when service is configured to verify the client certificate and verification fails. Is it possible to add a fall-back connect when verification fails. [protected-web] verify=3 accept=443 connect=intranet.example.com:80 noverify=public.example.com:80 I guess it will be a nice addition to stunnel's feature list. Thanks, Sudhaker

3 3

launch stunnel server daemon from php?
by Wesley Kenzie 05 May '08

05 May '08

I am having problems launching stunnel from a php "exec" command. I would like to have it launch as a server daemon and then have the exec command return control to the php script. The best I have been able to do is launch it in foreground with a command like "/usr/local/bin/stunnel /etc/stunnel/test.conf &" but control never returns to the php script. I do not want to use inetd mode, and would prefer to specify command line arguments, but I see they are no longer available in version 4. Any ideas? . . . . . Wesley Kenzie wkenzie(a)gmail.com

2 2

HTTPS connections aborted
by Matthias Kellermann 05 May '08

05 May '08

Hi list, I've set up a loadbalancer with haproxy and I'm using stunnel to have HTTPS on the loadbalancer. Every connection on port 443 is forwarded by stunnel to port 80 where haproxy listens. Some facts: FreeBSD 6.2 i386 stunnel 4.22 OpenSSL 0.9.7e-p1 gcc version 3.4.6 [FreeBSD] 20060305 Here is my stunnel.conf: sslVersion = all chroot = /var/tmp/stunnel setuid = stunnel setgid = nogroup pid = /stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 3 [https] cert = /usr/local/etc/stunnel/ssl/mycert.pem accept=localip:443 connect=localip:80 Some of my customers using HTTPS are claiming about aborted connections with MS Internet Explorer. They get a message about "secure and unsecure objects on this site, proceed?". When clicking yes they get a IE error message: "site not found". (Sorry, I don't know the exact english error message because customers use german version of IE). Of course there are only HTTPS objects on the page. In my logs I've lot of these entries: SSL_accept: Peer suddenly disconnected From time to time I'll get this error: SSL_read: Connection reset by peer (54) or: SSL_read: Operation timed out (60) or: SSL_write: Broken pipe (32) At the moment I have no idea where these errors come from and if they really belong to the error the customer gets with his IE browser. Any ideas what could cause these error messages? Thanks in advance, Matthias

2 1

Stunnel <=> p2p
by mluft 05 May '08

05 May '08

Hi, i just started working with stunnel, and i'm really impressed! But i've got 2 questions: * How is it realized, that a setup like this: accept = 15000 connect = 16000 also encrypts the reply of the app which listens on port 16000? Is there a kind of masquerading? * I think of a tool like tsocks or socksify: "tsocks application" redirects all traffic from application over an socks proxy. Is it possible to realize such a redirection with stunnel? So that all outgoing traffic of an application gets encrypted? I know that i can build point-to-point tunnels, but that's not possible for my scenario... Thanks & Cheers, Matthias

1 0