July 2008 - stunnel-users

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 31 Jul '11

31 Jul '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to scan and re-write the plaintext. For HTTP redirects it could possibly be implemented (re-write only the response before ^$, and redirects aren't chunked and don't have content lengths to work with, etc) but you'd still need enough HTTP logic to handle keepalives and such. It's not trivial and not likely. Another option would be to have something already HTTP aware doing the rewriting in between stunnel and subversion. A re-writing proxy. Another option would be to use mod_rewrite in apache to rewrite the urls. But the best way would be to just use SSL inside apache and drop stunnel entirely. -- Brian Hatch The best way to accelerate Systems and a Windows machine is at Security Engineer 9.8 meters per second http://www.ifokr.org/bri/ squared. Every message PGP signed

3 2

Yahoo SSL
by Bernie Murciano 29 Jul '08

29 Jul '08

1 0

Re: [stunnel-users] help with stunnell
by Ludolf Holzheid 28 Jul '08

28 Jul '08

On Thu, 2008-07-24 23:37:22 -0700, vinodsreehari(a)yahoo.com wrote: > [..] > > I configured stnnel in one server as server mode ,for accepting > connection on 8070 ,and connect to 80 . It works only if i specify > https://ipaddress:8070 This is because the default port for https is 443. If you'd configure stunnel to accept on port 443, `https://ipaddress' would work. > I have configured one client server also to accept connection on 80 > and redirect to teh 8070 of server. I want to know that is that teh > way its working . If there is a stunnel instance on the client machine accepting connections on port 80 and connecting to the web server at the https port (default or not), a user could specify `http://localhost' to connect to the web server (and the traffic between the client machine and the server would be secured). > And is it possible to implement the same in a live enviroment ,in > which teh webserver will run on different port ,but users dont need > to specify the port number . Yes. As soon as the destination port for the 'first hop' of a redirected/tunneled connection is the default port for the protocol in question, there is no need to specify the port number. The port numbers of 'intermediate hops' are configuration options for the two stunnel instances (in this case), so the user dosn't have to care about them. HTH, Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid(a)bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------

1 0

Re: [stunnel-users] Wrong documentation
by Sandeep Kumar 24 Jul '08

24 Jul '08

On Thu, Jul 24, 2008 at 9:39 PM, Brian Hatch <bri(a)stunnel.org> wrote: > In the neigborhood of 2008-07-24 09:40 +0530, Sandeep Kumar mentioned: > > > Look at this page > http://www.stunnel.org/faq/stunnel.html#configuration_file > > In service level options section, under the explanation of "CRLpath" it > is > > said that all files in it should be of the form XXXXXXXX.0. But my > stunnnel > > setup worked only when i names as XXXXXXXX.r0 instead of XXXXXXXX.0. > > What version of openssl are you running? stunnel 4.15 with OpenSSL 0.9.8b > > > > -- > Brian Hatch "Have you asked Kirk if > Systems and he'd like the job?" > Security Engineer "You can't hide from me! > http://www.ifokr.org/bri/ I will find you. > > Every message PGP signed > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.1 (GNU/Linux) > > iD8DBQFIiKlFVkMj8/ymYEsRAmKxAJ9CTLp0Xi8n1VxdFup/kBUuZe6scwCfcvyu > WQG8BlfrUV8RcP31/ZUEbJk= > =EBgc > -----END PGP SIGNATURE----- > > -- Sandeep Kumar http://students.iiit.ac.in/~sandeep_kr

1 0

Help on configuring Stunnel
by Patel Dippen-CDP054 24 Jul '08

24 Jul '08

I downloaded the pre-compiled Windows version of Stunnel (stunnel-4.25-installer.exe). We need to deploy this on 2 machines A and B. The way it works is: - B connects to A - then A connects to B How should I configure Stunnel on machine A, since, in the first case A is the Server and in the 2nd scenario A becomes the Client. Questions on deploying Stunnel on machine A: - Can I run just 1 instance of Stunnel on machine A? It seems I cannot since I have to set the "client = yes" in the 2nd scenario - Do I need to run multiple instances, 1 running as the Server and the 2nd as the Client? Here is the config file I used on the machine A: **************************** cert = stunnel.pem socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [iPerfS] accept = 5010 connect = 127.0.0.1:5001 [iPerfS] accept = 5002 connect = 12.50.0.25:5020 **************************** Here is the config file I used on the machine B: **************************** cert = stunnel.pem socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [iPerfC] accept = 5001 connect = 12.50.0.26:5010 [iPerfS] accept = 5020 connect = 127.0.0.1:5002 **************************** Regards, Dippen

1 0

Stunnel 4.24 patch to allow stunnel to search for the OCSP responder within an X.509 certificate's AIA extension.
by Bruce Keats 24 Jul '08

24 Jul '08

Hi all, This patch also fixes a problem with stunnel accepting an "unknown" response as "good" and allows the connection to be setup. An OCSP responder can return one of three responses (good, revoked, unknown), however the code would accept "unknown" as good. This patch fixes that problem and treats an "unknown" response as a failure. Stunnel can query an OCSP responder to determine the revocation status of a certificate when stunnel is verifying the certificate. The code works great, however it is uses a preconfigured OCSP responder. The OCSP responder's IP/hostname is specified in the stunnel configuration file as a URI. I found this rather restrictive, so I added code to extract the OCSP responder's URI from the certificate. As per RFC 3280, one of the valid extensions for X.509 certificate is the Authority Information Access (AIA) where the "accessMethod" can be "is-ad-ocsp" to identify the OCSP responders location as per RFC2560. There can be more than one OCSP responder listed in the AIA because it is a sequence. Each location is queried in the order they appear within the certificate until either a "good" or "revoked" response is received. If an "known" response or a failure then the next OCSP responder is checked. If all OCSP responder queries result in failure then the validation also fails.. A new configuration option "OCSPaia" was added. If the "OCSPaia=yes" then the stunnel will look for the OCSP responder(s) within the certificate's AIA. The locally configured "OCSP=<url>" overrides the OCSPaia option. Bruce

1 0

Wrong documentation
by Sandeep Kumar 23 Jul '08

23 Jul '08

Look at this page http://www.stunnel.org/faq/stunnel.html#configuration_file In service level options section, under the explanation of "CRLpath" it is said that all files in it should be of the form XXXXXXXX.0. But my stunnnel setup worked only when i names as XXXXXXXX.r0 instead of XXXXXXXX.0. -- Sandeep Kumar http://students.iiit.ac.in/~sandeep_kr

1 0

help with stunnel port forwarding
by vinod bhasi 23 Jul '08

23 Jul '08

Hi, Please help me with stunnel port forwarding . My apache is running at port 8000 .I want this to be forwarded to 80 so that normal users dont need to specify the port number . Can anyone help me with the configuration in both client and server side .Im confused as stunnel wont run with same port used by apache. Any help will be appreciated Thanks in advancve Vinod Bhasi Did you know? You can CHAT without downloading messenger. Go to http://in.webmessenger.yahoo.com/

2 1

Re: [stunnel-users] stunnel-users Digest, Vol 48, Issue 13
by Patrick Dung 21 Jul '08

21 Jul '08

Message: 3 Date: Mon, 21 Jul 2008 11:34:22 +0200 From: Micha? Trojnara <Michal.Trojnara(a)mobi-com.net> Subject: Re: [stunnel-users] Problem with Solaris 10u5 x86 and Stunnel 4.25 To: stunnel-users(a)mirt.net Message-ID: <2a3f79f5f6dd65f2ced02b2e9929368b(a)mirt.net> Content-Type: text/plain; charset="UTF-8" http://stunnel.mirt.net/pipermail/stunnel-users/2008-June/002021.html Mike On Sat, 19 Jul 2008 01:53:17 -0700 (PDT), Patrick Dung <patrick_dkt(a)yahoo.com.hk> wrote: > Hi > > I use this to compile stunnel: > The gcc and openssl is from Solaris SFW. > > # export CC=/usr/sfw/bin/gcc > # ./configure --with-threads=pthread --with-ssl=/usr/sfw > --localstatedir=/var > > After installing and starting stunnel, I found there are mutiple stunnel > processes. > There is a PID file which store one of the stunnel process. > I have tried to kill that PID, stunnel is bring down. > But there other stunnel processes running. > > Any ideas? > > Regards > Patrick > > > > > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)mirt.net > http://stunnel.mirt.net/mailman/listinfo/stunnel-users I see. Thanks for reply. Yesterday, I have tried to compile stunnel with Sun Studio. It got problem linking with libwrap, so I turned off libwrap support. And it compile (without knowing there is a libwrap patch) and there is only one single running stunnel process. Regards Patrick

1 0