stunnel-users August 2008

stunnel-users@stunnel.org

11 participants
17 discussions

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to scan and re-write the plaintext. For HTTP redirects it could possibly be implemented (re-write only the response before ^$, and redirects aren't chunked and don't have content lengths to work with, etc) but you'd still need enough HTTP logic to handle keepalives and such. It's not trivial and not likely. Another option would be to have something already HTTP aware doing the rewriting in between stunnel and subversion. A re-writing proxy. Another option would be to use mod_rewrite in apache to rewrite the urls. But the best way would be to just use SSL inside apache and drop stunnel entirely. -- Brian Hatch The best way to accelerate Systems and a Windows machine is at Security Engineer 9.8 meters per second http://www.ifokr.org/bri/ squared. Every message PGP signed

3 2

Starting stunnel automatically on OS X system startup
by Allen 02 Sep '08

02 Sep '08

Does anybody have a solution that will start up stunnel on OS X bootup? I've installed stunnel on a Leopard server (OS 10.4.5.4) to make a smtp SSL relay work (and it works fine). The problem is, we'd have to type in /opt/local/bin/stunnel on the command line every time the server is rebooted. Rather than having to create a /Library/ SystemStartup/diretory_structure_with_plist_etc., has somebody done this, and can lead me in the right direction, in the interest of time? I've just run out of time, and I kinda think that somebody must have done this already. Thanks! Allen

1 1

Re: [stunnel-users] failed to build stunnel 4.25 under VS 2005
by Michal Trojnara 29 Aug '08

29 Aug '08

On Fri, 29 Aug 2008 00:00:56 +0800, "Ericdai" <pcix133(a)hotmail.com> wrote: > I try to build Stunnel 4.25 under VS2005 ,but failed Today I updated stunnel, so it can be built with Visual C++ 2008 (known also as Visual C++ 9.0). My plan is to release stunnel 4.26 next week. > prototypes.h(428) : error C2081: 'socklen_t' : name in formal > parameter list illegal I had no problem with socklen_t. Maybe it's specific to the old version of Visual C++. > I also suggest build a windows client only version > n It only can be running on windows > n It only can act as a client > n I think it can reduce the code size and runtime footprice smaller Not really. The difference would be negligible. Best regards, Mike

1 0

failed to build stunnel 4.25 under VS 2005
by Ericdai 28 Aug '08

28 Aug '08

I try to build Stunnel 4.25 under VS2005 ,but failed cl -MD -W3 -Ox -O2 -Ob2 -Gs0 -GF -Gy -GL -nologo -I"..\..\ssl\inc32" -DUSE_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DHAVE_GETADDRINFO -DHAVE_GETNAMEINFO -D_MBCS /c stunnel.c stunnel.c prototypes.h(428) : error C2081: 'socklen_t' : name in formal parameter list illegal stunnel.c(206) : error C2065: 'socklen_t' : undeclared identifier stunnel.c(206) : error C2146: syntax error : missing ';' before identifier 'addrlen' stunnel.c(206) : error C2065: 'addrlen' : undeclared identifier I use nmake -f vc.mak to do it Anyone has build it successfully ,pls help me ! Another way ,is there a stunnel solution or project file ? I also suggest build a windows client only version n It only can be running on windows n It only can act as a client n I think it can reduce the code size and runtime footprice smaller Thanks and best regards Eric dai

1 0

Re: [stunnel-users] In chrooted environment system times defaults to UTC
by Ivan Lezhnjov Jr. 22 Aug '08

22 Aug '08

Friday 22 August 2008 you wrote: > I noticed that when running stunnel from within the jail it logs its > messages with syslong using UTC. > > My question is how would one reconcile timezone of chrooted stunnel with a > system one? > > The issue illustrated: > > Aug 22 12:29:40 xerxes stunnel: LOG5[26569:3083679424]: stunnel 4.17 on > i686-pc-linux-gnu with OpenSSL 0.9.8h 28 May 2008 > Aug 22 12:29:40 xerxes stunnel: LOG5[26569:3083679424]: Threading:PTHREAD > SSL:ENGINE Sockets:POLL,IPv4 > Aug 22 12:29:40 xerxes stunnel: LOG5[26569:3083679424]: 500 clients > allowed Aug 22 12:29:40 xerxes stunnel: LOG5[26570:3086773168]: 5101 > connected from 127.0.0.1:1469 > Aug 22 09:29:40 xerxes stunnel: LOG5[26570:3086773168]: VERIFY OK: > depth=0, /C=UA/ST=ARC/L=Simferopol/O=HOMELAB/CN=sega.localnet > > xerxes' localtime is GMT+3 and sega's too, but stunnel runs on sega in > chrooted environment and thus uses UTC (if it's not chrooted it reports > localtime to syslog facility). > > Any ideas? Jee that was simple! cp /etc/localtime /var/lib/stunnel/etc/ (on each machine where stunnel runs) and you're done :^) -- Ivan Lezhnjov Jr. Europe, Ukraine, Simferopol Running Source Mage GNU/Linux, kernel version 2.6.24 build #5 +----------------------------------------------------------------------+ Key ID 0x5811D90C Key Fingerprint 2A52 5C8C 38BE C04F D8DE A169 19E2 E49A 5811 D90C Use GPG Exercise Your Right To Privacy

1 0

In chrooted environment system times defaults to UTC
by Ivan Lezhnjov Jr. 22 Aug '08

22 Aug '08

I noticed that when running stunnel from within the jail it logs its messages with syslong using UTC. My question is how would one reconcile timezone of chrooted stunnel with a system one? The issue illustrated: Aug 22 12:29:40 xerxes stunnel: LOG5[26569:3083679424]: stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8h 28 May 2008 Aug 22 12:29:40 xerxes stunnel: LOG5[26569:3083679424]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Aug 22 12:29:40 xerxes stunnel: LOG5[26569:3083679424]: 500 clients allowed Aug 22 12:29:40 xerxes stunnel: LOG5[26570:3086773168]: 5101 connected from 127.0.0.1:1469 Aug 22 09:29:40 xerxes stunnel: LOG5[26570:3086773168]: VERIFY OK: depth=0, /C=UA/ST=ARC/L=Simferopol/O=HOMELAB/CN=sega.localnet xerxes' localtime is GMT+3 and sega's too, but stunnel runs on sega in chrooted environment and thus uses UTC (if it's not chrooted it reports localtime to syslog facility). Any ideas? -- Ivan Lezhnjov Jr. Europe, Ukraine, Simferopol Running Source Mage GNU/Linux, kernel version 2.6.24 build #5 +----------------------------------------------------------------------+ Key ID 0x5811D90C Key Fingerprint 2A52 5C8C 38BE C04F D8DE A169 19E2 E49A 5811 D90C Use GPG Exercise Your Right To Privacy

1 0

Certificates, Servers & Clients. Clarify this please.
by Ivan Lezhnjov Jr. 22 Aug '08

22 Aug '08

Now that I've read a bunch of articles and have seen a pile of examples of how pairs of a certificate and a private key can be created I must say they all suggest different approaches and techniques to creating certificates and ultimately bewildered me. Could anyone please explain as simply as possible, in layman's terms what exactly must be done? Let's talk about simple scenario with two hosts (A & B) involved, both running stunnel. Let us assume host A is the server and host B is the client. cert = CAfile = must be created. And we use verify level 3 (verify = 3) So, what exactly do we do now? And what happens in the dialog between these two machines? -- Ivan Lezhnjov Jr. Europe, Ukraine, Simferopol Running Source Mage GNU/Linux, kernel version 2.6.24 build #5 +----------------------------------------------------------------------+ Key ID 0x5811D90C Key Fingerprint 2A52 5C8C 38BE C04F D8DE A169 19E2 E49A 5811 D90C Use GPG Exercise Your Right To Privacy

1 0

Can't start stunnel (dies mysteriously)
by Ivan Lezhnjov Jr. 19 Aug '08

19 Aug '08

Hello there I run stunnel version 4.21 and openssl version 0.9.8h. In my setup I aim to create a tunnel to send log files through to a centralized loghost. Host A (loghost) runs Source Mage GNU/Linux (with stunnel 4.21, openssl 0.9.8h) and host B runs Slackware 11 system (with stunnel 4.17, openssl 0.9.8h). The problem is that stunnel starts on host B but won't start on host A. Here's the snippet of /var/log/messages that records stunnel start-up event: root@sega:/home/users/ilj % stunnel && tail /var/log/messages -n 3 Aug 19 16:17:37 sega stunnel: LOG5[29146:3082634944]: stunnel 4.21 on i686-pc-linux-gnu with OpenSSL 0.9.8h 28 May 2008 Aug 19 16:17:37 sega stunnel: LOG5[29146:3082634944]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Aug 19 16:17:37 sega stunnel: LOG5[29146:3082634944]: 500 clients allowed I've actually been trying to run stunnel for the first time ever so I don't really know if this output confirms that everything is alright but judging solely from what is put in log file it seems stunnel has started successfully. Unfortunately, this isn't quite true root@sega:/home/users/ilj % ps ax | grep stun 29618 pts/4 R+ 0:00 grep stun So, this is the problem I have. It doesn't start on host A. Host A has the following stunnel configuration: root@sega:/home/users/ilj % cat /etc/stunnel/stunnel.conf cert = /etc/stunnel/syslog-ng-server.pem CAfile = /etc/stunnel/syslog-ng-client.pem verify = 3 [5101] accept = 217.117.75.2:5101 connect = 127.0.0.1:1999 Host B sports a little bit different configuration file: root@xerxes:~ % cat /etc/stunnel/stunnel.conf client = yes cert = /etc/stunnel/syslog-ng-client.pem CAfile = /etc/stunnel/syslog-ng-server.pem verify = 3 [5101] accept = 127.0.0.1:1999 connect = 217.117.75.2:5101 On both hosts (A & B) I run stunnel standalone as root. > 4. Output of "stunnel -f -D 7 <your-parameters>". Erm.. it doesn't seem to work for me. There's no -D parameter according to man stunnel. The following information below is about host A only: root@sega:/home/users/ilj % stunnel -version stunnel 4.21 on i686-pc-linux-gnu with OpenSSL 0.9.8h 28 May 2008 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = 5 pid = /usr/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH key = /etc/stunnel/stunnel.pem session = 300 seconds sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none root@sega:/home/users/ilj % uname -a Linux sega 2.6.24 #5 SMP PREEMPT Wed May 7 18:22:29 EEST 2008 i686 GNU/Linux root@sega:/home/users/ilj % gaze from /usr/lib/libc.a glibc-2.7:/usr/lib/libc.a root@sega:/home/users/ilj % gcc -v Reading specs from /usr/lib/gcc/i686-pc-linux-gnu/4.2.3/specs Target: i686-pc-linux-gnu Configured with: /usr/src/gcc-4.2.3/configure --host=i686-pc-linux-gnu --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --enable-threads=posix --with-system-zlib Thread model: posix gcc version 4.2.3 root@sega:/home/users/ilj % gaze installed | grep openssl openssl:20080615:installed:0.9.8h -- Ivan Lezhnjov Jr. Europe, Ukraine, Simferopol Running Source Mage GNU/Linux, kernel version 2.6.24 build #5 +----------------------------------------------------------------------+ Key ID 0x5811D90C Key Fingerprint 2A52 5C8C 38BE C04F D8DE A169 19E2 E49A 5811 D90C Use GPG Exercise Your Right To Privacy

1 0

Disable libwrap at runtime?
by Jans, Kert 16 Aug '08

16 Aug '08

Hi, Is it possible to disable libwrap support at runtime? I've reviewed the archives and documentation and cannot determine if this is possible. I know it is possible to compile-out support for libwrap by using: configure --disable-libwrap Is compiling-out support the only way? I'd like to disable support in a pre-build version of stunnel. Regards, Kert

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users August 2008