stunnel-users July 2009

stunnel-users@stunnel.org

8 participants
10 discussions

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to scan and re-write the plaintext. For HTTP redirects it could possibly be implemented (re-write only the response before ^$, and redirects aren't chunked and don't have content lengths to work with, etc) but you'd still need enough HTTP logic to handle keepalives and such. It's not trivial and not likely. Another option would be to have something already HTTP aware doing the rewriting in between stunnel and subversion. A re-writing proxy. Another option would be to use mod_rewrite in apache to rewrite the urls. But the best way would be to just use SSL inside apache and drop stunnel entirely. -- Brian Hatch The best way to accelerate Systems and a Windows machine is at Security Engineer 9.8 meters per second http://www.ifokr.org/bri/ squared. Every message PGP signed

3 2

[patch] Redirect to a fake destination if client's certificate couldn't be verified
by Jeremie Le Hen 29 Jul '09

29 Jul '09

Hi list, I've written a patch to bring in the following directives: - evilconnect - evilexec/evilexecargs The idea is when stunnel works in server mode and is asked to verify the client's certificate, it normally shuts the connection down when the latter is invalid. With these options, when the certificate can't be verified, stunnel redirects the "evil" connection to another destination. What is the purpose of this new feature ? For instance, if your company does not allow SSH connections out, you may use the following configuation: % connect = yourdomain.com:22 % evilconnect = www.yourdomain.com:80 So you will access your SSH server with your valid user certificate. On the other hand, if an over-zealous sneaky admin looks at the proxy logs and tries to connect to your stunnel, it will be redirected to an uninteresting website ;). Here is the documentation: % evilconnect = [host:]port % connect to a remote host:port when the client's certificate cannot % be verified % % This is only meaningful in server mode when connect and verify are % used. Otherwise it has the same properties as the connect option. % % evilexec = executable_path (Unix only) % execute local inetd-type program when the client's certificate can- % not be verified % % This is only meaningful in server mode when exec and verify are % used. Otherwise it has the same properties as the exec option. % % execargs = $0 $1 $2 ... (Unix only) % arguments for evilexec including program name ($0) % % Quoting is currently not supported. Arguments are separated with % arbitrary number of whitespaces. I'd like to thank Mathieu CHOUQUET-STRINGER who actually had this very good idea and implemented a proof of concept code with GnuTLS. Also, thank to Vin0x64 <vincent vin0x64 fr> who tested this patch and verified that it works. Looking forward for your remarks... thanks! Best regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org >

1 1

Stunnel listen on different ports
by Noel Sanchez 21 Jul '09

21 Jul '09

I have had a working stunnel conf for much time, very happy with it. [stunnel] accept = 0.0.0.0:30000 connect = 192.168.27.102:8000 I have stunnel listening on port 30000 and then sending to 192.168.27.102 on port 8000. Works good. I now want to add more listening ports to stunnel, like so: [stunnel] accept = 0.0.0.0:30000 connect = 192.168.27.102:8000 accept = 0.0.0.0:30006 connect = 192.168.27.102:8006 When I do this, stunnel only binds to 30006, per my log file: stunnel bound to 0.0.0.0:30006 And when I do a netstat -vatn: tcp 0 0 0.0.0.0:30006 0.0.0.0:* LISTEN It is not listening on port 30000 anymore. I'd like to accepts connections on many different ports, then send accordingly. Can I do this? Why does stunnel only listen to one port when I add more accept lines in its config? Noel

2 2

Re: [stunnel-users] using webdav: YES IT WORKS WITH NET USE
by delaage.pierre＠free.fr 18 Jul '09

18 Jul '09

Well after some more tests I achieve net use to work: UseBasicAuth is VITAL on the xp client (reboot) Accordingly configure apache with basic plain text auth stunnel routing localhost:80 to remote:443 (as you did) to pass your credentials use EXACTLY this command line : net use y: \\localhost\davfolder (with no extra \) YOURPASSWORD /USER:YOURUSERNAME (this in the only way to have hhtp credentials sent to the server). tested on client: xpsp2 + kb892211 + kb911927 (IMPORTANT ALSO, needs reboot) + stunnel 427 and server apache 2.2.6/Mandriva 2008. kb907306 replaces 892211, but I have not tested with it (I think it should work). If you cannot achieve it to work please let me know the exact error message you receive from windows. Again your problem is only related to windows issue, not stunnel. Pierre Quoting Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > yes, i am the admin. have pulled it back to basic auth. > okay i have installed Webfldrs-KB907306-ENU.exe and checked for its listing > in systemcontrol -> software (show updates) - it does not appear there! :-( > add network location: > it is running directly to the server and through stunnel, too :-) > > wtf? i have to install office2003 for such a problem? mh okay, i did so - no > change in behaviour - mh the failures of net use are changing - now it is a > systemfailure 67. networkname not found > syntax: net use x: \\127.0.0.1\user /user:user > > thank you - flo > > > 2009/7/18 <delaage.pierre(a)free.fr> > > > A question : > > Are you the administrator of your web server ? > > if yes : set up apache with "basic authentication", not digest (this will > > not be > > a problem later with ssl) and setup the registry key usebasicauth to 1 on > > your > > client. > > SP3 does NOT contain kb907306 : so install it (you will not damage your > > system > > if this patch is already in it). > > Forget net use for the moment : "add network location" should work first. > > > > IMPORTANT : "add network location" supports SSL WITHOUT the need of > > stunnel, so > > try to setup directly a "location" pointing to " > > https://yourserver/yourfolder". > > of course you will need to install first your own certificate with > > "internet > > explorer", so that windows can use it to connect to your ssl server. > > > > Something else : check this http://support.microsoft.com/KB/942392 > > ...ie be sure that your server allow browsing dav space FROM the root url. > > Moreover, always according to kb942392, to have net use working one must > > have > > ...MS office installed! > > > > Pierre > > > > > > Quoting Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > > > > > ok, i thought that i've sp3 in my virtualbox... but it is installed now - > > > and all other updates too! > > > i've tested with digest authentification now - but it isn't running. > > > the remote server is a debian lenny with apache2.2. > > > the ssl certificate is validated by Equifax Secure Inc. > > > ie7: sure :) and i am confused in the moment the mapping in networkarea > > as > > > addition web ressource isn't running. tried it with ssl in the past (was > > > running) and now without ssl, there appears this log in apache: > > > [Sat Jul 18 00:30:33 2009] [error] [client ip] user > > > subdomain.example.de\user > > > not found: / > > > for the digest method the same with "realm" > > > however there is no preview for the files with this method, and that is > > what > > > i need :( > > > > > > i think i haven't installed kb907306 in the moment(mh ok maybe it is in > > > servicepack 3 ?), but i don't know what you mean with dbl click feature > > :-( > > > > > > i'm really pleased for your help :-) > > > > > > 2009/7/17 <delaage.pierre(a)free.fr> > > > > > > > Next step : > > > > be sure to have kb892211 (preferred) or more recent kb907306 (suppress > > dbl > > > > click > > > > feature!) installed on your system and retry. > > > > Yes you have to create the registry key by hand on your client system, > > > > but you really have to know more about your server authentication > > process. > > > > About ie7 : have you been able to browse in your webfolders, via a > > folder > > > > view? > > > > > > > > Try also adding your web folder to windows explorer by using "Add > > Network > > > > location", which is another mechanism than mapping a drive letter, and > > more > > > > often works. > > > > > > > > See you soon, > > > > Pierre Delaage > > > > > > > > > > > > > > > > Quoting Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > > > > > > > > > wow thank you, some really good tips :) > > > > > i tested it with ie 7 and it is running fine. > > > > > then i've set the regkey, is it right that i have to create it by > > myself? > > > > > rebooted - and no, there is the same error :-( > > > > > the gui for the net use command ( explorer/tools/ map networkdrive) > > isn't > > > > > running, too! > > > > > > > > > > i really hope, that any body could help me > > > > > thank you > > > > > > > > > > > > > > > 2009/7/17 <delaage.pierre(a)free.fr> > > > > > > > > > > > Hello, > > > > > > There are many things to check on Windows configuration before > > > > > > checking potential issues in stunnel. > > > > > > > > > > > > At first you should check what is the HTTP authentication mechanism > > > > used by > > > > > > your > > > > > > webdav server : > > > > > > if this server is using "basic plain text authentication", this > > WILL > > > > NOT BE > > > > > > supported by the windows "webdav redirector" (the system component > > that > > > > > > allows > > > > > > you to map a webdav folder to a virtual system drive)...unless you > > set > > > > up > > > > > > this > > > > > > registry key : > > > > > > > > > > > > > > > > [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWebClientParameters] > > > > > > "UseBasicAuth"=dword:00000001 > > > > > > > > > > > > Check this page for some MS explanations: > > > > > > > > http://technet.microsoft.com/en-us/library/cc787023%28WS.10%29.aspx > > > > > > > > > > > > Something else to check : try to open your webdav location by using > > > > > > "internet > > > > > > explorer 6 or 7"/file-open/check "web folder" checkbox. let us know > > > > whether > > > > > > it > > > > > > works. > > > > > > Try also by "Explorer/Tools/Map network drive", but it is very > > painful > > > > by > > > > > > asking > > > > > > many times for credentials. > > > > > > > > > > > > Yours sincerely, > > > > > > Pierre Delaage > > > > > > > > > > > > Selon Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > > > > > > > > > > > > > > > > > > > hi - i want to use webdav through stunnel to provide a > > drive(letter). > > > > > > > system: winxp sp3 > > > > > > > net use http://127.0.0.1/dirname /user:someuser > > > > > > > offers a systemfailure 64... stunnel log said SSL_connect: > > 1408F06B: > > > > > > > error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression > > > > > > > but a connection with firefox is running fine. > > > > > > > i am doing try&error for about a week and i am sick now :( > > > > > > > i hope you can help me - thank you > > > > > > > > > > > > > > client=yes > > > > > > > verify=0 > > > > > > > [psuedo-https] > > > > > > > accept = 80 > > > > > > > connect = ssl.studenten-wg-halle.de:443 > > > > > > > TIMEOUTclose = > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >

1 0

using webdav
by Jan-Florian Hilgenberg 17 Jul '09

17 Jul '09

hi - i want to use webdav through stunnel to provide a drive(letter). system: winxp sp3 net use http://127.0.0.1/dirname /user:someuser offers a systemfailure 64... stunnel log said SSL_connect: 1408F06B: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression but a connection with firefox is running fine. i am doing try&error for about a week and i am sick now :( i hope you can help me - thank you client=yes verify=0 [psuedo-https] accept = 80 connect = ssl.studenten-wg-halle.de:443 TIMEOUTclose =

2 1

Common Name checking
by Mark Bolton 15 Jul '09

15 Jul '09

Hi, I believe this has been discussed before on the list but I wanted to get a better understanding and confirm the current situation. Is it still correct that when using verify=2, the peer's hostname is not checked (via a name service lookup) to match the Common Name in the presented certificate? With the main reason being that you cannot necessarily trust the name service? I am asking because we have a closed network in which we do trust our dns servers, and Common Name checking would be advantageous to us given the following scenario: We have is that a single (central) host that connects to multiple 'client' hosts via stunnel. The central host presents a certificate signed by our own CA. Each client has a copy of our CA's certificate and has verify=2. So when the central server connects, the client checks that the certificate presented has really been signed by our own CA. So using this mechanism, only servers (i.e. the central server) with a signed certificate are allowed to connect. All good so far, however the problem is if the signed certificate is copied (stolen) to another server. This 'other' server can connect to all the clients also. With Common Name checking, the clients could as well as checking the signature, check the presenting host has the same hostname as in the certificate. Is there anyway we can use stunnel to help us guard against this 'stolen cert' situation or if not what else could we do? Thanks, Mark

2 3

[patch] add new option send_client_info
by Henrik Riomar 14 Jul '09

14 Jul '09

Hi, The attached patch adds a new option that allows stunnel to pass on some client information to for instance a web service that uses stunnel for it's encryption. The first line of data contains the client info and if the new option is not enabled the patch does nothing. Regards, Henrik Riomar P.S. public domain.

1 0

stunnel throttling and statistics
by Laurens Van Houtven 10 Jul '09

10 Jul '09

Hi! I'm using stunnel to secure an AMQP message broker (RabbitMQ, specifically) using pre-shared certificates. This means that my backends never get to see the SSL certificate that the client used to connect -- unfortunately, it's that very backend that's the first who can decide if a message is malicious or not. In order to sort-of fix this problem, I'm using UUIDs so that the keyspace is so absurdly huge that the odds that someone will guess a key are second to none. Still, if someone is misbehaving (trying a large number of bogus keys) it would be nice to know who it is so I could stop wasting CPU time and bandwidth on them. So, I was wondering if anyone has used stunnel (vanilla or modified) to keep statistical data about who connects (which certificates). Additionally, does anyone know of a decent way to throttle per-certificate (or limit the amount of tunnels that can be opened per certificate). If all else fails I could just do normal throttling on a per-IP basis, which should get me roughly the same thing. The reason I want this is because I want to prevent users from even *trying* a large number of such keys (even though it's statistically unlikely that they'll get one) since it still takes me CPU time to process that junk. Thanks in advance Laurens

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users July 2009