stunnel-users July 2009

stunnel-users@stunnel.org

8 participants
10 discussions

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: … [View More]

5 9

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-… [View More]

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to … [View More]

3 2

[patch] Redirect to a fake destination if client's certificate couldn't be verified
by Jeremie Le Hen 29 Jul '09

29 Jul '09

Hi list, I've written a patch to bring in the following directives: - evilconnect - evilexec/evilexecargs The idea is when stunnel works in server mode and is asked to verify the client's certificate, it normally shuts the connection down when the latter is invalid. With these options, when the certificate can't be verified, stunnel redirects the "evil" connection to another destination. What is the purpose of this new feature ? For instance, if your company does not allow SSH … [View More]

1 1

Stunnel listen on different ports
by Noel Sanchez 21 Jul '09

21 Jul '09

I have had a working stunnel conf for much time, very happy with it. [stunnel] accept = 0.0.0.0:30000 connect = 192.168.27.102:8000 I have stunnel listening on port 30000 and then sending to 192.168.27.102 on port 8000. Works good. I now want to add more listening ports to stunnel, like so: [stunnel] accept = 0.0.0.0:30000 connect = 192.168.27.102:8000 accept = 0.0.0.0:30006 connect = 192.168.27.102:8006 When I do this, stunnel only binds to 30006, per my log file: stunnel bound to 0.0.0.0:… [View More]

2 2

Re: [stunnel-users] using webdav: YES IT WORKS WITH NET USE
by delaage.pierre＠free.fr 18 Jul '09

18 Jul '09

Well after some more tests I achieve net use to work: UseBasicAuth is VITAL on the xp client (reboot) Accordingly configure apache with basic plain text auth stunnel routing localhost:80 to remote:443 (as you did) to pass your credentials use EXACTLY this command line : net use y: \\localhost\davfolder (with no extra \) YOURPASSWORD /USER:YOURUSERNAME (this in the only way to have hhtp credentials sent to the server). tested on client: xpsp2 + kb892211 + kb911927 (IMPORTANT ALSO, needs … [View More]reboot) + stunnel 427 and server apache 2.2.6/Mandriva 2008. kb907306 replaces 892211, but I have not tested with it (I think it should work). If you cannot achieve it to work please let me know the exact error message you receive from windows. Again your problem is only related to windows issue, not stunnel. Pierre Quoting Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > yes, i am the admin. have pulled it back to basic auth. > okay i have installed Webfldrs-KB907306-ENU.exe and checked for its listing > in systemcontrol -> software (show updates) - it does not appear there! :-( > add network location: > it is running directly to the server and through stunnel, too :-) > > wtf? i have to install office2003 for such a problem? mh okay, i did so - no > change in behaviour - mh the failures of net use are changing - now it is a > systemfailure 67. networkname not found > syntax: net use x: \\127.0.0.1\user /user:user > > thank you - flo > > > 2009/7/18 <delaage.pierre(a)free.fr> > > > A question : > > Are you the administrator of your web server ? > > if yes : set up apache with "basic authentication", not digest (this will > > not be > > a problem later with ssl) and setup the registry key usebasicauth to 1 on > > your > > client. > > SP3 does NOT contain kb907306 : so install it (you will not damage your > > system > > if this patch is already in it). > > Forget net use for the moment : "add network location" should work first. > > > > IMPORTANT : "add network location" supports SSL WITHOUT the need of > > stunnel, so > > try to setup directly a "location" pointing to " > > https://yourserver/yourfolder". > > of course you will need to install first your own certificate with > > "internet > > explorer", so that windows can use it to connect to your ssl server. > > > > Something else : check this http://support.microsoft.com/KB/942392 > > ...ie be sure that your server allow browsing dav space FROM the root url. > > Moreover, always according to kb942392, to have net use working one must > > have > > ...MS office installed! > > > > Pierre > > > > > > Quoting Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > > > > > ok, i thought that i've sp3 in my virtualbox... but it is installed now - > > > and all other updates too! > > > i've tested with digest authentification now - but it isn't running. > > > the remote server is a debian lenny with apache2.2. > > > the ssl certificate is validated by Equifax Secure Inc. > > > ie7: sure :) and i am confused in the moment the mapping in networkarea > > as > > > addition web ressource isn't running. tried it with ssl in the past (was > > > running) and now without ssl, there appears this log in apache: > > > [Sat Jul 18 00:30:33 2009] [error] [client ip] user > > > subdomain.example.de\user > > > not found: / > > > for the digest method the same with "realm" > > > however there is no preview for the files with this method, and that is > > what > > > i need :( > > > > > > i think i haven't installed kb907306 in the moment(mh ok maybe it is in > > > servicepack 3 ?), but i don't know what you mean with dbl click feature > > :-( > > > > > > i'm really pleased for your help :-) > > > > > > 2009/7/17 <delaage.pierre(a)free.fr> > > > > > > > Next step : > > > > be sure to have kb892211 (preferred) or more recent kb907306 (suppress > > dbl > > > > click > > > > feature!) installed on your system and retry. > > > > Yes you have to create the registry key by hand on your client system, > > > > but you really have to know more about your server authentication > > process. > > > > About ie7 : have you been able to browse in your webfolders, via a > > folder > > > > view? > > > > > > > > Try also adding your web folder to windows explorer by using "Add > > Network > > > > location", which is another mechanism than mapping a drive letter, and > > more > > > > often works. > > > > > > > > See you soon, > > > > Pierre Delaage > > > > > > > > > > > > > > > > Quoting Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > > > > > > > > > wow thank you, some really good tips :) > > > > > i tested it with ie 7 and it is running fine. > > > > > then i've set the regkey, is it right that i have to create it by > > myself? > > > > > rebooted - and no, there is the same error :-( > > > > > the gui for the net use command ( explorer/tools/ map networkdrive) > > isn't > > > > > running, too! > > > > > > > > > > i really hope, that any body could help me > > > > > thank you > > > > > > > > > > > > > > > 2009/7/17 <delaage.pierre(a)free.fr> > > > > > > > > > > > Hello, > > > > > > There are many things to check on Windows configuration before > > > > > > checking potential issues in stunnel. > > > > > > > > > > > > At first you should check what is the HTTP authentication mechanism > > > > used by > > > > > > your > > > > > > webdav server : > > > > > > if this server is using "basic plain text authentication", this > > WILL > > > > NOT BE > > > > > > supported by the windows "webdav redirector" (the system component > > that > > > > > > allows > > > > > > you to map a webdav folder to a virtual system drive)...unless you > > set > > > > up > > > > > > this > > > > > > registry key : > > > > > > > > > > > > > > > > [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWebClientParameters] > > > > > > "UseBasicAuth"=dword:00000001 > > > > > > > > > > > > Check this page for some MS explanations: > > > > > > > > http://technet.microsoft.com/en-us/library/cc787023%28WS.10%29.aspx > > > > > > > > > > > > Something else to check : try to open your webdav location by using > > > > > > "internet > > > > > > explorer 6 or 7"/file-open/check "web folder" checkbox. let us know > > > > whether > > > > > > it > > > > > > works. > > > > > > Try also by "Explorer/Tools/Map network drive", but it is very > > painful > > > > by > > > > > > asking > > > > > > many times for credentials. > > > > > > > > > > > > Yours sincerely, > > > > > > Pierre Delaage > > > > > > > > > > > > Selon Jan-Florian Hilgenberg <florianhilgenberg(a)googlemail.com>: > > > > > > > > > > > > > > > > > > > hi - i want to use webdav through stunnel to provide a > > drive(letter). > > > > > > > system: winxp sp3 > > > > > > > net use http://127.0.0.1/dirname /user:someuser > > > > > > > offers a systemfailure 64... stunnel log said SSL_connect: > > 1408F06B: > > > > > > > error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression > > > > > > > but a connection with firefox is running fine. > > > > > > > i am doing try&error for about a week and i am sick now :( > > > > > > > i hope you can help me - thank you > > > > > > > > > > > > > > client=yes > > > > > > > verify=0 > > > > > > > [psuedo-https] > > > > > > > accept = 80 > > > > > > > connect = ssl.studenten-wg-halle.de:443 > > > > > > > TIMEOUTclose = > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > [View Less]

1 0

using webdav
by Jan-Florian Hilgenberg 17 Jul '09

17 Jul '09

hi - i want to use webdav through stunnel to provide a drive(letter). system: winxp sp3 net use http://127.0.0.1/dirname /user:someuser offers a systemfailure 64... stunnel log said SSL_connect: 1408F06B: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression but a connection with firefox is running fine. i am doing try&error for about a week and i am sick now :( i hope you can help me - thank you client=yes verify=0 [psuedo-https] accept = 80 connect = ssl.studenten-wg-halle.de:443 TIMEOUTclose =

2 1

Common Name checking
by Mark Bolton 15 Jul '09

15 Jul '09

Hi, I believe this has been discussed before on the list but I wanted to get a better understanding and confirm the current situation. Is it still correct that when using verify=2, the peer's hostname is not checked (via a name service lookup) to match the Common Name in the presented certificate? With the main reason being that you cannot necessarily trust the name service? I am asking because we have a closed network in which we do trust our dns servers, and Common Name checking … [View More]

2 3

[patch] add new option send_client_info
by Henrik Riomar 14 Jul '09

14 Jul '09

Hi, The attached patch adds a new option that allows stunnel to pass on some client information to for instance a web service that uses stunnel for it's encryption. The first line of data contains the client info and if the new option is not enabled the patch does nothing. Regards, Henrik Riomar P.S. public domain.

1 0

stunnel throttling and statistics
by Laurens Van Houtven 10 Jul '09

10 Jul '09

Hi! I'm using stunnel to secure an AMQP message broker (RabbitMQ, specifically) using pre-shared certificates. This means that my backends never get to see the SSL certificate that the client used to connect -- unfortunately, it's that very backend that's the first who can decide if a message is malicious or not. In order to sort-of fix this problem, I'm using UUIDs so that the keyspace is so absurdly huge that the odds that someone will guess a key are second to none. Still, if someone is … [View More]

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users July 2009