March 2010 - stunnel-users

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Stunnel doesn't work at all since 4.30
by Denis Solovyov 06 Apr '10

06 Apr '10

Dear friends, I use stunnel for a long time to provide pop3s connections inside a local network. It is quite an old linux server under 2.4 kernel. Stunnel is started from xinetd. xinetd.conf: service pop3s { socket_type = stream wait = no user = root server = /usr/local/bin/stunnel server_args = /usr/local/etc/stunnel/pop3s.conf bind = [ip_address] } /usr/local/etc/stunnel/pop3s.conf: cert = /usr/local/etc/stunnel/mail.pem debug = debug exec = /usr/local/sbin/popa3d execargs = popa3d Everything worked perfectly before 4.30, but when I installed 4.30 pop3s connections just stopped. There is absolutely nothing in logs, just start and stop; example: Mar 24 20:29:51 aldema xinetd[2235]: START: pop3s pid=19123 from=[ip] Mar 24 20:29:51 aldema xinetd[2235]: EXIT: pop3s status=1 pid=19123 duration=0(sec) It is "all.log", i.e. syslog puts everything (*.*) into this file. If starting xinetd with '-v' option, nothing interesting is shown in its own verbose output. When I use 4.29 all.log looks like (with debug = info): Mar 21 09:40:04 aldema xinetd[2235]: START: pop3s pid=32516 from=[ip] Mar 21 09:40:04 aldema stunnel: LOG5[32516:16384]: stunnel 4.29 on i686-pc-linux-gnu with OpenSSL 0.9.7e Mar 21 09:40:04 aldema stunnel: LOG5[32516:16384]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Mar 21 09:40:04 aldema stunnel: LOG5[32516:16384]: stunnel accepted connection from[ip]:4020 Mar 21 09:40:04 aldema stunnel: LOG6[32516:16384]: SSL accepted: new session negotiated Mar 21 09:40:04 aldema stunnel: LOG6[32516:16384]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 Mar 21 09:40:04 aldema stunnel: LOG6[32516:16384]: Local mode child started (PID=32517) Mar 21 09:40:05 aldema popa3d[32517]: Authentication passed for [username] from 127.0.0.1 Mar 21 09:40:05 aldema popa3d[32517]: 0 messages (0 bytes) loaded Mar 21 09:40:05 aldema popa3d[32517]: 0 (0) deleted, 0 (0) left Mar 21 09:40:05 aldema stunnel: LOG6[32516:16384]: SSL_shutdown successfully sent close_notify Mar 21 09:40:05 aldema stunnel: LOG5[32516:16384]: Connection closed: 29 bytes sent to SSL, 48 bytes sent to socket Mar 21 09:40:05 aldema xinetd[2235]: EXIT: pop3s status=0 pid=32516 duration=1(sec) When 4.30 was released I thought it may be buggy because it was marked "experimental", but now I see 4.32 and the same behaviour. Actually, I don't know what to do... nothing in logs really confuses me. Does it mean stunnel crashes at startup (running "stunnel -version" is OK)? Any ideas? Thank you. With the best regards, Denis Solovyov

1 1

More Issues with Openssl 1.0.0
by Carter Browne 01 Apr '10

01 Apr '10

My standard configurations of stunnel use the verify=2 option. With recent versions of stunnel and openssl-0.9.8 for Linux systems, I have capath = /capath and stunnel searches directory /capath relative to chroot for the certificates. Using the same configuration file and openssl-1.0.0, this directory is no longer being searched. Any ideas about how to specify the location of capath with openssl-1.0.0? Thanks, Carter -- Carter Browne CBCS cbrowne(a)cbcs-usa.com 781-721-2890

2 1

stunnel sends empty list of trusted CAs
by Sebastian Bork 01 Apr '10

01 Apr '10

Hi, I have a problem which Google did not help me with. A communications partner of one of our customers wants to connect their SAP Business Connector to our platform using HTTPS. Our software does not have SSL/TLS implemented, we rather use stunnel for all communications links, inbound or outbound, where the customer or partner wants to use HTTPS with client authentication. The normal setup is "verify = 3" and the complete certificate chain for each partner is put into the CA path. In most cases, this works without problems. However, in the handshake, after the server certificate is sent and stunnel asks the client to send a client certificate, stunnel sends an empty list of triusted CAs. SAP BC expects the list of supported CAs to contain certificates, instead of being empty. My hope was that using "verify = 2" might help, so I have configured a new server instance of stunnel, and have copied the certificate of the partner's own CA into the CA path. Unfortunately, the partner says it still does not work, and the log file shows they still do not send their certificate when the server asks for a client cert. It seems that stunnel still returns an empty list of trusted CAs, which causes SAP BC to find no certificate to send. Is there any way I can configure stunnel to send back either every certificate found in a path or file, or at least to send back some fixed value for the trusted CAs?

2 1

Problem with openssl-1.0.0
by Carter Browne 31 Mar '10

31 Mar '10

For the Windows version of stunnel-4.31 and 4.32 I tried running stunnel with openssl-1.0.0 compiled for Windows and ssleay32.dll renamed to libssl32.dll. When I make a connection using using stunnel, I get a invalid memory reference to location 0 in libeay32.dll. I have had no problem with this approach with many versions of openssl up through and including openssl-0.9.8n. Any ideas? Carter -- Carter Browne CBCS cbrowne(a)cbcs-usa.com 781-721-2890

2 1

error:1408F10B
by Greg Groth 30 Mar '10

30 Mar '10

I'm having similar issues recently on two separate machines that are producing similar errors. In both instances, /var/log/messages starts filling up with lines similar to the following: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number I can give further details on both systems, as well as the exact issue, if warranted. First off, can anyone explain what a 1408F10B error is? My gut feeling is that in both instances something changed on the client end (in both instances the client is a version of outlook). Any help would be greatly appreciated. Greg Groth

1 0

Re: [stunnel-users] GNU (clarification)
by tony westenhofer 28 Mar '10

28 Mar '10

Mr. Trojnara, That is what I was after: > Please simply include stunnel source (stunnel-4.xx.tar.gz) on whatever media > (e.g. CD, DVD, web page, etc.) you use to distribute your product together > with stunnel binary. Thank you again for such a wonderful piece of work-- And supporting it!!!!! Best Regards Tony > From: stunnel-users-request(a)mirt.net > Subject: stunnel-users Digest, Vol 68, Issue 9 > To: stunnel-users(a)mirt.net > Date: Sat, 27 Mar 2010 12:00:02 +0100 > > Send stunnel-users mailing list submissions to > stunnel-users(a)mirt.net > > To subscribe or unsubscribe via the World Wide Web, visit > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > or, via email, send a message with subject or body 'help' to > stunnel-users-request(a)mirt.net > > You can reach the person managing the list at > stunnel-users-owner(a)mirt.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of stunnel-users digest..." > > > Today's Topics: > > 1. Re: GNU (Michal Trojnara) > 2. Re: auto-disconnecting people when CRL updated (Michal Trojnara) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 26 Mar 2010 22:27:51 +0100 > From: Michal Trojnara <Michal.Trojnara(a)mirt.net> > Subject: Re: [stunnel-users] GNU > To: stunnel-users(a)mirt.net > Message-ID: <201003262228.10766.Michal.Trojnara(a)mirt.net> > Content-Type: text/plain; charset="utf-8" > > tony westenhofer wrote: > > I am using stunnel (no code modifications) to encrypt communications > > for some applications to eventually be sold. First off outstanding work, > > stunnel saved hours of work having to figure out how to add the security > > desired. > > Thank you. That's exactly why I wrote it. 8-) > > > Now I am wanting to make sure to comply with licensing. > > Can someone be specific and help on this? > > As the author of stunnel I'll be glad to help. > > > I know we have to post a few things on the website for the > > product. (what? a link, an actually dl > > for stunnel...) > > Please simply include stunnel source (stunnel-4.xx.tar.gz) on whatever media > (e.g. CD, DVD, web page, etc.) you use to distribute your product together > with stunnel binary. > > > What about paper distribution for the product, what > > about stunnel must be included? > > I'm not sure I understand your question. > Do you distribute your software on paper? > > Do you mean any advertisement or documentation for your product? > The license does not require that you do anything about it, but it would be > nice of you to mention my name. > > Best regards, > Michal Trojnara > the author of stunnel >

1 0

auto-disconnecting people when CRL updated
by David van Zijl 27 Mar '10

27 Mar '10

Hello Is it possible to get stunnel to disconnect people on a graceful restart when a certificate has expired? Stunnel version 4.30 added the graceful reload option which is great because it will allow us to reload the CRLs, keep everybody connected and prevent new people connecting when their certs have expired (tested and working) - however existing connections are not terminated even though they have just expired... I'm not sure if we've missed a configuration option or if this is just not possible. A little background: We host an IRC server listening on localhost:6667, on top of that we have stunnel listening on the external interface port 6697 We're using the CAfile and CRLpath options to ensure that people are connecting with a valid certificate. Every hour a job runs to download the latest CRL files, if there is a change it restarts stunnel and kicks everybody off (we'd like to use a graceful restart instead) We are running stunnel on Red Hat Linux using the following line inside an init script to run it as a daemon: daemon /usr/local/bin/stunnel /etc/stunnel/stunnel.conf Excerpt from stunnel.conf: setuid = daemon setgid = daemon ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [irc-in] CAfile = /etc/ca/our-chains.pem CRLpath = /etc/crl accept = 192.168.0.1:6697setuid = daemon setgid = daemon connect = localhost:6667 verify = 2 Running stunnel -version tells me: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = daemon.notice pid = /var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH session = 300 seconds stack = 65536 bytes sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none Kind Regards Dave

2 1

GNU
by tony westenhofer 27 Mar '10

27 Mar '10

Hello, I am using stunnel (no code modifications) to encrypt communications for some applications to eventually be sold. First off outstanding work, stunnel saved hours of work having to figure out how to add the security desired. Now I am wanting to make sure to comply with licensing. Can someone be specific and help on this? I know we have to post a few things on the website for the product. (what? a link, an actually dl for stunnel...) What about paper distribution for the product, what about stunnel must be included? Please be as specific as you can or better yet point me to an example of someone else already giving proper credit where due. Again thank you for your hard work (all involved). Second question, any recommendations for securing the stunnel folder without interfering with its functionality on Windows systems. Have not had time to try locking down different ntfs setting yet. Thanks in advance and I do apologies if my questions have already been covered in the past. If so please provide url. Tony _________________________________________________________________ Hotmail is redefining busy with tools for the New Busy. Get more from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID27925::T:WLMTAGL:ON:…

2 1