March 2010 - stunnel-users

Re: [stunnel-users] Stunnel 4.32 released
by Jose Alf. 25 Mar '10

25 Mar '10

Hi Michal, Thanks for the new 4.32 version. I tested beta 1 and 2 and everything worked fine on my side. Should have been released a day after because OpenSSL released a new version (0.9.8n) the same day. I compiled mine against it on Windows and it works. regards, Jose.

1 0

Still not working with client certificates
by Ron Cordell 24 Mar '10

24 Mar '10

Hello, I'm hoping that someone can give me a hint of where to look at this issue because I'm totally stuck and have been for a few days. When I attempt to use sTunnel in client mode with client certificates, the SSL seems to negotiate the certs and ciphers and then nothing else happens; the services hang. I'm hoping that someone has some insights about something that I haven't looked at, yet. My setup: Server: Windows Server, IIS 7 running SOAP services set for SSL Required, Client Certificate required (transport level client certificate, not SOAP message level). client: Windows machine, simple web application acting as a test client for the SOAP service. In between: sTunnel v4.32 Testing Scenario #1 -- Client configured to use client certificates directly against the IIS 7 service instance. This works as expected. Testing Scenario #2 -- Server configured to not require client certificates, but require SSL. sTunnel configured to listen on local port 8090 and forward to the IIS 7 server. This works as expected. Testing Scenario #3 -- Server configured to require client certificates. sTunnel configured to use client certificate as issued by a local CA in addition to the setup as before. This does not work, but hangs. sTunnel.conf: ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment cert = C:\certs\client-cert-for-internal-environments.pem ;key = c:\certs\test_cert.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 output = c:\temp\stunnel.log ; Use it for client mode client = yes ; Service-level configuration ;[pop3s] ;accept = 995 ;connect = 110 ;[imaps] ;accept = 993 ;connect = 143 ;[ssmtp] ;accept = 465 ;connect = 25 [http] accept = 8090 ;connect = 10.12.32.164:443 connect = 10.12.32.68:1443 TIMEOUTclose = 0 ; vim:ft=dosini sTunnel log: 2010.03.24 11:54:31 LOG5[5616:5992]: Reading configuration from file stunnel.conf 2010.03.24 11:54:31 LOG7[5616:5992]: RAND_status claims sufficient entropy for the PRNG 2010.03.24 11:54:31 LOG7[5616:5992]: PRNG seeded successfully 2010.03.24 11:54:31 LOG7[5616:5992]: Certificate: C:\certs\client-cert-for-internal-environments.pem 2010.03.24 11:54:31 LOG7[5616:5992]: Certificate loaded 2010.03.24 11:54:31 LOG7[5616:5992]: Key file: C:\certs\client-cert-for-internal-environments.pem 2010.03.24 11:54:38 LOG7[5616:5992]: Private key loaded 2010.03.24 11:54:38 LOG7[5616:5992]: SSL context initialized for service http 2010.03.24 11:54:38 LOG5[5616:5992]: Configuration successful 2010.03.24 11:54:38 LOG5[5616:5992]: No limit detected for the number of clients 2010.03.24 11:54:38 LOG7[5616:5992]: FD=176 in non-blocking mode 2010.03.24 11:54:38 LOG7[5616:5992]: Option SO_REUSEADDR set on accept socket 2010.03.24 11:54:38 LOG7[5616:5992]: Service http bound to 0.0.0.0:8090 2010.03.24 11:54:38 LOG7[5616:5992]: Service http opened FD=176 2010.03.24 11:54:38 LOG3[5616:5992]: c:\temp\stunnel.log: Input/output error (5) 2010.03.24 11:54:38 LOG3[5616:5992]: Unable to open output file: c:\temp\stunnel.log 2010.03.24 11:54:38 LOG5[5616:5992]: stunnel 4.32 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009 2010.03.24 11:54:38 LOG5[5616:5992]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6 2010.03.24 11:54:54 LOG7[5616:6192]: Service http accepted FD=436 from 127.0.0.1:56102 2010.03.24 11:54:54 LOG7[5616:6192]: Creating a new thread 2010.03.24 11:54:54 LOG7[5616:6192]: New thread created 2010.03.24 11:54:54 LOG7[5616:6696]: Service http started 2010.03.24 11:54:54 LOG7[5616:6696]: FD=436 in non-blocking mode 2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on local socket 2010.03.24 11:54:54 LOG5[5616:6696]: Service http accepted connection from 127.0.0.1:56102 2010.03.24 11:54:54 LOG7[5616:6696]: FD=456 in non-blocking mode 2010.03.24 11:54:54 LOG6[5616:6696]: connect_blocking: connecting 10.12.32.68:1443 2010.03.24 11:54:54 LOG7[5616:6696]: connect_blocking: s_poll_wait 10.12.32.68:1443: waiting 10 seconds 2010.03.24 11:54:54 LOG5[5616:6696]: connect_blocking: connected 10.12.32.68:1443 2010.03.24 11:54:54 LOG5[5616:6696]: Service http connected remote server from 10.12.47.109:56103 2010.03.24 11:54:54 LOG7[5616:6696]: Remote FD=456 initialized 2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on remote socket 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): before/connect initialization 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client hello A 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server hello A 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server certificate A 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server done A 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client key exchange A 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write change cipher spec A 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write finished A 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 flush data 2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read finished A 2010.03.24 11:54:54 LOG7[5616:6696]: 1 items in the session cache 2010.03.24 11:54:54 LOG7[5616:6696]: 1 client connects (SSL_connect()) 2010.03.24 11:54:54 LOG7[5616:6696]: 1 client connects that finished 2010.03.24 11:54:54 LOG7[5616:6696]: 0 client renegotiations requested 2010.03.24 11:54:54 LOG7[5616:6696]: 0 server connects (SSL_accept()) 2010.03.24 11:54:54 LOG7[5616:6696]: 0 server connects that finished 2010.03.24 11:54:54 LOG7[5616:6696]: 0 server renegotiations requested 2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache hits 2010.03.24 11:54:54 LOG7[5616:6696]: 0 external session cache hits 2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache misses 2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache timeouts 2010.03.24 11:54:54 LOG6[5616:6696]: SSL connected: new session negotiated 2010.03.24 11:54:54 LOG6[5616:6696]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 This is where things time out; nothing happens beyond this point.

1 0

Stunnel 4.32 released
by Michal Trojnara 24 Mar '10

24 Mar '10

Dear Users, I'm glad to announce a new version of stunnel. The ChangeLog entry: Version 4.32, 2010.03.24, urgency: MEDIUM: * New features - New service-level "libwrap" option for run-time control whether /etc/hosts.allow and /etc/hosts.deny are used for access control. Disabling libwrap significantly increases performance of stunnel. - Win32 DLLs for OpenSSL 0.9.8m. * Bugfixes - Fixed a transfer() loop issue with SSLv2 connections. - Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option. - Logging subsystem bugfixes and cleanup. - Installer bugfixes for Vista and later versions of Windows. - FIPS mode can be enabled/disabled at runtime. SHA-1 value for stunnel-4.32.tar.gz: e9be8b9150d1c901a7c37b58494e351815147a79 Home page: http://stunnel.mirt.net/ Download: ftp://stunnel.mirt.net/stunnel/ Best regards, Michal Trojnara

1 0

Trying to use client certificates but no success so far
by Ron Cordell 19 Mar '10

19 Mar '10

Hello, I'm trying to set up sTunnel to use client certificates in the following arrangement: Client Java Server (HTTP) --> sTunnel (HTTPS w/client cert) --> Windows IIS SOAP service, requires client cert The client certificate was generated from a MS CA cert generation tool, one we use for our internal certificates and our internal CA. The client cert was generated as a .pfx file and I used OpenSSL to convert it to a .pem file with the -nodes option. Testing without the client certificates shows that if the IIS hosted SOAP service is set to not require a client certificate, the sTunnel configuration works and we're able to communicate between the HTTP only client and the HTTPS IIS hosted service. However, once we add the certificate, the communication stops at the handshake. I'm wondering if I need to change the client .pem cert to have the private key (don't use the -nodes option when converting using OpenSSL). Here is the contents of the .conf file: ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment cert = user_cert.pem key = user_cert.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 output = c:\temp\stunnel.log ; Use it for client mode client = yes ; Service-level configuration ;[pop3s] ;accept = 995 ;connect = 110 ;[imaps] ;accept = 993 ;connect = 143 ;[ssmtp] ;accept = 465 ;connect = 25 [http] accept = 8090 connect = 10.12.32.164:443 TIMEOUTclose = 0 ; vim:ft=dosini Here is the output from the log file showing two attempts to hit the service with the client cert, one from a browser and one from a bit of client code: 2010.03.19 09:58:27 LOG5[5864:4032]: Reading configuration from file stunnel.conf 2010.03.19 09:58:27 LOG7[5864:4032]: RAND_status claims sufficient entropy for the PRNG 2010.03.19 09:58:27 LOG7[5864:4032]: PRNG seeded successfully 2010.03.19 09:58:27 LOG7[5864:4032]: Certificate: user_cert.pem 2010.03.19 09:58:27 LOG7[5864:4032]: Certificate loaded 2010.03.19 09:58:27 LOG7[5864:4032]: Key file: user_cert.pem 2010.03.19 09:58:27 LOG7[5864:4032]: Private key loaded 2010.03.19 09:58:27 LOG7[5864:4032]: SSL context initialized for service http 2010.03.19 09:58:27 LOG5[5864:4032]: Configuration successful 2010.03.19 09:58:27 LOG5[5864:4032]: No limit detected for the number of clients 2010.03.19 09:58:27 LOG7[5864:4032]: FD=176 in non-blocking mode 2010.03.19 09:58:27 LOG7[5864:4032]: Option SO_REUSEADDR set on accept socket 2010.03.19 09:58:27 LOG7[5864:4032]: Service http bound to 0.0.0.0:8090 2010.03.19 09:58:27 LOG7[5864:4032]: Service http opened FD=176 2010.03.19 09:58:27 LOG5[5864:4032]: stunnel 4.31 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009 2010.03.19 09:58:27 LOG5[5864:4032]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6 2010.03.19 09:59:42 LOG7[5864:3864]: Service http accepted FD=440 from 127.0.0.1:49886 2010.03.19 09:59:42 LOG7[5864:3864]: Creating a new thread 2010.03.19 09:59:42 LOG7[5864:3864]: New thread created 2010.03.19 09:59:42 LOG7[5864:4328]: Service http started 2010.03.19 09:59:42 LOG7[5864:4328]: FD=440 in non-blocking mode 2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on local socket 2010.03.19 09:59:42 LOG5[5864:4328]: Service http accepted connection from 127.0.0.1:49886 2010.03.19 09:59:42 LOG7[5864:4328]: FD=460 in non-blocking mode 2010.03.19 09:59:42 LOG6[5864:4328]: connect_blocking: connecting 10.12.32.164:443 2010.03.19 09:59:42 LOG7[5864:4328]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds 2010.03.19 09:59:42 LOG5[5864:4328]: connect_blocking: connected 10.12.32.164:443 2010.03.19 09:59:42 LOG5[5864:4328]: Service http connected remote server from 10.12.47.109:49887 2010.03.19 09:59:42 LOG7[5864:4328]: Remote FD=460 initialized 2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on remote socket 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): before/connect initialization 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client hello A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server hello A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server certificate A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server done A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client key exchange A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write change cipher spec A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write finished A 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 flush data 2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read finished A 2010.03.19 09:59:42 LOG7[5864:4328]: 1 items in the session cache 2010.03.19 09:59:42 LOG7[5864:4328]: 1 client connects (SSL_connect()) 2010.03.19 09:59:42 LOG7[5864:4328]: 1 client connects that finished 2010.03.19 09:59:42 LOG7[5864:4328]: 0 client renegotiations requested 2010.03.19 09:59:42 LOG7[5864:4328]: 0 server connects (SSL_accept()) 2010.03.19 09:59:42 LOG7[5864:4328]: 0 server connects that finished 2010.03.19 09:59:42 LOG7[5864:4328]: 0 server renegotiations requested 2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache hits 2010.03.19 09:59:42 LOG7[5864:4328]: 0 external session cache hits 2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache misses 2010.03.19 09:59:42 LOG7[5864:4328]: 0 session cache timeouts 2010.03.19 09:59:42 LOG6[5864:4328]: SSL connected: new session negotiated 2010.03.19 09:59:42 LOG6[5864:4328]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 2010.03.19 10:01:54 LOG3[5864:4328]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054) 2010.03.19 10:01:54 LOG5[5864:4328]: Connection reset: 568 bytes sent to SSL, 0 bytes sent to socket 2010.03.19 10:01:54 LOG7[5864:4328]: Service http finished (0 left) 2010.03.19 10:03:28 LOG7[5864:3864]: Service http accepted FD=476 from 127.0.0.1:50155 2010.03.19 10:03:28 LOG7[5864:3864]: Creating a new thread 2010.03.19 10:03:28 LOG7[5864:3864]: New thread created 2010.03.19 10:03:28 LOG7[5864:1216]: Service http started 2010.03.19 10:03:28 LOG7[5864:1216]: FD=476 in non-blocking mode 2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on local socket 2010.03.19 10:03:28 LOG5[5864:1216]: Service http accepted connection from 127.0.0.1:50155 2010.03.19 10:03:28 LOG7[5864:1216]: FD=440 in non-blocking mode 2010.03.19 10:03:28 LOG6[5864:1216]: connect_blocking: connecting 10.12.32.164:443 2010.03.19 10:03:28 LOG7[5864:1216]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds 2010.03.19 10:03:28 LOG5[5864:1216]: connect_blocking: connected 10.12.32.164:443 2010.03.19 10:03:28 LOG5[5864:1216]: Service http connected remote server from 10.12.47.109:50156 2010.03.19 10:03:28 LOG7[5864:1216]: Remote FD=440 initialized 2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on remote socket 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): before/connect initialization 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write client hello A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read server hello A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read finished A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write change cipher spec A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write finished A 2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 flush data 2010.03.19 10:03:28 LOG7[5864:1216]: 1 items in the session cache 2010.03.19 10:03:28 LOG7[5864:1216]: 2 client connects (SSL_connect()) 2010.03.19 10:03:28 LOG7[5864:1216]: 2 client connects that finished 2010.03.19 10:03:28 LOG7[5864:1216]: 0 client renegotiations requested 2010.03.19 10:03:28 LOG7[5864:1216]: 0 server connects (SSL_accept()) 2010.03.19 10:03:28 LOG7[5864:1216]: 0 server connects that finished 2010.03.19 10:03:29 LOG7[5864:1216]: 0 server renegotiations requested 2010.03.19 10:03:29 LOG7[5864:1216]: 1 session cache hits 2010.03.19 10:03:29 LOG7[5864:1216]: 0 external session cache hits 2010.03.19 10:03:29 LOG7[5864:1216]: 0 session cache misses 2010.03.19 10:03:29 LOG7[5864:1216]: 0 session cache timeouts 2010.03.19 10:03:29 LOG6[5864:1216]: SSL connected: previous session reused 2010.03.19 10:04:28 LOG7[5864:1216]: Socket closed on read 2010.03.19 10:04:28 LOG7[5864:1216]: SSL write shutdown 2010.03.19 10:04:28 LOG7[5864:1216]: SSL alert (write): warning: close notify 2010.03.19 10:04:28 LOG6[5864:1216]: SSL_shutdown successfully sent close_notify 2010.03.19 10:04:28 LOG6[5864:1216]: s_poll_wait timeout: connection close 2010.03.19 10:04:28 LOG5[5864:1216]: Connection closed: 1541 bytes sent to SSL, 25 bytes sent to socket 2010.03.19 10:04:28 LOG7[5864:1216]: Service http finished (0 left) Any hints would be appreciated!

1 0

How to have multiple HTTPS connection with different PEM file
by Andrew Culross 18 Mar '10

18 Mar '10

We are running sTunnel 4.2 and want to have two HTTPS connection that use different PEM certs and are having difficulty doing this - how do you set this up? We have something like ---- Cert = cert1.pem [https] connect = xxx.xxx.xxx.xxx:442 connect = yyy.yyy.yyy.yyy:443 accept = 9876 ------ and we need something like this? -------- [https] connect = xxx.xxx.xxx.xxx:442 cert = cert1.pem accept = 9876 [https] connect = yyy.yyy.yyy.yyy:443 cert = cert2.pem accept = 9877 ----- Can we do that in the config file? If not, how does one specify ? Thanks! Andrew Culross TwoFour Systems 445 Hamilton Ave White Plains, NY 10601 Direct +1 (914) 220-8849 Main +1 (914) 220-8800 Fax +1 (914) 220-8899 <http://www.twofour.com/> www.TwoFour.com <http://www.twofour.com/emaildisclaimer.aspx> http://www.twofour.com/emaildisclaimer.aspx

2 1

Stunnel server with access from Firefox
by Ricky I 15 Mar '10

15 Mar '10

Hi, I am trying to use Stunnel to provide HTTPS access to a web site (my router configurations). That is, stunnel is used to accept HTTPS connection and it forwards the request using HTTP to the web site. The problem seems to be that one connection is opened and it performs an HTTP GET. Afterwards Stunnel does not accept any more connections and I have to restart. I'm not sure what I'm doing wrong. The strange thing I notice is that service router is finished with -1. What does minus one mean? I am using Firefox as the client. What I see is that Firefox is trying to load the page. Using wireshark, I was able to see that all the HTML data from the web page was loaded but Firefox was having trouble performing HTTP GET for the images on the site. I need to restart Stunnel in order to have another connection open. This is confirmed where I made a test by restarting Stunnel and then I tried to just load images from the Web site: e.g. https://192.168.1.88:8880/image1.jpg and https://192.168.1.88:8880/image2.jpg. I get image1.jpg but Firefox can't access image2.jpg, unless I restart then get image2. Here's the logs showing that I am able to make one access to the site. 2010.03.16 00:47:41 LOG5[3266:1024]: stunnel 4.31 on armv5tejl-unknown-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009 2010.03.16 00:47:41 LOG5[3266:1024]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 2010.03.16 00:47:41 LOG7[3266:1024]: Cleaning up the signal pipe 2010.03.16 00:47:41 LOG7[3266:1024]: Signal pipe is empty 2010.03.16 00:47:46 LOG7[3266:1024]: Service router accepted FD=0 from 192.168.1.80:2821 2010.03.16 00:47:46 LOG7[3268:1026]: Service router started 2010.03.16 00:47:46 LOG7[3268:1026]: FD=0 in non-blocking mode 2010.03.16 00:47:46 LOG7[3268:1026]: Option TCP_NODELAY set on local socket 2010.03.16 00:47:46 LOG5[3268:1026]: Service router accepted connection from 192.168.1.80:2821 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): before/accept initialization 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 read client hello A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 write server hello A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 write certificate A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 write server done A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 flush data 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 read client key exchange A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 read finished A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 write change cipher spec A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 write finished A 2010.03.16 00:47:46 LOG7[3268:1026]: SSL state (accept): SSLv3 flush data 2010.03.16 00:47:46 LOG7[3268:1026]: 1 items in the session cache 2010.03.16 00:47:46 LOG7[3268:1026]: 0 client connects (SSL_connect()) 2010.03.16 00:47:46 LOG7[3268:1026]: 0 client connects that finished 2010.03.16 00:47:46 LOG7[3268:1026]: 0 client renegotiations requested 2010.03.16 00:47:46 LOG7[3268:1026]: 1 server connects (SSL_accept()) 2010.03.16 00:47:46 LOG7[3268:1026]: 1 server connects that finished 2010.03.16 00:47:46 LOG7[3268:1026]: 0 server renegotiations requested 2010.03.16 00:47:46 LOG7[3268:1026]: 0 session cache hits 2010.03.16 00:47:46 LOG7[3268:1026]: 0 external session cache hits 2010.03.16 00:47:46 LOG7[3268:1026]: 1 session cache misses 2010.03.16 00:47:46 LOG7[3268:1026]: 0 session cache timeouts 2010.03.16 00:47:46 LOG6[3268:1026]: SSL accepted: new session negotiated 2010.03.16 00:47:46 LOG6[3268:1026]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2010.03.16 00:47:46 LOG7[3268:1026]: FD=9 in non-blocking mode 2010.03.16 00:47:46 LOG6[3268:1026]: connect_blocking: connecting 192.168.1.1:80 2010.03.16 00:47:46 LOG7[3268:1026]: connect_blocking: s_poll_wait 192.168.1.1:80: waiting 10 seconds 2010.03.16 00:47:46 LOG5[3268:1026]: connect_blocking: connected 192.168.1.1:80 2010.03.16 00:47:46 LOG5[3268:1026]: Service router connected remote server from 192.168.1.88:1133 2010.03.16 00:47:46 LOG7[3268:1026]: Remote FD=9 initialized 2010.03.16 00:47:46 LOG7[3268:1026]: Option TCP_NODELAY set on remote socket 2010.03.16 00:47:46 LOG7[3268:1026]: Socket closed on read 2010.03.16 00:47:46 LOG7[3268:1026]: SSL write shutdown 2010.03.16 00:47:46 LOG7[3268:1026]: SSL alert (write): warning: close notify 2010.03.16 00:47:46 LOG6[3268:1026]: SSL_shutdown successfully sent close_notify 2010.03.16 00:47:46 LOG6[3268:1026]: s_poll_wait timeout: connection close 2010.03.16 00:47:46 LOG5[3268:1026]: Connection closed: 4675 bytes sent to SSL, 445 bytes sent to socket 2010.03.16 00:47:46 LOG7[3268:1026]: Service router finished (-1 left) ============ Finally here's my stunnel.conf: cert = /mnt/HD_a2/ffp/etc/stunnel/stunnel.pem sslVersion = SSLv3 pid = /stunnel.pid ; performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; debugging stuff (may useful for troubleshooting) debug = 7 output = /ffp/etc/stunnel/stunnel.log ; service-level configuration [router] accept = 8880 connect = 192.168.1.1:80 TIMEOUTclose = 0 Thank you very much for any help you can provide. Rick _________________________________________________________________ Check your Hotmail from your phone. http://go.microsoft.com/?linkid=9712957

1 0

DSA server certificate
by Carl 15 Mar '10

15 Mar '10

Hi, Does stunnel support server certificate with a DSA private key? When I try to use a self generated one, stunnel responds with: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib SSL_CTX_use_RSAPrivateKey_file: 607907F: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key Is this bug report relevant? http://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg43770.ht… Thanks, Carl

1 0

How do you configure Stunnel Ver 4.31 for TLSv1 - More Info
by David M. Douglass 11 Mar '10

11 Mar '10

Reference: Stunnel Ver 4.31 Windows Binaries This is the actual configuration file I am using. There is not too much to it. As shown below, this WORKS for Gmail's SSL port.. Port 465. Notice that the sslVersion statement is remarked "out". +++++++++++++++++++++++++++ output = STUNNEL.log taskbar = NO cert = stunnel.pem client = yes [SSMTP] accept=DADSXPPRO:8025 connect=smtp.gmail.com:465 ;sslVersion = TLSv1 ++++++++++++++++++++++++++++ In theory (as I have read it...), to change this to TLS, I enable the sslVersion line, And change the port (for Gmail) to 587. Port 587 and TLS for Gmail have been tested and verified via Microsoft Outlook testing. But when I do so, I cannot even log onto the Gmail server. I get the error message referenced in the first message: 2010.02.25 10:35:44 LOG3[2696:2740]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number It occurs to me that I am only using the "stunnel.pem" file, as supplied by the installer program. Do I have a certificate issue? David M. Douglass david(a)az-douglass.net Home (480) 839-2629 Cell (602) 908-9092

4 5