September 2010 - stunnel-users

Server side logging, no connection details logged
by Bucci, David G 22 Sep '10

22 Sep '10

Hi - using Stunnel to enforce client certificate based authentication, and as part of that, we want to log accesses, and the CN used to access, on the server side (kind of an audit log). On the client side, with debug set to 7, we get details about the connection, the SSL steps in the handshake, etc. - but on the server side, even with debug = 7, we're not seeing any info at all about the connections that are occurring. Sooo ... is there a way to enable such logging on the server side of the tunnel? Or possibly turn on independent logging in the OpenSSL libs that are used? I looked, but haven't found anything online about this. Thx! ---- David G. Bucci If you can't say anything nice, at least have the decency to be vague.

1 2

FIPS compliance
by Bucci, David G 21 Sep '10

21 Sep '10

The documentation on fips= seems ambiguous to me ... does leaving it at the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate it? Or does it do something else I'm not understanding? Basically, the q. is, what do you have to configure to ensure that you're operating in a FIPS 140-2 compliant manner (at least, as the version of OpenSSL libs bundled understood it)? Do you have to specify ciphers that are validated, etc.? Or just set that config option to "yes" ("no"?)? And how can one tell if the stunnel binary in use was compiled with FIPS support active? (I'm using the Windows 4.33 binary d/l'ed from mirt.net) Tia! ---- David G. Bucci Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time. -- ChuckNorrisFacts.com

2 1

Large performance difference: Solaris vs Linux
by Cliffe, Stephen 20 Sep '10

20 Sep '10

Hi, I've just been comparing the performance of stunnel on Solaris 10 & Linux (Centos 5.5) and am seeing a big difference. I'm using stunnel 4.33 compiled with the same options on both platforms and the tcpstress benchmarking tool (http://stunnel.mirt.net/?page=perf) On a Dell 780 running Solaris 10 I got 163.31 connections/second but on an older, slower Dell 620 running Linux I got 408.01 connections/second. Both machines were otherwise idle. Does anyone know why there would be such a big difference between the two OS's? Thanks, Steve. Steve Cliffe Senior Engineer - Development Infrastructure Team Andrew Network Solutions Asia Pacific [ Address : Andrew Corporation Building (39), Northfields Avenue, Wollongong University, NSW, Australia 2500 ] [ Postal Address : PO Box U40, Wollongong University, NSW, Australia 2500 ] [ Tel : +61 2 4221 2991] [ Fax : +61 2 4221 2901 ] [ Email : Stephen.Cliffe(a)andrew.com] Visit Andrew on the Web at www.andrew.com<http://www.andrew.com/> [cid:image001.gif@01CB5688.22C2E4D0][cid:image002.gif@01CB5688.22C2E4D0]

3 5

Generically referencing file locations in stunnel.conf
by Bucci, David G 20 Sep '10

20 Sep '10

Hi - I'm back to trying to run Stunnel with a different user certificate for each user. So far, the best technique I've found is to have a separate stunnel.conf for each user (in their home directory, which is referenced by envvar %USERPROFILE%), and run stunnel using that configuration file. As part of that, I'm trying to generically reference file locations (log, user certificates) in the .conf. But I haven't found a way short of fully pathing the locations in the .conf e.g. "output=c:\users\dbucci\stunnel\stunnel.log". That's undesirable, because it means I have to make every user's .conf unique. So ... is there a generic way to accomplish this? I've tried setting the "Start In" location in the Windows shortcut to that location (via envvar %USERPROFILE%, which allows me to make every user's shortcut generic), then saying "output=.\stunnel.log", but without success - it seems to always be using c:\program files\stunnel as it's starting point for reference. Likewise, the envvar isn't usable in the .conf Note that I thought about creating a subdir per user in C:\program files\stunnel (with appropriate perms for that user), but can't, because in many of our deployment locations, users aren't permitted to write to c:\program files. Btw, this is why I'm asking about the commandline parms in Windows - I don't seem to be able to get them to work, but if I could, I could say e.g. "-o %USERPROFILE%\stunnel\stunnel.log", and that would work generically for every user. Likewise, I could use "-A %USERPROFILE&\stunnel\usercert.pem" and have a generic way of installing user certs. Heck, if I could set ALL the options via command line (-c, -r, etc.) I would love to simply do away with a user-specific .conf file. So ... sorry for rambling a bit, but any help with the intent of what I'm trying to accomplish, make as generic as possible a user-specific config setup? Thx! ---- David G. Bucci Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time. -- ChuckNorrisFacts.com

2 2

Command line args available on Windows version 4.33?
by Bucci, David G 20 Sep '10

20 Sep '10

Hi - are all the command line arguments documented at http://www.stunnel.org/faq/args.html#ToC1 available in the Windows 4.33 version? When you execute stunnel -V, very few are listed. And if they are available, do they take precedence over a configuration file, if one is used? (Is a .conf mandatory, or can you set all the required options via command line in the Windows version?) Thx! ---- David G. Bucci Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time. -- ChuckNorrisFacts.com

2 1

Accept connections only from local processes?
by Bucci, David G 20 Sep '10

20 Sep '10

Hi - I'm looking to configure Stunnel in client mode to accept connections only from the PC it's running on. Would the config option "socket = a:SO_BINDTODEVICE=lo" accomplish that? And would this work on Windows? (is there a "lo" interface on Windows?) I'm going to do some testing, but thought I'd ask in case someone already knows I'll be pounding sand. And before anyone asks, turning on a firewall isn't an option - we don't have control of all the PCs involved. ---- David G. Bucci Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time. -- ChuckNorrisFacts.com

2 1

(no subject)
by Sunil Karumuri 16 Sep '10

16 Sep '10

Hello- I am new to Stunnel and have a basic architecture question. I have Stunnel installed on box A where it receives http messages from multiple client processes . Stunnel sends them to box B via https (mutual ssl). We are seeing that Stunnel opens one connection for each client processes. Can we configure Stunnel to have only ONE SSL connection (or a pool of connections) between box A and B and have Stunnel use the open connection for all traffic from various clients ? We would like to avoid the overhead of SSL-handshake for each new client process. Thanks for the help. Sunil

3 2

Hey buddy, can you review a log file?
by Jay Sprenkle 08 Sep '10

08 Sep '10

Good afterrnoon, Can anyone review the stunnel log file below and see if there's any indication of a problem? What we're doing with stunnel: We're using stunnel to encrypt a tcp connection between a client and our server. What's happening: A client is reporting the connection fails. I believe it's a timeout issue on the client software. My interpretation of this log is that the session is open about 4 seconds then closed by the client. Is that correct? Thanks in advance Stunnel Log: 2010.09.08 14:34:38 LOG7[1392:2328]: Service exchange started 2010.09.08 14:34:38 LOG7[1392:2328]: FD=200 in non-blocking mode 2010.09.08 14:34:38 LOG5[1392:2328]: Service exchange accepted connection from 127.0.0.1:2340 2010.09.08 14:34:38 LOG7[1392:2328]: FD=224 in non-blocking mode 2010.09.08 14:34:38 LOG6[1392:2328]: connect_blocking: connecting xxx.242.123.150:7443 2010.09.08 14:34:38 LOG7[1392:2328]: connect_blocking: s_poll_wait xxx.242.123.150:7443: waiting 10 seconds 2010.09.08 14:34:38 LOG5[1392:2328]: connect_blocking: connected xxx.242.123.150:7443 2010.09.08 14:34:38 LOG5[1392:2328]: Service exchange connected remote server from 192.168.1.29:2341 2010.09.08 14:34:38 LOG7[1392:2328]: Remote FD=224 initialized 2010.09.08 14:34:38 LOG7[1392:2328]: SSL state (connect): before/connect initialization 2010.09.08 14:34:38 LOG7[1392:2328]: SSL state (connect): SSLv3 write client hello A 2010.09.08 14:34:38 LOG7[1392:2328]: SSL state (connect): SSLv3 read server hello A 2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 read server certificate A 2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 read server done A 2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 write client key exchange A 2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 write change cipher spec A 2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 write finished A 2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 flush data 2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 read finished A 2010.09.08 14:34:39 LOG7[1392:2328]: 1 items in the session cache 2010.09.08 14:34:39 LOG7[1392:2328]: 1 client connects (SSL_connect()) 2010.09.08 14:34:39 LOG7[1392:2328]: 1 client connects that finished 2010.09.08 14:34:39 LOG7[1392:2328]: 0 client renegotiations requested 2010.09.08 14:34:39 LOG7[1392:2328]: 0 server connects (SSL_accept()) 2010.09.08 14:34:39 LOG7[1392:2328]: 0 server connects that finished 2010.09.08 14:34:39 LOG7[1392:2328]: 0 server renegotiations requested 2010.09.08 14:34:39 LOG7[1392:2328]: 0 session cache hits 2010.09.08 14:34:39 LOG7[1392:2328]: 0 external session cache hits 2010.09.08 14:34:39 LOG7[1392:2328]: 0 session cache misses 2010.09.08 14:34:39 LOG7[1392:2328]: 0 session cache timeouts 2010.09.08 14:34:39 LOG6[1392:2328]: SSL connected: new session negotiated 2010.09.08 14:34:39 LOG6[1392:2328]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 2010.09.08 14:34:44 LOG7[1392:2328]: SSL socket closed on SSL_read 2010.09.08 14:34:44 LOG7[1392:2328]: Socket write shutdown 2010.09.08 14:34:44 LOG5[1392:2328]: Connection closed: 8 bytes sent to SSL, 48 bytes sent to socket 2010.09.08 14:34:44 LOG7[1392:2328]: Service exchange finished (0 left) -- --- "Is real reporting dead? News at 11!"

1 0

Re: [stunnel-users] Individual user certs for each person who uses Windows PC
by Bucci, David G 07 Sep '10

07 Sep '10

Thx for replying, Scott ... how did you handle multiple users on the PC, though? They all shared that cert? I thought about having a single location and copying to there on user login (from a standard location in a user's home dir, e.g.) ... then firing up stunnel ... but it seems like so much can go wrong, resulting in User B accessing using User A's certificate (because the copy failed, e.g.). And we're leery of exposing User A's cert to User B - especially since stunnel doesn't support encryption of the user's key, right? So the permissions would be a little tricky and maybe fragile. Seems like there should be a straightforward way to do it, dadnabit! ________________________________ From: Scott Gifford <sgifford(a)suspectclass.com> To: Bucci, David G Cc: stunnel-users(a)mirt.net <stunnel-users(a)mirt.net> Sent: Mon Aug 30 17:41:09 2010 Subject: EXTERNAL: Re: [stunnel-users] Individual user certs for each person who uses Windows PC On Mon, Aug 30, 2010 at 3:41 PM, Bucci, David G <david.g.bucci(a)lmco.com<mailto:david.g.bucci@lmco.com>> wrote: [ ... ] I've tried using envvars in the stunnel.conf (e.g., cert = %USERPROFILE%\usercert.pem), tried adjusting the command line to include "-p %USERPROFILE%\usercert.pem" as an option ... We implemented something similar by simply making a "C:\stunnel" directory on each PC, naming the certificate the same thing on all machines, then hardcoding that path into the stunnel configuration (e.g. "C:\stunnel\usercert.pem"). Not quite as nice as %USERPROFILE%\usercert.pem, but it worked. :-) Hope this is helpful, ----Scott.

5 11

Honor --sysconfdir and --localstatedir in stunnel.conf-sample.in
by Sebastian Kayser 01 Sep '10

01 Sep '10

Hi, I am packaging stunnel for opencsw.org. Would you guys mind merging a patch [1] to make use of --sysconfdir and --localstatedir (instead of @prefix@/{etc,var}) in the sample configuration file? Currently, if --sysconfdir and --localstatedir are passed to ./configure and are not a directory below prefix, the configuration file doesn't reflect this layout. The patch is against 4.33. Fedora seems to carry the same change [2]. Sebastian [1]http://gar.svn.sf.net/svnroot/gar/csw/mgar/pkg/stunnel/trunk/files/0001-M… [2]http://lists.fedoraproject.org/pipermail/scm-commits/2010-March/413078.ht…

3 4