stunnel-users November 2011

stunnel-users@stunnel.org

23 participants
29 discussions

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

stunnel and hosts.allow
by Yousef Alhashemi 05 Jul '16

05 Jul '16

Hi, This may be a little bit off-topic, but does anyone here use stunnel with pan? My connections to stunnel (in pan) are always refused by libwrap. I was looking for the right rule to add to /etc/hosts.allow but nothing seems to work aside from "ALL : ALL" (which is obviously not good) and "nntps: KNOWN". Is the latter reasonable? The hosts_access(5) manpage is confusing to say the least. It mentions that daemon (the first token on any line) is the name of the daemon running the process, which would be "stunnel" in my case, but using "stunnel : LOCAL" or even "stunnel : ALL" doesn't work. The rule that seems to work, as mentioned, is "nntps : KNOWN" ("nntps" being the group name in stunnel.conf). What's even more confusing to me is that "nntps : LOCAL" does not work either. Nor does "nntps : localhost 127.0.0.1", "nntps : localhost", "nntps : 127.0.0.1", or "nntps : 192.168.1.". Pan is running on the same machine as stunnel so all connections must be coming from localhost. Why do these rules not trigger? Either way, I'd like to know the "least permissive" hosts.allow rule that would allow me to connect to my news provider from pan, and/or whether "nntps : KNOWN" is a safe option. Thanks, Yousef

3 6

stunnel.conf in %USERAPPDATA%
by Sebastian Rose-Indorf 19 Mar '12

19 Mar '12

Hello, I use Stunnel with Windows. The configuration file "stunnel.conf" and the log file "stunnel.log" are in the %USERAPPDATA%\Stunnel folder. Stunnel starts and works without problems. But the GUI options "Edit stunnel.conf" and "Reload stunnel.conf" do not work. Is remedy possible? Sebastian

2 3

patch for using stunnel as client with pkcs11-engine and opensc smartcard
by Märt Laak 29 Jan '12

29 Jan '12

Dear stunnel managers, I would like to inform you that there exist some incompatibility with stunnel and openssl pkcs11-engine with external PIN entry device (like RSA smartcard using opensc) in Linux. We use this config to load openssl engine stunnel.conf: --- engine=dynamic engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so engineCtrl=ID:pkcs11 engineCtrl=LIST_ADD:1 engineCtrl=LOAD engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so engineCtrl=INIT --- Problem is, with this setup stunnel does not allow user to enter PIN for the secret key. Instead it tries to get secret key without PIN, 3 times (and then therefore usually blocks card PIN) and retires: ---- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect ---- I discovered workaround that is valid form version 4.26 till current 4.34, as follows, NULL-ing the ui_data.method property in ctx.c: --- diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c *** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300 --- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300 *************** *** 304,309 **** --- 304,310 ---- UI_method_set_reader(ui_method, pin_cb); #else /* USE_WIN32 */ ui_method=UI_OpenSSL(); + ui_data.section = NULL; #endif /* USE_WIN32 */ if(section->engine) for(i=1; i<=3; i++) { --- After that patch private key loads correctly: --- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 private key loaded --- It would be nice if: * somebody investigates more precisely why the OpenSSL PIN entry is not showing with unpached stunnel * include my or better patch for this situation Thank you very much for excellent piece of software! With best regards, Märt Laak

2 2

Stunnel 4.33 last one to work with VM & IMAP
by Drew McDermott 11 Jan '12

11 Jan '12

I am running VM 8.1, the Emacs mail reader, connecting via imap to gmail. It can be made to work with stunnel 4.33 providing the encryption, but any version after that causes VM to choke when fetching messages, generating the following error message: vm-imap-protocol-error: IMAP protocol error: "unexpected char (10)" Not being an expert in any of the programs that are chained together to make my e-mail setup work, I was able to trace this no deeper than the point where VM reads the buffer Emacs uses for interprocess communication. Sure enough, there is a linefeed in a place where it isn't expected, but it also happens to be the first character in the sequence: " Process IMAP over SSL finished " which may be there because of problems deeper than the representation of "newline." At the end of this message I give my attempt to represent the complete contents of the buffer with name "trace of IMAP over SSL session to imap.gmail.com." The ^M's were inserted by hand because cutting and pasting didn't seem to reproduce them. I realize that I am providing quite a bit of information from VM, and none from stunnel, which is frustrating in an stunnel forum, but I am a complete newbie regarding stunnel. I would be glad to run further experiments with guidance on how to get stunnel itself to generate more useful information. The only reason I suspect it is that installing version 4.33 fixes the problem; but I realize it may be that VM or some other component is violating the rules somehow. When I say "any version after" 4.33, I mean that I have tried 4.35, the version installed by MacPorts; and 4.49, the latest stable version, recompiled by hand. They behave identically. -- Drew McDermott Professor of Computer Science Yale Computer Science Department The interprocess-communication buffer (everything between the dashes, including the newline after "finished," but not including the newline before "starting"): --------------- starting IMAP over SSL session Tue Nov 29 14:20:01 2011 connecting to imap.gmail.com:993 connected * OK Gimap ready for requests from 128.36.148.241 s17if7011003qao.19 VM CAPABILITY Process IMAP over SSL finished ---------------

2 3

FIPS_mode_set error
by Stefano Lodi 02 Dec '11

02 Dec '11

The problem referred to by Koenraad affects Windows 7 32 bit as well. Anyway fips=no fixes it.

2 1

Key and Certificate file issue!
by Hamid.Shahid＠sungard.com 30 Nov '11

30 Nov '11

Hi, I am trying to establish a SSL connection with a remote server on a random port 10170. I have got a public key from the server side. And I have sent my public key to the server. And I am trying to use my certificate file and the public key of the server like this. cert = sunPrimary.pem key = sunStunnel.pem But the problem is both the public key from server and my own certificate file starts with "-----BEGIN CERTIFICATE-----" by default. So now, if I don't change the "-----BEGIN CERTIFICATE-----" header of the my certificate to "-----BEGIN PRIVATE KEY-----" I get errors and if I change it to private key and make the public key of the server as certificate then I still get errors. Please let me know, how can I use the key and certificate together. Thanks. Kind Regards, Hamid Shahid

2 3

Pop3, CAPA before STLS (allow stunnel to work with android devices using proto pop3 option).
by Anthony Morgan 30 Nov '11

30 Nov '11

Hi, I'm running a pop3 server on a non-standard port and having stunnel listen on both 110 and 995 like so: [pop3_ssl] accept = 995 connect = ... [pop3_tls] accept = 110 connect = ... protocol = pop3 When connecting from an android device (2.3 on Nexus S at least), it confirms the server supports STLS using CAPA (and seemingly will not configure otherwise), so I modified protocol.c to announce support: < fdputline(c, c->local_wfd.fd, "+OK Stunnel capability list follows"); < fdputline(c, c->local_wfd.fd, "STLS"); < fdputline(c, c->local_wfd.fd, "."); --- > fdputline(c, c->local_wfd.fd, "-ERR Stunnel does not support capabilities"); It seems to me that there is no harm in this, because the RFC states that the client MUST recheck the servers capabilities with another CAPA command after starting TLS. It may be better to check the servers actual capabilities, add STLS to them and return that, but this does work. Any thoughts or comments? Tony Morgan --- Sent from Post.fm

1 0

FIPS_mode_set error
by Koenraad Lelong 29 Nov '11

29 Nov '11

Hi, I have an application which uses stunnel. Using stunnel 4.25 everything works fine. If I replace this with stunnel 4.49, I get an error, see the log : No limit detected for the number of clients make_sockets: s_socket#1: FD=228 allocated (blocking mode) make_sockets: s_socket#2: FD=232 allocated (blocking mode) make_sockets: s_accept: FD=236 allocated (non-blocking mode) stunnel 4.49 on x86-pc-mingw32-gnu platform Compiled/running with OpenSSL 0.9.8r-fips 8 Feb 2011 Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6 Reading configuration from file stunnel.conf FIPS_mode_set: 2D06906E: error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match Server is down My stunnel.conf : cert = my.keycrt socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 verify = 3 CApath = certs CAfile = cacert.pem debug = 7 ; output = c:\Program Files\stunnel\stunnel.log client = yes [Server] accept = 6051 connect = server.example.com:8051 What am I doing wrong ? I'm trying this on Win7-64bit. On WinXP-32bit it works fine. Thanks for any clarification, Regards, Koenraad Lelong.

2 2

stunnel 4.49 released
by Michal Trojnara 28 Nov '11

28 Nov '11

Dear Users, I have released version 4.49 of stunnel. The ChangeLog entry: Version 4.49, 2011.11.28, urgency: MEDIUM: * Bugfixes - Missing Microsoft Visual C++ Redistributable (msvcr100.dll) required by FIPS-compliant OpenSSL library was added to the Windows installer. - A bug was fixed causing crashes on MacOS X and some other platforms. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.49.tar.gz: dcb0e1f21e9fcf56f4d67bc7a5a4ef8720845b61063a749953417db2616cb20d Best regards, Mike

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users November 2011