December 2011 - stunnel-users

Reload/change CRL?
by John Abloyer 14 Dec '11

14 Dec '11

Hi, Is there a way to reload CRL, or actually change to a newer, *without* restarting stunnel?

2 1

Is Stunnel Right Tool for....?
by Brian McGinity 13 Dec '11

13 Dec '11

Is Stunnel the right tool for this situation? I am using an Intel disk monitoring tool which has the ability to send out email alerts. In the Email Setup it asks for Host, From and To, there is not a username or pw. Could Stunnel be configured to add the username and pw and send the message to gmail's smtp?

2 1

stunnel-4.50 on Nexus S android
by Jason Haar 13 Dec '11

13 Dec '11

Hi there I'm trying out the stunnel android binary from 4.50 on a rooted 2.3.6 Android, mapping localhost port 80 to a remote client-cert protected ActiveSync server. It crashes after a client makes a connection. Here's the "debug = 7" logs 2011.12.14 07:44:55 LOG7[8738:2949960768]: Private key loaded 2011.12.14 07:44:55 LOG7[8738:2949960768]: SSL options set: 0x00000004 2011.12.14 07:44:55 LOG6[8738:2949960768]: SSL context initialized 2011.12.14 07:44:55 LOG5[8738:2949960768]: Configuration successful 2011.12.14 07:44:55 LOG7[8738:2949960768]: Option SO_REUSEADDR set on accept socket 2011.12.14 07:44:55 LOG7[8738:2949960768]: Service ActiveSync bound to 0.0.0.0:80 2011.12.14 07:44:55 LOG7[8738:2949960768]: Service ActiveSync opened FD=5 2011.12.14 07:44:55 LOG7[8738:2949960768]: Created pid file /data/local/etc/stunnel/pid 2011.12.14 07:44:59 LOG7[8738:2949960768]: Service ActiveSync accepted FD=6 from 127.0.0.1:58088 2011.12.14 07:44:59 LOG7[8738:1525312]: Service ActiveSync started 2011.12.14 07:44:59 LOG7[8738:1525312]: Option TCP_NODELAY set on local socket ...[I do "telnet 127.0.0.1 80" ] 2011.12.14 07:44:59 LOG5[8738:1525312]: Service ActiveSync accepted connection from 127.0.0.1:58088 Segmentation fault Any ideas how to debug this? I basically grabbed a working config off my Linux laptop and moved it over (different paths of course), so I assume the binary is missing something? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

2 1

unsubscribe
by Brian McGinity 13 Dec '11

13 Dec '11

Unsubscribe

1 0

SSL alert (write): fatal: protocol version
by René Legault 13 Dec '11

13 Dec '11

Hi, I have an issue when using Stunnel. Can somebody help me? I have a module on my network that sends non-SSL e-mail but my ISP (Sympatico.ca) is accepting only SSL communication. This is my stunnel.conf file: cert = stunnel.pem protocol = smtp ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log ; Use it for client mode client = yes ; Service-level configuration [smtp] accept=192.168.1.17:25 connect = smtphm.sympatico.ca:25 And this is my log: 2011.12.13 19:55:06 LOG7[2468:1644]: Service smtp accepted FD=316 from 192.168.1.200:12149 2011.12.13 19:55:06 LOG7[2468:1644]: Creating a new thread 2011.12.13 19:55:06 LOG7[2468:1644]: New thread created 2011.12.13 19:55:06 LOG7[2468:2684]: Service smtp started 2011.12.13 19:55:06 LOG5[2468:2684]: Service smtp accepted connection from 192.168.1.200:12149 2011.12.13 19:55:06 LOG6[2468:2684]: connect_blocking: connecting 65.55.172.251:25 2011.12.13 19:55:06 LOG7[2468:2684]: connect_blocking: s_poll_wait 65.55.172.251:25: waiting 10 seconds 2011.12.13 19:55:06 LOG5[2468:2684]: connect_blocking: connected 65.55.172.251:25 2011.12.13 19:55:06 LOG5[2468:2684]: Service smtp connected remote server from 192.168.1.17:3013 2011.12.13 19:55:06 LOG7[2468:2684]: Remote FD=392 initialized 2011.12.13 19:55:06 LOG6[2468:2684]: Client-mode smtp protocol negotiations started 2011.12.13 19:55:06 LOG7[2468:2684]: <- 220 BLU0-SMTP6.phx.gbl Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Tue, 13 Dec 2011 16:55:06 -0800 2011.12.13 19:55:06 LOG7[2468:2684]: -> 220 BLU0-SMTP6.phx.gbl Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Tue, 13 Dec 2011 16:55:06 -0800 2011.12.13 19:55:06 LOG7[2468:2684]: -> EHLO localhost 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-BLU0-SMTP6.phx.gbl Hello [65.94.163.170] 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-TURN 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-SIZE 41943040 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-ETRN 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-PIPELINING 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-DSN 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-ENHANCEDSTATUSCODES 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-8bitmime 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-BINARYMIME 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-CHUNKING 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-VRFY 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-TLS 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250-STARTTLS 2011.12.13 19:55:06 LOG7[2468:2684]: <- 250 OK 2011.12.13 19:55:06 LOG7[2468:2684]: -> STARTTLS 2011.12.13 19:55:06 LOG7[2468:2684]: <- 220 2.0.0 SMTP server ready 2011.12.13 19:55:06 LOG6[2468:2684]: Client-mode smtp protocol negotiations succeeded 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): before/connect initialization 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 write client hello A 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 read server hello A 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 read server certificate A 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 read server done A 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 write client key exchange A 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 write change cipher spec A 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 write finished A 2011.12.13 19:55:06 LOG7[2468:2684]: SSL state (connect): SSLv3 flush data 2011.12.13 19:55:07 LOG7[2468:2684]: SSL state (connect): SSLv3 read finished A 2011.12.13 19:55:07 LOG7[2468:2684]: 1 items in the session cache 2011.12.13 19:55:07 LOG7[2468:2684]: 86477 client connects (SSL_connect()) 2011.12.13 19:55:07 LOG7[2468:2684]: 86477 client connects that finished 2011.12.13 19:55:07 LOG7[2468:2684]: 0 client renegotiations requested 2011.12.13 19:55:07 LOG7[2468:2684]: 0 server connects (SSL_accept()) 2011.12.13 19:55:07 LOG7[2468:2684]: 0 server connects that finished 2011.12.13 19:55:07 LOG7[2468:2684]: 0 server renegotiations requested 2011.12.13 19:55:07 LOG7[2468:2684]: 0 session cache hits 2011.12.13 19:55:07 LOG7[2468:2684]: 0 external session cache hits 2011.12.13 19:55:07 LOG7[2468:2684]: 0 session cache misses 2011.12.13 19:55:07 LOG7[2468:2684]: 0 session cache timeouts 2011.12.13 19:55:07 LOG6[2468:2684]: SSL connected: new session negotiated 2011.12.13 19:55:07 LOG6[2468:2684]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 2011.12.13 19:55:07 LOG6[2468:2684]: Compression: null, expansion: null 2011.12.13 19:55:07 LOG7[2468:2684]: SSL alert (write): fatal: protocol version 2011.12.13 19:55:07 LOG3[2468:2684]: SSL_read: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number 2011.12.13 19:55:07 LOG5[2468:2684]: Connection reset: 19 bytes sent to SSL, 219 bytes sent to socket 2011.12.13 19:55:07 LOG7[2468:2684]: Service smtp finished (0 left) 2011.12.13 19:55:07 LOG7[2468:2684]: str_stats: 16 block(s), 353 data byte(s), 544 control byte(s) What am I doing wrong? Thanks Rene

1 0

Problems with Stunnel 4.5*
by Sebastian Rose-Indorf 12 Dec '11

12 Dec '11

Hello Mike, many thanks for your work. However, I have problems with the current Stunnel versions. (I work with Windows 64bit.) Stunnel 4.47 works without problems. Stunnel 4.51b1 however - starts only if "fips = no" is set; - not accepts my certificate and my private key (SHA384 or RMD160, AES128 or IDEA) any more: error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm Yours sincerely Sebastian

3 10

stunnel 4.50 released
by Michal Trojnara 12 Dec '11

12 Dec '11

Dear Users, I have released version 4.50 of stunnel. The ChangeLog entry: Version 4.50, 2011.12.03, urgency: MEDIUM: * New features - Added Android port. - Updated INSTALL.FIPS. * Bugfixes - Fixed internal memory allocation problem in inetd mode. - Fixed FIPS mode on Microsoft Vista, Server 2008, and Windows 7. This fix required to compile OpenSSL FIPS-compliant DLLs with MSVC 9.0, instead of MSVC 10.0. msvcr100.dll was replaced with msvcr90.dll. GPL compatibility issues are explained in the GPL FAQ: http://www.gnu.org/licenses/gpl-faq.html#WindowsRuntimeAndGPL - POP3 server-side protocol negotiation updated to report STLS capability (thx to Anthony Morgan). Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.50.tar.gz: 933467009529bae4f338bb20e758e0ea20b0759130e7695ea2193c4f270e5eaf Best regards, Mike

4 18

Problem with sslv2 clients
by Markus Borst 09 Dec '11

09 Dec '11

Hi, we have a strange problem with newer stunnel versions (4.50 on windows), compared to older ones (known to work is version 4.35). The problem seems to be, that if a client sends a SSLv2 Helo message, the stunnel server simply resets the TCP connection, without trying to negotioate anything. Setup: Stunnel is used top provide ssl/tls for imap, Hobbit is used to monitor service availability. The Hobbit module to monitor imaps seems to try SSLv2 first, but also supports newer versions (SSLv3 and TLSv1). The ssl connection never gets established, stunnel sends a tcp RST, hobbit never retries. We can force some hobbit modules to use TLSv1 exclusively, but not all of them. We fear that some older mailclients will also have problems initiating a connection, so we keep stunnel 4.35 running for now. stunnel.conf: fips = no debug = 7 output = stunnel.log [imaps] accept = 130.83.174.1:993 connect = 127.0.0.1:143 cert = imap.xxx.company.yy.pem stunnel.log: 2011.12.09 14:55:12 LOG5[6820:2144]: Service imaps accepted connection from xxx.yyy.zzz.105:45294 2011.12.09 14:55:12 LOG3[6820:2144]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number 2011.12.09 14:55:12 LOG5[6820:2144]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.12.09 14:55:12 LOG7[6820:2144]: Service imaps finished (0 left) 2011.12.09 14:55:12 LOG7[6820:2144]: str_stats: 0 block(s), 0 data byte(s), 0 control byte(s) Wireshark Packet Trace (see attached image). What's wrong here? Shouldn't client and server negotiate the methods used? The client seems to offer TLS ("Version: TLS 1.0 ..."), but instead of negotiating, the server simply closes the connection. Greetings Markus Borst

1 0

NFS over sTunnel
by Elodie BOSSIER 07 Dec '11

07 Dec '11

Greetings again, I have a problem to mount a NFS share via my sTunnel. If i don't use the stunnel it's work : #mount -t nfs 188.165.214.229:/home /mnt/nfs/ #df -h [...] 188.165.214.229:/home 7.2T 12G 6.9T 1% /mnt/nfs #umount /mnt/nfs but if i use the stunnel client it's don't work : #mount -t nfs 127.0.0.1:/home /mnt/nfs/ (.......sleep....... and i need to ctrl+C to stop my command) The log into the serveur is : 2011.12.08 00:55:54 LOG7[12438:140256813074176]: nfs accepted FD=18 from 178.33.214.192:8671 2011.12.08 00:55:54 LOG7[12438:140256812631808]: nfs started 2011.12.08 00:55:54 LOG7[12438:140256812631808]: FD 18 in non-blocking mode 2011.12.08 00:55:54 LOG7[12438:140256812631808]: TCP_NODELAY option set on local socket 2011.12.08 00:55:54 LOG7[12438:140256812631808]: Waiting for a libwrap process 2011.12.08 00:55:54 LOG7[12438:140256812631808]: Acquired libwrap process #0 2011.12.08 00:55:54 LOG7[12438:140256812631808]: Releasing libwrap process #0 2011.12.08 00:55:54 LOG7[12438:140256812631808]: Released libwrap process #0 2011.12.08 00:55:54 LOG7[12438:140256812631808]: nfs permitted by libwrap from 178.33.214.192:8671 2011.12.08 00:55:54 LOG5[12438:140256812631808]: nfs accepted connection from 178.33.214.192:8671 2011.12.08 00:55:54 LOG7[12438:140256812631808]: SSL state (accept): before/accept initialization 2011.12.08 00:55:54 LOG7[12438:140256812631808]: SSL state (accept): SSLv3 read client hello A 2011.12.08 00:55:54 LOG7[12438:140256812631808]: SSL state (accept): SSLv3 write server hello A 2011.12.08 00:55:54 LOG7[12438:140256812631808]: SSL state (accept): SSLv3 write change cipher spec A 2011.12.08 00:55:54 LOG7[12438:140256812631808]: SSL state (accept): SSLv3 write finished A 2011.12.08 00:55:54 LOG7[12438:140256812631808]: SSL state (accept): SSLv3 flush data 2011.12.08 00:55:54 LOG7[12438:140256812631808]: SSL state (accept): SSLv3 read finished A 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 1 items in the session cache 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 0 client connects (SSL_connect()) 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 0 client connects that finished 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 0 client renegotiations requested 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 12 server connects (SSL_accept()) 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 12 server connects that finished 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 0 server renegotiations requested 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 9 session cache hits 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 0 external session cache hits 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 0 session cache misses 2011.12.08 00:55:54 LOG7[12438:140256812631808]: 1 session cache timeouts 2011.12.08 00:55:54 LOG6[12438:140256812631808]: SSL accepted: previous session reused 2011.12.08 00:55:54 LOG7[12438:140256812631808]: FD 19 in non-blocking mode 2011.12.08 00:55:54 LOG6[12438:140256812631808]: connect_blocking: connecting 127.0.0.1:2049 2011.12.08 00:55:54 LOG7[12438:140256812631808]: connect_blocking: s_poll_wait 127.0.0.1:2049: waiting 10 seconds 2011.12.08 00:55:54 LOG5[12438:140256812631808]: connect_blocking: connected 127.0.0.1:2049 2011.12.08 00:55:54 LOG5[12438:140256812631808]: nfs connected remote server from 127.0.0.1:51193 2011.12.08 00:55:54 LOG7[12438:140256812631808]: Remote FD=19 initialized 2011.12.08 00:55:54 LOG7[12438:140256812631808]: TCP_NODELAY option set on remote socket ( my ctrl+C is here ) 2011.12.08 00:56:58 LOG7[12438:140256812631808]: SSL alert (read): warning: close notify 2011.12.08 00:56:58 LOG7[12438:140256812631808]: SSL closed on SSL_read 2011.12.08 00:56:58 LOG7[12438:140256812631808]: Socket write shutdown 2011.12.08 00:56:58 LOG7[12438:140256812631808]: Socket closed on read 2011.12.08 00:56:58 LOG7[12438:140256812631808]: SSL write shutdown 2011.12.08 00:56:58 LOG7[12438:140256812631808]: SSL alert (write): warning: close notify 2011.12.08 00:56:58 LOG6[12438:140256812631808]: SSL_shutdown successfully sent close_notify 2011.12.08 00:56:58 LOG5[12438:140256812631808]: Connection closed: 76 bytes sent to SSL, 164 bytes sent to socket 2011.12.08 00:56:58 LOG7[12438:140256812631808]: nfs finished (0 left) (End of the log server) My config client : [rquotad] accept = 1040 connect = 188.165.214.229:1041 [mountd] accept = 1048 connect = 188.165.214.229:1049 [nfs] accept = 2049 connect = 188.165.214.229:2050 [status] accept = 1039 connect = 188.165.214.229:1038 [portmapper] accept = 111 connect = 188.165.214.229:112 [nlockmgr] accept = 1047 connect = 188.165.214.229:1046 My config server : [rquotad] accept = 1041 connect = 1040 [mountd] accept = 1049 connect = 1048 [nfs] accept = 2050 connect = 2049 [status] accept = 1038 connect = 1039 [portmapper] accept = 112 connect = 111 [nlockmgr] accept = 1046 connect = 1047 Do you have an idea please ?

1 1

stunnel in client and server mode in same time
by Elodie BOSSIER 07 Dec '11

07 Dec '11

Greetings, I would like use stunnel in client & server mode but i don't find the way to do it, it's don't work My stunnel is a client of a remote MySQL server and a server of a NFS in local Do you have an idea please ?

4 3