February 2011 - stunnel-users

X-Forwarded-For / X-Forwarded-Proto
by Stefan Behte 09 Feb '11

09 Feb '11

Hello Michal, I've read that you prefer not to support X-Forwarded-For because an old code had a buffer overflow and did not support keep-alive functions of HTTP/1.1. I believe the overflow was fixed in the newer version of the patch I've attached. IMHO the patch will still be very useful, even if it does not support keep-alive: often in high-performence setups keep-alive is not even desired because it fills up ressources needlessly. Even if this does not provide all features, a lot of people would be satisfied with it. There is a great desire for this patch, if one searches for "stunnel x-forwarded-for" on google, you will find more than 60 pages and not only a few dozens of blogs/mailing lists that discuss applying the patch and getting it to work as an SSL terminator for loadbalancing software. And last, I know that the patch (the one Willy Tarreau is hosting on haproxy.1wt.eu and is attached) is in use at several high-traffic websites and runs stable. ;) If it's too much of a hassle for you to review and/or integrate the patch, I can understand that very well, I'd just like to open a discussion and would like to know if you have concerns regarding the patch quality, even if you do not want to include the patch at this time. :) Best regards, Stefan Behte

2 1

stunnel HUP bug
by Stefan Behte 09 Feb '11

09 Feb '11

Hi, kill -HUP does not seem to work for me with 4.35, I always get: 2011.02.07 17:51:25 LOG5[14988:139705784043264]: Received signal 15; terminating Best regards, Stefan Behte Babiel GmbH Moskauer Str. 27 D-40227 Düsseldorf Tel: 0211-179349 0 Fax: 0211-179349 29 E-Mail: S.Behte(a)babiel.com Internet: http://www.babiel.com

2 6

stunnel libwrap/tcpwrapper bug (patch included)
by Stefan Behte 09 Feb '11

09 Feb '11

Hi, I stumbled upon a really old bug in stunnel: ./configure --enable-libwrap && make [...] mv -f .deps/pty.Tpo .deps/pty.Po gcc -DPACKAGE_NAME=\"stunnel\" -DPACKAGE_TARNAME=\"stunnel\" -DPACKAGE_VERSION=\"4.35\" -DPACKAGE_STRING=\"stunnel\ 4.35\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DPACKAGE=\"stunnel\" -DVERSION=\"4.35\" -D_GNU_SOURCE=1 -DHOST=\"i686-pc-linux-gnu\" -DCPU_I686=1 -DVENDOR_PC=1 -DOS_LINUX_GNU=1 -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DSIZEOF_UNSIGNED_CHAR=1 -DSIZEOF_UNSIGNED_SHORT=2 -DSIZEOF_UNSIGNED_INT=4 -DSIZEOF_UNSIGNED_LONG=4 -DHAVE_DEV_PTMX=1 -DRANDOM_FILE=\"/dev/urandom\" -DHAVE_UCONTEXT_H=1 -DHAVE_PTHREAD_H=1 -DHAVE_SYS_SELECT_H=1 -DHAVE_POLL_H=1 -DHAVE_SYS_POLL_H=1 -DHAVE_TCPD_H=1 -DHAVE_SYS_IOCTL_H=1 -DHAVE_STROPTS_H=1 -DHAVE_GRP_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_RESOURCE_H=1 -DHAVE_PTY_H=1 -DHAVE_SYS_SOCKET_H=1 -DHAVE_STRUCT_MSGHDR_MSG_CONTROL=1 -DHAVE_MSGHDR_MSG_CONTROL=1 -DHAVE_LINUX_NETFILTER_IPV4_H=1 -DHAVE_LIBUTIL=1 -DHAVE_LIBDL=1 -DHAVE_LIBZ=1 -DHAVE_LIBPTHREAD=1 -DUSE_PTHREAD=1 -DHAVE_SNPRINTF=1 -DHAVE_VSNPRINTF=1 -DHAVE_OPENPTY=1 -DHAVE_DAEMON=1 -DHAVE_WAITPID=1 -DHAVE_WAIT4=1 -DHAVE_SETSID=1 -DHAVE_SETGROUPS=1 -DHAVE_CHROOT=1 -DHAVE_SYSCONF=1 -DHAVE_GETRLIMIT=1 -DHAVE_PTHREAD_SIGMASK=1 -DHAVE_LOCALTIME_R=1 -DHAVE_GETCONTEXT=1 -DHAVE_POLL=1 -DHAVE_ENDHOSTENT=1 -DHAVE_GETNAMEINFO=1 -DHAVE_GETADDRINFO=1 -DHAVE_PIPE2=1 -DHAVE_ACCEPT4=1 -DHAVE_OPENSSL=1 -Dssldir=\"/usr\" -DHAVE_OSSL_ENGINE_H=1 -DUSE_IPv6=1 -DHAVE_LIBWRAP=1 -I. -I/usr/kerberos/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -g -O2 -Wall -Wextra -pedantic -Wno-long-long -I/usr/include -MT libwrap.o -MD -MP -MF .deps/libwrap.Tpo -c -o libwrap.o libwrap.c libwrap.c: In function 'libwrap_init': libwrap.c:91: warning: ignoring return value of 'write', declared with attribute warn_unused_result mv -f .deps/libwrap.Tpo .deps/libwrap.Po /bin/sh ../libtool --tag=CC --mode=link gcc -g -O2 -Wall -Wextra -pedantic -Wno-long-long -I/usr/include -o stunnel file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o libwrap.o -lz -ldl -lutil -lnsl -lpthread -L/usr/lib64 -L/usr/lib -lssl -lcrypto /bin/sh: warning: setlocale: LC_ALL: cannot change locale (c) libtool: link: gcc -g -O2 -Wall -Wextra -pedantic -Wno-long-long -I/usr/include -o stunnel file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o libwrap.o -lz -ldl -lutil -lnsl -lpthread -L/usr/lib64 -L/usr/lib -lssl -lcrypto libwrap.o: In function `check': /usr/portage/distfiles/stunnel-4.35/src/libwrap.c:194: undefined reference to `request_init' /usr/portage/distfiles/stunnel-4.35/src/libwrap.c:195: undefined reference to `sock_host' /usr/portage/distfiles/stunnel-4.35/src/libwrap.c:196: undefined reference to `hosts_access' collect2: ld returned 1 exit status make[1]: *** [stunnel] Error 1 make[1]: Leaving directory `/usr/portage/distfiles/stunnel-4.35/src' make: *** [all-recursive] Error 1 The attached patch solves the problem; it would be cool, if you could include it in the next release. Best regards Stefan Behte Babiel GmbH Moskauer Strasse 27 D-40227 Düsseldorf Tel: 0211-179349 0 Fax: 0211-179349 29 E-Mail: S.Behte(a)babiel.com Internet: http://www.babiel.com Geschäftsführer: Georg Babiel, Dr. Rainer Babiel, Harald Babiel Amtsgericht Düsseldorf HRB 38633 ~~~~~~~~~~~~~~ DISCLAIMER ~~~~~~~~~~~~~~~ The information transmitted in this electronic mail message may contain confidential and or privileged materials. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you receive such e-mails in error, please contact the sender and delete the material from any computer.

2 2

Using CA intyermediate on stunnel problem
by Abdelkarim Mateos Sanchez 08 Feb '11

08 Feb '11

Hi. We are using RapidSSL certificate for my hosts. We are using stunnel for ASSP (AntiSpam Proxy System) We are trying use this certificate but get some errors. We are looking for solution but problem persist, cert = /etc/stunnel/cpanel.pem chroot = /usr/local/cpanel/var/run/stunnel-assp/ pid = /stunnel.pid setuid = stunnel setgid = stunnel output = /var/log/stunnel.log [ssmtp] accept = 465 connect = 127.0.0.2:26 #CAfile = /etc/stunnel/cpanel.cabundle #CApath = /etc/stunnel/rapidssl/ When try connect get this error depth=0 /serialNumber=cso/HwRW/nTj87jIivvttDvfpI7rUt2c/C=ES/O=genesis.islaserver.com/OU=GT15685418/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=genesis.islaserver.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /serialNumber=cso/HwRW/nTj87jIivvttDvfpI7rUt2c/C=ES/O=genesis.islaserver.com/OU=GT15685418/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=genesis.islaserver.com verify error:num=27:certificate not trusted verify return:1 depth=0 /serialNumber=cso/HwRW/nTj87jIivvttDvfpI7rUt2c/C=ES/O=genesis.islaserver.com/OU=GT15685418/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=genesis.islaserver.com verify error:num=21:unable to verify the first certificate verify return:1 Of /etc/stunnel/cpanel.pem there're KEY and CERT for host CA intermediate certificate for RapidSSL I'm lost. Apreciate help.

2 1

stunnel 4.35 released
by Michal Trojnara 05 Feb '11

05 Feb '11

Dear Users, I'm pleased to announce long-awaited version 4.35 of stunnel. The ChangeLog entry: * New features - Updated Win32 DLLs for OpenSSL 1.0.0c. - Transparent source (non-local bind) added for FreeBSD 8.x. - Transparent destination ("transparent = destination") added for Linux. * Bugfixes - Fixed reload of FIPS-enabled stunnel. - Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc. - Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler. - CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments. - Directory lib64 included in the OpenSSL library search path. - Windows CE compilation fixes (thx to Pierre Delaage). - Deprecated RSA_generate_key() replaced with RSA_generate_key_ex(). * Domain name changes (courtesy of Bri Hatch) - http://stunnel.mirt.net/ --> http://www.stunnel.org/ - ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/ - stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel - stunnel-users(a)mirt.net --> stunnel-users(a)stunnel.org - stunnel-announce(a)mirt.net --> stunnel-announce(a)stunnel.org Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.35.tar.gz: a810e220498239483e14fae24eeb2a188a6167e9118958b903f8793768c4460f Best regards, Mike

1 0

Compiling with ./configure --enable-fips option
by Lewis, Joseph E Sr Mr CTR USA USA 01 Feb '11

01 Feb '11

I am having a problem with compiling with fips enable mode on. The default is suppose to fips enabled but when the configure runs with no options it states that fips is not enabled and the make runs successfully. When I use the –enable-fips option, the configure runs just fine but the make fails with : In file included from common.h:374, from file.c:38: /usr/include/openssl/fips.h:69:2: error: #error FIPS is disabled. make: 1254-004 The error code from the last command is 1. Stop. make: 1254-004 The error code from the last command is 1. Stop. IBM support assures me that FIPS is enabled. At this point I am stuck and do not know what to do next. Can anyone offer any suggestions? My system, oslevel, ssl level, etc… are as follows: $ uname -a AIX velssi02 3 5 00C866124C00 $oslevel –s AIX 5300-12-02-1036 $ lslpp -l | grep libc bos.rte.libc 5.3.12.2 COMMITTED libc Library bos.rte.libcfg 5.3.12.1 COMMITTED libcfg Library bos.rte.libcur 5.3.11.0 COMMITTED libcurses Library $ gcc -v Using built-in specs. Target: powerpc-ibm-aix5.3.0.0 Configured with: ../configure --with-as=/usr/bin/as --with-ld=/usr/bin/ld --enable-languages=c,c++,java --prefix=/opt/freeware --enable-threads --enable-version-specific-runtime-libs --host=powerpc-ibm-aix5.3.0.0 --target=powerpc-ibm-aix5.3.0.0 --build=powerpc-ibm-aix5.3.0.0 --disable-libjava-multilib Thread model: aix gcc version 4.2.0 $ ssh –V OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009 stunnel-4.34 $ /usr/local/bin/stunnel/stunnel -version stunnel 4.32 on powerpc-ibm-aix5.3.0.0 with OpenSSL 0.9.8k-fips 25 Mar 2009 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Global options debug = daemon.notice pid = /usr/local/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH session = 300 seconds stack = 65536 bytes sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none

2 2

malformed packets - follow-up
by Jean-Yves F. Barbier 01 Feb '11

01 Feb '11

Hi list, After asking a friend about these errors, it appear they come from large packets reassembly; so my questions are: does it come from stunnel or http-tunnel? & if it is stunnel, is there an easy way to fine tune the max packet size? JY -- We totally deny the allegations, and we're trying to identify the allegators.

1 0