April 2011 - stunnel-users

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

patch for using stunnel as client with pkcs11-engine and opensc smartcard
by Märt Laak 29 Jan '12

29 Jan '12

Dear stunnel managers, I would like to inform you that there exist some incompatibility with stunnel and openssl pkcs11-engine with external PIN entry device (like RSA smartcard using opensc) in Linux. We use this config to load openssl engine stunnel.conf: --- engine=dynamic engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so engineCtrl=ID:pkcs11 engineCtrl=LIST_ADD:1 engineCtrl=LOAD engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so engineCtrl=INIT --- Problem is, with this setup stunnel does not allow user to enter PIN for the secret key. Instead it tries to get secret key without PIN, 3 times (and then therefore usually blocks card PIN) and retires: ---- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect ---- I discovered workaround that is valid form version 4.26 till current 4.34, as follows, NULL-ing the ui_data.method property in ctx.c: --- diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c *** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300 --- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300 *************** *** 304,309 **** --- 304,310 ---- UI_method_set_reader(ui_method, pin_cb); #else /* USE_WIN32 */ ui_method=UI_OpenSSL(); + ui_data.section = NULL; #endif /* USE_WIN32 */ if(section->engine) for(i=1; i<=3; i++) { --- After that patch private key loads correctly: --- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 private key loaded --- It would be nice if: * somebody investigates more precisely why the OpenSSL PIN entry is not showing with unpached stunnel * include my or better patch for this situation Thank you very much for excellent piece of software! With best regards, Märt Laak

2 2

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] Temporary failure in name resolution, (Michal Trojnara)
by Phil Wieland 08 May '11

08 May '11

On 30/04/11 11:00, stunnel-users-request(a)stunnel.org wrote: > > Your stunnel.conf contains: > chroot = /var/lib/stunnel4/ > > Unfortunately this directory does not contain resolver configuration > files: [] >> > These are WITHOUT the suggested patch, I am not really equipped for >> > building on this server. > The patch should solve your problem by causing stunnel to wait until your > resolver is available before chroot(2) is executed. > > Workarounds: > 1. mkdir /var/lib/stunnel4/etc&& cp /etc/resolv.conf > /var/lib/stunnel4/etc/ > 2. Use IP address instead of host names in your stunnel.conf > 3. Add static IP address of your remote host to /etc/hosts > > Best regards, > Mike > > Many thanks for the analysis, Mike. I'll have to organise myself to build so I can apply the patch. Can I be really cheeky and ask one more question? Why does the problem not go away when my resolver is available - Shouldn't stunnel look again for this stuff after getting a temporary error? Thanks again, Phil

2 2

transparent = source, stunnel connect always times out
by Robert Hardy 05 May '11

05 May '11

I've been fighting with stunnel, trying to get its transparent proxy support to work. No matter what I do, as soon as transparent = source support is turned on, tests with my mail client just time out. If I turn transparent proxy support off it works but appears as if connections are from localhost, which is undesirable. My goal is to have stunnel listen on *:465 and provide SSL protected connectivity, which appear to arrive from the remote client IP, on my mail server's external IP address on port 25. My mail server and the firewall with the rules on it are the same physical machine. Can someone please make some suggestions as to what else I can try to get this working? I'm running Linux 2.6.38 on a current CentOS/rhel5 box and I've got modules built for most netfilter options, including: NF_CONNTRACK=m NETFILTER_TPROXY=m NETFILTER_XT_MATCH_SOCKET=m NETFILTER_XT_TARGET_TPROXY=m /proc/sys/net/ipv4/conf/all/rp_filter = 0 /proc/sys/net/ipv4/ip_forward = 1 This is my stunnel config: cert = /etc/stunnel/assps.crt key = /etc/stunnel/assps.key pid = /var/run/stunnel/stunnel_smtps.pid verify = 0 debug = 7 output = /var/log/stunnel_smtps.log TIMEOUTconnect = 60 [smtps] accept = 465 connect = MY_EXTERNAL_IP:25 transparent = source My stunnel seems happy with the DH Parameters in my cert file. My firewall relevant rules: iptables -t mangle -N DIVERT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 # stunnel -version stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 July 2008 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = daemon.notice pid = /var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH curve = sect163r2 session = 300 seconds stack = 65536 bytes sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none # stunnel -sockets Socket option defaults: Option Accept Local Remote OS default SO_DEBUG -- -- -- 0 SO_DONTROUTE -- -- -- 0 SO_KEEPALIVE -- -- -- 0 SO_LINGER -- -- -- 0:0 SO_OOBINLINE -- -- -- 0 SO_RCVBUF -- -- -- 87380 SO_SNDBUF -- -- -- 16384 SO_RCVLOWAT -- -- -- 1 SO_SNDLOWAT -- -- -- 1 SO_RCVTIMEO -- -- -- 0:0 SO_SNDTIMEO -- -- -- 0:0 SO_REUSEADDR 1 -- -- 0 SO_BINDTODEVICE -- -- -- -- TCP_KEEPCNT -- -- -- 9 TCP_KEEPIDLE -- -- -- 7200 TCP_KEEPINTVL -- -- -- 75 IP_TOS -- -- -- 0 IP_TTL -- -- -- 64 TCP_NODELAY -- -- -- 0 Here is the log file with the connection timeout: 2011.03.20 15:26:43 LOG5[23214:3073877712]: Reading configuration from file /etc/stunnel/stunnel-assp_smtps.conf 2011.03.20 15:26:43 LOG7[23214:3073877712]: Snagged 64 random bytes from /root/.rnd 2011.03.20 15:26:43 LOG7[23214:3073877712]: Wrote 1024 new random bytes to /root/.rnd 2011.03.20 15:26:43 LOG7[23214:3073877712]: PRNG seeded successfully 2011.03.20 15:26:43 LOG7[23214:3073877712]: Using DH parameters from /etc/stunnel/assps.crt 2011.03.20 15:26:43 LOG6[23214:3073877712]: DH initialized with 512 bit key 2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate: /etc/stunnel/assps.crt 2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate loaded 2011.03.20 15:26:43 LOG7[23214:3073877712]: Key file: /etc/stunnel/assps.key 2011.03.20 15:26:43 LOG7[23214:3073877712]: Private key loaded 2011.03.20 15:26:43 LOG7[23214:3073877712]: SSL context initialized for service smtps 2011.03.20 15:26:43 LOG5[23214:3073877712]: Configuration successful 2011.03.20 15:26:43 LOG5[23214:3073877712]: No limit detected for the number of clients 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=3 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=8 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=9 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=10 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: accept socket: FD=11 allocated (non-blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: Option SO_REUSEADDR set on accept socket 2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps bound to 0.0.0.0:465 2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps opened FD=11 2011.03.20 15:26:44 LOG7[23220:3073877712]: Created pid file /var/run/stunnel/stunnel_smtps.pid 2011.03.20 15:26:44 LOG5[23220:3073877712]: stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 2011.03.20 15:26:44 LOG5[23220:3073877712]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2011.03.20 15:26:56 LOG7[23220:3073877712]: local socket: FD=0 allocated (non-blocking mode) 2011.03.20 15:26:56 LOG7[23220:3073877712]: Service smtps accepted FD=0 from MY_TESTING_CLIENT_IP:56765 2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps started 2011.03.20 15:26:56 LOG7[23220:3073874832]: Option TCP_NODELAY set on local socket 2011.03.20 15:26:56 LOG7[23220:3073874832]: Waiting for a libwrap process 2011.03.20 15:26:56 LOG7[23220:3073874832]: Acquired libwrap process #0 2011.03.20 15:26:56 LOG7[23220:3073874832]: Releasing libwrap process #0 2011.03.20 15:26:56 LOG7[23220:3073874832]: Released libwrap process #0 2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps permitted by libwrap from MY_TESTING_CLIENT_IP:56765 2011.03.20 15:26:56 LOG5[23220:3073874832]: Service smtps accepted connection from MY_TESTING_CLIENT_IP:56765 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): before/accept initialization 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client hello A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write server hello A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate request A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client key exchange A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read finished A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write change cipher spec A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write finished A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data 2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 items in the session cache 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects (SSL_connect()) 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects that finished 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client renegotiations requested 2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects (SSL_accept()) 2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects that finished 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 server renegotiations requested 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache hits 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 external session cache hits 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache misses 2011.03.20 15:26:57 LOG7[23220:3073874832]: 0 session cache timeouts 2011.03.20 15:26:57 LOG6[23220:3073874832]: SSL accepted: new session negotiated 2011.03.20 15:26:57 LOG6[23220:3073874832]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2011.03.20 15:26:57 LOG7[23220:3073874832]: remote socket: FD=1 allocated (non-blocking mode) 2011.03.20 15:26:57 LOG6[23220:3073874832]: local_bind succeeded on the original port 2011.03.20 15:26:57 LOG6[23220:3073874832]: connect_blocking: connecting MY_EXTERNAL_IP:25 2011.03.20 15:26:57 LOG7[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: waiting 60 seconds 2011.03.20 15:27:57 LOG3[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: TIMEOUTconnect exceeded 2011.03.20 15:27:57 LOG5[23220:3073874832]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.03.20 15:27:57 LOG7[23220:3073874832]: Service smtps finished (0 left) 2011.03.20 15:29:21 LOG7[23220:3073877712]: Dispatching signals from the signal pipe 2011.03.20 15:29:21 LOG5[23220:3073877712]: Received signal 15; terminating 2011.03.20 15:29:21 LOG7[23220:3073877712]: removing pid file /var/run/stunnel/stunnel_smtps.pid The only even slightly odd thing I see other than the timeouts is the " 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate" I'm not sure what that is about, but it doesn't seem critical...

2 3

Re: [stunnel-users] Temporary failure in name resolution (Michal Trojnara)
by Phil Wieland 29 Apr '11

29 Apr '11

I attach two strace reports, strace-good shows a successful use, strace-bad shows it failing after a reboot. In both cases I just telnet to localhost 55899, which gives the smtp server's banner in the good case. ltrace craps out with a [pid 1107] +++ killed by SIGTRAP +++ in both cases, and doesn't show anything useful. These are WITHOUT the suggested patch, I am not really equipped for building on this server. Phil

2 1

Re: [stunnel-users] Réf. : Re: Tr : Réf. : Re: Need some informations about stunnel(AC,?crl ?files)
by Ludolf Holzheid 29 Apr '11

29 Apr '11

On Fri, 2011-04-29 15:39:45 +0200, laurent.uk(a)bnpparibas.com wrote: > Dear Ludolf thank you for your response. > > I have another question. > > Is it possible to have 2 stunnel running on the same server? > > 1 stunnel with no client's certificate verification (verify = 0) with a > specific port > > and 1 stunnel with client's certificate verification (verify = 3) with > other specific port You may run as many instances of stunnel as you like, as long as they don't share listening ports (accept=...) or pid files (pid=...). Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid(a)bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------

1 0

Re: [stunnel-users] Tr : Réf. : Re: Need some informations about stunnel (AC,?crl?files)
by Ludolf Holzheid 28 Apr '11

28 Apr '11

On Thu, 2011-04-28 17:06:28 +0200, laurent.uk(a)bnpparibas.com wrote: > Dear Ludolf i need some help with the verify option. > > I want to check the certificate client in my machine and also check if the > certificate's client is in the crl list. > > You said that " > If you are using verify=3, stunnel checks client certificates against > the set of certificates in CApath or CAfile, not against CAs and CRLs." > > Is it possible to check client certificates with certificates in CaPath > and also with CRls? Laurent, By installing a certificate (to CApath or CAfile), you express your trust in the certificate. For the client certificates, you could either o implicitly trust all certificates signed by an installed CA certificate and not yet revoked (verify=2), or o explicitly trust installed client certificates (verify=3). In both cases, all installed certificates are fully trusted. Cross-checking a trusted (client-) certificate against an other trusted (CA-) certificate does not raise security or trustworthiness. In order to revoke a client certificate in verify=3 mode, just uninstall it. Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid(a)bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------

1 0

Delay before sending server hello
by Dan Price 28 Apr '11

28 Apr '11

I am using stunnel to accept TLS connections. I'm opening eight connections at virtually the same time, and occasionally see that for one of the connections, the handshake does not complete - stunnel does not send the server hello, and the client usually resets the connection. I did manage to capture one instance where stunnel sends the server hello, but it is delayed by over a minute. I upgraded to version 4.35, and I see the same behavior. I set debug=debug, and captured what I think are the relevant logs (through write server hello). I kept the logs for the successful connection (59924) that came in after the failed one (59923). Apr 27 13:21:22 cm stunnel: LOG7[10357:1431918272]: local socket: FD=15 allocated (non-blocking mode) Apr 27 13:21:22 cm stunnel: LOG7[10357:1431918272]: Service msrp accepted FD=15 from ::ffff:10.50.2.11:59923 Apr 27 13:21:22 cm stunnel: LOG7[10357:1431918272]: local socket: FD=16 allocated (non-blocking mode) Apr 27 13:21:22 cm stunnel: LOG7[10357:1431918272]: Service msrp accepted FD=16 from ::ffff:10.50.2.11:59924 Apr 27 13:21:22 cm stunnel: LOG7[10357:1431989136]: Service msrp started Apr 27 13:21:22 cm stunnel: LOG7[10357:1431989136]: Waiting for a libwrap process Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: Service msrp started Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: Waiting for a libwrap process Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: Acquired libwrap process #1 Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: Releasing libwrap process #1 Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: Released libwrap process #1 Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: Service msrp permitted by libwrap from ::ffff:10.50.2.11:59924 Apr 27 13:21:22 cm stunnel: LOG5[10357:1433471888]: Service msrp accepted connection from ::ffff:10.50.2.11:59924 Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: SSL state (accept): before/accept initialization Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: SSL state (accept): SSLv3 read client hello A Apr 27 13:21:22 cm stunnel: LOG7[10357:1433471888]: SSL state (accept): SSLv3 write server hello A Apr 27 13:22:38 cm stunnel: LOG7[10357:1431989136]: Acquired libwrap process #4 Apr 27 13:22:38 cm stunnel: LOG7[10357:1431989136]: Releasing libwrap process #4 Apr 27 13:22:38 cm stunnel: LOG7[10357:1431989136]: Released libwrap process #4 Apr 27 13:22:38 cm stunnel: LOG7[10357:1431989136]: Service msrp permitted by libwrap from ::ffff:10.50.2.11:59923 Apr 27 13:22:38 cm stunnel: LOG5[10357:1431989136]: Service msrp accepted connection from ::ffff:10.50.2.11:59923 Apr 27 13:22:38 cm stunnel: LOG7[10357:1431989136]: SSL state (accept): before/accept initialization Apr 27 13:22:38 cm stunnel: LOG7[10357:1431989136]: SSL state (accept): SSLv3 read client hello A Apr 27 13:22:38 cm stunnel: LOG7[10357:1431989136]: SSL state (accept): SSLv3 write server hello A Thanks, Dan

1 0

Does stunnel support startTLS?
by Markus Borst 28 Apr '11

28 Apr '11

Stunnel supports encryption in the "old" ssl style extra port configuration (i.e. imaps on port 993) where the encryption is negotiated immediately upon start of the connection. Does stunnel also support the startTLS method? i.e. a clear text connection is established (imap on port 143) and one of the first imap commands is startTLS, which negotiates the encryption and protects the connection from that time onwards. I know that supporting startTLS is a lot harder, since it means sniffing commands in the higher level protocol, but we need it nevertheless. (In fact, our imap server does support startTLS, but it does _not_ support importing an external certificate, which is why I'm looking for an external solution.) From reading the documentation I'm not sure whether stunnel supports startTLS, there are a few option descriptions which might point to startTLS, but I'm not sure. Anybody knows the definite answer? Greetings Markus Borst -- TU Darmstadt Hochschulrechenzentrum (HRZ) Markus Borst Adresse: Petersenstrasse 30, 64287 Darmstadt, Germany Tel.: 06151/16-2056 Email: M.Borst(a)hrz.tu-darmstadt.de

2 3