April 2011 - stunnel-users

Stunnel 4.33 released
by Michal Trojnara 22 Apr '11

22 Apr '11

The ChangeLog entry: Version 4.33, 2010.04.05, urgency: MEDIUM: * New features - Win32 DLLs for OpenSSL 1.0.0. This library requires to c_rehash CApath/CRLpath directories on upgrade. - Win32 DLLs for zlib 1.2.4. - Experimental support for local mode on WIN32 platform. Try "exec = c:\windows\system32\cmd.exe". * Bugfixes - Inetd mode fixed SHA-1 value for stunnel-4.33.tar.gz: 695c7ef834952cb8ddbc790e10b6e32798fc2767 Home page: http://stunnel.mirt.net/ Download: ftp://stunnel.mirt.net/stunnel/ Best regards, Michal Trojnara

4 6

Possible leak in client.c:init_ssl()
by Sven Ulland 16 Apr '11

16 Apr '11

Quick summary: Stunnel 4.35 configured with four services. As clients connect, the main stunnel process grows a lot in vsz/rss memory. With a lot of clients connecting, it quickly grows to several gigabytes rss. The use case is quite special: The multithreaded download accelerator 'axel' is used to download large files using 800 simultaneous threads. The downloads are from China, so the network performance is horrible, and connections are reset/broken all the time, so there is lots of new connections created constantly. Up to four axel instances run at the same time, so we're talking 3200 simultaneous connections. Over a short 2h timespan, nearly 30000 connections have been set up (ref attached stunnel.log). The memory use increases over time, often in very large steps. As connections finish and the transfers stop (i.e. no active connections at all), the memory is not released. A similar issue was reported in 2008 [1]. Attached are the following files: stunnel.conf: Four services, no special config. Debug level 5. massif.out.excerpt.txt: Valgrind Massif output. The Massif log indicates that most of the memory is allocated through client.c:init_ssl(), by libssl and zlib. I haven't looked too much at the code yet, but could this be related to the high rate of connection resets/timeouts, combined with connection/session reuse? sven [1]: possible stunnel memory leak Message-ID: <47E8E0AD.8010709(a)eu.citrix.com> http://www.stunnel.org/pipermail/stunnel-users/2008-March/001903.html

4 5

Re: [stunnel-users] Weird error when trying to use 512bit RSA key
by Leandro Avila 12 Apr '11

12 Apr '11

The problem seems to be the key size If you use a 512 key for stunnel it works However, when the key used by stunnel is 1024 and you try to use the EXP-RC4-MD5 cipher, a temporary 512 key is generated BUT that fails. So I tested: Stunnel 4.35 and OpenSSL 1.0.0d Using a 512 RSA key and EXP-RC4-MD5 works Using a 1025 RSA key and EXP-RC4-MD5 fails Looks more like an OpenSSL thing. I'm uncertain about how this situation is handled in the protocol spec. When the server has a 1024 key but the client wants to negotiate with a smaller key. Cheers ----------------- Leandro Avila ----- Original Message ----- From:Outofwall.com <root(a)outofwall.com> To:stunnel-users-bounces@stunnel.org; stunnel-users(a)stunnel.org Cc: Sent:Monday, April 11, 2011 10:39 PM Subject:Re: [stunnel-users] Weird error when trying to use 512bit RSA key In fact, I'm using TLSv1, just use the custom ciphers list. Here's what I have on the server side: ciphers EXP-RC4-MD5:ALL and test sunyc@www:~$ openssl s_client -tls1 -connect ssl.sgivpn.info:443 -cipher EXP-RC4-MD5 CONNECTED(00000003) depth=0 /C=US/ST=CA/O=XXX verify error:num=18:self signed certificate verify return:1 depth=0 /C=US/ST=CA/O=XXX verify return:1 32684:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1093:SSL alert number 40 32684:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530: Error: Apr 11 18:57:35 localhost stunnel: LOG3[8319:139884220368640]: SSL_accept: 1409B11A: error:1409B11A:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:error generating tmp rsa key Both client and server is running ubuntu 10.04, with openssl 0.9.8k I think. Cheers. _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users

1 0

Re: [stunnel-users] Weird error when trying to use 512bit RSA key
by Outofwall.com 12 Apr '11

12 Apr '11

In fact, I'm using TLSv1, just use the custom ciphers list. Here's what I have on the server side: ciphers EXP-RC4-MD5:ALL and test sunyc@www:~$ openssl s_client -tls1 -connect ssl.sgivpn.info:443 -cipher EXP-RC4-MD5 CONNECTED(00000003) depth=0 /C=US/ST=CA/O=XXX verify error:num=18:self signed certificate verify return:1 depth=0 /C=US/ST=CA/O=XXX verify return:1 32684:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1093:SSL alert number 40 32684:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530: Error: Apr 11 18:57:35 localhost stunnel: LOG3[8319:139884220368640]: SSL_accept: 1409B11A: error:1409B11A:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:error generating tmp rsa key Both client and server is running ubuntu 10.04, with openssl 0.9.8k I think. Cheers.

1 0

The verify=3 option in client mode
by Philipp Hartwig 09 Apr '11

09 Apr '11

Hello, I'm using stunnel in client mode to provide an SSL connection for offlineimap[1] which does not support verification of SSL certificates. As I've read stunnel does not compare the name of the server offering the certificate to the server name mentioned in the certificate (in the CN field for example). So if I used the following section in my stunnel.conf client=yes [imaps] accept = 127.0.0.1:4322 connect = imap.gmail.com:993 CAfile = /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt verify = 2 stunnel would happily accept any certificate signed by Equifax for an arbitrary website. Is this correct? So I've switched to using the verify=3 option and I just want to make sure I configured it correctly. I'm now using the following section client=yes [imaps] accept = 127.0.0.1:4322 connect = imap.gmail.com:993 CAfile= /home/ph/.certs/imaps.pem verify = 3 imaps.pem is a file containing two certificates, namely the first and the last certificate in the certificate chain of imap.gmail.com, that is the Equifax CA certificate and the server certificate itself. I then use offlineimap to establish an unencrypted connection to 127.0.0.1:4322. My understanding is that stunnel will now exclusively accept the server certificate stored in the imaps.pem file rendering all MITM attacks impossible. I'd be grateful if someone could confirm that this setup makes sense. Is this the way the verify=3 option is supposed to use? First I thought that it should be enough to just provide the server certificate in the imaps.pem file, but then openssl would complain about a self-signed certificate, so I included the CA certificate as well. Regards, Philipp [1] https://github.com/jgoerzen/offlineimap/wiki/

2 3

Is local mode on WIN32 working?
by Joerg Behrend 09 Apr '11

09 Apr '11

The changelog of stunnel 4.33 states that "Experimental support for local mode on WIN32 platform" is working and that should be tried exec = c:\windows\system32\cmd.exe In practice, it is for me not working, a connection is accepted but always reset with the stunnel log message: readsocket: Connection reset by peer (WSAECONNRESET) (10054) It was tested using the 4.35 Windows installer. Are there other requirements or settings necessary? Is a recompilation with special options senseful? Thanks! Joerg

1 0

issue making stunnel 4.35 use an apache http proxy to go out?
by Matt Wise 08 Apr '11

08 Apr '11

I've got an Apache proxy on port 3128 that will allow our clients to get outbound with a 'CONNECT" to a few services.. I'm trying to make stunnel use this service, and it seems to be ignoring my configuration completely. Tcpdumps show NO packets going outbound on port 3128... any ideas what i'm doing wrong? This config allows an inbound connection to port 1234 to hit port 2345 (a local service), while also handling the setup of an inbound connection to localhost:514 to a remote host on port 1514... debug = 7 pid = /var/run/stunnel.pid service = stunnel syslog = yes foreground = no socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 fips = no # Localhost:1234 hits localhost:2345 [cseservices] client = no accept = 1234 connect = 127.0.0.1:2345 CAfile = /etc/stunnel/ssl/tunnel-CAs.cert.pem cert = /etc/stunnel/ssl/server.pub key = /etc/stunnel/ssl/server.key verify = 2 ## Localhost:514 hits remotehost:1514 [syslog] client = yes accept = 514 connect = xxx:1514 CAfile = /var/lib/puppet/ssl/certs/ca.pem key = /var/lib/puppet/ssl/private_keys/xxx.pem cert = /var/lib/puppet/ssl/certs/xxx.pem session = 5 TIMEOUTidle = 600 TIMEOUTbusy = 600 TIMEOUTclose = 300 TIMEOUTconnect = 10 verify = 2 protocol=connect protocolHost=proxy:3128 protocolAuthentication=basic —Matt

1 1

Re: [stunnel-users] stunnel through elb.. need packets sent semi-frequently
by Leandro Avila 08 Apr '11

08 Apr '11

Hi I'm not sure this will work, but have you checked the option TIMEOUTidle = <num_seconds> ? Sounds to me like the setting you might be looking for ----------------- Leandro Avila ----- Original Message ----- From:Matt Wise <mwise(a)netflix.com> To:"stunnel-users(a)stunnel.org" <stunnel-users(a)stunnel.org> Cc: Sent:Thursday, April 7, 2011 6:04 PM Subject:Re: [stunnel-users] stunnel through elb.. need packets sent semi-frequently I'm using stunnel to pass some data through an Amazon ELB. Unfortunately, there are times when the session times out due to packets not passing for 60 seconds (an amazon ELB timeout). I'm wondering whether theres some way I can configure stunnel itself to pass some whitespaces or something back and forth every few seconds to make sure the session stays open and live? (and yes, I'm posing the same question to the app developer who's ap we're passing through.. but I'm looking at both avenues.. ) _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users

3 2

stunnel through elb.. need packets sent semi-frequently
by Matt Wise 08 Apr '11

08 Apr '11

I'm using stunnel to pass some data through an Amazon ELB. Unfortunately, there are times when the session times out due to packets not passing for 60 seconds (an amazon ELB timeout). I'm wondering whether theres some way I can configure stunnel itself to pass some whitespaces or something back and forth every few seconds to make sure the session stays open and live? (and yes, I'm posing the same question to the app developer who's ap we're passing through.. but I'm looking at both avenues.. )

2 2

Re: [stunnel-users] STunnel server handshake fails
by Leandro Avila 08 Apr '11

08 Apr '11

Hello, I think you probably want to use the sslVersion = TLSv1 setting in your configuration. Instead of the options for OpenSSL Hope that helps ----------------- Leandro Avila ________________________________ From: John C. Kadyk <jckadyk(a)pacbell.net> To: stunnel-users(a)stunnel.org Sent: Thursday, April 7, 2011 7:06 PM Subject: Re: [stunnel-users] STunnel server handshake fails STunnel server handshake fails I'm trying to set up STunnel so our non-SSL network scanner can email scans through our email server, which requires TLS. A desktop email client with the same server/port settings can send email OK. I think I have STunnel configured correctly, but there's a handshake failure when it tries to connect to the server. STunnel seems to be attempting an SSLv3 connection even though I turned that option off in the config file. I want to force it to use TLS but not sure how to do that. Any suggestions greatly appreciated. Here's the config file: cert = stunnel.pem ;key = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS options = NO_SSLv2 options = NO_SSLv3 ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 ;output = stunnel.log ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 1025 connect = mail022-1.exch022.serverdata.net:1025 <http://mail022-1.exch022.serverdata.net:1025> ;[https] ;accept = 443 ;connect = 80 ;TIMEOUTclose = 0 ; vim:ft=dosini and here's the log: 2011.04.07 16:41:04 LOG5[3744:516]: Reading configuration from file stunnel.conf 2011.04.07 16:41:04 LOG7[3744:516]: Snagged 64 random bytes from C:/.rnd 2011.04.07 16:41:04 LOG7[3744:516]: Wrote 1024 new random bytes to C:/.rnd 2011.04.07 16:41:04 LOG7[3744:516]: PRNG seeded successfully 2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000 2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004 2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem 2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded 2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem 2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded 2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service pop3s 2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000 2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004 2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem 2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded 2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem 2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded 2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service imaps 2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000 2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004 2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem 2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded 2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem 2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded 2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service ssmtp 2011.04.07 16:41:04 LOG5[3744:516]: Configuration successful 2011.04.07 16:41:04 LOG5[3744:516]: No limit detected for the number of clients 2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=136 allocated (non-blocking mode) 2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket 2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s bound to 0.0.0.0:995 <http://0.0.0.0:995> 2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s opened FD=136 2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=124 allocated (non-blocking mode) 2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket 2011.04.07 16:41:04 LOG7[3744:516]: Service imaps bound to 0.0.0.0:993 <http://0.0.0.0:993> 2011.04.07 16:41:04 LOG7[3744:516]: Service imaps opened FD=124 2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=148 allocated (non-blocking mode) 2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket 2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp bound to 0.0.0.0:1025 <http://0.0.0.0:1025> 2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp opened FD=148 2011.04.07 16:41:04 LOG5[3744:516]: stunnel 4.35 on x86-pc-mingw32-gnu with OpenSSL 1.0.0c 2 Dec 2010 2011.04.07 16:41:04 LOG5[3744:516]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6 2011.04.07 16:41:17 LOG7[3744:2436]: local socket: FD=232 allocated (non-blocking mode) 2011.04.07 16:41:17 LOG7[3744:2436]: Service ssmtp accepted FD=232 from 10.10.17.57:49968 <http://10.10.17.57:49968> 2011.04.07 16:41:17 LOG7[3744:2436]: Creating a new thread 2011.04.07 16:41:17 LOG7[3744:2436]: New thread created 2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp started 2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on local socket 2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp accepted connection from 10.10.17.57:49968 <http://10.10.17.57:49968> 2011.04.07 16:41:17 LOG7[3744:4012]: remote socket: FD=268 allocated (non-blocking mode) 2011.04.07 16:41:17 LOG6[3744:4012]: connect_blocking: connecting 64.78.22.98:1025 <http://64.78.22.98:1025> 2011.04.07 16:41:17 LOG5[3744:4012]: connect_blocking: connected 64.78.22.98:1025 <http://64.78.22.98:1025> 2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp connected remote server from 10.10.17.249:4081 <http://10.10.17.249:4081> 2011.04.07 16:41:17 LOG7[3744:4012]: Remote FD=268 initialized 2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on remote socket 2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): before/connect initialization 2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): SSLv3 write client hello A 2011.04.07 16:41:17 LOG7[3744:4012]: SSL alert (write): fatal: handshake failure 2011.04.07 16:41:17 LOG3[3744:4012]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number 2011.04.07 16:41:17 LOG5[3744:4012]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp finished (0 left) Any suggestions greatly appreciated. Thanks! John _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users

1 0