stunnel-users September 2011

stunnel-users@stunnel.org

17 participants
18 discussions

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

stunnel and hosts.allow
by Yousef Alhashemi 05 Jul '16

05 Jul '16

Hi, This may be a little bit off-topic, but does anyone here use stunnel with pan? My connections to stunnel (in pan) are always refused by libwrap. I was looking for the right rule to add to /etc/hosts.allow but nothing seems to work aside from "ALL : ALL" (which is obviously not good) and "nntps: KNOWN". Is the latter reasonable? The hosts_access(5) manpage is confusing to say the least. It mentions that daemon (the first token on any line) is the name of the daemon running the process, which would be "stunnel" in my case, but using "stunnel : LOCAL" or even "stunnel : ALL" doesn't work. The rule that seems to work, as mentioned, is "nntps : KNOWN" ("nntps" being the group name in stunnel.conf). What's even more confusing to me is that "nntps : LOCAL" does not work either. Nor does "nntps : localhost 127.0.0.1", "nntps : localhost", "nntps : 127.0.0.1", or "nntps : 192.168.1.". Pan is running on the same machine as stunnel so all connections must be coming from localhost. Why do these rules not trigger? Either way, I'd like to know the "least permissive" hosts.allow rule that would allow me to connect to my news provider from pan, and/or whether "nntps : KNOWN" is a safe option. Thanks, Yousef

3 6

patch for using stunnel as client with pkcs11-engine and opensc smartcard
by Märt Laak 29 Jan '12

29 Jan '12

Dear stunnel managers, I would like to inform you that there exist some incompatibility with stunnel and openssl pkcs11-engine with external PIN entry device (like RSA smartcard using opensc) in Linux. We use this config to load openssl engine stunnel.conf: --- engine=dynamic engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so engineCtrl=ID:pkcs11 engineCtrl=LIST_ADD:1 engineCtrl=LOAD engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so engineCtrl=INIT --- Problem is, with this setup stunnel does not allow user to enter PIN for the secret key. Instead it tries to get secret key without PIN, 3 times (and then therefore usually blocks card PIN) and retires: ---- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect ---- I discovered workaround that is valid form version 4.26 till current 4.34, as follows, NULL-ing the ui_data.method property in ctx.c: --- diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c *** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300 --- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300 *************** *** 304,309 **** --- 304,310 ---- UI_method_set_reader(ui_method, pin_cb); #else /* USE_WIN32 */ ui_method=UI_OpenSSL(); + ui_data.section = NULL; #endif /* USE_WIN32 */ if(section->engine) for(i=1; i<=3; i++) { --- After that patch private key loads correctly: --- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 private key loaded --- It would be nice if: * somebody investigates more precisely why the OpenSSL PIN entry is not showing with unpached stunnel * include my or better patch for this situation Thank you very much for excellent piece of software! With best regards, Märt Laak

2 2

Error detected on socket (read) file descriptor: Broken pipe (32)
by Alex Magee 08 Nov '11

08 Nov '11

Hello, I'm trying to use stunnel to workaround a wine bug which prevents an old Windows mail client from accessing my mail server through a pop3s 995 port. I'm not an expert on linux, stunnel, sockets or ssl. The process seems to start off well, establishes a connection to the correct remote mail server, and negotiates an ssl connection, but then terminates with: Error detected on socket (read) file descriptor: Broken pipe (32) I've played with various settings in the stunnel.conf file, but with no success. A Google search turned up one other example of this problem back in Nov 2010, but no solution was forthcoming. Does anyone have any suggestions of what might be the problem? The level 7 debug stunnel.log file follows at the end, with TCP addresses masked. The system is SUSE Linux 11.4. Using the latest versions of ssl and stunnel. Thanks, Alex stunnel.log -------------- local socket: FD=0 allocated (non-blocking mode) Service pmail-pop3 accepted FD=0 from 127.0.0.1:48828 Service pmail-pop3 started Option TCP_NODELAY set on local socket Service pmail-pop3 accepted connection from 127.0.0.1:48828 remote socket: FD=1 allocated (non-blocking mode) connect_blocking: connecting xxx.xxx.xxx.xxx:995 connect_blocking: s_poll_wait xxx.xxx.xxx.xxx:995: waiting 10 seconds connect_blocking: connected xxx.xxx.xxx.xxx:995 Service pmail-pop3 connected remote server from 192.168.1.47:46187 Remote FD=1 initialized Option TCP_NODELAY set on remote socket SNI: host name: yyy.yyy.yyy..com SSL state (connect): before/connect initialization SSL state (connect): SSLv3 write client hello A SSL state (connect): SSLv3 read server hello A SSL state (connect): SSLv3 read server certificate A SSL state (connect): SSLv3 read server done A SSL state (connect): SSLv3 write client key exchange A SSL state (connect): SSLv3 write change cipher spec A SSL state (connect): SSLv3 write finished A SSL state (connect): SSLv3 flush data SSL state (connect): SSLv3 read finished A 1 items in the session cache 1 client connects (SSL_connect()) 1 client connects that finished 0 client renegotiations requested 0 server connects (SSL_accept()) 0 server connects that finished 0 server renegotiations requested 0 session cache hits 0 external session cache hits 0 session cache misses 0 session cache timeouts SSL connected: new session negotiated Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 Socket closed on read Sending SSL write shutdown Error detected on socket (read) file descriptor: Broken pipe (32) Connection reset: 79 bytes sent to SSL, 64 bytes sent to socket Service pmail-pop3 finished (0 left) str_stats: 0 block(s), 0 byte(s)

2 2

stunnel.exe stops connecting
by Mike Brazil 27 Sep '11

27 Sep '11

I'm running stunnel 4.44 for both POP3 and SMTP with my email client, Outlook Express, and my Spam filter, Cactus Spam. The OS is Win XP SP3. I have added the following to stunnel.conf: client = yes debug = debug [pop3s] accept = 127.0.0.1:11010 connect = camel.arvixe.com:995 [ssmtp] accept = 25 connect = camel.arvixe.com:465 Other than adding those lines, I've not changed anything in the rest of stunnel.conf as it comes with the program. When I boot the computer, Outlook Express, Cactus Spam, and stunnel all start and function correctly. However, after a period of time (a few hours -- I haven't yet pinned down whether there is a specific length to the time period), something goes wrong with stunnel, in that it stops communicating with Outlook Express, and it's CPU usage goes up to 25% (quad-core Intel CPU) and stays at that level indefinitely until I terminate the process. It is only the stunnel.exe process that is affected -- the service continues to run without error. I then restart stunnel.exe, and it works normally once again for a few hours. I usually become aware that stunnel has stopped connecting with Outlook Express when I come back to the computer after a few hours away from it, so I have so far been unable to see whether anything observable occurs when it gets into trouble or whether the length of time it ran properly varies or is constant. -- Mike Brazil mike(a)milibra.net

1 0

stunnel 4.44 - tools/Makefile $(ssldir) vs $(SSLDIR)
by Sebastian Kayser 27 Sep '11

27 Sep '11

Hi, I am building a recent stunnel version for Solaris via opencsw.org and with 4.44 it seems as if --with-ssl is used to AC_SUBST([SSLDIR]), yet tools/Makefile uses lowercase $(ssldir). Lead to an empty expansion and failed calls to openssl in my case. $ grep -i ssldir Makefile tools/Makefile Makefile:SSLDIR = /opt/csw tools/Makefile:SSLDIR = /opt/csw tools/Makefile:openssl = $(ssldir)/bin/openssl Sebastian

1 0

Certificates
by Cary Corse 17 Sep '11

17 Sep '11

I'm trying to use stunnel to connect to a secure server for syslogging. I have a certificate from the central logging server. How do I load this into stunnel so that I can connect? Cheers and thanks Cary

4 4

stunnel 4.44 released
by Michal Trojnara 17 Sep '11

17 Sep '11

Dear Users, I have released version 4.44 of stunnel. The ChangeLog entry: Version 4.44, 2011.09.17, urgency: MEDIUM: * New features - Major automake/autoconf cleanup. - Heap buffer overflow protection with canaries. - Stack buffer overflow protection with -fstack-protector. * Bugfixes - Fixed garbled error messages on errors with setuid/setgid options. - SNI fixes (thx to Alexey Drozdov). - Use after free in fdprintf() (thx to Alexey Drozdov). This issue might cause GPF with "protocol" or "ident" options. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.44.tar.gz: fa0dfc33f323abfbc94aa993d90d37481cd2f652ee93ec2f8c333ac7a496c7b9 Best regards, Mike

1 0

Goldmine 6.7 behind a Server
by Blake Miller 16 Sep '11

16 Sep '11

We are planning to transition our email service to Google Apps with our Goldmine 6.7 Corporate Edition so need to use Stunnel. We have Goldmine setup and run from a central Server and a shared/networked drive F: Each client machine runs Goldmine, BUT via the server path noted earlier. When logged in locally to the server and running Goldmine locally, everything works great. Stunnel is connected, we're able to send/receive email, etc. However from a remote machine, it doesn't work. Have tried installing stunnel on the local machine. Have tried accessing the said ports via the Server's IP address from within the network. And have hacked around different config setups without luck. Being a NOOB with Stunnel, we're at a loss with further configuration without literally 'hacking around' in the dark any further. Our config file is just below Thanks in advance. Blake ; **************************************************************************** * ; * Global Options * ; **************************************************************************** * ; Debugging stuff (may useful for troubleshooting) debug = 7 output = stunnel.log ; **************************************************************************** * ; * Service Defaults (may also be specified in individual service sections) * ; **************************************************************************** * ; Certificate/key is needed in server mode and optional in client mode cert = stunnel.pem ;key = stunnel.pem ; Authentication stuff needs to be configured to prevent MITM attacks ; It is not enabled by default! ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively CRLfile can be used ;CRLfile = crls.pem ; Disable support for insecure SSLv2 protocol options = NO_SSLv2 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; The following options provide additional security at some performance penalty ; Default ECDH/DH parameters are strong/conservative, so it is quite safe to ; comment out these lines in order to get a performance boost options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; **************************************************************************** * ; * Service Definitions (at least one service has to be defined) * ; **************************************************************************** * ; Example SSL server mode services ;[pop3s] ;accept = 995 ;connect = 110 ;[imaps] ;accept = 993 ;connect = 143 ;[ssmtp] ;accept = 465 ;connect = 25 ; Example SSL client mode services [gmail-pop3] client = yes accept = 127.0.0.1:9995 connect = pop.gmail.com:995 [gmail-smtp] client = yes accept = 127.0.0.1:4465 connect = smtp.gmail.com:465 ;[gmail-imap] ;client = yes ;accept = 127.0.0.1:143 ;connect = imap.gmail.com:993 ; Certificate/key is needed in server mode and optional in client mode cert = stunnel.pem ;key = stunnel.pem

3 4

stunnel claims it needs certificate
by JOSE 14 Sep '11

14 Sep '11

Hi I am trying to get stunnel stunnel 4.36 on ia64-hp-hpux11.23 with OpenSSL 0.9.8o 01 Jun 2010 working on this server and so far I have generated a new pem file as per the instructions, but it is the time to make to run, it keeps looking for a certificate for one of the services: bash-3.2# /opt/iexpress/stunnel/bin/stunnel /opt/iexpress/stunnel/etc/stunnel/stunnel.conf Reading configuration from file /opt/iexpress/stunnel/etc/stunnel/stunnel.conf Snagged 64 random bytes from /opt/iexpress/stunnel/etc/stunnel/stunnel.rnd Wrote 1024 new random bytes to /opt/iexpress/stunnel/etc/stunnel/stunnel.rnd PRNG seeded successfully Line 37: End of section revnet_preprod_sunquest: SSL server needs a certificate my conf file is as follows: bash-3.2# more /opt/iexpress/stunnel/etc/stunnel/stunnel.conf # Sample stunnel configuration file #RNDfile=/opt/hpws/apache/stunnel/.stunnel.rnd RNDfile=/opt/iexpress/stunnel/etc/stunnel/stunnel.rnd # Chroot #chroot = /var/chroot/stunnel/ # PID is created inside chroot jail #pid = /opt/hpws/apache/logs/stunnel.pid pid = /opt/iexpress/stunnel/etc/stunnel/stunnel.pid # Workaround for Eudora bug #options = DONT_INSERT_EMPTY_FRAGMENTS # Client Authentication #verify = 2 # don't forget about c_rehash CApath # it is located inside chroot jail: #CApath = /certs # or simply use CAfile instead: #CAfile = /opt/hpws/apache/conf/certs.pem # Some debugging stuff debug = 7 output = /opt/hpws/apache/logs/stunnel.log # Use in client mode client = no # Run in the background foreground = no # Service-level configuration [revnet_preprod_sunquest] accept = 10.99.10.37:8011 connect = 127.0.0.1:18011 #connect = 18011 [revnet_preprod_funsun] accept = 10.99.10.37:8017 connect = 127.0.0.1:18017 #connect = 18017 any help or tips would be welcome Thanks Jose

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users September 2011