stunnel-users September 2011

stunnel-users@stunnel.org

17 participants
18 discussions

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: … [View More]

5 9

stunnel and hosts.allow
by Yousef Alhashemi 05 Jul '16

05 Jul '16

Hi, This may be a little bit off-topic, but does anyone here use stunnel with pan? My connections to stunnel (in pan) are always refused by libwrap. I was looking for the right rule to add to /etc/hosts.allow but nothing seems to work aside from "ALL : ALL" (which is obviously not good) and "nntps: KNOWN". Is the latter reasonable? The hosts_access(5) manpage is confusing to say the least. It mentions that daemon (the first token on any line) is the name of the daemon running the process, … [View More]

3 6

patch for using stunnel as client with pkcs11-engine and opensc smartcard
by Märt Laak 29 Jan '12

29 Jan '12

Dear stunnel managers, I would like to inform you that there exist some incompatibility with stunnel and openssl pkcs11-engine with external PIN entry device (like RSA smartcard using opensc) in Linux. We use this config to load openssl engine stunnel.conf: --- engine=dynamic engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so engineCtrl=ID:pkcs11 engineCtrl=LIST_ADD:1 engineCtrl=LOAD engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so engineCtrl=INIT --- Problem is, with this setup stunnel … [View More]does not allow user to enter PIN for the secret key. Instead it tries to get secret key without PIN, 3 times (and then therefore usually blocks card PIN) and retires: ---- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect ---- I discovered workaround that is valid form version 4.26 till current 4.34, as follows, NULL-ing the ui_data.method property in ctx.c: --- diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c *** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300 --- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300 *************** *** 304,309 **** --- 304,310 ---- UI_method_set_reader(ui_method, pin_cb); #else /* USE_WIN32 */ ui_method=UI_OpenSSL(); + ui_data.section = NULL; #endif /* USE_WIN32 */ if(section->engine) for(i=1; i<=3; i++) { --- After that patch private key loads correctly: --- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 private key loaded --- It would be nice if: * somebody investigates more precisely why the OpenSSL PIN entry is not showing with unpached stunnel * include my or better patch for this situation Thank you very much for excellent piece of software! With best regards, Märt Laak [View Less]

2 2

Error detected on socket (read) file descriptor: Broken pipe (32)
by Alex Magee 08 Nov '11

08 Nov '11

Hello, I'm trying to use stunnel to workaround a wine bug which prevents an old Windows mail client from accessing my mail server through a pop3s 995 port. I'm not an expert on linux, stunnel, sockets or ssl. The process seems to start off well, establishes a connection to the correct remote mail server, and negotiates an ssl connection, but then terminates with: Error detected on socket (read) file descriptor: Broken pipe (32) I've played with various settings in the stunnel.conf … [View More]file, but with no success. A Google search turned up one other example of this problem back in Nov 2010, but no solution was forthcoming. Does anyone have any suggestions of what might be the problem? The level 7 debug stunnel.log file follows at the end, with TCP addresses masked. The system is SUSE Linux 11.4. Using the latest versions of ssl and stunnel. Thanks, Alex stunnel.log -------------- local socket: FD=0 allocated (non-blocking mode) Service pmail-pop3 accepted FD=0 from 127.0.0.1:48828 Service pmail-pop3 started Option TCP_NODELAY set on local socket Service pmail-pop3 accepted connection from 127.0.0.1:48828 remote socket: FD=1 allocated (non-blocking mode) connect_blocking: connecting xxx.xxx.xxx.xxx:995 connect_blocking: s_poll_wait xxx.xxx.xxx.xxx:995: waiting 10 seconds connect_blocking: connected xxx.xxx.xxx.xxx:995 Service pmail-pop3 connected remote server from 192.168.1.47:46187 Remote FD=1 initialized Option TCP_NODELAY set on remote socket SNI: host name: yyy.yyy.yyy..com SSL state (connect): before/connect initialization SSL state (connect): SSLv3 write client hello A SSL state (connect): SSLv3 read server hello A SSL state (connect): SSLv3 read server certificate A SSL state (connect): SSLv3 read server done A SSL state (connect): SSLv3 write client key exchange A SSL state (connect): SSLv3 write change cipher spec A SSL state (connect): SSLv3 write finished A SSL state (connect): SSLv3 flush data SSL state (connect): SSLv3 read finished A 1 items in the session cache 1 client connects (SSL_connect()) 1 client connects that finished 0 client renegotiations requested 0 server connects (SSL_accept()) 0 server connects that finished 0 server renegotiations requested 0 session cache hits 0 external session cache hits 0 session cache misses 0 session cache timeouts SSL connected: new session negotiated Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 Socket closed on read Sending SSL write shutdown Error detected on socket (read) file descriptor: Broken pipe (32) Connection reset: 79 bytes sent to SSL, 64 bytes sent to socket Service pmail-pop3 finished (0 left) str_stats: 0 block(s), 0 byte(s) [View Less]

2 2

stunnel.exe stops connecting
by Mike Brazil 27 Sep '11

27 Sep '11

I'm running stunnel 4.44 for both POP3 and SMTP with my email client, Outlook Express, and my Spam filter, Cactus Spam. The OS is Win XP SP3. I have added the following to stunnel.conf: client = yes debug = debug [pop3s] accept = 127.0.0.1:11010 connect = camel.arvixe.com:995 [ssmtp] accept = 25 connect = camel.arvixe.com:465 Other than adding those lines, I've not changed anything in the rest of stunnel.conf as it comes with the program. When I boot the computer, Outlook Express, Cactus … [View More]

1 0

stunnel 4.44 - tools/Makefile $(ssldir) vs $(SSLDIR)
by Sebastian Kayser 27 Sep '11

27 Sep '11

Hi, I am building a recent stunnel version for Solaris via opencsw.org and with 4.44 it seems as if --with-ssl is used to AC_SUBST([SSLDIR]), yet tools/Makefile uses lowercase $(ssldir). Lead to an empty expansion and failed calls to openssl in my case. $ grep -i ssldir Makefile tools/Makefile Makefile:SSLDIR = /opt/csw tools/Makefile:SSLDIR = /opt/csw tools/Makefile:openssl = $(ssldir)/bin/openssl Sebastian

1 0

Certificates
by Cary Corse 17 Sep '11

17 Sep '11

I'm trying to use stunnel to connect to a secure server for syslogging. I have a certificate from the central logging server. How do I load this into stunnel so that I can connect? Cheers and thanks Cary

4 4

stunnel 4.44 released
by Michal Trojnara 17 Sep '11

17 Sep '11

Dear Users, I have released version 4.44 of stunnel. The ChangeLog entry: Version 4.44, 2011.09.17, urgency: MEDIUM: * New features - Major automake/autoconf cleanup. - Heap buffer overflow protection with canaries. - Stack buffer overflow protection with -fstack-protector. * Bugfixes - Fixed garbled error messages on errors with setuid/setgid options. - SNI fixes (thx to Alexey Drozdov). - Use after free in fdprintf() (thx to Alexey Drozdov). This issue might cause … [View More]

1 0

Goldmine 6.7 behind a Server
by Blake Miller 16 Sep '11

16 Sep '11

We are planning to transition our email service to Google Apps with our Goldmine 6.7 Corporate Edition so need to use Stunnel. We have Goldmine setup and run from a central Server and a shared/networked drive F: Each client machine runs Goldmine, BUT via the server path noted earlier. When logged in locally to the server and running Goldmine locally, everything works great. Stunnel is connected, we're able to send/receive email, etc. However from a remote machine, it doesn't work. Have … [View More]tried installing stunnel on the local machine. Have tried accessing the said ports via the Server's IP address from within the network. And have hacked around different config setups without luck. Being a NOOB with Stunnel, we're at a loss with further configuration without literally 'hacking around' in the dark any further. Our config file is just below Thanks in advance. Blake ; **************************************************************************** * ; * Global Options * ; **************************************************************************** * ; Debugging stuff (may useful for troubleshooting) debug = 7 output = stunnel.log ; **************************************************************************** * ; * Service Defaults (may also be specified in individual service sections) * ; **************************************************************************** * ; Certificate/key is needed in server mode and optional in client mode cert = stunnel.pem ;key = stunnel.pem ; Authentication stuff needs to be configured to prevent MITM attacks ; It is not enabled by default! ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively CRLfile can be used ;CRLfile = crls.pem ; Disable support for insecure SSLv2 protocol options = NO_SSLv2 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; The following options provide additional security at some performance penalty ; Default ECDH/DH parameters are strong/conservative, so it is quite safe to ; comment out these lines in order to get a performance boost options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; **************************************************************************** * ; * Service Definitions (at least one service has to be defined) * ; **************************************************************************** * ; Example SSL server mode services ;[pop3s] ;accept = 995 ;connect = 110 ;[imaps] ;accept = 993 ;connect = 143 ;[ssmtp] ;accept = 465 ;connect = 25 ; Example SSL client mode services [gmail-pop3] client = yes accept = 127.0.0.1:9995 connect = pop.gmail.com:995 [gmail-smtp] client = yes accept = 127.0.0.1:4465 connect = smtp.gmail.com:465 ;[gmail-imap] ;client = yes ;accept = 127.0.0.1:143 ;connect = imap.gmail.com:993 ; Certificate/key is needed in server mode and optional in client mode cert = stunnel.pem ;key = stunnel.pem [View Less]

3 4

stunnel claims it needs certificate
by JOSE 14 Sep '11

14 Sep '11

Hi I am trying to get stunnel stunnel 4.36 on ia64-hp-hpux11.23 with OpenSSL 0.9.8o 01 Jun 2010 working on this server and so far I have generated a new pem file as per the instructions, but it is the time to make to run, it keeps looking for a certificate for one of the services: bash-3.2# /opt/iexpress/stunnel/bin/stunnel /opt/iexpress/stunnel/etc/stunnel/stunnel.conf Reading configuration from file /opt/iexpress/stunnel/etc/stunnel/stunnel.conf Snagged 64 random bytes from /opt/… [View More]

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users September 2011