Hi,
This may be a little bit off-topic, but does anyone here use stunnel with
pan? My connections to stunnel (in pan) are always refused by libwrap. I was
looking for the right rule to add to /etc/hosts.allow but nothing seems to
work aside from "ALL : ALL" (which is obviously not good) and "nntps:
KNOWN". Is the latter reasonable? The hosts_access(5) manpage is confusing
to say the least. It mentions that daemon (the first token on any line) is
the name of the daemon running the process, which would be "stunnel" in my
case, but using "stunnel : LOCAL" or even "stunnel : ALL" doesn't work. The
rule that seems to work, as mentioned, is "nntps : KNOWN" ("nntps" being the
group name in stunnel.conf).
What's even more confusing to me is that "nntps : LOCAL" does not work
either. Nor does "nntps : localhost 127.0.0.1", "nntps : localhost", "nntps
: 127.0.0.1", or "nntps : 192.168.1.". Pan is running on the same machine as
stunnel so all connections must be coming from localhost. Why do these rules
not trigger?
Either way, I'd like to know the "least permissive" hosts.allow rule that
would allow me to connect to my news provider from pan, and/or whether
"nntps : KNOWN" is a safe option.
Thanks,
Yousef
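As an added illustration for the question above (not part of the post, and not libwrap's own code), the following Python emulates the client-pattern forms documented in hosts_access(5) and runs the rules quoted in the post against a constructed loopback client. It assumes the daemon token that stunnel hands to libwrap is the service name from stunnel.conf ("nntps" here); the EXCEPT operator and IPv6 literals are not handled. Under the documented rules the narrowest line that admits a local Pan is `nntps : 127.0.0.1`; when such a line is refused on a real system, what differs is either the daemon name being checked or how 127.0.0.1 reverse-resolves (a name containing a dot defeats LOCAL), and both can be tried by changing the constructed client.

```python
"""Emulate hosts_access(5) client matching for the hosts.allow lines quoted
in the post, to see which would admit a loopback connection.

Added example, not libwrap's code. It re-implements the documented pattern
forms (ALL, LOCAL, KNOWN, UNKNOWN, leading-dot name suffix, trailing-dot
address prefix, net/mask, exact host or address). The daemon name is assumed
to be the stunnel service name; the clients below are constructed.
"""
import ipaddress

# A client as libwrap sees it: reverse-resolved name ("unknown" when the
# lookup failed) and the peer address. All three are constructed values.
LOOPBACK = {"host": "localhost", "addr": "127.0.0.1"}
LAN = {"host": "desk.example.org", "addr": "192.168.1.20"}
UNRESOLVED = {"host": "unknown", "addr": "203.0.113.9"}

# The rules tried in the post.
RULES_FROM_POST = [
    "ALL : ALL",
    "nntps : KNOWN",
    "stunnel : ALL",
    "stunnel : LOCAL",
    "nntps : LOCAL",
    "nntps : localhost 127.0.0.1",
    "nntps : localhost",
    "nntps : 127.0.0.1",
    "nntps : 192.168.1.",
]


def _client_matches(pattern, client):
    """Match one client-list token against a client, per hosts_access(5)."""
    host, addr = client["host"], client["addr"]
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # a known name that contains no dot
        return host != "unknown" and "." not in host
    if pattern == "KNOWN":                 # name and address both resolved
        return host != "unknown"
    if pattern == "UNKNOWN":
        return host == "unknown"
    if pattern.startswith("."):            # ".example.org": name suffix
        return host.endswith(pattern)
    if pattern.endswith("."):              # "192.168.1.": address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                     # "net/mask" in dotted or CIDR form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)         # exact hostname or address


def rule_allows(rule, daemon, client):
    """True if one 'daemon_list : client_list' line admits this connection.

    Lists are split on blanks and commas. Only IPv4 literals are handled,
    since splitting the line on ':' would break an IPv6 address.
    """
    daemon_list, client_list = (part.strip() for part in rule.split(":")[:2])
    daemon_ok = any(p in ("ALL", daemon) for p in daemon_list.replace(",", " ").split())
    client_ok = any(_client_matches(p, client) for p in client_list.replace(",", " ").split())
    return daemon_ok and client_ok


def evaluate(rules, daemon, client):
    """Evaluate every rule against one connection: {rule: allowed}."""
    return {rule: rule_allows(rule, daemon, client) for rule in rules}


if __name__ == "__main__":
    for rule, allowed in evaluate(RULES_FROM_POST, "nntps", LOOPBACK).items():
        print(f"{'allow' if allowed else 'deny':5}  {rule}")
```

Run stand-alone it prints an allow/deny verdict for each quoted rule against the loopback client; swapping in `LAN` or `UNRESOLVED` shows how the same rules behave for a remote or unresolvable peer.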
Dear stunnel managers,
I would like to inform you that there exists some incompatibility between
stunnel and the openssl pkcs11-engine with an external PIN entry device (like an
RSA smartcard using opensc) in Linux.
We use this config in stunnel.conf to load the openssl engine:
---
engine=dynamic
engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so
engineCtrl=ID:pkcs11
engineCtrl=LIST_ADD:1
engineCtrl=LOAD
engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so
engineCtrl=INIT
---
The problem is, with this setup stunnel does not allow the user to enter the PIN for
the secret key.
Instead it tries to get the secret key without a PIN, 3 times (and
therefore usually blocks the card PIN), and then retires:
----
Initializing engine 1
Engine 1 initialized
PRNG seeded successfully
Certificate: mart.pem
Certificate loaded
Key file: id_01
error queue: 26096080 : error:26096080:engine
routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN
incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine
routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN
incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine
routines:ENGINE_load_private_key:failed loading private key
ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11
library:PKCS11_login:PIN incorrect
----
I discovered a workaround that is valid from version 4.26 till the current
4.34, as follows, NULL-ing the ui_data.method property in ctx.c:
---
diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c
*** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300
--- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300
***************
*** 304,309 ****
--- 304,310 ----
UI_method_set_reader(ui_method, pin_cb);
#else /* USE_WIN32 */
ui_method=UI_OpenSSL();
+ ui_data.section = NULL;
#endif /* USE_WIN32 */
if(section->engine)
for(i=1; i<=3; i++) {
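Review bot: the hunk's only change is `+ ui_data.section = NULL;`, while the covering text describes NULL-ing `ui_data.method`, so the description and the patch name different fields; please state which one is meant. The new line also deserves a comment explaining why clearing it in the non-Win32 branch (right after `ui_method=UI_OpenSSL();`) makes the PIN prompt appear, because the retry loop that follows (`for(i=1; i<=3; i++) {`) will otherwise burn all three PIN attempts without ever prompting, which is how the unpatched log above ends up locking the card.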
---
After that patch private key loads correctly:
---
Initializing engine 1
Engine 1 initialized
PRNG seeded successfully
Certificate: mart.pem
Certificate loaded
Key file: id_01
private key loaded
---
It would be nice if:
* somebody investigates more precisely why the OpenSSL PIN entry is not
showing with unpatched stunnel
* my patch, or a better one, is included for this situation
Thank you very much for an excellent piece of software!
With best regards,
Märt Laak
Hello,
I'm trying to use stunnel to work around a wine bug which prevents an old
Windows mail client from accessing my mail server through a pop3s 995
port. I'm not an expert on linux, stunnel, sockets or ssl.
The process seems to start off well, establishes a connection to the
correct remote mail server, and negotiates an ssl connection, but then
terminates with:
Error detected on socket (read) file descriptor: Broken pipe (32)
I've played with various settings in the stunnel.conf file, but with no
success. A Google search turned up one other example of this problem
back in Nov 2010, but no solution was forthcoming. Does anyone have any
suggestions of what might be the problem?
The level 7 debug stunnel.log file follows at the end, with TCP addresses
masked. The system is SUSE Linux 11.4. Using the latest versions of ssl
and stunnel.
Thanks,
Alex
stunnel.log
--------------
local socket: FD=0 allocated (non-blocking mode)
Service pmail-pop3 accepted FD=0 from 127.0.0.1:48828
Service pmail-pop3 started
Option TCP_NODELAY set on local socket
Service pmail-pop3 accepted connection from 127.0.0.1:48828
remote socket: FD=1 allocated (non-blocking mode)
connect_blocking: connecting xxx.xxx.xxx.xxx:995
connect_blocking: s_poll_wait xxx.xxx.xxx.xxx:995: waiting 10 seconds
connect_blocking: connected xxx.xxx.xxx.xxx:995
Service pmail-pop3 connected remote server from 192.168.1.47:46187
Remote FD=1 initialized
Option TCP_NODELAY set on remote socket
SNI: host name: yyy.yyy.yyy..com
SSL state (connect): before/connect initialization
SSL state (connect): SSLv3 write client hello A
SSL state (connect): SSLv3 read server hello A
SSL state (connect): SSLv3 read server certificate A
SSL state (connect): SSLv3 read server done A
SSL state (connect): SSLv3 write client key exchange A
SSL state (connect): SSLv3 write change cipher spec A
SSL state (connect): SSLv3 write finished A
SSL state (connect): SSLv3 flush data
SSL state (connect): SSLv3 read finished A
1 items in the session cache
1 client connects (SSL_connect())
1 client connects that finished
0 client renegotiations requested
0 server connects (SSL_accept())
0 server connects that finished
0 server renegotiations requested
0 session cache hits
0 external session cache hits
0 session cache misses
0 session cache timeouts
SSL connected: new session negotiated
Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
Socket closed on read
Sending SSL write shutdown
Error detected on socket (read) file descriptor: Broken pipe (32)
Connection reset: 79 bytes sent to SSL, 64 bytes sent to socket
Service pmail-pop3 finished (0 left)
str_stats: 0 block(s), 0 byte(s)
I'm running stunnel 4.44 for both POP3 and SMTP with my email client, Outlook Express, and my Spam filter, Cactus Spam. The OS is Win XP SP3.
I have added the following to stunnel.conf:
client = yes
debug = debug
[pop3s]
accept = 127.0.0.1:11010
connect = camel.arvixe.com:995
[ssmtp]
accept = 25
connect = camel.arvixe.com:465
Other than adding those lines, I've not changed anything in the rest of stunnel.conf as it comes with the program.
When I boot the computer, Outlook Express, Cactus Spam, and stunnel all start and function correctly. However, after a period of time (a few hours -- I haven't yet pinned down whether there is a specific length to the time period), something goes wrong with stunnel, in that it stops communicating with Outlook Express, and its CPU usage goes up to 25% (quad-core Intel CPU) and stays at that level indefinitely until I terminate the process. It is only the stunnel.exe process that is affected -- the service continues to run without error. I then restart stunnel.exe, and it works normally once again for a few hours. I usually become aware that stunnel has stopped connecting with Outlook Express when I come back to the computer after a few hours away from it, so I have so far been unable to see whether anything observable occurs when it gets into trouble or whether the length of time it ran properly varies or is constant.
--
Mike Brazil
mike(a)milibra.net
Hi,
I am building a recent stunnel version for Solaris via opencsw.org, and
with 4.44 it seems as if --with-ssl is used to AC_SUBST([SSLDIR]), yet
tools/Makefile uses lowercase $(ssldir). This led to an empty expansion and
failed calls to openssl in my case.
$ grep -i ssldir Makefile tools/Makefile
Makefile:SSLDIR = /opt/csw
tools/Makefile:SSLDIR = /opt/csw
tools/Makefile:openssl = $(ssldir)/bin/openssl
Sebastian
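The mismatch described above is easy to miss because make expands an unassigned variable to the empty string without complaint. As an added example (not part of the post and not stunnel's build system), this Python script scans a Makefile for `$(name)` references that have no assignment, comparing names case-sensitively and pointing at a definition that differs only by case. The Makefile text is constructed from the grep output quoted in the post; `externally_defined` is a hypothetical parameter for names that come from the environment or an included file.

```python
"""Flag make variables referenced as $(name) but never assigned, comparing
names case-sensitively: $(ssldir) and SSLDIR are different variables, and an
unassigned one silently expands to "", which is how an openssl path ends up
as /bin/openssl.

Added example, not part of the post or of stunnel's build system. The
Makefile text is constructed from the grep output quoted in the post.
"""
import re

CONSTRUCTED_TOOLS_MAKEFILE = """\
SSLDIR = /opt/csw
openssl = $(ssldir)/bin/openssl
check:
\t$(openssl) version
"""

# "NAME = value", "NAME := value", "NAME ?= value", "NAME += value"
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:?+]?=", re.MULTILINE)
# "$(NAME)" or "${NAME}"; automatic variables such as $@ are ignored
REF_RE = re.compile(r"\$[({]([A-Za-z_][A-Za-z0-9_]*)[)}]")


def undefined_references(makefile_text, externally_defined=()):
    """Map each undefined variable to the lines that reference it, adding a
    hint when a definition exists that differs only by case.

    externally_defined (hypothetical parameter) lists names known to come
    from the environment or an included file.
    """
    defined = set(ASSIGN_RE.findall(makefile_text)) | set(externally_defined)
    by_lower = {d.lower(): d for d in sorted(defined)}
    missing = {}
    for lineno, line in enumerate(makefile_text.splitlines(), 1):
        for name in REF_RE.findall(line):
            if name in defined:
                continue
            hint = by_lower.get(name.lower())
            where = f"line {lineno}" + (f" (did you mean $({hint})?)" if hint else "")
            missing.setdefault(name, []).append(where)
    return missing


if __name__ == "__main__":
    for name, places in undefined_references(CONSTRUCTED_TOOLS_MAKEFILE).items():
        print(f"$({name}) is never assigned: {', '.join(places)}")
```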
I'm trying to use stunnel to connect to a secure server for syslogging. I have a certificate from the central logging server. How do I load this into stunnel so that I can connect?
Cheers and thanks
Cary
Dear Users,
I have released version 4.44 of stunnel.
The ChangeLog entry:
Version 4.44, 2011.09.17, urgency: MEDIUM:
* New features
- Major automake/autoconf cleanup.
- Heap buffer overflow protection with canaries.
- Stack buffer overflow protection with -fstack-protector.
* Bugfixes
- Fixed garbled error messages on errors with setuid/setgid options.
- SNI fixes (thx to Alexey Drozdov).
- Use after free in fdprintf() (thx to Alexey Drozdov).
This issue might cause GPF with "protocol" or "ident" options.
Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/
SHA-256 hash for stunnel-4.44.tar.gz:
fa0dfc33f323abfbc94aa993d90d37481cd2f652ee93ec2f8c333ac7a496c7b9
Best regards,
Mike
We are planning to transition our email service to Google Apps with our
Goldmine 6.7 Corporate Edition so need to use Stunnel. We have Goldmine
setup and run from a central Server and a shared/networked drive F: Each
client machine runs Goldmine, BUT via the server path noted earlier. When
logged in locally to the server and running Goldmine locally, everything
works great. Stunnel is connected, we're able to send/receive email, etc.
However from a remote machine, it doesn't work. Have tried installing
stunnel on the local machine. Have tried accessing the said ports via the
Server's IP address from within the network. And have hacked around
different config setups without luck.
Being a NOOB with Stunnel, we're at a loss with further configuration
without literally 'hacking around' in the dark any further.
Our config file is just below
Thanks in advance.
Blake
; ****************************************************************************
; * Global Options                                                           *
; ****************************************************************************
; Debugging stuff (may useful for troubleshooting)
debug = 7
output = stunnel.log
; ****************************************************************************
; * Service Defaults (may also be specified in individual service sections)  *
; ****************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; The following options provide additional security at some performance penalty
; Default ECDH/DH parameters are strong/conservative, so it is quite safe to
; comment out these lines in order to get a performance boost
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
; ****************************************************************************
; * Service Definitions (at least one service has to be defined)             *
; ****************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
[gmail-pop3]
client = yes
accept = 127.0.0.1:9995
connect = pop.gmail.com:995
[gmail-smtp]
client = yes
accept = 127.0.0.1:4465
connect = smtp.gmail.com:465
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
Hi
I am trying to get stunnel 4.36 on ia64-hp-hpux11.23 with
OpenSSL 0.9.8o 01 Jun 2010 working on this server, and so far I have
generated a new pem file as per the instructions, but when it is time to
run it, it keeps looking for a certificate for one of the services:
bash-3.2# /opt/iexpress/stunnel/bin/stunnel /opt/iexpress/stunnel/etc/stunnel/stunnel.conf
Reading configuration from file /opt/iexpress/stunnel/etc/stunnel/stunnel.conf
Snagged 64 random bytes from /opt/iexpress/stunnel/etc/stunnel/stunnel.rnd
Wrote 1024 new random bytes to /opt/iexpress/stunnel/etc/stunnel/stunnel.rnd
PRNG seeded successfully
Line 37: End of section revnet_preprod_sunquest: SSL server needs a certificate
my conf file is as follows:
bash-3.2# more /opt/iexpress/stunnel/etc/stunnel/stunnel.conf
# Sample stunnel configuration file
#RNDfile=/opt/hpws/apache/stunnel/.stunnel.rnd
RNDfile=/opt/iexpress/stunnel/etc/stunnel/stunnel.rnd
# Chroot
#chroot = /var/chroot/stunnel/
# PID is created inside chroot jail
#pid = /opt/hpws/apache/logs/stunnel.pid
pid = /opt/iexpress/stunnel/etc/stunnel/stunnel.pid
# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS
# Client Authentication
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /certs
# or simply use CAfile instead:
#CAfile = /opt/hpws/apache/conf/certs.pem
# Some debugging stuff
debug = 7
output = /opt/hpws/apache/logs/stunnel.log
# Use in client mode
client = no
# Run in the background
foreground = no
# Service-level configuration
[revnet_preprod_sunquest]
accept = 10.99.10.37:8011
connect = 127.0.0.1:18011
#connect = 18011
[revnet_preprod_funsun]
accept = 10.99.10.37:8017
connect = 127.0.0.1:18017
#connect = 18017
any help or tips would be welcome
Thanks
Jose
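Several of the configurations posted in this thread share a handful of problems: Blake's client sections have `verify` and `CAfile` commented out, so the gmail connections accept any server certificate; Mike's `accept = 25` in a client section binds the plaintext side to every interface rather than 127.0.0.1; Cary's question is answered by a client section with `verify = 2` and `CAfile` pointing at the logging server's CA; and Jose's server-mode sections have no `cert`, which is exactly the "SSL server needs a certificate" error. As an added example (not stunnel's own parser and not code from any of the posts), the following Python reads a stunnel.conf and reports those three conditions. The configuration inside it is constructed for the example, with the weak sections next to a hardened `[syslog-tls]` client section; the CA file path and log host are placeholders.

```python
"""Check a stunnel.conf for three misconfigurations seen in the thread:
a client-mode service without peer verification, a client-mode accept not
bound to loopback, and a server-mode service without a cert.

Added example, not stunnel's parser. The configuration text is constructed;
the CA file path and the log host name are placeholders.
"""

CONSTRUCTED_CONF = """\
; global defaults (constructed)
debug = 7
options = NO_SSLv2

[gmail-pop3]
client = yes
accept = 127.0.0.1:9995
connect = pop.gmail.com:995
;verify = 2
;CAfile = certs.pem

[ssmtp]
client = yes
accept = 25
connect = camel.arvixe.com:465

[revnet_preprod_sunquest]
accept = 10.99.10.37:8011
connect = 127.0.0.1:18011

[syslog-tls]
client = yes
accept = 127.0.0.1:6514
connect = loghost.example.invalid:6514
verify = 2
CAfile = /etc/stunnel/loghost-ca.pem
"""

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}). Lines starting with ';' or '#'
    are comments; repeated keys such as 'options' collect into a list."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def _effective(key, opts, global_opts):
    """Service-level value if set, else the global default, else None."""
    values = opts.get(key) or global_opts.get(key)
    return values[-1] if values else None


def check_stunnel_conf(text):
    """Return one finding string per problem; an empty list means clean."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        def get(key, opts=opts):
            return _effective(key, opts, global_opts)

        if (get("client") or "no").lower() == "yes":
            # verify = 2 checks the server chain against CAfile/CApath;
            # without both, any certificate is accepted (MITM risk).
            verify = get("verify") or "0"
            if not verify.isdigit() or int(verify) < 2 or not (get("CAfile") or get("CApath")):
                findings.append(f"[{name}] client mode without peer verification: "
                                "set verify = 2 and CAfile (or CApath) to the server's CA")
            # In client mode the accept side carries plaintext; bind it to loopback.
            host = (get("accept") or "").rpartition(":")[0]
            if host not in LOOPBACK_HOSTS:
                findings.append(f"[{name}] plaintext accept side not bound to loopback: "
                                "use accept = 127.0.0.1:<port>")
        elif not get("cert"):
            findings.append(f"[{name}] server mode without cert: stunnel refuses "
                            "to start this service")
    return findings


if __name__ == "__main__":
    for finding in check_stunnel_conf(CONSTRUCTED_CONF):
        print(finding)
```

Only `[syslog-tls]` passes cleanly; it is the shape of section that answers the syslog question, with the server's CA certificate in PEM form named by `CAfile` and `verify = 2` making stunnel reject a server whose chain does not lead to it.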