stunnel-users October 2013

stunnel-users@stunnel.org

21 participants
28 discussions

Transparent Proxy Source on HPUX 11i
by Jeremy Brock 24 Oct '13

24 Oct '13

Hi All, Are there any plans to make Transparent Mode possible on HPUX? 2013.10.22 16:24:22 LOG5[3607:1]: stunnel 4.56 on ia64-hp-hpux11.23 platform 2013.10.22 16:24:22 LOG5[3607:1]: Compiled/running with OpenSSL 0.9.8y 5 Feb 2013 2013.10.22 16:24:22 LOG5[3607:1]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP 2013.10.22 16:24:22 LOG5[3607:1]: Reading configuration from file /ASKPLUS/stunnel/stunnel.conf 2013.10.22 16:24:22 LOG5[3607:1]: Configuration successful 2013.10.22 16:24:47 LOG5[3608:2]: Service [ vsrvtcp ] accepted connection from 192.168.15.6:1169 *2013.10.22 16:24:47 LOG3[3608:2]: Transparent proxy in remote mode is not supported on this platform* 2013.10.22 16:24:47 LOG5[3608:2]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket ~Jeremy -- Jeremy Brock Vital Soft, Inc www.vital-soft.com

2 1

Stunnel Service as other user
by Florian Götz 24 Oct '13

24 Oct '13

Hi Stunnel users, if I use xinetd to start a service I got the possibility to start the service with a dedicated user. For example: service fex { socket_type = stream wait = no type = unlisted protocol = tcp bind = 123.12.1.12 port = 80 cps = 10 2 * user = fex groups = yes server = /home/fex/bin/fexsrv nice = 0 disable = no } I got some kind of webserver (not apache, nginx etc) that needs to be started with xinetd (the example above). This server should get a SSL tunnel. If I use Stunnel in daemon mode (without jails/chroot) and define a service like this: [https] accept = 123.12.1.12:443 exec = /home/fex/bin/fexsrv execargs = fexsrv stunnel TIMEOUTclose = 2 Everything works fine, except that the server now runs as root. Is there a possibility to set a user for a service? Best regards Florian Götz -- Mit freundlichen Grüßen Florian Götz ----------------------------------------------------------------- Dipl.-Inf. (FH) Florian Götz Rechenzentrum Hochschule Mannheim Paul-Wittsack-Straße 10 68163 Mannheim Tel: 0621/292-6232 EMail: f.goetz(a)hs-mannheim.de Internet: http://www.rz.hs-mannheim.de -----

2 1

Username and Password in Clear Text
by Peter K. O'Connor 24 Oct '13

24 Oct '13

Hi, I am using stunnel 4.56 Windows verison. I thought the username and password will *only* be sent to SERVER2, *after* the SSL handshake, with each request. However, the truth is that the Proxy-Authorization header is attached to the request to SERVER1 "CONNECT SERVER2:433 HTTP/1.1", as well. So SERVER1 can see username and password. It is not necessary and safe. Am I missing anything here? Regards, Peter [stunnel] client = yes accept = 127.0.0.1:8080 connect = SERVER1:3128 protocol = connect protocolHost = SERVER2:443 protocolUsername = username protocolPassword = password

2 1

Re: [stunnel-users] Which X.509 certificate types (.crt, .pem, .der .p7c) possible for stunnel and how to import them?
by Ben Stover 24 Oct '13

24 Oct '13

Assume I have already an *.pem cert (for SMTP over STARTTLS transfer). Where (in whcih directory) should I put this cert file? Ben On Fri, 18 Oct 2013 12:35:25 +0000, Eckert, Doug wrote: >You can use OpenSSL to convert between formats (to .pem for STunnel) >https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-v… >You can also use openssl to strip the key's passphrase. This is handy for automatic starting (init/cron/at) of STunnel without having it prompt for the passphrase. > $ openssl rsa -in source.pem -out target.pem >-----Original Message----- >From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Ben Stover >Sent: Friday, October 18, 2013 3:21 AM >To: Stunnel Users >Subject: [stunnel-users] Which X.509 certificate types (.crt, .pem, .der .p7c) possible for stunnel and how to import them? >Which X.509 certificate types (e.g. .crt, .pem, .der .p7c) are possible for stunnel? >Assume I have got such a certificate as separate file (and not retrieved by OpenSSL). >How do I import it into stunnel? >Do I have to just copy it into (which ?) directory? >Does the certifcate file name have to have a certain pattern? >Or is stunnel smart enough to read and analyze the content independently from filename? >Thank you >Ben >_______________________________________________ >stunnel-users mailing list >stunnel-users(a)stunnel.org >https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

1 0

Which X.509 certificate types (.crt, .pem, .der .p7c) possible for stunnel and how to import them?
by Ben Stover 18 Oct '13

18 Oct '13

Which X.509 certificate types (e.g. .crt, .pem, .der .p7c) are possible for stunnel? Assume I have got such a certificate as separate file (and not retrieved by OpenSSL). How do I import it into stunnel? Do I have to just copy it into (which ?) directory? Does the certifcate file name have to have a certain pattern? Or is stunnel smart enough to read and analyze the content independently from filename? Thank you Ben

2 1

How to setup most detailed error log (for one service?
by Ben Stover 17 Oct '13

17 Oct '13

currently I have specified in *.conf file debug = 7 Is this the most detailed log output possible? I miss somehow the transfer protocol lines (what is sent and what received) How do I get this? Is it possible to setup debug = 3 as global variable and to define debug = 7 for just ONE particular service? Ben

2 1

stunnel server communicating external client IP addresses through to a TCP server for logging purposes
by Simner, John 17 Oct '13

17 Oct '13

Hi, We have recently used stunnel on the phone as a server to encrypt the communication between an external client and a TCP server on the phone. There is a requirement for the phone to log every external client access. Is there any way for stunnel to include the IP address of the external client when setting up an new TCP connection to the local TCP server? Thank you for your assistance and I look forward to your responses. Thanks.. John John Simner BSc(Hons) MSc CEng. MIET Software Engineer Unify Enterprise Communications Ltd. Devices Development K Block, Technology Drive, Beeston, Nottingham, NG9 1LA Tel.: +44 (0) 19088 17378 Email: john.simner(a)unify.com <mailto:vorname.name@unify.com> www.unify.co.uk<http://www.unify.co.uk/> Follow us: [Social_media_icons] <http://www.unify.com/social-media> Unify Enterprise Communications Limited. Registered Office: Brickhill Street, Willen Lake, Milton Keynes, MK15 0DJ Registered No: 5903714, England. This email contains confidential information and is for the exclusive use of the addressee. If you are not the addressee then any distribution, copying, or use of this email is prohibited. If received in error, please advise the sender and delete immediately. We accept no liability for any loss or damage suffered by any person arising from use of this email.

2 1

How to get the remote mail server certificate before/at first connect?
by Ben Stover 17 Oct '13

17 Oct '13

When I connect from my local mail client (e.g. Thunderbird) the first time (!) with a remote mail server through STARTTLS for a SMTP session then at first a server certificate is delivered. On the Thunderbird email client side a popup appears which prompts me to confirm the remote server certificate. Only AFTER this confirmation I am able to send email through this STARTTLS SMTP connection. Ok. Now lets switch to another scenario where a non-default email client (=NOT Thunderbird) want to send emails through stunnel to the remote mail server. Everything is setup in stunnel.conf and propriatary email client. But how do I get the remote server certificate (for stunnel)? Is there an option in stunnel.conf to receive and auto-accept the delivered server certificate at first? Where is it stored? Can I extract certificate from Thunderbird and import it to stunnel? Ben

2 1

Re: [stunnel-users] EXTERNAL: How to setup stunnel für SMTP over STARTTL S (and not pure SSL)?
by Bucci, David G 16 Oct '13

16 Oct '13

The protocol directive determines what Stunnel does during the connection setup. "protocol = smtp" tells Stunnel to use STARTTLS semantics for the connection to the server, as described in RFC2487 (similarly to how "protocol = imap" tells it to use STARTTLS for IMAP, per RFC 2595). -----Original Message----- From: Ben Stover [mailto:bxstover@yahoo.co.uk] Sent: Wednesday, October 16, 2013 11:08 AM To: Stunnel Users Cc: Bucci, David G Subject: RE: EXTERNAL: How to setup stunnel für SMTP over STARTTL S (and not pure SSL)? Sorry, I went to the webpage with the link you mentioned. There I searched for STARTTLS but NO (!) occurence was found. What does protocol (here = smtp) to do with the security handshare type (here = STARTTLS). On Wed, 16 Oct 2013 13:10:29 +0000, Bucci, David G wrote: >Oh, meant to add - look at the "protocol" option, documented here: http://www.stunnel.org/static/stunnel.html >-----Original Message----- >From: Bucci, David G >Sent: Wednesday, October 16, 2013 8:54 AM >To: 'Ben Stover'; Stunnel Users >Subject: RE: EXTERNAL: How to setup stunnel für SMTP over STARTTLS (and not pure SSL)? >https://www.stunnel.org/pipermail/stunnel-users/2011-April/003060.html >Yes, it's supported. (you'll get a cert error on that connect, ironically) >-----Original Message----- >From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Ben Stover >Sent: Wednesday, October 16, 2013 5:56 AM >To: Stunnel Users >Subject: EXTERNAL: How to setup stunnel für SMTP over STARTTLS (and not pure SSL)? >Assume my mailbox provider offers only SMTP delivery over STARTTLS (and not pure SSL). >How do I have configure stunnel to cope with this protocol? >Lets say the remote smtp server would be >smtp.foobar.com:587 >How would a service section in conf file look like? >Thank you >Ben >_______________________________________________ >stunnel-users mailing list >stunnel-users(a)stunnel.org >https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

1 0

Re: [stunnel-users] EXTERNAL: How to setup stunnel für SMTP over STARTTL S (and not pure SSL)?
by Michal Trojnara 16 Oct '13

16 Oct '13

On 10/16/2013 05:07 PM, Ben Stover wrote: > Sorry, I went to the webpage with the link you mentioned. > There I searched for STARTTLS but NO (!) occurence was found. This is because STARTTLS is not a separate protocol, but rather an option (usually an extension) of various protocols that can negotiate SSL/TLS encryption. http://en.wikipedia.org/wiki/STARTTLS Mike

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users October 2013