Hi,
I have a problem using stunnel with mIRC:
I was using a pretty old version of stunnel.exe that was packed with a
mIRC script and could be run as a command-line-only application without
a configuration file (supplying all necessary information as parameters).
I know that current mIRC versions have their own SSL support, but I
prefer an old version without it because it has much better performance.
The old one was used by "stunnel.exe -c -d localhost:<localport> -r
<irc-server-ip>:<irc-server-port>" in command line and "/server
localhost:<localport>" in irc.
A few of my servers stopped supporting an old SSL version, this old
stunnel.exe is no longer compatible with the new (open)ssl dll files and
so I had to upgrade to the most recent version of stunnel - and I have
some problems making it run properly.
Here you can see my configuration file (stunnel.conf):
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options                                                         *
; **************************************************************************
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
;cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
[abjects]
client = yes
accept = 127.0.0.1:7001
connect = irc.abjects.net:9999
[Elite-IRC]
client = yes
accept = 127.0.0.1:7002
connect = SpeedSpace-IRC.eu:6697
[BodenTruppe]
client = yes
accept = 127.0.0.1:7003
connect = boden-truppe.zapto.org:7001
[LinkNet]
client = yes
accept = 127.0.0.1:7004
connect = irc.link-net.nl:7000
The first connect always works properly (as shown in the log below):
2013.09.03 12:30:45 LOG5[10696:9140]: stunnel 4.56 on x86-pc-msvc-1500 platform
2013.09.03 12:30:45 LOG5[10696:9140]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
2013.09.03 12:30:45 LOG5[10696:9140]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2013.09.03 12:30:45 LOG5[10696:9140]: Reading configuration from file stunnel.conf
2013.09.03 12:30:45 LOG5[10696:9140]: FIPS mode is enabled
2013.09.03 12:30:45 LOG5[10696:9140]: Configuration successful
2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] accepted connection from 127.0.0.1:3397
2013.09.03 12:30:53 LOG5[10696:10756]: connect_blocking: connected 188.126.73.62:9999
2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] connected remote server from 192.168.1.10:3398
2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] accepted connection from 127.0.0.1:3399
2013.09.03 12:30:54 LOG5[10696:14396]: connect_blocking: connected 194.126.217.98:7000
2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] connected remote server from 192.168.1.10:3400
2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] accepted connection from 127.0.0.1:3401
2013.09.03 12:30:54 LOG5[10696:2916]: connect_blocking: connected 178.254.22.94:7001
2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] connected remote server from 192.168.1.10:3402
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] accepted connection from 127.0.0.1:3403
2013.09.03 12:30:54 LOG5[10696:12260]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] connected remote server from 192.168.1.10:3404
But when I try to reconnect, it doesn't work for 2 of my 4 servers.
This is an example of what happens to Elite-IRC:
2013.09.03 12:32:22 LOG5[10696:12260]: Connection closed: 1972 byte(s) sent to SSL, 26903 byte(s) sent to socket
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] accepted connection from 127.0.0.1:3429
2013.09.03 12:32:23 LOG5[10696:17168]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] connected remote server from 192.168.1.10:3430
2013.09.03 12:32:23 LOG3[10696:17168]: SSL_connect: Peer suddenly disconnected
2013.09.03 12:32:23 LOG5[10696:17168]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
The first line shows the manual disconnect caused by executing "/server
localhost:7002" in mIRC.
The second line shows the new incoming connection from my mIRC.
The third line? ... I got no clue why it has to block anything.
The fourth line: Successfully connected to IRC-Server?
And then the fifth line occurs. I'm not sure if I interpret it right,
but for some reason tstunnel.exe is kicking out my connected mIRC client,
which makes mIRC tell me "[10053] Software caused connection abort".
The whole lines in mIRC are:
[12:34pm] * Connect retry #1 localhost (7003)
------------------------------------------------------------
[12:34pm] * [10053] Software caused connection abort
------------------------------------------------------------
[12:34pm] * Disconnected
By the way, I have packed libeay32.dll, ssleay32.dll, stunnel.conf and
tstunnel.exe in a subdir in the mIRC directory
and I'm starting it using "tstunnel.exe stunnel.conf".
When this error occurs, I have to kill tstunnel.exe and start it again -
then everything works fine again.
For 1 of 4 servers, I also had this error with the old command-line
stunnel.exe and I just wrote a script killing (only this) stunnel.exe
and restarting it when this mIRC error occurs. Unfortunately this is no
longer possible when tstunnel.exe is using a configuration file and one
process is managing all connections.
Is there any way I can fix this?
(Maybe by fixing the logout of my local mIRC from my local tstunnel.exe?)
Best regards
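
An added example, not part of the original post: a Python parser for the stunnel log format quoted above that groups lines by thread id and counts, per service, sessions that ended normally versus sessions where an error-level line was followed by a close with zero bytes transferred. The names `summarize` and `SAMPLE_LOG` are made up for illustration; the sample lines are taken from the post's Elite-IRC log with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Sample lines taken from the post's log (wrapped lines rejoined).
SAMPLE_LOG = """\
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] accepted connection from 127.0.0.1:3403
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] connected remote server from 192.168.1.10:3404
2013.09.03 12:32:22 LOG5[10696:12260]: Connection closed: 1972 byte(s) sent to SSL, 26903 byte(s) sent to socket
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] accepted connection from 127.0.0.1:3429
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] connected remote server from 192.168.1.10:3430
2013.09.03 12:32:23 LOG3[10696:17168]: SSL_connect: Peer suddenly disconnected
2013.09.03 12:32:23 LOG5[10696:17168]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""

LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Service \[([^\]]+)\] accepted connection from \S+")
END = re.compile(r"^Connection (?:closed|reset): (\d+) byte\(s\) sent to SSL,\s*(\d+) byte\(s\) sent to socket")

def summarize(log_text):
    """Return {service: {"ok": n, "handshake_failed": n, "errors": [(ts, msg)]}}."""
    open_sessions = {}  # thread id -> session; thread ids can be reused over time
    stats = defaultdict(lambda: {"ok": 0, "handshake_failed": 0, "errors": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped fragments and blank lines
        ts, level, _pid, tid, msg = m.groups()
        accepted = ACCEPT.match(msg)
        if accepted:
            # A new "accepted connection" line starts a fresh session on this thread.
            open_sessions[tid] = {"service": accepted.group(1), "error": None}
            continue
        sess = open_sessions.get(tid)
        if sess is None:
            continue  # startup banner or a line with no open session
        if int(level) <= 3 and sess["error"] is None:
            sess["error"] = (ts, msg)  # syslog-style levels: 3 is error, 5 is notice
        ended = END.match(msg)
        if ended:
            del open_sessions[tid]
            to_ssl, to_sock = int(ended.group(1)), int(ended.group(2))
            entry = stats[sess["service"]]
            if sess["error"] and to_ssl == 0 and to_sock == 0:
                entry["handshake_failed"] += 1
                entry["errors"].append(sess["error"])
            else:
                entry["ok"] += 1
    return {name: dict(entry) for name, entry in stats.items()}
```

Running it over a full stunnel.log shows at a glance which services only fail on the second and later connections and which error line preceded each reset.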