September 2013 - stunnel-users

postgres protocol
by Robert Bernier 21 Sep '13

21 Sep '13

Hi, I've been looking at using stunnel connecting it directly to postgres. As per the man page, https://www.stunnel.org/static/stunnel.html, I was able to get postgres version 8.3 working. However, I've not suceeded using postgres version 9.2. Any insights would be appreciated. Thanks -- Robert Bernier PostgreSQL Business Intelligence Analyst robert7390(a)comcast.net http://www.linkedin.com/pub/robert-bernier/69/6a6/921 http://beknown.com/robert-bernier

1 0

Difference between verify=2, 3 and 4
by Nikolaus Rath 20 Sep '13

20 Sep '13

Hello, Thanks for writing stunnel, it looks like a great tool! I have, however, a really hard time understanding the difference between verify=2,3 and 4. In the manpage, I found verify = level verify peer certificate level 0 - request and ignore peer certificate level 1 - verify peer certificate if present level 2 - verify peer certificate level 3 - verify peer with locally installed certificate level 4 - ignore CA chain and only verify peer certificate default - no verify Levels 0-2 seem pretty clear cut, but then it becomes confusing for me. First, I do not understand how level 3 differs from level2. What does "against a locally installed certificate" mean? It seems to me that I certainly need to have a local copy of the trusted CAs even in level 2 -- at least I hope that they aren't somehow build in to stunnel. But there is also just one CApath option, so will that be used for level 2 or level 3? For level 4, the "ignore the CA chain" path is fine -- but where do I put the peer certificates that I'm willing to accept? CApath seems wrong, but cert is already used for the server's own certificate... Best, -Nikolaus -- »Time flies like an arrow, fruit flies like a Banana.« PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C

6 13

Looking for a tech talk speaker on Secure Networking
by Chris Westin 16 Sep '13

16 Sep '13

I organize the speakers for the SF Bay Area Large-Scale Production Engineering meetup (http://www.meetup.com/SF-Bay-Area-Large-Scale-Production-Engineering/ ; take a look at the "PAST" tab to see the kinds of events we've had). For our event on Thursday October 17, 2013, I'm looking for speakers on the topic of "Secure Networking" (event: http://www.meetup.com/SF-Bay-Area-Large-Scale-Production-Engineering/events… ). As you can see from looking at our past events, I pick a topic, and then try to get 2-3 talks on that topic. Talks are usually 20-25 minutes long. This is a technical audience, and they don't appreciate a marketing pitch. They're eager to get into the nuts and bolts of the topic, including demos, code samples, and architecture. If you're going to be in the Bay Area then, and would be interested in giving a talk, please let me know here, or (preferably) through meetup.com. Thanks, Chris Westin

1 0

Re: [stunnel-users] IRC-Reconnect failed with "[10053] Software caused connection abort"(mIRC) and "SSL_connect: Peer suddenly disconnected"(tstunnel.exe)
by ralf29587＠gmx.de 13 Sep '13

13 Sep '13

Could some admin please remove my uploaded VCard and either my Name or my E-Mail-Adress shown on stunnel.org ?? Thanks a million!

1 0

stunnel accept a t3 connection?
by Scott Sikorski 09 Sep '13

09 Sep '13

I am curious if stunnel can support listening for an incoming t3 connection? I am having difficulty getting t3s to work between WebSphere and WebLogic for API calls and am curious if an alternative such as stunnel will work. I have stunnel installed betwen a client and the destination host, but the client doesn't seem to want to accept a t3://127.0.0.1:14010 connection but when I change this to http://127.0.0.1:14010 it works fine. Anything you can share would be appreciated. Mostly, if it will never work, that would be nice to know as to not spend more time troubleshooting. Best Regards, Scott Sikorski scottgsikorski(a)yahoo.com

2 1

Fullduplex in stunnel
by Krzysztof Kwiatkowski 07 Sep '13

07 Sep '13

Hi, I'm planning to use stunnel to do stress testing of my application. I decided to use stunnel because I've noticed that full-duplex has been added to version 3.2 (around 1999) and my application handles high throughput. AFAIK Stunnel uses openssl. Also I know that openssl doesn't handle fullduplex traffic very well. In fact without any tricks, half-duplex is most what I could get from openssl. As the full-duplex feature has been added to stunnel in 1999 (so long time ago) can you confirm that it is still there and full-duplex is still supported? If it is a case, how it is possible that stunnel handles fullduplex? Krzysztof Kwiatkowski

2 1

IRC-Reconnect failed with "[10053] Software caused connection abort"(mIRC) and "SSL_connect: Peer suddenly disconnected"(tstunnel.exe)
by ralf29587＠gmx.de 03 Sep '13

03 Sep '13

Hi, I have a problem using stunnel with mIRC: I was using a pretty old version of stunnel.exe that was packed with a mIRC script and could be ran as a command-line-only application without a configuration file (supplying all necessary informations parameters). I know that current mIRC version have their own ssl support, but I prefer an old version without because it has much better performance. The old one was used by "stunnel.exe -c -d localhost:<localport> -r <irc-server-ip>:<irc-server-port>" in command line and "/server localhost:<localport>" in irc. A few of my servers stopped supporting an old ssl version, this old stunnel.exe is no longer compatible to the new (open)ssl dll files and so I had to upgrade to the most recent version of stunnel - and I have some problems make it run properly. Here you can see my configuration file (stunnel.conf): ; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options ; ************************************************************************** ; * Global options * ; ************************************************************************** ; Debugging stuff (may useful for troubleshooting) ;debug = 7 ;output = stunnel.log ; Disable FIPS mode to allow non-approved protocols and algorithms ;fips = no ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode ;cert = stunnel.pem ;key = stunnel.pem ; Authentication stuff needs to be configured to prevent MITM attacks ; It is not enabled by default! ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively CRLfile can be used ;CRLfile = crls.pem ; Disable support for insecure SSLv2 protocol options = NO_SSLv2 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Service definitions (at least one service has to be defined) * ; ************************************************************************** ; Example SSL server mode services ;[pop3s] ;accept = 995 ;connect = 110 ;[imaps] ;accept = 993 ;connect = 143 ;[ssmtp] ;accept = 465 ;connect = 25 ; Example SSL client mode services ;[gmail-pop3] ;client = yes ;accept = 127.0.0.1:110 ;connect = pop.gmail.com:995 ;[gmail-imap] ;client = yes ;accept = 127.0.0.1:143 ;connect = imap.gmail.com:993 ;[gmail-smtp] ;client = yes ;accept = 127.0.0.1:25 ;connect = smtp.gmail.com:465 ; Example SSL front-end to a web server ;[https] ;accept = 443 ;connect = 80 ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL ; Microsoft implementations do not use SSL close-notify alert and thus ; they are vulnerable to truncation attacks ;TIMEOUTclose = 0 ; vim:ft=dosini [abjects] client = yes accept = 127.0.0.1:7001 connect = irc.abjects.net:9999 [Elite-IRC] client = yes accept = 127.0.0.1:7002 connect = SpeedSpace-IRC.eu:6697 [BodenTruppe] client = yes accept = 127.0.0.1:7003 connect = boden-truppe.zapto.org:7001 [LinkNet] client = yes accept = 127.0.0.1:7004 connect = irc.link-net.nl:7000 The first connect always works properly (as shown in the log below): 2013.09.03 12:30:45 LOG5[10696:9140]: stunnel 4.56 on x86-pc-msvc-1500 platform 2013.09.03 12:30:45 LOG5[10696:9140]: Compiled/running with OpenSSL 1.0.1e-fips11 Feb 2013 2013.09.03 12:30:45 LOG5[10696:9140]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS 2013.09.03 12:30:45 LOG5[10696:9140]: Reading configuration from file stunnel.conf 2013.09.03 12:30:45 LOG5[10696:9140]: FIPS mode is enabled 2013.09.03 12:30:45 LOG5[10696:9140]: Configuration successful 2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] accepted connection from 127.0.0.1:3397 2013.09.03 12:30:53 LOG5[10696:10756]: connect_blocking: connected 188.126.73.62:9999 2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] connected remote server from 192.168.1.10:3398 2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] accepted connection from 127.0.0.1:3399 2013.09.03 12:30:54 LOG5[10696:14396]: connect_blocking: connected 194.126.217.98:7000 2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] connected remote server from 192.168.1.10:3400 2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] accepted connectionfrom 127.0.0.1:3401 2013.09.03 12:30:54 LOG5[10696:2916]: connect_blocking: connected 178.254.22.94:7001 2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] connected remote server from 192.168.1.10:3402 2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] accepted connection from 127.0.0.1:3403 2013.09.03 12:30:54 LOG5[10696:12260]: connect_blocking: connected 62.75.235.122:6697 2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] connected remote server from 192.168.1.10:3404 But when I try to reconnect, it doesn't work for 2 of my 4 servers This is an example for what happens to Elite-IRC: 2013.09.03 12:32:22 LOG5[10696:12260]: Connection closed: 1972 byte(s) sent to SSL, 26903 byte(s) sent to socket 2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] accepted connection from 127.0.0.1:3429 2013.09.03 12:32:23 LOG5[10696:17168]: connect_blocking: connected 62.75.235.122:6697 2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] connected remote server from 192.168.1.10:3430 2013.09.03 12:32:23 LOG3[10696:17168]: SSL_connect: Peer suddenly disconnected 2013.09.03 12:32:23 LOG5[10696:17168]: Connection reset: 0 byte(s) sent to SSL,0 byte(s) sent to socket The frist line shows the manual disconnect occured by executing "/server localhost:7002" in mIRC. The second line shows the new incoming connection from my mIRC. The third line? ... I got no clue why it has to block anything. The fourth line: Successfully connected to IRC-Server? And then the fifth line occurs. I'm not sure if I interpret it right, but for some reason tstunnel.exe is kicking out my connected mIRC client which makes mIRC to tell me "[10053] Software caused connection abort". The whole lines in mIRC are: [12:34pm] * Connect retry #1 localhost (7003) ------------------------------------------------------------ [12:34pm] * [10053] Software caused connection abort ------------------------------------------------------------ [12:34pm] * Disconnected By the way, I have packed libeay32.dll, ssleay32.dll, stunnel.conf and tstunnel.exe in a subdir in mIRC directory and I'm starting it using "tstunnel.exe stunnel.conf" When this error occurs, I have to kill tstunnel.exe and start it again - then everything works fine again. For 1 of 4 servers, I also had this error with the old command-line stunnel.exe and I just wrote a script killing (only this) stunnel.exe and restarting it when this mIRC error occurs. Unfortunately this is no longer possible when tstunnel.exe is using a configuration file and one process is managing all connections. Is there any way I can fix this? (Maybe by fixing the logout of my local mIRC from my local tstunnel.exe?) Best regards

2 1

stunnel 4.56 to 4.50 on andriod
by Ronald Ning 02 Sep '13

02 Sep '13

Anyone have any luck running stunnel on android? I'm running the stock JB 4.2.2. I've tried every stunnel version from 4.50 to 4.56. When I try to run: root@andriod: /system/bin/stunnel stunnel.conf -> stunnel root@andriod: netstat -a netstat doesn't show the listening port: My stunnel.conf is this: client = yes debug = 7 [ssh] accept=2222 connect=myserver.com:22

2 1