stunnel-users April 2014

stunnel-users@stunnel.org

16 participants
17 discussions

DH not working, although initialized correctly
by Ovidiu Lixandru 14 Apr '14

14 Apr '14

Hello, I'm trying to enable Forward Secrecy. have an stunnel 4.56 instance compiled with authpriv and xforwardedfor patches, configured as follows: sslVersion = all options = NO_SSLv2 ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 renegotiation = no setuid = nobody setgid = nobody socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 libwrap = no TIMEOUTbusy = 120 xforwardedfor = yes [domain.com] accept = X.X.X.X:443 connect = 127.0.0.1:91 cert = /etc/pki/tls/certs/domain.pem key = /etc/pki/tls/private/domain.key domain.pem contains both the SSL certificate and the DH parameters (generated with "openssl dhparams 2048"). stunnel initializes the DH parameters correctly: 2014.04.14 12:08:18 LOG6[16629:140355580176320]: Initializing service [domain.com] 2014.04.14 12:08:18 LOG7[16629:140355580176320]: Certificate: /etc/pki/tls/certs/domain.pem 2014.04.14 12:08:18 LOG7[16629:140355580176320]: Certificate loaded 2014.04.14 12:08:18 LOG7[16629:140355580176320]: Key file: /etc/pki/tls/private/domain.key 2014.04.14 12:08:18 LOG7[16629:140355580176320]: Private key loaded 2014.04.14 12:08:18 LOG7[16629:140355580176320]: Using DH parameters from /etc/pki/tls/certs/domain.pem 2014.04.14 12:08:18 LOG7[16629:140355580176320]: DH initialized with 2048-bit key 2014.04.14 12:08:18 LOG7[16629:140355580176320]: SSL options set: 0x01000004 When I try to connect using openssl s_client, the connections fails with it unable to negotiate a cipher. On the client side: # openssl s_client -cipher ECDH -tls1 -connect www.domain.com:443 CONNECTED(00000003) 140735113126752:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40 140735113126752:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1397471905 Timeout : 7200 (sec) Verify return code: 0 (ok) --- On the server side: 2014.04.14 11:57:10 LOG5[9647:140038728394496]: Service [domain.com] accepted connection from X.X.X.X:56678 2014.04.14 11:57:10 LOG7[9647:140038728394496]: SSL state (accept): before/accept initialization 2014.04.14 11:57:10 LOG7[9647:140038728394496]: SNI: no virtual services defined 2014.04.14 11:57:10 LOG7[9647:140038728394496]: SSL alert (write): fatal: handshake failure 2014.04.14 11:57:10 LOG3[9647:140038728394496]: SSL_accept: 1408A0C1: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher 2014.04.14 11:57:10 LOG5[9647:140038728394496]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket The client and the server have the same openssl version (1.0.1e), with the same supported ciphers. I tried different cipher combinations (i.e. "HIGH:!aNULL:!MD5"), but no lock. FWIW, the initial DH cipher list in the stunnel config file works correctly in an SSL nginx instance and openssl s_client negotiates "ECDHE-RSA-AES256-SHA". Any idea what may be wrong with stunnel? Thanks, Ovidiu

1 0

Re: [stunnel-users] Some troubles with PROXY protocol
by Alexey V. Drozdov 13 Apr '14

13 Apr '14

Hi, Mike! In spite of new changes, it's still work incorrect because of init_remote(c) connect to the address from root config section: protocol(c, PROTOCOL_PRE_CONNECT); init_remote(c); <<<<<<<<<< destination address from root section protocol(c, PROTOCOL_PRE_SSL); init_ssl(c); <<<<<<<<<<< switch to target SNI config section only there protocol(c, PROTOCOL_POST_SSL); <<<<<<<<<<< send PROXY protocol to incorrect address Context switch to target section parameters after init_ssl(c) only. /Alexey V. Drozdov e-mail: anyquist(a)yandex.ru

2 2

Connection closed with a turn server backend
by pablo platt 12 Apr '14

12 Apr '14

Hi, I'm trying to tunnel TLS connection to a turn server https://code.google.com/p/rfc5766-turn-server/ The connection is closed with; SSL socket closed on SSL_read I'm using the ubuntu 12.04 package http://packages.ubuntu.com/precise/stunnel4 Am I missing a configuration option in my stunnel config? Please see my config and log bellow. ----------------------------------------------- chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid debug = 7 output = /stunnel.log [ssl] accept = 443 connect = 3478 cert = /etc/stunnel/cert.pem key = /etc/stunnel/key.pem ---------------------------------------------------- 2014.04.12 13:40:15 LOG7[14983:140499885700864]: No limit detected for the number of clients 2014.04.12 13:40:15 LOG7[14983:140499885700864]: signal_pipe: FD=3 allocated (non-blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: signal_pipe: FD=4 allocated (non-blocking mode) 2014.04.12 13:40:15 LOG5[14983:140499885700864]: stunnel 4.42 on x86_64-pc-linux-gnu platform 2014.04.12 13:40:15 LOG5[14983:140499885700864]: Compiled/running with OpenSSL 1.0.1 14 Mar 2012 2014.04.12 13:40:15 LOG5[14983:140499885700864]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6 2014.04.12 13:40:15 LOG5[14983:140499885700864]: Reading configuration from file /etc/stunnel/stunnel.conf 2014.04.12 13:40:15 LOG7[14983:140499885700864]: PRNG seeded successfully 2014.04.12 13:40:15 LOG6[14983:140499885700864]: Initializing SSL context for service ssl 2014.04.12 13:40:15 LOG4[14983:140499885700864]: Insecure file permissions on /etc/stunnel/key.pem 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Certificate: /etc/stunnel/cert.pem 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Certificate loaded 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Key file: /etc/stunnel/key.pem 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Private key loaded 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Could not load DH parameters from /etc/stunnel/cert.pem 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Using hardcoded DH parameters 2014.04.12 13:40:15 LOG7[14983:140499885700864]: DH initialized with 2048-bit key 2014.04.12 13:40:15 LOG7[14983:140499885700864]: ECDH initialized with curve prime256v1 2014.04.12 13:40:15 LOG7[14983:140499885700864]: SSL options set: 0x00000004 2014.04.12 13:40:15 LOG6[14983:140499885700864]: SSL context initialized 2014.04.12 13:40:15 LOG5[14983:140499885700864]: Configuration successful 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=5 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=6 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=6 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=7 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=7 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=8 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=8 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=9 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=9 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: libwrap_init: FD=10 allocated (blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: accept socket: FD=11 allocated (non-blocking mode) 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Option SO_REUSEADDR set on accept socket 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Service ssl bound to 0.0.0.0:443 2014.04.12 13:40:15 LOG7[14983:140499885700864]: Service ssl opened FD=11 2014.04.12 13:40:15 LOG7[14989:140499885700864]: Created pid file /stunnel4.pid 2014.04.12 13:40:17 LOG7[14989:140499885700864]: local socket: FD=0 allocated (non-blocking mode) 2014.04.12 13:40:17 LOG7[14989:140499885700864]: Service ssl accepted FD=0 from 192.168.56.1:54561 2014.04.12 13:40:17 LOG7[14989:140499885700864]: local socket: FD=1 allocated (non-blocking mode) 2014.04.12 13:40:17 LOG7[14989:140499885700864]: Service ssl accepted FD=1 from 192.168.56.1:54562 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Service ssl started 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Option TCP_NODELAY set on local socket 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Waiting for a libwrap process 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Acquired libwrap process #0 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Service ssl started 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Option TCP_NODELAY set on local socket 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Waiting for a libwrap process 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Acquired libwrap process #1 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Releasing libwrap process #0 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Released libwrap process #0 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Service ssl permitted by libwrap from 192.168.56.1:54562 2014.04.12 13:40:17 LOG5[14989:140499885692672]: Service ssl accepted connection from 192.168.56.1:54562 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): before/accept initialization 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 read client hello A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 write server hello A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 write certificate A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 write key exchange A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 write server done A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 flush data 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Releasing libwrap process #1 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Released libwrap process #1 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Service ssl permitted by libwrap from 192.168.56.1:54561 2014.04.12 13:40:17 LOG5[14989:140499885790976]: Service ssl accepted connection from 192.168.56.1:54561 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): before/accept initialization 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 read client hello A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 write server hello A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 write certificate A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 write key exchange A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 write server done A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 flush data 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 read client key exchange A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 read finished A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 write session ticket A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 write change cipher spec A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 write finished A 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL state (accept): SSLv3 flush data 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 items in the session cache 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 client connects (SSL_connect()) 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 client connects that finished 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 client renegotiations requested 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 2 server connects (SSL_accept()) 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 1 server connects that finished 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 server renegotiations requested 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 session cache hits 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 external session cache hits 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 session cache misses 2014.04.12 13:40:17 LOG7[14989:140499885692672]: 0 session cache timeouts 2014.04.12 13:40:17 LOG6[14989:140499885692672]: SSL accepted: new session negotiated 2014.04.12 13:40:17 LOG6[14989:140499885692672]: Negotiated ciphers: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 2014.04.12 13:40:17 LOG7[14989:140499885692672]: remote socket: FD=2 allocated (non-blocking mode) 2014.04.12 13:40:17 LOG6[14989:140499885692672]: connect_blocking: connecting 192.169.56.300:3478 2014.04.12 13:40:17 LOG7[14989:140499885692672]: connect_blocking: s_poll_wait 192.169.56.300:3478: waiting 10 seconds 2014.04.12 13:40:17 LOG5[14989:140499885692672]: connect_blocking: connected 192.169.56.300:3478 2014.04.12 13:40:17 LOG5[14989:140499885692672]: Service ssl connected remote server from 192.169.56.300:59744 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Remote FD=2 initialized 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Option TCP_NODELAY set on remote socket 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 read client key exchange A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 read finished A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 write session ticket A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 write change cipher spec A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 write finished A 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL state (accept): SSLv3 flush data 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 items in the session cache 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 client connects (SSL_connect()) 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 client connects that finished 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 client renegotiations requested 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 2 server connects (SSL_accept()) 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 2 server connects that finished 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 server renegotiations requested 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 session cache hits 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 external session cache hits 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 session cache misses 2014.04.12 13:40:17 LOG7[14989:140499885790976]: 0 session cache timeouts 2014.04.12 13:40:17 LOG6[14989:140499885790976]: SSL accepted: new session negotiated 2014.04.12 13:40:17 LOG6[14989:140499885790976]: Negotiated ciphers: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD 2014.04.12 13:40:17 LOG7[14989:140499885692672]: SSL socket closed on SSL_read 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Sending socket write shutdown 2014.04.12 13:40:17 LOG5[14989:140499885692672]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket 2014.04.12 13:40:17 LOG7[14989:140499885692672]: Service ssl finished (1 left) 2014.04.12 13:40:17 LOG7[14989:140499885692672]: str_stats: 0 block(s), 0 byte(s) 2014.04.12 13:40:17 LOG7[14989:140499885790976]: remote socket: FD=1 allocated (non-blocking mode) 2014.04.12 13:40:17 LOG6[14989:140499885790976]: connect_blocking: connecting 192.169.56.300:3478 2014.04.12 13:40:17 LOG7[14989:140499885790976]: connect_blocking: s_poll_wait 192.169.56.300:3478: waiting 10 seconds 2014.04.12 13:40:17 LOG5[14989:140499885790976]: connect_blocking: connected 192.169.56.300:3478 2014.04.12 13:40:17 LOG5[14989:140499885790976]: Service ssl connected remote server from 192.169.56.300:59745 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Remote FD=1 initialized 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Option TCP_NODELAY set on remote socket 2014.04.12 13:40:17 LOG7[14989:140499885790976]: SSL socket closed on SSL_read 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Sending socket write shutdown 2014.04.12 13:40:17 LOG5[14989:140499885790976]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket 2014.04.12 13:40:17 LOG7[14989:140499885790976]: Service ssl finished (0 left) 2014.04.12 13:40:17 LOG7[14989:140499885790976]: str_stats: 0 block(s), 0 byte(s)

1 0

Bleedingheart Bug in OpenSSL
by Burak Say 11 Apr '14

11 Apr '14

Hello, When do you think you can release a patch to use OpenSSL 1.0.1g instead of 1.0.1f? Thanks, Burak Say

4 5

Re: [stunnel-users] Some troubles with PROXY protocol
by Alexey V. Drozdov 10 Apr '14

10 Apr '14

Hi, Mike! I have analyze your fix and found mistake :( We will switch to target SNI section after init_ssl(c) only, thereby init_remote(c) will be connect to wrong destination. if(!c->opt->option.client && c->opt->protocol<0 #ifndef OPENSSL_NO_TLSEXT && !c->opt->servername_list_head #endif ) { /* server mode and no protocol negotiation needed */ init_ssl(c); init_remote(c); } else { /* client mode or protocol negotiation enabled */ protocol(c, PROTOCOL_PRE_CONNECT); init_remote(c); <<<<<<<<<< Incorrect destination protocol(c, PROTOCOL_PRE_SSL); init_ssl(c); <<<<<<<<<<< switch to target SNI config section only there protocol(c, PROTOCOL_POST_SSL); } /Alexey V. Drozdov e-mail: anyquist(a)yandex.ru

2 1

stunnel 5.01 released
by Michal Trojnara 08 Apr '14

08 Apr '14

Dear Users, I have released version 5.01 of stunnel. The ChangeLog entry: Version 5.01, 2014.04.08, urgency: HIGH: * Security bugfixes - OpenSSL DLLs updated to version 1.0.1g. This version mitigates TLS heartbeat read overrun (CVE-2014-0160). * New features - X.509 extensions added to the created self-signed stunnel.pem. - "FIPS = no" also allowed in non-FIPS builds of stunnel. - Search all certificates with the same subject name for a matching public key rather than only the first one (thx to Leon Winter). - Create logs in the local application data folder if stunnel folder is not writable on Win32. * Bugfixes - close_notify not sent when SSL still has some data buffered. - Protocol negotiation with server-side SNI fixed. - A Mac OS X missing symbols fixed. - Win32 configuration file reload crash fixed. - Added s_pool_free() on exec+connect service retires. - Line-buffering enforced on stderr output. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hash for stunnel-5.01.tar.gz: 2565bf58ffe8a612304c64df621105b2e42d6e389e815ed4205dbeec4f3f886b Best regards, Mike

1 0

Re: [stunnel-users] public domain [Patch] Support multiple X509 client certificates with same CN
by Leon Winter 01 Apr '14

01 Apr '14

Hi Michal, > >What license do you need the patch to be? > > Preferably public domain, but any GPL-compatbile and non-copyleft license > should be fine. I hereby release my patches to stunnel for support of muliple client certificates with the same CN into the public domain. Best regards, Leon Winter

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users April 2014