stunnel-users April 2015

stunnel-users@stunnel.org

14 participants
16 discussions

stunnel 5.15 release
by Michal Trojnara 16 Apr '15

16 Apr '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.15 of stunnel. The ChangeLog entry: Version 5.15, 2015.04.16, urgency: LOW: * New features - Added new service-level options "checkHost", "checkEmail" and "checkIP" for additional checks of the peer certificate subject. These options require OpenSSL version 1.0.2 or higher. - Win32 binary distribution now ships with the Mozilla root CA bundle. This bundle is intended be used together with the new "checkHost" option to validate server certs accepted by Mozilla. - New commandline options "-reload" to reload the configuration file and "-reopen" to reopen the log file of stunnel running as a Windows service (thx to Marc McLaughlin). - Added session persistence based on negotiated TLS sessions. https://en.wikipedia.org/wiki/Load_balancing_%28computing%29#Persistence The current implementation does not support external TLS session caching with sessiond. - MEDIUM ciphers (currently SEED and RC4) are removed from the default cipher list. - The "redirect" option was improved to not only redirect sessions established with an untrusted certificate, but also sessions established without a client certificate. - OpenSSL version checking modified to distinguish FIPS and non-FIPS builds. - Improved compatibility with the current OpenSSL 1.1.0-dev tree. - Removed support for OpenSSL versions older than 0.9.7. The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004. - "sessiond" support improved to also work in OpenSSL 0.9.7. - Randomize the initial value of the round-robin counter. - New stunnel.conf templates are provided for Windows and Unix. * Bugfixes - Fixed compilation against old versions of OpenSSL. - Fixed memory leaks in certificate verification. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 58ff4645eb5d6bd64e6ddedaa683534302f75625c531e8a6364badcac0541cba stunnel-5.15.tar.gz 08316dc39f72f10f7b28a67e25ddf90f3f189208b09562c12d81478c6ca2e782 stunnel-5.15-installer.exe db96edbe66f1c3524e51f21b47cc541953d1659e746765a43d0272cfe60712b0 stunnel-5.15-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVL7wqAAoJEC78f/DUFuAU+30P/Ar197tSUJC0+sLBXwddWkm4 J7d9lFThQFECDDSIqaFYfCuecIgGHk8LUVq8nQHh21H1tvpPp7SnYHkzOLsb2w/y G7rLdA+a8BgRTUF3rMxTyghL78Yor88OLI8J93U7pkQkl0bIZpiITn838R5x9/NP +nGTgqy3U5tNoXALBQ/tLZCNML/XaEyxfrbdStOslV5Ay3m23RPw9wqgD4tJoWqe 5x52sMmLh0nhE5lX3xAKxzabVcioAaqVlBEgK1/ZKJj709Olcv14HZcOWzWhWkka MR0ItrZMkYf3lLk/StDm3s2BakKRraRustxlK8wAV4ci7t/IBnWshIpYIij9Nzct HNOT10GjWpN6pwwixNcMBUn7/wDNjiRVw/1n/keL84qSYry54Czo1LpBra1lMCmg 8WENkpJbaNFHvXI4rEzZkiPdlG16tXHF33CcYxwrT8bCXa+Uk4i8c98TJ2jfOaUv VFVLWxFtK4ydoppgOo2eRuymVPNK4HbLZnLPL874xPlHpYjRl5ndClLeDpkDzgJv 8y6zdYwJLFbinWGGHTZIVlyQQfKzB1NDCfXxknsbxtCpZt5Ja0Ka+oS6kcOMZz6f CjYpmd52wjEtAoxxxsjGGrYsO3q0sn0UU3Kc97lGGS/MsgbXFYDnSGqP+p8lzDoq urHG9EjMxXNMcnmKp9JQ =XLyZ -----END PGP SIGNATURE-----

1 0

Re: [stunnel-users] Understanding communication
by josealf＠rocketmail.com 16 Apr '15

16 Apr '15

Claudia, Yes, to create a tunnel you need to configure stunnel on both sides, except in those cases when one of the extremes already supports TLS. Looks like yours is not one of those cases. Regards, Jose -----Original Message----- From: "Claudia Porta" <claudia.porta(a)bancaakros.it> Sender: "stunnel-users" <stunnel-users-bounces(a)stunnel.org> Date: Wed, 15 Apr 2015 14:51:07 To: <stunnel-users(a)stunnel.org> Subject: [stunnel-users] Understanding communication _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

1 0

Verifying TLS authentication via stunnel logs
by shanmuganathan sedukumar 16 Apr '15

16 Apr '15

We have a requirement to send emails via a SMTP server which requires TLS authentication. Going through some logs we tried changing the parameter "SSLversion = TLSv1", but still getting authentication failure. So, we would like to verify if stunnel is trying to sending request via TLS method before looking for any issues at SMTP end. Is there a way we can verify from stunnel logs if the request is sent via TLS? Thanks & Regards,Shanmu

1 0

Session is active but I cannot connect
by daninho dj 09 Apr '15

09 Apr '15

Hi guys, I am struggling with a problem for some time. I searched about this problem in the stunnel mails archives and also on Google but couldn't find a solution and I ran out of ideas so I was thinking to write you about it. I am using Eclipse to access and manipulate the data from a linux server. I want to use stunnel when I connect to the server via Eclipse, so I installed and configured everything as it follows: The server I am using is SuSE Linux and the stunnel version which I installed is this one: *stunnel 4.27 on x86_64-suse-linux-gnu with OpenSSL 0.9.8j-fips 07 Jan 2009* The stunnel version on Windows 7 is: *stunnel version 5.10* In the conf file from linux (server) I have the following configuration for stunnel.conf: *client = no* *chroot = /var/lib/stunnel/* *setuid = root* *setgid = root* *pid = /var/run/stunnel.pid* *debug = 7* *output = /var/log/stunnel/stunnel.log* *cert = /etc/ssl/certs/stunnel.pem* *sslVersion = SSLv3* *[test]* *accept = 2404* *connect = 2406* In the conf file from windows (client) I have the following configuration in stunnel.conf: *debug = 7* *output = C:\Program Files (x86)\stunnel\stunnel.log* *cert = C:\Program Files (x86)\stunnel\stunnel.pem* *sslVersion = SSLv3* *[test]* *client = yes* *accept = 127.0.0.1:2404 <http://127.0.0.1:2404>* *connect = xx.xxx.xxx.xxx:2406* In the log I have this: 2015.04.09 13:48:04 LOG5[11060]: Configuration successful 2015.04.09 13:48:04 LOG7[11060]: Listening file descriptor created (FD=452) 2015.04.09 13:48:04 LOG7[11060]: Service [test] (FD=452) bound to 127.0.0.1:2404 2015.04.09 13:48:07 LOG7[11060]: Service [test] accepted (FD=496) from 127.0.0.1:56675 2015.04.09 13:48:07 LOG7[11060]: Creating a new thread 2015.04.09 13:48:07 LOG7[11060]: New thread created 2015.04.09 13:48:07 LOG7[2088]: Service [test] started 2015.04.09 13:48:07 LOG5[2088]: Service [test] accepted connection from 127.0.0.1:56675 2015.04.09 13:48:07 LOG6[2088]: s_connect: connecting xx.xxx.xxx.xxx:2406 2015.04.09 13:48:07 LOG7[2088]: s_connect: s_poll_wait xx.xxx.xxx.xxx:2406: waiting 10 seconds 2015.04.09 13:48:07 LOG5[2088]: s_connect: connected xx.xxx.xxx.xxx:2406 2015.04.09 13:48:07 LOG5[2088]: Service [test] connected remote server from 127.0.0.1:56676 2015.04.09 13:48:07 LOG7[2088]: Remote socket (FD=516) initialized 2015.04.09 13:48:07 LOG6[2088]: SNI: sending servername: *my_server_name* 2015.04.09 13:48:07 LOG7[2088]: SSL state (connect): before/connect initialization 2015.04.09 13:48:07 LOG7[2088]: SSL state (connect): SSLv3 write client hello A 2015.04.09 13:48:08 LOG3[2088]: SSL_connect: Peer suddenly disconnected 2015.04.09 13:48:08 LOG5[2088]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket 2015.04.09 13:48:08 LOG7[2088]: Remote socket (FD=516) closed 2015.04.09 13:48:08 LOG7[2088]: Local socket (FD=496) closed 2015.04.09 13:48:08 LOG7[2088]: Service [test] finished (0 left) Although in the stunnel log it's showing *s_connect: connected* I cannot connect at all. When I try to connect via port 2406, the stunnel icon shows that the server is idle and I have nothing in the log about it. When I try to connect via port 2404, the stunnel icon shows that the there are 2 active sessions but I cannot connect to the server. I tried switching the ports (2404 with 2406 and 2406 with 2404 in the stunnel.conf file) but stunnel doesn't even open in that case. Do you have any idea what might could be the problem and how could I solve it? Thanks in advance! Best Regards, Daninho --

3 6

Stunnel 5.0x compile issues
by Michael Curran 06 Apr '15

06 Apr '15

Hello -- I am running the following commands to compile openssl (with FIPS support) and stunnel * Base config for FIPS cd openssl-fips-2.0.9 echo "./config" ./config * OpenSSL with shared and custom install location cd openssl-1.0.1m echo "./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib" ./config fips shared --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ * Stunnel with FIPs (autodetect is working , I just added it to force it) cd stunnel-5.09 echo "make clean" make clean echo "./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap --enable-fips" ./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap --enable-fips You can see that my custom OpenSSL is reporting that it is built with -fips root@host:/var/tmp# /usr/local/openssl-100/bin/openssl version OpenSSL 1.0.1m-fips 19 Mar 2015 But when I'm done with all the compile options -- I only see the base version of OpenSSL 1.0.1m , and this same script with Stunnel 4.53 shows OpenSSL 1.0.1m-fips Is there something I am missing during the configure for Stunnel that is causing it to NOT see openssl is compiled with FIPs? root@host:/var/tmp# stunnel -version stunnel 5.09 on x86_64-unknown-linux-gnu platform Compiled with OpenSSL 1.0.1m 19 Mar 2015 Running with OpenSSL 1.0.1 14 Mar 2012 Update OpenSSL shared libraries or rebuild stunnel Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Global options: debug = daemon.notice RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options: ciphers = FIPS (with "fips = yes") ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no") curve = prime256v1 options = NO_SSLv2 options = NO_SSLv3 sessionCacheSize = 1000 sessionCacheTimeout = 300 seconds stack = 65536 bytes TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none

1 0

Disconnect immediately after sending a message successfully
by Swallow 02 Apr '15

02 Apr '15

Hi, Can you give me a hand? We sent messages to a server over SSL. But stunnel showed disconnect from remote server as soon as we sent out logon message correctly. We close down the fire wall. Dose we misunderstand the mechanism of stunnel? Could someone help me? Thank you very much. Regards, Yan

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users April 2015