stunnel-users May 2015

stunnel-users@stunnel.org

10 participants
16 discussions

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: … [View More]

5 9

stunnel and hosts.allow
by Yousef Alhashemi 05 Jul '16

05 Jul '16

Hi, This may be a little bit off-topic, but does anyone here use stunnel with pan? My connections to stunnel (in pan) are always refused by libwrap. I was looking for the right rule to add to /etc/hosts.allow but nothing seems to work aside from "ALL : ALL" (which is obviously not good) and "nntps: KNOWN". Is the latter reasonable? The hosts_access(5) manpage is confusing to say the least. It mentions that daemon (the first token on any line) is the name of the daemon running the process, … [View More]

3 6

Rework "Honor --sysconfdir and --localstatedir in stunnel.conf-sample.in"
by Dagobert Michelsen 01 Jun '15

01 Jun '15

Hi, I took the liberty of reworking the patch presented in http://www.stunnel.org/pipermail/stunnel-users/2010-July/002711.html to fix the issues raised in http://www.stunnel.org/pipermail/stunnel-users/2010-August/002719.html The main reason why the substitution didn't work is because it should not be done during configure-time but inside the Makefile as described in the Autoconf manual http://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/htm… The patch is attached … [View More]

2 6

Incompatibility - Content-length parsing
by Marcin Gryszkalis 25 May '15

25 May '15

Hi, I noticed that parsing of HTTP header fields is not robust enough and not RFC compliant - and that way it casues incompatibility with Microsoft TMG proxy with NTLM authentication. The symptom is "Proxy-Authenticate: Invalid Content-Length" message while the header received is "Content-Length: 0 " <- note trailing spaces. The responsible piece of code is in protocol.c: if(tmpstr==line+16 || *tmpstr || content_length<0) { (tmpstr contains trailing spaces in this case). … [View More]

2 3

Compiling for Android
by Pio Tofanelli 21 May '15

21 May '15

Hi, I'm new to stunnel and I'd like to compile it to ARM and x86 platforms. I downloaded the stunnel-5.17 package and I'm using the build-android.sh and android-ndk-r10e script to compile it: ../../configure --with-sysroot=/home/ptofanelli/android-ndk-r10e/platforms/android-18/arch-arm/ --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local I'm getting the message "The C compiler cannot create executables" and checking the logs I've found that the problem is this: … [View More]

1 0

Stunnel not working with Office 365
by Hannu Viitala 19 May '15

19 May '15

Hi, We cannot get stunnel SMTP to work with Office 365 mail server. We are using Stunnel 5.13 and below are the config file content and the the client PC logs. The mail server logs do not reveal anything more. Two observations of the test setup: 1) Using e.g. Mozilla Firebird mail client directly SLL/SMTP on the same PC connection to same Office 365 mail server works ok, but via Stunnel it outputs the error log below. 2) Also, on the same PC, SSL/SMTP connection via stunnel to … [View More]Gmail server works ok. Stunnel conf-file: ============== output = stunnel_log.txt debug = debug cert = tstunnel.pem client = yes [SSMTP] accept = 127.0.0.1:54500 connect = xxx.xxx.xxx.xxx:587 (Hannu V: removed IP address from this mail) protocol = smtp Client PC logs: =========== 2015.04.28 09:17:36 LOG7[ui]: No limit detected for the number of clients 2015.04.28 09:17:36 LOG5[ui]: stunnel 5.13 on x86-pc-msvc-1500 platform 2015.04.28 09:17:36 LOG5[ui]: Compiled/running with OpenSSL 1.0.2a 19 Mar 2015 2015.04.28 09:17:36 LOG5[ui]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI 2015.04.28 09:17:36 LOG7[ui]: errno: (*_errno()) 2015.04.28 09:17:36 LOG5[ui]: Reading configuration from file tstunnelSmtp_SAUX1_0.conf 2015.04.28 09:17:36 LOG5[ui]: UTF-8 byte order mark not detected 2015.04.28 09:17:36 LOG5[ui]: FIPS mode disabled 2015.04.28 09:17:36 LOG7[ui]: Compression disabled 2015.04.28 09:17:36 LOG7[ui]: PRNG seeded successfully 2015.04.28 09:17:36 LOG6[ui]: Initializing service [SSmtp] 2015.04.28 09:17:36 LOG6[ui]: Loading certificate from file: tstunnel.pem 2015.04.28 09:17:36 LOG6[ui]: Loading key from file: tstunnel.pem 2015.04.28 09:17:36 LOG7[ui]: Private key check succeeded 2015.04.28 09:17:36 LOG7[ui]: SSL options: 0x03000004 (+0x03000000, -0x00000000) 2015.04.28 09:17:36 LOG5[ui]: Configuration successful 2015.04.28 09:17:36 LOG7[ui]: Listening file descriptor created (FD=448) 2015.04.28 09:17:36 LOG7[ui]: Service [SSmtp] (FD=448) bound to 127.0.0.1:8030 2015.04.28 09:17:36 LOG7[ui]: Service [SSmtp] accepted (FD=456) from 127.0.0.1:54500 2015.04.28 09:17:36 LOG7[ui]: Creating a new thread 2015.04.28 09:17:36 LOG7[ui]: New thread created 2015.04.28 09:17:36 LOG7[0]: Service [SSmtp] started 2015.04.28 09:17:36 LOG5[0]: Service [SSmtp] accepted connection from 127.0.0.1:54500 2015.04.28 09:17:36 LOG6[0]: s_connect: connecting xxx.xxx.xxx.xxx:587 (Hannu V: removed IP address from this mail) 2015.04.28 09:17:36 LOG7[0]: s_connect: s_poll_wait connecting xxx.xxx.xxx.xxx:587 : waiting 10 seconds (Hannu V: removed IP address from this mail) 2015.04.28 09:17:37 LOG5[0]: s_connect: connected connecting xxx.xxx.xxx.xxx:587 (Hannu V: removed IP address from this mail) 2015.04.28 09:17:37 LOG5[0]: Service [SSmtp] connected remote server from yyy.yyy.yyy.yyy:54503 (Hannu V: removed IP address from this mail) 2015.04.28 09:17:37 LOG7[0]: Remote socket (FD=472) initialized 2015.04.28 09:17:37 LOG7[0]: <- 220 NNN.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 28 Apr 2015 14:17:38 +0000 2015.04.28 09:17:37 LOG7[0]: -> 220 NNN.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 28 Apr 2015 14:17:38 +0000 2015.04.28 09:17:37 LOG7[0]: -> EHLO localhost 2015.04.28 09:17:37 LOG7[0]: <- 250-NNN.outlook.office365.com Hello [xxx.xxx.xxx.161] (Hannu V: removed IP address from this mail) 2015.04.28 09:17:37 LOG7[0]: <- 250-SIZE 157286400 2015.04.28 09:17:37 LOG7[0]: <- 250-PIPELINING 2015.04.28 09:17:37 LOG7[0]: <- 250-DSN 2015.04.28 09:17:37 LOG7[0]: <- 250-ENHANCEDSTATUSCODES 2015.04.28 09:17:37 LOG7[0]: <- 250-STARTTLS 2015.04.28 09:17:37 LOG7[0]: <- 250-8BITMIME 2015.04.28 09:17:37 LOG7[0]: <- 250-BINARYMIME 2015.04.28 09:17:37 LOG7[0]: <- 250 CHUNKING 2015.04.28 09:17:37 LOG7[0]: -> STARTTLS 2015.04.28 09:17:37 LOG7[0]: <- 220 2.0.0 SMTP server ready 2015.04.28 09:17:37 LOG6[0]: SNI: sending servername: NNN.office365.com 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): before/connect initialization 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv2/v3 write client hello A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 read server hello A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 read server certificate A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 read server key exchange A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 read server certificate request A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 read server done A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 write client certificate A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 write client key exchange A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 write certificate verify A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 write change cipher spec A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 write finished A 2015.04.28 09:17:37 LOG7[0]: SSL state (connect): SSLv3 flush data 2015.04.28 09:17:37 LOG3[0]: SSL_connect: Peer suddenly disconnected 2015.04.28 09:17:37 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket 2015.04.28 09:17:37 LOG7[0]: Remote socket (FD=472) closed 2015.04.28 09:17:37 LOG7[0]: Local socket (FD=456) closed 2015.04.28 09:17:37 LOG7[0]: Service [SSmtp] finished (0 left) --- Hannu [View Less]

2 1

Authentication methods
by Michal Trojnara 14 May '15

14 May '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, While reading various 3rd party stunnel tutorials I noticed that they either don't configure authentication, or they recommend insecure configurations. I wrote a short overview of authentication methods available in stunnel: https://www.stunnel.org/auth.html Proper authentication is essential to TLS security. Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ … [View More]

1 0

Stunnel4 not working?
by David H. Durgee 13 May '15

13 May '15

Given a lack of other suggestions here and elsewhere that yielded any progress, I decided to download the current source and attempt to build it on my system. I didn't see a routine to check for prerequisites being met, so I wound up running ./configure several times and adding the libssl-dev, libwrap0-dev and libsystemd-daemon-dev packages based on what I saw in the output. Perhaps a check routine could be added later? I then ran make and the output contains neither errors nor warnings, … [View More]

2 1

Re: [stunnel-users] Stunnel 5.17 on AIX
by Eckert, Doug 13 May '15

13 May '15

Thanks! I applied the patch to tls.c and I'm able to create sessions with no problem. The version of OpenSSL provided by IBM is built off the 1.0.1e codebase, with backported security fixes via "iFixes" for announced CVEs. They apparently don't backport new functionality or maybe even non-CVE bugfixes. I'm guessing an un-patched stunnel 5.17 would work once/if they release OpenSSL built off 1.0.1j or later. > On Tue, May 12, 2015 at 3:40 PM, Michal Trojnara <Michal.Trojnara(a)mirt.… [View More]

1 0

Stunnel 5.17 on AIX
by Eckert, Doug 12 May '15

12 May '15

I've gotten v5.17 compiled on AIX 5.3 & 6.1 with the following xlccmp.13.1.0 13.1.0.3 COMMITTED XL C compiler openssl.base 1.0.1.513 COMMITTED Open Secure Socket Layer IV71446m9a Ifix for Openssl CVE Everything seems to have compiled fine. I packaged it up, installed, and set up a quick config. The server side aborts on me. Debug output follows. Need some direction on where to look next. Thanks in advance! 2015.05.06 12:08:03 LOG7[ui]: Clients … [View More]allowed=31999 2015.05.06 12:08:03 LOG5[ui]: stunnel 5.17 on powerpc-ibm-aix5.3.0.0 platform 2015.05.06 12:08:03 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013 2015.05.06 12:08:03 LOG5[ui]: Threading:PTHREAD Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI 2015.05.06 12:08:03 LOG7[ui]: errno: (*_Errno()) 2015.05.06 12:08:03 LOG5[ui]: Reading configuration from file /opt/freeware/etc/stunnel/stunnel.conf 2015.05.06 12:08:03 LOG5[ui]: UTF-8 byte order mark not detected 2015.05.06 12:08:03 LOG7[ui]: Compression disabled 2015.05.06 12:08:03 LOG7[ui]: Snagged 64 random bytes from //.rnd 2015.05.06 12:08:03 LOG7[ui]: Wrote 1024 new random bytes to //.rnd 2015.05.06 12:08:03 LOG7[ui]: PRNG seeded successfully 2015.05.06 12:08:03 LOG6[ui]: Initializing service [client] 2015.05.06 12:08:03 LOG6[ui]: Loading certificate from file: /usr/share/ssl/certs/skdkgesaix53-client-cert.pem 2015.05.06 12:08:03 LOG6[ui]: Loading key from file: /usr/share/ssl/certs/skdkgesaix53-client-key.pem 2015.05.06 12:08:03 LOG7[ui]: Private key check succeeded 2015.05.06 12:08:03 LOG7[ui]: Verify directory set to /usr/share/ssl/certs 2015.05.06 12:08:03 LOG7[ui]: Added /usr/share/ssl/certs revocation lookup directory 2015.05.06 12:08:03 LOG6[ui]: Peer certificate location /usr/share/ssl/certs 2015.05.06 12:08:03 LOG7[ui]: SSL options: 0x01000004 (+0x03000000, -0x02000000) 2015.05.06 12:08:03 LOG6[ui]: Initializing service [server] 2015.05.06 12:08:03 LOG6[ui]: Loading certificate from file: /usr/share/ssl/certs/skdkgesaix53-server-cert.pem 2015.05.06 12:08:03 LOG6[ui]: Loading key from file: /usr/share/ssl/certs/skdkgesaix53-server-key.pem 2015.05.06 12:08:03 LOG7[ui]: Private key check succeeded 2015.05.06 12:08:03 LOG7[ui]: Verify directory set to /usr/share/ssl/certs 2015.05.06 12:08:03 LOG7[ui]: Added /usr/share/ssl/certs revocation lookup directory 2015.05.06 12:08:03 LOG6[ui]: Peer certificate location /usr/share/ssl/certs 2015.05.06 12:08:03 LOG7[ui]: DH initialization 2015.05.06 12:08:03 LOG7[ui]: Could not load DH parameters from /usr/share/ssl/certs/skdkgesaix53-server-cert.pem 2015.05.06 12:08:03 LOG7[ui]: Using hardcoded DH parameters 2015.05.06 12:08:03 LOG7[ui]: DH initialized with 2048-bit key 2015.05.06 12:08:03 LOG7[ui]: ECDH initialization 2015.05.06 12:08:03 LOG7[ui]: ECDH initialized with curve prime256v1 2015.05.06 12:08:03 LOG7[ui]: SSL options: 0x01004004 (+0x03004000, -0x02000000) 2015.05.06 12:08:03 LOG5[ui]: Configuration successful 2015.05.06 12:08:03 LOG7[ui]: Listening file descriptor created (FD=7) 2015.05.06 12:08:03 LOG7[ui]: Service [client] (FD=7) bound to 127.0.0.1:22 2015.05.06 12:08:03 LOG7[ui]: Listening file descriptor created (FD=8) 2015.05.06 12:08:03 LOG7[ui]: Service [server] (FD=8) bound to 172.26.85.13:2222 2015.05.06 12:08:04 LOG7[main]: Created pid file /var/pid/stunnel.pid 2015.05.06 12:08:29 LOG7[main]: Service [server] accepted (FD=3) from 172.26.85.14:52649 2015.05.06 12:08:29 LOG7[0]: Service [server] started 2015.05.06 12:08:29 LOG5[0]: Service [server] accepted connection from 172.26.85.14:52649 2015.05.06 12:08:29 LOG7[0]: SSL state (accept): before/accept initialization 2015.05.06 12:08:29 LOG7[0]: SNI: no virtual services defined 2015.05.06 12:08:29 LOG7[0]: SSL state (accept): SSLv3 read client hello A 2015.05.06 12:08:29 LOG7[0]: SSL state (accept): SSLv3 write server hello A 2015.05.06 12:08:29 LOG7[0]: SSL state (accept): SSLv3 write certificate A INTERNAL ERROR: Bad magic at tls.c, line 182 --Doug [View Less]

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users May 2015