stunnel-users June 2015

stunnel-users@stunnel.org

17 participants
21 discussions

Generate CONNECT
by reiner otto 22 Jun '15

22 Jun '15

I have following problem: I want to avoid the user to explicitly specify a https-proxy in his browser. Let me explain: For http, a transparent proxy can be interfaced via iptables DNAT, for example.Same for https will not work, without certificates installed etc.However, I only want some basic info about the https-session, like traffic volume or destination domain. In case, there is an explicit https-proxy defined in the browser, I can get this info from the connect request, preceding the secure data exchange.But I want to avoid this explicit declararion. Most likely I will need some custom programming for this, but may be there is a specialist here to give some direction.

2 2

Default Ciphers
by Clayton Keller 17 Jun '15

17 Jun '15

Looking at the Changelog I see the following from the 5.15 info: "MEDIUM ciphers (currently SEED and RC4) are removed from the default cipher list." And this from the 5.00 info: "Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to AlFBPPS attack and bad performance of DH ciphersuites." Given these to comments would it be accurate to say that the current default "ciphers" value is: "HIGH:+3DES:+DH:!aNULL:!SSLv2" Also, some of the docs indicate what the default value currently is. Is there an easier way to determine that value via CLI or other means? Thanks Clay

2 1

stunnel 5.18 may keep high CPU usage
by Dod 17 Jun '15

17 Jun '15

Hello, I use sTunnel for years and ujpdated from 5.17 to 5.18 on my Win7 64bits. I use sTunnel for POP-SSL and SMTP-SSL for 12 accounts (gmail, yahoo ...) but I noticed that after a few connexions sTunnel may keep high CPU, 25% as reported by TaskManager (50% on core 1 and 3 on my Core-i5 quad-core). The problem, may appear after 10 cnx sometime more. The reading order the POP-S accounts that are checked do not matter. The POP accounts are never high loaded I mean I do not receive tons of e-mails and they are not oversized. Sometime the 25% CPU usage disappear by its own, sometime it can stay forever. Never noticed such problem on previous versions. Standard logs show nothing special. regards.

3 10

Stunnel 5.17 builds, 5.18 does not - AIX 6.1 - pod2man does not accept "-v"
by Rob Lockhart 17 Jun '15

17 Jun '15

Michal, I was able to build Stunnel 5.17 on AIX 6.1 using the "build" command, after completely removing the entire section for "-fstack-protector" in "configure" (my "stunnel-5.17.patch" file below). I used the following commands: mkdir $HOME/stunnel-bin-5.17 gzip -dc stunnel-5.17.tar.gz | tar xvf - patch -p0 <stunnel-5.17.patch cd stunnel-5.17 chmod 755 configure; ./configure --prefix=$HOME/stunnel-bin-5.17 make; make install However, for 5.18, those same commands (and patch file) no longer result in a successful compile due to AIX 6.1 not accepting the "-u" (Unicode) for pod2man. I looked into 5.17 and it looks like the same Makefiles are used in both (doc/Makefile.in and doc/Makefile.am) so perhaps the top-level Makefile for 5.18 adds the ".pod.8" file to the build process. Removing the "-u" in both files enables the build to complete. I just tested against Stunnel 5.19 but it looks like the step that ran "pod2html" was skipped by default (i.e., just "make") so I am able to compile stunnel correctly. Thanks for fixing this in Stunnel 5.19! For those that need the .pod.8 man pages on AIX 6.1, you'll need to remove the "-u" in the pod2man command. Regards, -Rob

2 1

stunnel 5.19 release
by Michal Trojnara 16 Jun '15

16 Jun '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.19 of stunnel. The ChangeLog entry: Version 5.19, 2015.06.16, urgency: MEDIUM: * New features - OpenSSL DLLs updated to version 1.0.2c. - Added a runtime check whether COMP_zlib() method is implemented in order to improve compatibility with the Debian OpenSSL build. * Bugfixes - Improved socket error handling. - Cron thread priority on Win32 platform changed to THREAD_PRIORITY_LOWEST to improve portability. - Makefile bugfixes for stunnel 5.18 regressions. - Fixed some typos in docs and scripts (thx to Peter Pentchev). - Fixed a log level check condition (thx to Peter Pentchev). Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 0b543242cf26649acfdd9f00de564c3e8de7ac2237d53935ffdc7eb24f4d556d stunnel-5.19.tar.gz 310fb015c3884dd19a1905ed84d5fbcd1579507c98ee2ba43955aa45311bc056 stunnel-5.19-installer.exe 990e636a869f4de8a55c43e7f2fa24ebbf81c1c221473106e8e6b5d89d720627 stunnel-5.19-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVgCeVAAoJEC78f/DUFuAUi98P/1cPUAg1ehgZkDXIxwIxTt/t sxYOWEmX/ajmimornRygim9HHGPB4HzDMFu1B1qCT01GE4uR+ogYZMYJAdZ+LRua J0wuDawuKgnJvWpdDGnX4Mfz/zUcV8L4T4iJvBnC8xXTQeto7+qU9YTmbYhms4xy u1CPpAXUHnwrNMkI5nqBtB8TSIEeHgmfS456/7oe9Kl+0F8hq7FkZ+1/IYxQOAPC 0drl8A8tfUroBiw+aI2aWJAq2gUoQFVpyAYi7IUBXnmGZ7H1CMcO+KpG+33L0glH oz5DxsuzHyYZYWD1NiKfre4QxMHrT9xXWoNQIHkwgEjDlQXTAqd5rhz9b13TjMmn hiHG3XtF+FvSwFJeTNk/yVYe8ZvjbXUS3BWS65HqTiRKx0iEtkkf2Z1VsieVMUGO LiWvxztz9Z4OSIUWxOFcC8WLTlIDTcIqMM79JLC33o22YSwIRqsE7u5mGiG6yZBN s78ILkqXauxQ1MSDXPArOIZr6iJIqHtuAJbnZvmAQwSKbks/gnzY4WAX0SAw9M64 hhbEnr+zsiRSq30uGrU7fxFHr4MynagEiNaAbNG2kQEJ4nSgHoY0W59dXAuVVYFM UtYgsEeMnPlaBij+ecgmk/xfpEZDQ/phaHtTKzTQUE3JWLkB/VsLz1gwZO1poH8e dOuvm5RULY29YlHcEoM+ =V456 -----END PGP SIGNATURE-----

1 0

Re: [stunnel-users] stunnel 5.18 may keep high CPU usage
by Dod 14 Jun '15

14 Jun '15

Hello Michal, MT> for developers, so don't worry if you don't understand all of the output. After 5 hours of 25% CPU I decided to stunnel (again) with debug=info 2015.06.14 19:15:10 LOG6[cron]: Executing cron jobs 2015.06.14 19:19:39 LOG5[cron]: DH parameters updated 2015.06.14 19:19:39 LOG6[cron]: Cron jobs completed in 269 seconds This time DH calculation ran for 4 minutes, which is the expected behavior. btw I am developer too so no problem with the log file ;-) regards. MT> -----BEGIN PGP SIGNED MESSAGE----- MT> Hash: SHA1 MT> Hi Dod, >> 2015.06.14 10:55:06 LOG5[cron]: DH parameters updated >> >> btw if there is some message to tell about DH calculation >> ended, shouldn't be one to say that DH calculation started ? >> this could be usefull. MT> I have added logging it while replying the previous email. 8-) >> Is there some interesting higher log level I could activate to >> get more (but not too much) logs that may help me to >> understand this strange behavior ? MT> Yes. Use "debug = info" or "debug = debug". The latter is intended MT> for developers, so don't worry if you don't understand all of the output. MT> Best regards, MT> Mike MT> -----BEGIN PGP SIGNATURE----- MT> Version: GnuPG v1 MT> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ MT> iQIcBAEBAgAGBQJVfasGAAoJEC78f/DUFuAU78MP/2WTHetqYubWkhEC9OykxVji MT> rTcps69fyE+904T/sSkRWoEiZFX2MFkQQuIwHsVuRdQecxhfqOGmj5R8xpDJQPBB MT> HsT/G/xgCRqCmWbO0HlQg2Tz5td9gsfIRJi9g1T8dHkImUXQUNC2gcqRowmMvcKx MT> Ly2YF8opHZZwA/p305hjuKM6+ziXn7eLdW0yp24LTfXxZigr0QiWvmMjtxhhJ7P0 MT> UgywVTKFBJ1/mJw1TXArOrk/sFiynooLLbYIEhS2rsyXo9m2UHCIRnbvwI9iXCuz MT> foiTPjFRtkWKSsKkcFXHIRpXD3WP07XjtaIzP2XyyK7JVFAsUQNhIBJBBUATJ18r MT> GtzyRIU/zHbmbL/jem9AJkyuw+eQ5E65QhA5eTI8fAKcceFmCq7Pu/HsN1Zk3enV MT> l6NbHSuY0eyvChQ44dzM4UyiNNMBFJczfmPbM5KdwbvLHHtxvbdlLH81HAe7TmVK MT> JuxHVYHZma9PZ/+19dhScl785Ae1TxoCRab9HeShhC6SFdPZ4HV4mZHleYMNCZvP MT> f7d75qDHQZYxZhunP9xqcsoHdhY1rTO0AWZC9TMER+0jbqCcpdEzMaD2L2F8glP2 MT> PUR2StD1EHlVlpzVZL63EJK0vi91dwI/AUiuoolhPkSRtxEwGUc+eNYKcBru8Ca+ MT> O+3Sq6GcWknVd6xu+fNs MT> =ucCs MT> -----END PGP SIGNATURE----- mailto:dodfr@yahoo.com

1 0

stunnel 5.18 release
by Michal Trojnara 12 Jun '15

12 Jun '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.18 of stunnel. The ChangeLog entry: Version 5.18, 2015.06.12, urgency: MEDIUM: * New features - OpenSSL DLLs updated to version 1.0.2b. https://www.openssl.org/news/secadv_20150611.txt - Added "include" configuration file option to include all configuration file parts located in a specified directory. - Log file is reopened every 24 hours. With "log = overwrite" this feature can be used to prevent filling up disk space. - Temporary DH parameters are refreshed every 24 hours, unless static DH parameters were provided in the certificate file. - Unique initial DH parameters are distributed with each release. - Warnings are logged on potentially insecure authentication. - Improved compatibility with the current OpenSSL 1.1.0-dev tree: removed RLE compression support, etc. - Updated stunnel.spec (thx to Bill Quayle). * Bugfixes - Fixed handling of dynamic connect targets. - Fixed handling of trailing whitespaces in the Content-Length header of the NTLM authentication. - Fixed --sysconfdir and --localstatedir handling (thx to Dagobert Michelsen). Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 0532c0a2f8de3da1ab625e384146501ce5936fac63d01561c3a9bf652b692317 stunnel-5.18.tar.gz 9b9a64f30d4dc72f19a2f6482f5bcf76bb67cf3dd859bdd615e0345e1bb8dd41 stunnel-5.18-installer.exe a73befed476f423dee0ff25f38449570fb9f6a07ab90321d9c38e3962f833939 stunnel-5.18-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVeuE3AAoJEC78f/DUFuAU88wP/jfyOCsCBwCcIxNoQhEU5k4d mczXvWtaw0gBrOivrzgBZS0w621D66DGoXt6yMwMp1suWY9spTWZ+VjQJM8oFCul iFwYWyFyxiTOGRFXGCPEff8f4OGbGoxHfDaIrHR5AGvTzguznKTDXzM7cjixqWF9 vL/t08ZjoDWOZIVJuN8M9sVQWn7gzPnyJpvpW2D240aITBx348ZWt/QGqX4yOSzL tQCojXRO6W+rOq0WUdeDFp7CAMB7IZgZsZljqOUn4Q0wHgzuar0Kq1ZLQEkgoX5V lGJ99yZ74/H1RUDcVKGrdksX0atuf6SfzbTvZ/Osp0z7/NlWzhbCt6emYpSLxyzr 2IMX4T8Y593rDovT6AjOb2D4W0sJqAMfUMrs7+T43lYvEbQY8CoEBOH2St5h6X7Y 2ZIa1XMvMmaN08/QyUq6WqxEz0se9BPtUCC+oFjDlGw0oWrqKs1zzJAIpg0HHPOy j1NpBVPnuZz1WlTT/oGLIIVm6w8wATSKthIXstNtofXpSvJ1J94UntC3+0xga7KD SzaOm9w9kpDEtD0EwArLwak5cSevzdXQR4xfmU5OK/UohsdyTLBOab6iY3htmokk JOWIKZztATN7dq8YGvMfJvIiM1ij8Eg14wsahlwfwMZ+eGSvS5lTWvYsSirnnNFi XTrCfpnrKgrfLkUXhbtH =CdmE -----END PGP SIGNATURE-----

1 0

TLS version
by Deepak Subbanarasimha 11 Jun '15

11 Jun '15

Does Stunnel version 4.1 support sslVersion "TLSv1.2 " and above? If not, what version of stunnel supports "TLSv1.2" Thanks, DEEPAK SUBBANARASIMHA Kewill DDI: +00 (1) 978 482 2625 Email: deepak.subbanarasimha(a)kewill.com<mailto:deepak.subbanarasimha@kewill.com> www.kewill.com<http://www.kewill.com/> Tel: +00 (1) 978 482 2500 | Fax: +00 (1) 978 482 2501 1 Executive Drive, Chelmsford, MA 01824, USA IMPORTANT NOTICE: This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by telephone at (978) 482-2500 and return the original message to us at the listed email address. In accordance with Kewill policy, emails sent and received may be monitored. Kewill accepts no responsibility for any loss or damage should this email contain any virus, or similar destructive or mischievous code. Thank You. Copyright (c) 2013 by Kewill Inc IMPORTANT NOTICE: This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately return the original message to the sender at the listed email address. In accordance with Kewill policy, emails sent and received may be monitored. Although Kewill takes reasonable precautions to minimize the risk, Kewill accepts no responsibility for any loss or damage should this email contain any virus, or similar destructive or mischievous code.

2 1

INTERNAL ERROR: s_poll_wait returned 1, but no descriptor is ready
by Florian Gossin 10 Jun '15

10 Jun '15

HI, I'm trying to setup a connection from JDBC to pgbouncer through stunnel. Unfortunately, I get the above error message when I try to connect. Here are the logs from stunnel: 2015.06.09 16:56:13 LOG7[3]: SSL state (accept): SSLv3 read client certificate A 2015.06.09 16:56:13 LOG7[3]: SSL state (accept): SSLv3 read client key exchange A 2015.06.09 16:56:13 LOG7[3]: SSL state (accept): SSLv3 read certificate verify A 2015.06.09 16:56:13 LOG7[3]: SSL state (accept): SSLv3 read finished A 2015.06.09 16:56:13 LOG7[3]: SSL state (accept): SSLv3 write change cipher spec A 2015.06.09 16:56:13 LOG7[3]: SSL state (accept): SSLv3 write finished A 2015.06.09 16:56:13 LOG7[3]: SSL state (accept): SSLv3 flush data 2015.06.09 16:56:13 LOG7[3]: 4 server accept(s) requested 2015.06.09 16:56:13 LOG7[3]: 4 server accept(s) succeeded 2015.06.09 16:56:13 LOG7[3]: 0 server renegotiation(s) requested 2015.06.09 16:56:13 LOG7[3]: 0 session reuse(s) 2015.06.09 16:56:13 LOG7[3]: 3 internal session cache item(s) 2015.06.09 16:56:13 LOG7[3]: 0 internal session cache fill-up(s) 2015.06.09 16:56:13 LOG7[3]: 0 internal session cache miss(es) 2015.06.09 16:56:13 LOG7[3]: 0 external session cache hit(s) 2015.06.09 16:56:13 LOG7[3]: 0 expired session(s) retrieved 2015.06.09 16:56:13 LOG6[3]: SSL accepted: new session negotiated 2015.06.09 16:56:13 LOG6[3]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption) 2015.06.09 16:56:13 LOG7[3]: Compression: null, expansion: null 2015.06.09 16:56:13 LOG6[3]: Failover strategy: round-robin 2015.06.09 16:56:13 LOG6[3]: s_connect: connecting 127.0.0.1:46432 2015.06.09 16:56:13 LOG7[3]: s_connect: s_poll_wait 127.0.0.1:46432: waiting 10 seconds 2015.06.09 16:56:13 LOG5[3]: s_connect: connected 127.0.0.1:46432 2015.06.09 16:56:13 LOG5[3]: Service [pgbouncer-client] connected remote server from 127.0.0.1:54633 2015.06.09 16:56:13 LOG7[3]: Remote socket (FD=9) initialized 2015.06.09 16:56:13 LOG6[3]: Read socket closed (read hangup) 2015.06.09 16:56:13 LOG7[3]: Sending close_notify alert 2015.06.09 16:56:13 LOG7[3]: SSL alert (write): warning: close notify 2015.06.09 16:56:13 LOG6[3]: SSL_shutdown successfully sent close_notify alert 2015.06.09 16:56:13 LOG3[3]: INTERNAL ERROR: s_poll_wait returned 1, but no descriptor is ready 2015.06.09 16:56:13 LOG5[3]: Connection reset: 58 byte(s) sent to SSL, 164 byte(s) sent to socket 2015.06.09 16:56:13 LOG7[3]: Remote socket (FD=9) closed 2015.06.09 16:56:13 LOG7[3]: Local socket (FD=8) closed 2015.06.09 16:56:13 LOG7[3]: Service [pgbouncer-client] finished (0 left) In pgbouncer, I get the following error: Pooler Error: bad packet header: '70' And in JDBC, the following exception: GRAVE: ERROR: bad packet header: '70' org.postgresql.util.PSQLException: ERROR: bad packet header: '70' Where might be the problem ? Does the stunnel parameter protocol=pgsql work with JDBC ? Thank you

2 1

How to tell what Ciphers are supported?
by Del Benjamin 06 Jun '15

06 Jun '15

I am using the pre-compiled windows binary version of stunnel in client mode, how do I tell on that version what cipher versions I can use? Essentially the equivalent of this command in openssl *openssl* *ciphers* [*-s*] [*-v*] [*-V*] [*-ssl3*] [*-tls1*] [*-stdname*] [ *cipherlist*]

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users June 2015