March 2017 - stunnel-users

stunnel FIPS mode 140-2/ Other Modes
by mehmet ozisik 19 Sep '25

19 Sep '25

Hi All, I would like to ask a question about stunnel fips mode. There are lots of question and answers on the internet related with this, but I could not find any answer related with mine. I am compiling with openssl (auto detecting fips) . Here is a part of confgiure output : checking for FIPS_mode_set... yes configure: FIPS mode detected So I am thinking that fips also is being included. Then I try to run stunnel on target platform (in stunnel.conf fips=yes) and it gives below error : Compiled/running with OpenSSL 0.9.8w-fips 23 Apr 2012 Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Reading configuration from file stunnel.conf FIPS_mode_set: 2D06906E: error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match there are lots of information about this errror on internet. Then when I configure stunnel.conf with fips=no, stunnel is running successfully. I know that fips=yes means that enables FIPS 140-2 mode and I guess my fips canister does not supoort fips 140-2 mode (I do not know which fips mode it has supported). Now my question is coming : When I set fips=no, stunnel also starts with other available fips modes which the canister included? Or it skips running fips mode completely? Plase inform me if anyone has any idea? Regards

2 1

Requests to cloud server that requires host header
by Lorne Kates 13 Nov '24

13 Nov '24

(related to Akamai message from before-- but I have better troubleshooting information). I'm tying to route traffic through stunnel to a "cloud" based-endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net) But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud". Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net. I've tried adding "delay = yes" and "sni = test.authorize.net", but neither work. To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode. This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll This is what you'll get if you try to use stunnel (400 invalid url) : https://23.195.204.150/gateway/transact.dll So how can I get stunnel to send the proper Request Header (host: test.authorize.net) make sure it's using http/1.1, etc?

4 3

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

Stunnel & Gmail security
by BOXI31 TEST 16 Oct '20

16 Oct '20

Hi all, To make "Stunnel 5.31" work with Gmail, I have to go in security settings of Gmail and "allow less secure apps to access my account". Is it mandatory ? Is it possible to set Stunnel to access Gmail without lowering it security level ? How ? I checked in log file TLS v1.2 is used by Stunnel but Gmail still consider it as a "less secure app." ! Regards, Steve

2 1

Stunnel Version Vulnerability-Currently using 5.04
by Tracy Drake - IQGC-C 28 Mar '17

28 Mar '17

Hello Stunnel Users Forum! I wonder if anyone may have suggestions of what, if anything can be done to surmount a reported vulnerability for Stunnel versions prior to 5.34. I have limited savvy in this arena so please excuse this "Stunnel for Dummies" question. The following statements surfaced in a "security vulnerabilities" report... The version of stunnel installed on the remote host is 4.46 or later but prior to 5.34. It is, therefore, affected by a security bypass vulnerability related to the validation of level 4 peer certificates. An unauthenticated, remote attacker can exploit this to have an impact on confidentiality, integrity, and/or availability. No other details are available. I am of the mind that perhaps an entry in Stunnel.conf until we can deploy an upgrade? Thanks in advance for any feedback! Upgrade to stunnel version 5.34 or later. -- Tracy Drake CSM Senior Consultant GSA-FAS CAMEO Contractor URSA & INFOConnect Support & Training Team Lead 704-987-1211 tracy.drake(a)gsa.gov

1 0

Multi source VPN connectivity
by Aykut SAY 24 Mar '17

24 Mar '17

Hi, We are working on a integration project and we need to connect our application to three different sources. These three sources have their own VPN. Can stunnel connect to three different vpn from one server? If yes, which version of stunnel we need to install to our server? Thanks, Aykut

1 0

stunnel public private key authentication like ssh
by Michael Power 23 Mar '17

23 Mar '17

Is there a way to configure stunnel just to check the public key of the provided certificate? I want authentication between the server and the client to take place by public key only, no PKI just like ssh. Is this possible? Is this verify level 4, or does that still check the CN against the host that I am connecting to? Michael Power

1 0

update stunnel with engine pkcs11
by Heinsbroek, Peter 20 Mar '17

20 Mar '17

Hallo, I’m a newbee in C programming. I have to upgrade stunnel 5.31 with engine_pkcs11 (0.1.8) for windows to the latest versions. (5.40 & 0.2.2) My engine_pkcs.c contains an subroutine my_get_pin (see attachment line 707) that reads a pin from a file in the windows folder. After reading it ,it transforms the pin to hexadecimal, if not already done, and writes it back in the file. After adjusting the new source it compiles without errors, but when executing it doesn’t work anymore. I also attached the old engine_pkcs11.c as we used it. Can someone help me with this problem. After compairing the old and new source I noticed that there have been major improvements to the source With regards, Peter Heinsbroek Application manager NT / SQL20xx Tel. +31 (0)88 265 9869 Mob. +31 6 5375 3244 Werner von Siemensstraat 3 2712 PN Zoetermeer, Nederland Org. unit PS Central Fin Services Unit 02 SI NL Email peter.heinsbroek(a)atos.net<mailto:peter.heinsbroek@atos.netm> Web www.nl.atos.net<UrlBlockedError.aspx> Atos IT Solutions and Services B.V. Comm. Register The Hague no. 27380688 This e-mail is intended exclusively for the addressee(s), and may not be forwarded or made available for use to any person other than the addressee(s). If you are not the intended recipient, please notify the sender thereof and destroy/delete the message. The sender disclaims any liability as regards (the content of) this e-mail. This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, Atos’ liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. On all offers and agreements under which Atos Nederland B.V. supplies goods and/or services of whatever nature, the Terms of Delivery from Atos Nederland B.V. exclusively apply. The Terms of Delivery shall be promptly submitted to you on your request.

1 0

Fwd: Stunnel Performance strangeness
by Scott McKeown 10 Mar '17

10 Mar '17

Hi All, We have been doing some throughput testing and are wondering of you can help explain some of the results we have been getting. We are trying to establish the maximum number of handshakes per second our appliances can do when using Stunnel. Our tests have been done on a 4 core Intel(R) Xeon(R) CPU E3-1230 v5 @ 3.40GHz machine with 8Gb ram. Using stunnel 5.33 openssl 1.0.2j (We use stunnel 5.33 here, but this was also tested with stunnel 5.40 and we got the same issue) Stunnel was compiled with - ./configure --enable-fips --enable-ipv6 --with-threads=pthread --sysconfdir=/etc --with-ssl=/usr/src/built/OpenSSL_1_0_2j-no_march/usr/local/ --disable-libwrap --disable-systemd I was using a python script of my own design for load testing when I noticed the problem we then switched to an open source package called vegeta https://github.com/tsenart/vegeta the command I was using to run it was - echo "GET https://10.10.10.10:443" | ./vegeta attack -workers=30 -rate=3000 -duration=300s -insecure > test.out We are essentially seeing a degradation in throughput at a fixed point in time. I am seeing the problem when using 3000 transactions per second. We are doing https gets through stunnel to a http backend, 1 transaction is an ssl handshake the http get and waiting for the response. Interestingly if I try 5.06 it works fine I get a smooth constant loading. Please take a look at 30worker3000rate5.33-300s.png where you can see after about 55 seconds there is a jump in latency. I get the same issue if I run the test with 2000 transactions. Please see 30worker20005.33-700s.png but with the lower transaction rate the issue takes longer to rear its head. The issue doesnt happen if I run the test with 3000 transaction using 5.06. Please see 30worker3000rate5.06-300s.png >From looking at the graphs our thoughts were that we were hitting some sort of cache limit and used that as a starting point. We have taken a look at the code changes between versions we know were working and the problematic version and the main thing that stands out is the changes to the leak detection. Previously this was partially based on the number of clients but has been changed to use the sections. This led to the decision to try a different limit value and found the number of connections we saw before seeing an issue corresponds to the change of the limit value. We think we have identified the code that is causing the problem/doing something funny it was added in 5.33 NOEXPORT long leak_threshold() { long limit; limit=10000*((int)number_of_sections+1); #ifndef USE_FORK limit+=100*num_clients; #endif return limit; } its src/str.c when increasing the limit number so limit=10000*((int)number_of_sections+1) to limit=20000*((int)number_of_sections+1) This still results in an increase in response time but at a later time in the test, please see 30worker3000rate5.33-ben-highlimit.png Interestingly once I end up in this state I am stuck with high latencies until I restart stunnel. (The box I am testing on was left over night to make sure its not any hanging tcp connections or anything like that) I must admit we are at the limit of our C understanding and your imput would be welcomed. -- With Kind Regards. Scott McKeown Loadbalancer.org http://www.loadbalancer.org Tel (UK) - +44 (0) 3303801064 <0330%20380%201064> (24x7) Tel (US) - +1 888.867.9504 <+1%20888-867-9504> (Toll Free)(24x7)

1 0