March 2018 - stunnel-users

[PATCH] TLS 1.3 Compatibility
by Nitin Mutkawoa 13 Mar '18

13 Mar '18

Hello, To add TLS 1.3 compatibility on Stunnel, the following patch was applied and tested. --- options.c.orig 2018-03-13 04:06:01.410477727 +0000 +++ options.c 2018-03-13 05:42:51.883782519 +0000 @@ -2675,6 +2675,18 @@ NOEXPORT char *parse_service_option(CMD #else /* defined(OPENSSL_NO_TLS1_2) */ return "TLSv1.2 not supported"; #endif /* !defined(OPENSSL_NO_TLS1_2) */ + } else if(!strcasecmp(arg, "TLSv1.3")) { +#ifndef OPENSSL_NO_TLS1_3 + section->client_method=(SSL_METHOD *)TLS_client_method(); + section->server_method=(SSL_METHOD *)TLS_server_method(); + section->ssl_options_set|= SSL_OP_NO_SSLv2; + section->ssl_options_set|= SSL_OP_NO_SSLv3; + section->ssl_options_set|= SSL_OP_NO_TLSv1; + section->ssl_options_set|= SSL_OP_NO_TLSv1_1; + section->ssl_options_set|= SSL_OP_NO_TLSv1_2; +#else /* defined(OPENSSL_NO_TLS1_3) */ + return "TLSv1.3 not supported"; +#endif #endif /* OPENSSL_API_COMPAT<0x10100000L */ } else return "Incorrect version of TLS protocol"; Please see this link for more info about the test for TLS 1.3 https://gist.github.com/jmutkawoa/c97f5d67ded592f6ad04389a3ade623e Regards Nitin J Mutkawoa https://tunnelix.com https://hackers.mu Twitter: @TheTunnelix

1 0

basic usage question
by Mark Foley 10 Mar '18

10 Mar '18

I'm trying to set up an ssl tunnel for VNC per the instructions at https://www.ibm.com/developerworks/library/l-sslvnc/index.html. I've not gotten very far into the steps. I tried: # stunnel -d 5905 -r 5900 -p /root/combined.pem [ ] Clients allowed=500 [.] stunnel 5.35 on x86_64-slackware-linux-gnu platform [.] Compiled with OpenSSL 1.0.2h 3 May 2016 [.] Running with OpenSSL 1.0.2n 7 Dec 2017 [.] Update OpenSSL shared libraries or rebuild stunnel [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP [ ] errno: (*__errno_location ()) [!] Invalid configuration file name "-d" [!] realpath: No such file or directory (2) [ ] Cron thread initialized I find nothing on the -d, -r or -p options in the manpage. This is my 1st posting to this list. I have very rudimentary skills with ssl, ssh, and certificates, mainly limited to getting certificates from a provider and installing for web and email; and creating public keys for ssh login using ssh-keygen. That's about it, so I'm pretty much a certified newbie. Help getting past the starting gate would be greatly appreciated. THX --Mark

1 0

[PATCH] Spectre v2 Vulnerability Mitigations
by Nitin Mutkawoa 07 Mar '18

07 Mar '18

Hello To prevent any leakage (Spectre v2) from a compromised VM on same physical host, this patch would mitigate the impact. --- configure.ac.orig 2018-03-04 01:46:55.877067173 +0400 +++ configure.ac 2018-03-04 01:49:26.422625147 +0400 @@ -101,6 +101,11 @@ if test "$GCC" = yes; then fi AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2]) +# Spectre v2 mitigations +AX_APPEND_COMPILE_FLAGS([-mfunction-return=thunk]) +AX_APPEND_COMPILE_FLAGS([-mindirect-branch=thunk]) + AC_MSG_NOTICE([**************************************** libtool]) LT_INIT([disable-static]) AC_SUBST([LIBTOOL_DEPS]) Kind regards, Nitin J Mutkawoa https://tunnelix.com https://hackers.mu

1 0

Re: [stunnel-users] Connect using TLS with public Web Server
by peter＠easthope.ca 06 Mar '18

06 Mar '18

From: Carlos Castro <carlos.castro.guerrero(a)gmail.com> Date: Fri, 2 Feb 2018 12:04:08 +0100 > I have older application and now I need connect with external server HTTPS > using TLS . My application doesn't support with TLS and I think use Stunnel > to connect with this Server HTTPS. Same requirement here. Have you tried this configuration? ; yourhost:/etc/stunnel4/stunnel.conf ... [https] client = yes accept = 443 transparent = destination Regards, ... Peter E. -- 123456789 123456789 123456789 123456789 123456789 123456789 123456789 Tel: +1 360 639 0202 Pender Is.: +1 250 629 3757 http://easthope.ca/Peter.html Bcc: peter at easthope. ca https://en.wikibooks.org/wiki/Medical_Suction_Machines https://en.wikibooks.org/wiki/Oberon

3 6

Stunnel in server mode with certificate from the Windows Certificate Store
by merlin＠mp3merlin.net 06 Mar '18

06 Mar '18

Hello, I'm trying to use stunnel in server mode with certificates from the Windows Certificate Store. I have a basic configuration which is working with a PEM certificate file and I'm trying to get it to use a cert via the CAPI engine. Here is my basic (working) config: debug = debug output = C:\stunnel\stunnel.log options = -NO_SSLv3 [https] accept = 443 connect = 80 cert = stunnel.pem Here is my config using the CAPI engine: debug = debug output = C:\stunnel\stunnel.log engine = capi engineCtrl = debug_level:2 engineCtrl = debug_file:c:\stunnel\capi.log engineCtrl = store_flags:1 engineCtrl = list_certs options = -NO_SSLv3 [https] accept = 443 connect = 80 engineId = capi However stunnel does not seem to find a certificate to use: [...] 2018.03.06 10:22:05 LOG7[main]: Enabling support for engine "capi" 2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_level:2 2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_file:c:\stunnel\capi.log 2018.03.06 10:22:05 LOG7[main]: Executing engine control command store_flags:1 2018.03.06 10:22:05 LOG7[main]: Executing engine control command list_certs 2018.03.06 10:22:05 LOG7[main]: Initializing engine #1 (capi) 2018.03.06 10:22:05 LOG6[main]: Engine #1 (capi) initialized [...] 2018.03.06 10:22:05 LOG6[main]: Initializing service [https] 2018.03.06 10:22:05 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2 2018.03.06 10:22:05 LOG7[main]: TLS options: 0x01004004 (+0x03004000, -0x02000000) 2018.03.06 10:22:05 LOG7[main]: No certificate or private key specified [...] And I have no certificates listed in the CAPI debug log: Setting debug level to 2 Setting debug file to c:\stunnel\capi.log Setting flags to 1 Listing certs for store MY Opening certificate store MY capi_cert_get_fname When I load the engine via OpenSSL, I can see that a certificate is present in the store: C:\stunnel\bin>openssl.exe engine -t dynamic -pre "SO_PATH:C:\stunnel\engines\capi.dll" -pre LOAD -post store_flags:1 -post store_name:MY -post list_certs WARNING: can't open config file: /devel/win32/openssl/openssl.cnf (dynamic) Dynamic engine loading support [Success]: SO_PATH:C:\stunnel\engines\capi.dll [Success]: LOAD Loaded: (capi) CryptoAPI ENGINE [ available ] [Success]: store_flags:1 Certificate 0 Friendly Name "test" Subject: CN = test Issuer: CN = test [Success]: list_certs This certificate (and the associated private key) has been generated via the IIS Manager console and I have imported it in the Local Computer Store (with the private key). Does anybody have any idea what I am missing to get this to work ? I can provide more logs and run more tests if necessary. I'm using Stunnel 5.44 on Windows 2008 R2. I tried with an older version (5.40) but same problem. Thanks. Kevin

1 0

Re: [stunnel-users] Re: Connect using TLS with public Web Server
by Carlos Castro 06 Mar '18

06 Mar '18

Hi All , it's mandatory for use stunnel wich the infrastructure has client stunnel and server stunnel ?? Or I can have client stunnel vs Web server HTTPS without stunnel server , only web server https . I newbie in stunnel , but i think is mandatory install stunnel in both sites , that's is correct? Regards On 05/03/18 20:23, Carlos Castro wrote: > > Thanks @Mike > > If possible use Squid + stunnel to solve the problem with host > header? The application is very very old . > > Thanks > > > On 05/03/18 20:06, Mike Spooner wrote: >> >> The problem is the "Host: ..." header that is being sent to the >> remote server. You need to configure 127.0.0.1:19021 as a proxy in >> your app (and curl) and then have the app (curl) fetch >> https://ctm.omego.net >> >> >> Not sure how to do that in curl, but search the curl manpage for any >> mentions of "proxy". >> >> -- Mike Spooner >> >> --------- Original Message --------- >> *From*: Carlos Castro >> *Date*: Mon Mar 05 12:28:15 GMT+00:00 2018 >> *Subject*: Re: [stunnel-users] Connect using TLS with public Web Server >> Hello >> >> Thanks @Peter >> >> >> Yes , my application not support TLS and I need the application connect >> using TLS , for this i using stunnel (i hope) >> >> When I make curl -v http://127.0.0.1:19021 : >> >> curl -v http://127.0.0.1:19201 >> * Rebuilt URL to: http://127.0.0.1:19201/ >> * Trying 127.0.0.1... >> * Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0) >> > GET / HTTP/1.1 >> > Host: 127.0.0.1:19201 >> > User-Agent: curl/7.47.0 >> > Accept: */* >> > >> * HTTP 1.0, assume close after body >> < HTTP/1.0 400 Bad Request >> < Server: AkamaiGHost >> < Mime-Version: 1.0 >> < Content-Type: text/html >> < Content-Length: 208 >> < Expires: Mon, 05 Mar 2018 12:25:53 GMT >> < Date: Mon, 05 Mar 2018 12:25:53 GMT >> < Connection: close >> >> The web ctm.omgeo.net only works in mode HTTPS , . >> >> Thanks Peter >> >> >> On 05/03/18 13:22, Peter Pentchev wrote: >> > On Mon, Mar 05, 2018 at 12:32:41PM +0100, Carlos Castro wrote: >> >> Hello , >> >> >> >> Thanks @Peter >> >> >> >> I'm trying to configure to connect with my PC to this Public server >> >> https://ctm.omgeo.net using TLS1.2 but i don't can. >> >> >> >> I'm need setup stunnel for old application doesn't support TLS , >> and this >> >> application need connect with this public server to send data. >> >> >> >> >> >> I'm using the Peter config , but nothing . I try this config : >> >> >> >> [omgeo] >> >> client = yes >> >> accept = 127.0.0.1:19201 >> >> connect = ctm.omgeo.net:443 >> >> verify = 2 >> >> CApath = /etc/ssl/certs/ >> >> >> >> >> >> I'm using Curl to try connect , I'm recive this error >> >> >> >> /etc/ssl/certs# curl -v https://127.0.0.1:19201 >> > Maybe I'm reading this wrong, but if your client application does not >> > support TLS, then it won't speak HTTPS, it would speak plain HTTP. >> > That's what the configuration you're using does - it tells stunnel to >> > run in client mode, i.e. something will connect to stunnel using >> > an unencrypted connection and stunnel will connect to a TLS server >> > (in this case an HTTPS server). >> > >> > So what happens when you try almost the same query, but with the "http" >> > scheme instead of the "https" one? >> > >> > curl -v http://127.0.0.1:19201 >> > >> > G'luck, >> > Peter >> > >> >> _______________________________________________ >> stunnel-users mailing list >> stunnel-users(a)stunnel.org >> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users >

2 1