stunnel-users May 2018

stunnel-users@stunnel.org

19 participants
21 discussions

Requests to cloud server that requires host header
by Lorne Kates 13 Nov '24

13 Nov '24

(related to Akamai message from before-- but I have better troubleshooting information). I'm tying to route traffic through stunnel to a "cloud" based-endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net). But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud". Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net. I've tried adding "delay = yes" and "sni = test.authorize.net", but neither work. To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode. This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll This is what you'll get if you try to use stunnel (400 invalid url) : https://23.195.204.150/gateway/transact.dll So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?

4 3

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

Stunnel & Gmail security
by BOXI31 TEST 17 Oct '20

17 Oct '20

Hi all, To make "Stunnel 5.31" work with Gmail, I have to go in security settings of Gmail and "allow less secure apps to access my account". Is it mandatory ? Is it possible to set Stunnel to access Gmail without lowering it security level ? How ? I checked in log file TLS v1.2 is used by Stunnel but Gmail still consider it as a "less secure app." ! Regards, Steve

2 1

port-only accept value binds to 127.0.0.1, instead of the wildcard address
by Poor Yorick 30 May '18

30 May '18

The stunnel 6.45 documentation for "accept" states, "If no host specified, defaults to all IPv4 addresses for the local host." In this case, stunnel actually binds to 127.0.0.1. Indeed, inspection of the relevant code paths reveals that addr_list->passive is never set to 1 in this case. To get stunnel to bind to all addresses, 0.0.0.0 must be explicitly specified. Furthermore, inspection of the code path for the "local" option reveals that addr_list->passive is set to 1 in this case, which seems to be backwards: The documentation for getaddrinfo states that AI_PASSIVE is ignored in this case. The logic for these two cases seems to be reversed. -- Yorick

1 0

stunnel 5.46 released
by Michal Trojnara 28 May '18

28 May '18

Dear Users, I have released version 5.46 of stunnel. Version 5.46, 2018.05.28, urgency: MEDIUM * New features - The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK". * Bugfixes - Default accept address restored to INADDR_ANY. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 76aab48c28743d78e4b2f6b2dfe49994b6ca74126046c179444f699fae7a84c7 stunnel-5.46.tar.gz 721cc4d7c385743df767a32a53c11477def2440ae20ad4538d8e685f7b7d6538 stunnel-5.46-win32-installer.exe d08a3b3598868064db08d6f0e3a97e3c49dedbf6c8d7f348a613b832eca16dd6 stunnel-5.46-android.zip Best regards, Mike

1 0

Stunnel stopps in Windows Failover Cluster
by Tobias Gillstöm 28 May '18

28 May '18

Hi, I'm having problems with Stunnel in a Windows Failover Cluster. When a failover happens and the stunnel service changes node that it's running on, the service changes node just fine but the stunnel service dosen't appear to be doing anything? If anyone has some prior knowledge about Stunnel in a Windows Failover Cluster i would appreciate the help :)

1 0

stunnel and CAPI on Windows
by Brian Ipsen 23 May '18

23 May '18

Hi I am trying to use the Microsoft certificate store/API for client validation of Windows hosts towards an F5. Everything works, when we use file-based certificates - but for security purposes I would prefer to use the windows certificate store, and set the private key on the client as non-exportable... I have enabled the engineId = capi in the global section of stunnel.conf - and for the required client/service I have: [F5CertAdmin] client=yes accept = 127.0.0.1:1679 connect = w.x.y.z:443 delay = yes sni = ssl79admpki.xxxx.com CApath = C:\Program Files (x86)\stunnel\config\certs CAFile = C:\Program Files (x86)\stunnel\config\certs\GlobalSign-Cert-Chain.pem verify = 2 engineId = capi key = BaaSClientCertificateCP cert = BaaSClientCertificateCP I have a certificate in the local computer certificate store with the supplied name - but stunnel is not able to locate it... Is it because it will look under the user account? If yes, will it look under the local machine when running as local system ? The output from stunnel says: [ ] Initializing service [F5CertAdmin] [ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2 [ ] TLS options: 0x03000004 (+0x03000000, -0x00000000) [ ] Client certificate engine (capi) enabled [ ] Loading certificate from engine ID: BaaSClientCertificateCP [!] ENGINE_ctrl_cmd: Peer suddenly disconnected [ ] Initializing private key on engine ID: BaaSClientCertificateCP [!] ENGINE_load_private_key: 26096080: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key [ ] Loading certificate from file: BaaSClientCertificateCP [!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib [!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib [!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory [!] Service [F5CertAdmin]: Failed to initialize TLS context @am6pr03mb3813.eurprd03.prod.outlook.com>Any advice appreciated... Thanks Brian

1 0

stunnel 5.45 released
by Michal Trojnara 21 May '18

21 May '18

Dear Users, I have released version 5.45 of stunnel. Version 5.45, 2018.05.21, urgency: MEDIUM * New feature sponsored by https://loadbalancer.org/ - Implemented delayed deallocation of service sections after configuration file reload. * Other new features - OpenSSL DLLs updated to version 1.0.2o. - Deprecated the sslVersion option. - The "socket" option is now also available in service sections. - Implemented try-restart in the SysV init script (thx to Peter Pentchev). - TLS 1.3 compliant session handling for OpenSSL 1.1.1. - Default "failover" value changed from "rr" to "prio". - New "make check" tests. * Bugfixes - A service no longer refuses to start if binding fails for some (but not all) addresses:ports. - Fixed compression handling with OpenSSL 1.1.0 and later. - _beginthread() replaced with safer _beginthreadex(). - Fixed exception handling in libwrap. - Fixed exec+connect services. - Fixed automatic resolver delaying. - Fixed a Gentoo cross-compilation bug (thx to Joe Harvell). - A number of "make check" framework fixes. - Fixed false postive memory leak logs. - Build fixes for OpenSSL versions down to 0.9.7. - Fixed (again) round-robin failover in the FORK threading model. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 548244839b8a4bf4dffea46c97893b203d1b9eed118c3dd6a9ac4d8d02592ee3 stunnel-5.45.tar.gz fc13a224c7ec1290035efe8317c53d62a0980a5ab2efe8930b06aae269fbe873 stunnel-5.45-win32-installer.exe 29025eaed007c62856f16c7a8a22f9713eee9762ed95009f6f91f729c35c0bc0 stunnel-5.45-android.zip Best regards, Mike

1 0

configuring Stunnel
by support 20 May '18

20 May '18

The config as described hereby did work properly a few times giving a secured connection. All of a sudden this is no longer working? Any suggestions? Namens IMS evba Paul Waegemans +32475341310 <mailto:support@imseuro.be> support(a)imseuro.be <http://eu.ntrsupport.com/inquiero/web/digisign/digisign.asp?login=I23EBF509 C6B51A9E700D43&lang=nl>

1 0

UTF8 BOM in PSKsecrets file
by Jakob Hirsch 17 May '18

17 May '18

Hi! I just found out (after a while of troubleshooting) that stunnel does not handle UTF-8 BOM in the PSKsecrets file, i.e. the BOM is considered part of the identity (tested with 5.44, 5.45b4 and 5.45b6 on Windows 10 1709). It was a little tricky to figure this out, as the BOM is apparently filtered out in the logs, e.g. the server just says 'No key found for PSK identity "client1"'. Ok, nobody says that this is supported or that you should do it, it just happens automatically when you click "Edit Configuration" in the Windows GUI and click "Save as" (out of convenience, because you will already be in the config directory then), because the sample config has a BOM and Notepad will also insert a BOM in the new file. I don't know how much work it would be to handle the BOM correctly or at least print a warning (didn't look at the code, sorry), a warning in the manual would probably sufficient, as it could be that I'm the first one to stumble over this (at least I didn't find anything about it on the net). Regards (and thanks for this nice piece of software) Jakob

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users May 2018