May 2018 - stunnel-users

stunnel FIPS mode 140-2/ Other Modes
by mehmet ozisik 19 Sep '25

19 Sep '25

Hi All, I would like to ask a question about stunnel fips mode. There are lots of question and answers on the internet related with this, but I could not find any answer related with mine. I am compiling with openssl (auto detecting fips) . Here is a part of confgiure output : checking for FIPS_mode_set... yes configure: FIPS mode detected So I am thinking that fips also is being included. Then I try to run stunnel on target platform (in stunnel.conf fips=yes) and it gives below error : Compiled/running with OpenSSL 0.9.8w-fips 23 Apr 2012 Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Reading configuration from file stunnel.conf FIPS_mode_set: 2D06906E: error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match there are lots of information about this errror on internet. Then when I configure stunnel.conf with fips=no, stunnel is running successfully. I know that fips=yes means that enables FIPS 140-2 mode and I guess my fips canister does not supoort fips 140-2 mode (I do not know which fips mode it has supported). Now my question is coming : When I set fips=no, stunnel also starts with other available fips modes which the canister included? Or it skips running fips mode completely? Plase inform me if anyone has any idea? Regards

2 1

Requests to cloud server that requires host header
by Lorne Kates 13 Nov '24

13 Nov '24

(related to Akamai message from before-- but I have better troubleshooting information). I'm tying to route traffic through stunnel to a "cloud" based-endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net) But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud". Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net. I've tried adding "delay = yes" and "sni = test.authorize.net", but neither work. To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode. This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll This is what you'll get if you try to use stunnel (400 invalid url) : https://23.195.204.150/gateway/transact.dll So how can I get stunnel to send the proper Request Header (host: test.authorize.net) make sure it's using http/1.1, etc?

4 3

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

Stunnel & Gmail security
by BOXI31 TEST 16 Oct '20

16 Oct '20

Hi all, To make "Stunnel 5.31" work with Gmail, I have to go in security settings of Gmail and "allow less secure apps to access my account". Is it mandatory ? Is it possible to set Stunnel to access Gmail without lowering it security level ? How ? I checked in log file TLS v1.2 is used by Stunnel but Gmail still consider it as a "less secure app." ! Regards, Steve

2 1

port-only accept value binds to 127.0.0.1, instead of the wildcard address
by Poor Yorick 30 May '18

30 May '18

The stunnel 6.45 documentation for "accept" states, "If no host specified, defaults to all IPv4 addresses for the local host." In this case, stunnel actually binds to 127.0.0.1. Indeed, inspection of the relevant code paths reveals that addr_list->passive is never set to 1 in this case. To get stunnel to bind to all addresses, 0.0.0.0 must be explicitly specified. Furthermore, inspection of the code path for the "local" option reveals that addr_list->passive is set to 1 in this case, which seems to be backwards: The documentation for getaddrinfo states that AI_PASSIVE is ignored in this case. The logic for these two cases seems to be reversed. -- Yorick

1 0

stunnel 5.46 released
by Michal Trojnara 28 May '18

28 May '18

Dear Users, I have released version 5.46 of stunnel. Version 5.46, 2018.05.28, urgency: MEDIUM * New features - The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK". * Bugfixes - Default accept address restored to INADDR_ANY. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 76aab48c28743d78e4b2f6b2dfe49994b6ca74126046c179444f699fae7a84c7 stunnel-5.46.tar.gz 721cc4d7c385743df767a32a53c11477def2440ae20ad4538d8e685f7b7d6538 stunnel-5.46-win32-installer.exe d08a3b3598868064db08d6f0e3a97e3c49dedbf6c8d7f348a613b832eca16dd6 stunnel-5.46-android.zip Best regards, Mike

1 0

Stunnel stopps in Windows Failover Cluster
by Tobias Gillstöm 28 May '18

28 May '18

Hi, I'm having problems with Stunnel in a Windows Failover Cluster. When a failover happens and the stunnel service changes node that it's running on, the service changes node just fine but the stunnel service dosen't appear to be doing anything? If anyone has some prior knowledge about Stunnel in a Windows Failover Cluster i would appreciate the help :)

1 0

stunnel and CAPI on Windows
by Brian Ipsen 23 May '18

23 May '18

Hi I am trying to use the Microsoft certificate store/API for client validation of Windows hosts towards an F5. Everything works, when we use file-based certificates - but for security purposes I would prefer to use the windows certificate store, and set the private key on the client as non-exportable... I have enabled the engineId = capi in the global section of stunnel.conf - and for the required client/service I have: [F5CertAdmin] client=yes accept = 127.0.0.1:1679 connect = w.x.y.z:443 delay = yes sni = ssl79admpki.xxxx.com CApath = C:\Program Files (x86)\stunnel\config\certs CAFile = C:\Program Files (x86)\stunnel\config\certs\GlobalSign-Cert-Chain.pem verify = 2 engineId = capi key = BaaSClientCertificateCP cert = BaaSClientCertificateCP I have a certificate in the local computer certificate store with the supplied name - but stunnel is not able to locate it... Is it because it will look under the user account? If yes, will it look under the local machine when running as local system ? The output from stunnel says: [ ] Initializing service [F5CertAdmin] [ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2 [ ] TLS options: 0x03000004 (+0x03000000, -0x00000000) [ ] Client certificate engine (capi) enabled [ ] Loading certificate from engine ID: BaaSClientCertificateCP [!] ENGINE_ctrl_cmd: Peer suddenly disconnected [ ] Initializing private key on engine ID: BaaSClientCertificateCP [!] ENGINE_load_private_key: 26096080: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key [ ] Loading certificate from file: BaaSClientCertificateCP [!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib [!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib [!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory [!] Service [F5CertAdmin]: Failed to initialize TLS context @am6pr03mb3813.eurprd03.prod.outlook.com>Any advice appreciated... Thanks Brian

1 0

stunnel 5.45 released
by Michal Trojnara 21 May '18

21 May '18

Dear Users, I have released version 5.45 of stunnel. Version 5.45, 2018.05.21, urgency: MEDIUM * New feature sponsored by https://loadbalancer.org/ - Implemented delayed deallocation of service sections after configuration file reload. * Other new features - OpenSSL DLLs updated to version 1.0.2o. - Deprecated the sslVersion option. - The "socket" option is now also available in service sections. - Implemented try-restart in the SysV init script (thx to Peter Pentchev). - TLS 1.3 compliant session handling for OpenSSL 1.1.1. - Default "failover" value changed from "rr" to "prio". - New "make check" tests. * Bugfixes - A service no longer refuses to start if binding fails for some (but not all) addresses:ports. - Fixed compression handling with OpenSSL 1.1.0 and later. - _beginthread() replaced with safer _beginthreadex(). - Fixed exception handling in libwrap. - Fixed exec+connect services. - Fixed automatic resolver delaying. - Fixed a Gentoo cross-compilation bug (thx to Joe Harvell). - A number of "make check" framework fixes. - Fixed false postive memory leak logs. - Build fixes for OpenSSL versions down to 0.9.7. - Fixed (again) round-robin failover in the FORK threading model. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 548244839b8a4bf4dffea46c97893b203d1b9eed118c3dd6a9ac4d8d02592ee3 stunnel-5.45.tar.gz fc13a224c7ec1290035efe8317c53d62a0980a5ab2efe8930b06aae269fbe873 stunnel-5.45-win32-installer.exe 29025eaed007c62856f16c7a8a22f9713eee9762ed95009f6f91f729c35c0bc0 stunnel-5.45-android.zip Best regards, Mike

1 0

configuring Stunnel
by support 20 May '18

20 May '18

The config as described hereby did work properly a few times giving a secured connection. All of a sudden this is no longer working? Any suggestions? Namens IMS evba Paul Waegemans +32475341310 <mailto:support@imseuro.be> support(a)imseuro.be <http://eu.ntrsupport.com/inquiero/web/digisign/digisign.asp?login=I23EBF509 C6B51A9E700D43&lang=nl>

1 0