Hi All
We have a segmentation fault with stunnel 5.57 running on RHEL 7:
Dec 10 16:54:32 prod001 kernel: stunnel[1572]: segfault at 278 ip 00007f3fdca229c2 sp 00007f3fd9011a28 error 6 in libssl.so.1.0.2k[7f3fdc9da000+67000]
$ uname -a
Linux prod001 3.10.0-1160.2.1.el7.x86_64 #1 SMP Mon Sep 21 21:00:09 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa|grep openssl
openssl-devel-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-1.0.2k-19.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
Below is the configuration:
===================================
pid = /home/admin/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#debug = 2
debug = 7
output = /home/admin/log/stunnel.log
########################################################
###
### INSTANCE 1: program1
###
### Tunnel for remote connection (Server_aaS)
###
[program1-remote-to-local]
cert = /home/admin/config/certs/prod001.crt
key = /home/admin/config/certs/prod001.key
accept = 192.168.1.33:7011
connect = 192.168.1.33:7001
### Tunnel for local connection
###
[program1-local-to-local]
client = yes
CAfile = /home/admin/config/certs/prod001.crt
accept = 127.0.0.1:7011
connect = 192.168.1.33:7011
### Tunnel to connect remote Tunnel
### SERVER-02 192.168.1.34:7021
###
[program1-01-to-02]
client = yes
CAfile = /home/admin/config/certs/prod002.crt
accept = 192.168.1.33:7021
connect = 192.168.1.34:7021
==========================================
$ ./stunnel -help
Initializing inetd mode configuration
stunnel 5.57 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2k-fips 26 Jan 2017
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Global options:
chroot = directory to chroot stunnel process
compression = compression type
EGD = path to Entropy Gathering Daemon socket
engine = auto|engine_id
engineCtrl = cmd[:arg]
engineDefault = TASK_LIST
fips = yes|no FIPS 140-2 mode
foreground = yes|quiet|no foreground mode (don't fork, log to stderr)
log = append|overwrite log file
output = file to append log messages
pid = pid file
RNDbytes = bytes to read from random seed files
RNDfile = path to file with random seed data
RNDoverwrite = yes|no overwrite seed datafiles with new random data
syslog = yes|no send logging messages to syslog
Service-level options:
accept = [host:]port accept connections on specified host:port
CApath = CA certificate directory for 'verify' option
CAfile = CA certificate file for 'verify' option
cert = certificate chain
checkEmail = peer certificate email address
checkHost = peer certificate host name pattern
checkIP = peer certificate IP address
ciphers = permitted ciphers for TLS 1.2 or older
client = yes|no client mode (remote service uses TLS)
config = command[:parameter] to execute
connect = [host:]port to connect
CRLpath = CRL directory
CRLfile = CRL file
curves = ECDH curve names
debug = [facility].level (e.g. daemon.info)
delay = yes|no delay DNS lookup for 'connect' option
engineId = ID of engine to read the key from
engineNum = number of engine to read the key from
exec = file execute local inetd-type program
execArgs = arguments for 'exec' (including $0)
failover = rr|prio failover strategy
ident = username for IDENT (RFC 1413) checking
include = directory with configuration file snippets
key = certificate private key
local = IP address to be used as source for remote connections
logId = connection identifier type
OCSP = OCSP responder URL
OCSPaia = yes|no check the AIA responders from certificates
OCSPflag = OCSP responder flags
OCSPnonce = yes|no send and verify the OCSP nonce extension
options = TLS option to set/reset
protocol = protocol to negotiate before TLS initialization
currently supported: cifs, connect, imap,
nntp, pgsql, pop3, proxy, smtp, socks
protocolAuthentication = authentication type for protocol negotiations
protocolDomain = domain for protocol negotiations
protocolHost = host:port for protocol negotiations
protocolPassword = password for protocol negotiations
protocolUsername = username for protocol negotiations
PSKidentity = identity for PSK authentication
PSKsecrets = secrets for PSK authentication
pty = yes|no allocate pseudo terminal for 'exec' option
redirect = [host:]port to redirect on authentication failures
renegotiation = yes|no support renegotiation
requireCert = yes|no require client certificate
reset = yes|no send TCP RST on error
retry = yes|no retry connect+exec section
service = service name
setgid = groupname for setgid()
setuid = username for setuid()
sessionCacheSize = session cache size
sessionCacheTimeout = session cache timeout (in seconds)
sessiond = [host:]port use sessiond at host:port
sni = master_service:host_name for an SNI virtual service
socket = a|l|r:option=value[:value]
set an option on accept/local/remote socket
sslVersion = all|SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2 TLS method
stack = thread stack size (in bytes)
ticketKeySecret = secret key for encryption/decryption TLSv1.3 tickets
ticketMacSecret = key for HMAC operations on TLSv1.3 tickets
TIMEOUTbusy = seconds to wait for expected data
TIMEOUTclose = seconds to wait for close_notify
TIMEOUTconnect = seconds to connect remote host
TIMEOUTidle = seconds to keep an idle connection
transparent = none|source|destination|both transparent proxy mode
verify = level of peer certificate verification
verifyChain = yes|no verify certificate chain
verifyPeer = yes|no verify peer certificate
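The kernel line at the top of the report already localizes the crash, but only once its fields are decoded. The Python below is an added triage helper, not part of the original post and not stunnel or OpenSSL code: it parses the x86 "segfault at ... error N in obj[base+size]" message, decodes the page-fault error bits, and computes the instruction pointer's offset inside the mapped library. For the reported line it yields a user-mode write to the unmapped address 0x278 (almost certainly a NULL struct pointer written at field offset 0x278) from offset 0x489c2 into libssl.so.1.0.2k. The library path passed to symbolize_command is an assumption supplied by the caller; the addr2line command it builds is only meaningful with the matching openssl-debuginfo package installed for the exact 1.0.2k-19.el7 build.

```python
import re

# Constructed sample: the kernel line quoted in the report above.
SEGFAULT_LINE = (
    "Dec 10 16:54:32 prod001 kernel: stunnel[1572]: segfault at 278 "
    "ip 00007f3fdca229c2 sp 00007f3fd9011a28 error 6 "
    "in libssl.so.1.0.2k[7f3fdc9da000+67000]"
)

# Shape of the x86 show_signal_msg() line. The trailing "in obj[base+size]"
# part is absent when the faulting ip is not inside a file-backed mapping.
_SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def parse_segfault(line):
    """Return a dict of decoded fields, or None if the line is not a segfault line."""
    m = _SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m.group("err"))
    info = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": int(m.group("addr"), 16),
        "ip": int(m.group("ip"), 16),
        "sp": int(m.group("sp"), 16),
        # x86 page-fault error code bits (the kernel's X86_PF_* flags):
        # bit 0 set = protection violation, clear = page not present
        # bit 1 set = write access, clear = read
        # bit 2 set = fault taken in user mode
        # bit 4 set = instruction fetch (NX violation)
        "protection_violation": bool(err & 0x1),
        "write": bool(err & 0x2),
        "user_mode": bool(err & 0x4),
        "instruction_fetch": bool(err & 0x10),
        "object": None,
        "object_offset": None,
    }
    if m.group("obj"):
        base = int(m.group("base"), 16)
        size = int(m.group("size"), 16)
        info["object"] = m.group("obj")
        if base <= info["ip"] < base + size:
            info["object_offset"] = info["ip"] - base
    # A fault address inside the first page is almost always a NULL struct
    # pointer dereferenced at that field offset rather than a wild pointer.
    info["null_plus_offset"] = info["fault_addr"] if info["fault_addr"] < 0x1000 else None
    return info


def describe(info):
    """One-line summary suitable for a triage note."""
    access = "write to" if info["write"] else "read from"
    if info["instruction_fetch"]:
        access = "instruction fetch at"
    cause = "protection violation" if info["protection_violation"] else "unmapped page"
    mode = "user mode" if info["user_mode"] else "kernel mode"
    parts = ["%s[%d]: %s 0x%x (%s, %s)"
             % (info["comm"], info["pid"], access, info["fault_addr"], cause, mode)]
    if info["null_plus_offset"] is not None:
        parts.append("looks like NULL pointer + 0x%x" % info["null_plus_offset"])
    if info["object_offset"] is not None:
        parts.append("ip is %s+0x%x" % (info["object"], info["object_offset"]))
    return "; ".join(parts)


def symbolize_command(info, object_path):
    """Build the addr2line call that maps the offset to a function name.
    object_path is an assumption supplied by the caller; it must be the exact
    library build that crashed, with its debuginfo installed."""
    if info["object_offset"] is None:
        return None
    return "addr2line -f -C -e %s 0x%x" % (object_path, info["object_offset"])


if __name__ == "__main__":
    decoded = parse_segfault(SEGFAULT_LINE)
    print(describe(decoded))
    # Assumed RHEL 7 path for the openssl-libs 1.0.2k library (not from the report).
    print(symbolize_command(decoded, "/usr/lib64/libssl.so.1.0.2k"))
```

The offset, not the raw ip, is what to feed to addr2line or gdb, because the library is loaded at a randomized base on every run; the decoded write-to-NULL-plus-0x278 pattern is also what to compare against any later core dump, since it distinguishes a reproducible logic bug in the TLS library from memory corruption elsewhere in the process.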