stunnel-users May 2020

stunnel-users@stunnel.org

16 participants
27 discussions

Stunnel 5.57b2 OpenSSL 1.1.1g
by Olaf Brandt 19 May '20

19 May '20

Hi, I have an issue with stunnel since OpenSSL was updated to 1.1.1g. Stunnel has been build from scratch after the update and gives those errors: [ ] Clients allowed=500 [.] stunnel 5.57 on x86_64-pc-linux-gnu platform [.] Compiled/running with OpenSSL 1.1.1g 21 Apr 2020 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*__errno_location ()) [.] Reading configuration from file /etc/stunnel/stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [dns_local] [ ] stunnel default security level set: 2 [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x02100004 (+0x00000000, -0x00000000) [ ] No certificate or private key specified [!] error queue: crypto/x509/by_file.c:205: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib [!] error queue: crypto/pem/pem_info.c:196: error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib [!] error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error [!] error queue: crypto/asn1/tasn_dec.c:1118: error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header [!] SSL_CTX_load_verify_locations: crypto/asn1/asn1_lib.c:91: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long [!] Service [dns_local]: Failed to initialize TLS context [ ] Deallocating section defaults [ ] Deallocating section [dns_local] [ ] Deallocating section defaults Config: chroot=/var/lib/stunnel pid=/var/run/stunnel.pid debug = debug [dns_local] sslVersion = TLSv1.3 client = yes accept = localhost:1053 connect = 185.95.218.42:853 checkHost = dns.digitale-gesellschaft.ch verifyPeer = yes CAfile = /etc/stunnel/cf.crt [dns_local_fallback] sslVersion = TLSv1.3 client = yes accept = localhost:1054 connect = 185.95.218.43:853 checkHost = dns.digitale-gesellschaft.ch verifyPeer = yes CAfile = /etc/stunnel/cf43.crt OpenSSL check of the cert files seems OK: openssl x509 -text -noout -in /etc/stunnel/cf.crt Certificate: Data: Version: 3 (0x2) Serial Number: 03:16:19:87:62:ac:be:ec:92:7b:6e:75:b8:a3:2e:ba:ea:28 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Validity Not Before: May 17 21:00:22 2020 GMT Not After : Aug 15 21:00:22 2020 GMT Subject: CN = dns.digitale-gesellschaft.ch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:c0:01:03:42:24:5b:07:7e:46:06:fc:e0:21:56: 93:c4:6a:3c:88:c8:df:be:91:d6:d8:7a:b7:fc:3f: 8c:f1:b9:74:ec:c1:3b:2b:02:fe:27:93:1e:d6:d3: a1:95:31:ed:c7:06:26:28:74:60:7e:70:53:39:4b: e5:43:c2:81:dc:50:f3:d7:9e:0b:87:5b:2c:e8:a8: eb:71:bc:7b:04:92:d5:be:66:ba:0e:d8:9f:27:28: 77:9f:7c:68:2f:2f:64:2d:8a:86:f7:cf:c6:3a:c1: 1b:d4:e9:95:d6:c0:f3:77:f3:cd:79:16:40:86:ce: d5:dc:be:b2:c6:5b:7c:fe:e3:68:8d:25:61:41:a8: 99:b3:f4:62:60:19:bf:96:32:46:ef:e4:6a:c2:3d: 00:f6:44:b9:63:94:50:0e:fb:a0:e1:88:eb:79:cf: b7:a5:d1:29:0c:d6:bf:ee:ad:1b:9b:8e:7c:94:4f: f8:5a:0e:a7:5e:62:e7:67:61:9e:83:cb:a0:f7:56: f6:bc:ec:df:4d:60:6a:fe:08:fa:1c:ae:17:05:54: 0f:b0:f8:1f:6c:78:ca:a0:99:ec:4b:06:b3:79:97: 88:d1:7e:c8:93:cf:15:6b:9d:ea:d2:ef:88:da:1b: e8:2b:dd:0d:6e:f2:7e:f3:75:60:03:6a:87:64:79: e6:1f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 9C:E3:0E:F4:F1:60:60:EC:21:7D:D8:D6:5F:0E:7B:FF:90:DB:68:01 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA: E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C Timestamp : May 17 22:00:22.318 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:3D:7F:5A:57:E3:CE:42:A0:2A:16:FD:59: AE:7A:11:19:AE:BE:BE:AA:5A:4A:B0:1E:66:8E:D6:21: A8:35:F8:CB:02:21:00:DB:06:63:54:26:03:76:28:CD: 05:BF:08:8B:1B:95:2B:D2:A1:B3:AC:63:6A:DD:84:E7: 84:3A:70:A6:54:31:2B Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77: 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13 Timestamp : May 17 22:00:22.412 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:21:00:EA:BC:2D:B6:B1:71:0B:CE:75:A7:15: 86:D2:C0:05:49:08:38:CC:B9:EF:DA:1F:23:53:1A:5F: BD:31:19:A5:0A:02:20:21:2F:94:08:61:D0:A8:CA:3F: 71:D3:54:4D:E3:56:50:91:51:A6:01:16:77:9E:AE:31: 2E:43:E1:68:C0:CE:F2 Signature Algorithm: sha256WithRSAEncryption 9b:b8:24:f8:30:fc:77:5d:67:91:40:c7:bf:58:cf:64:67:7f: 87:33:8e:04:19:93:98:bb:35:cb:4e:b3:78:c0:04:5c:48:f4: 74:38:f2:57:02:38:3b:84:19:aa:9b:39:08:1d:f9:62:f4:c7: af:e4:17:40:02:99:7a:c5:24:fc:ee:b1:d5:95:b0:a2:58:f0: db:44:0f:50:3c:92:81:e8:8f:81:4d:e1:eb:e4:86:5d:d0:c8: 31:d2:30:07:7f:56:48:65:bd:a0:01:38:19:81:e4:80:38:21: 1f:ae:13:96:54:cd:9f:b1:cb:b2:47:00:f0:8b:d4:0d:61:29: 99:cb:71:ee:f6:53:ab:27:45:33:7b:0c:f4:e4:85:58:a7:8e: 58:8e:88:04:0d:e8:03:18:41:e6:8f:b5:c1:c1:9d:da:57:0a: 85:d7:19:05:4f:f9:8f:8c:b5:60:3f:67:f0:d8:fd:10:98:ad: de:25:88:7b:67:0f:bd:e1:7c:21:fb:35:8c:b2:26:78:de:b1: 54:a4:e9:9f:e0:48:d6:1a:0e:60:a6:f6:21:8c:b3:df:21:a1: 0c:16:d4:ab:93:3a:5d:94:22:34:40:5b:7e:ef:ea:f8:a1:15: d6:8d:69:aa:40:fe:ae:6f:79:dd:49:49:1a:88:0f:15:61:19: 00:f8:41:6c openssl x509 -text -noout -in /etc/stunnel/cf43.crt Certificate: Data: Version: 3 (0x2) Serial Number: 03:2b:84:39:5e:99:3d:2d:85:52:63:3a:d2:fa:bc:2e:60:4b Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Validity Not Before: Mar 16 22:01:15 2020 GMT Not After : Jun 14 22:01:15 2020 GMT Subject: CN = dns.digitale-gesellschaft.ch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:bc:0e:73:84:9c:89:7c:f8:2a:db:79:5f:78:ac: 39:a8:c5:25:b4:86:5b:9e:1c:3c:14:a6:17:ae:67: f1:02:17:0b:dc:36:ea:a1:9c:57:91:5b:5a:91:6b: df:7b:4c:74:7e:6c:e2:eb:5f:a5:95:02:25:43:c1: 3e:f0:67:5d:80:27:6f:37:72:0e:1f:b7:c3:13:e2: 3a:a5:13:b6:41:d0:01:aa:d0:7f:68:d4:5e:10:95: ee:17:bb:8d:8b:77:a3:7e:c8:9e:7a:8a:35:8a:09: 00:82:80:67:70:34:ac:f5:bc:24:4a:b9:c4:df:1f: 1e:e4:48:66:a8:76:60:d8:a3:d5:64:3b:9d:7e:7b: 18:99:f7:31:a5:28:4e:a4:47:24:25:af:18:32:d5: f9:98:67:21:f7:49:23:c2:72:00:73:e5:25:ca:af: a5:ae:df:00:62:d8:f2:5e:1e:8a:26:5a:63:5b:22: e1:eb:2d:b4:e9:57:de:16:8c:a0:72:db:ff:82:46: b8:d8:55:ad:55:84:e5:65:b5:86:8b:47:00:ea:85: 0d:74:c6:9d:9f:95:e4:3a:19:fe:3d:8f:5f:4b:f8: ed:a5:93:3f:ea:31:fd:41:74:7e:6b:ae:bf:98:9a: 70:85:d8:9f:51:85:fc:5e:11:eb:b9:60:6a:c3:bf: 81:f7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: DE:64:78:2F:E4:81:84:C3:C9:3F:5C:01:DB:D0:42:E2:0D:CB:48:B8 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32: 7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58 Timestamp : Mar 16 23:01:15.249 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:04:32:96:55:70:AB:40:41:3B:E2:6C:E3: 8E:78:1E:82:F7:84:57:6A:76:2C:11:2B:24:A6:BB:72: 59:F1:F9:8A:02:20:67:12:DB:64:C1:D8:15:5D:3F:ED: 8B:8F:01:68:B8:A1:D2:B0:20:2B:32:54:11:14:82:72: 06:B8:E6:1C:1C:69 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA: E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C Timestamp : Mar 16 23:01:15.303 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:1B:C7:5B:F2:A9:04:12:6A:62:E8:33:F9: BD:08:39:1D:0F:F3:39:8D:F2:F8:37:E3:C8:05:CC:1B: E7:31:F7:83:02:20:12:47:02:D3:E3:93:48:9A:F3:5A: B9:F4:12:85:87:0F:D4:F2:B7:79:F5:8C:DD:77:D4:5E: BE:D0:95:27:83:9C Signature Algorithm: sha256WithRSAEncryption 82:30:ea:0a:6f:45:53:e7:f8:a0:80:69:47:a4:7d:ee:6a:78: a3:34:00:f1:bb:0d:c8:3a:1f:37:8e:25:f9:9d:cc:a5:e0:15: 03:a5:da:2a:28:af:89:97:f9:d6:20:61:ae:1e:16:80:f4:1a: 2c:08:ac:74:f3:80:2f:ae:17:f7:f4:b4:1c:b7:f1:59:f9:73: fd:12:cb:e3:48:36:bd:fe:99:38:69:44:7f:3b:dc:38:98:54: 75:f5:00:d0:de:93:eb:5a:4d:5e:65:d0:99:9e:64:75:8f:cd: e4:6f:1e:22:d5:8f:cb:4d:78:ef:0e:70:38:b7:f0:af:4d:30: 7b:9a:ea:1d:6c:b7:cb:18:2b:de:5a:18:d2:4b:bb:e6:79:b2: 45:8b:01:dc:d1:15:45:cc:cc:f0:5d:a6:98:10:90:72:d2:da: ef:7a:3c:1c:af:42:f0:7f:85:5b:49:53:e8:b3:51:11:e4:93: fc:b3:8a:dc:bc:5c:40:8d:bb:36:be:36:87:09:de:23:19:29: 1d:f3:7e:70:5b:43:43:ad:6e:a4:b4:55:ac:9e:f5:10:05:31: a7:a5:00:66:8a:e7:67:4e:02:2a:2d:40:d4:2c:e8:f1:bb:35: 8d:b7:cf:52:b0:71:04:72:d0:ab:fb:e6:f6:c7:45:33:db:88: d5:90:f0:32 Any suggestions? Thanks.

1 0

client with two source IPs and one destination
by Daniele Basaldella 12 May '20

12 May '20

Dear group, I've to configure a couple of tunneled connections (call them TC1 and TC2), client side, on a linux system. The target of both such connections is the same (destination ip and port are the same, call it DST). At source side (my server) I have a two IP addresses (call them IP1 and IP2) assigned and currently working to its unique NIC. I normally use iptables SNAT to split the traffic between IP1 and IP2 depending on destination addresses but in this case I've to distinguish it at application level (TC1 and TC2). I'd like to get TC1 to set the outgoing traffic with source address IP1 and TC2 to set outgoing traffic with source address IP2. Tunnel Tunnel Client Server TC1: IP1 --\ >--> DST TC2: IP2 --/ I'm thinking to set one entry in stunnel.conf for each TC1 and TC2 and use *transparent* = source clause to set the source address but it seems my case is not so common and I didn't find documentation. Please could you suggest a solution. Thanks

3 3

iOS 13.4.1 Blue Iris now working
by John McClymont 12 May '20

12 May '20

After more research, stunnel and blue iris now working on IOS 13.4.1 sslVersion = TLSv1.2 <--- added this to stunnel.conf [BlueIris] accept=1440 connect=192.168.0.2:8080 <---- tried 8080 failed, tried 127.0.0.1 failed cert = stunnel.pem Like I said not an expert,

1 0

client with two source IPs and one destination
by Brent Kimberley 11 May '20

11 May '20

Hi Daniele.I haven't looked at exact scenario. Have you considered stunnel+HAproxy? Dear group, I've to configure a couple of tunneled connections (call them TC1 and TC2), client side, on a linux system. The target of both such connections is the same (destination ip and port are the same, call it DST). At source side (my server) I have a two IP addresses (call them IP1 and IP2) assigned and currently working to its unique NIC. I normally use iptables SNAT to split the traffic between IP1 and IP2 depending on destination addresses but in this case I've to distinguish it at application level (TC1 and TC2). I'd like to get TC1 to set the outgoing traffic with source address IP1 and TC2 to set outgoing traffic with source address IP2. Tunnel Tunnel Client Server TC1: IP1 --\ >--> DST TC2: IP2 --/ I'm thinking to set one entry in stunnel.conf for each TC1 and TC2 and use *transparent* = source clause to set the source address but it seems my case is not so common and I didn't find documentation. Please could you suggest a solution. Thanks

1 0

iOS 13.4.1 Blue Iris
by John McClymont 11 May '20

11 May '20

Hi I have been using stunnel or a number of years to create a secure connect to CCTV recording software. Today after upgrading to IOS 13.4.1 I can no longer connect I ran generate self signed certificate, still fails. Searching I found others with similar problem, some have created a cert using other providers. I would prefer to generate from stunnel as I have always done config [BlueIris] accept=1440 connect=8080 cert = stunnel.pem I am no expert, basically followed a simple setup read few comments that it maybe due to IOS no longer supporting certain version of ssl Hopefully you can help Log 2020.05.11 22:59:04 LOG5[main]: stunnel 5.56 on x64-pc-mingw32-gnu platform 2020.05.11 22:59:04 LOG5[main]: Compiled/running with OpenSSL 1.1.1c 28 May 2019 2020.05.11 22:59:04 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI 2020.05.11 22:59:04 LOG5[main]: Reading configuration from file stunnel.conf 2020.05.11 22:59:04 LOG5[main]: UTF-8 byte order mark detected 2020.05.11 22:59:04 LOG6[main]: Initializing service [BlueIris] 2020.05.11 22:59:04 LOG6[main]: Loading certificate from file: stunnel.pem 2020.05.11 22:59:04 LOG6[main]: Certificate loaded from file: stunnel.pem 2020.05.11 22:59:04 LOG6[main]: Loading private key from file: stunnel.pem 2020.05.11 22:59:04 LOG6[main]: Private key loaded from file: stunnel.pem 2020.05.11 22:59:04 LOG6[main]: DH initialization not needed 2020.05.11 22:59:04 LOG6[main]: Initializing service [gmail-pop3] 2020.05.11 22:59:04 LOG6[main]: Initializing service [gmail-imap] 2020.05.11 22:59:04 LOG6[main]: Initializing service [gmail-smtp] 2020.05.11 22:59:04 LOG6[main]: Initializing service [meinberg-smtp] 2020.05.11 22:59:04 LOG6[main]: Loading certificate from file: stunnel.pem 2020.05.11 22:59:04 LOG6[main]: Certificate loaded from file: stunnel.pem 2020.05.11 22:59:04 LOG6[main]: Loading private key from file: stunnel.pem 2020.05.11 22:59:04 LOG6[main]: Private key loaded from file: stunnel.pem 2020.05.11 22:59:04 LOG4[main]: Service [meinberg-smtp] needs authentication to prevent MITM attacks 2020.05.11 22:59:04 LOG5[main]: Configuration successful 2020.05.11 22:59:04 LOG6[main]: Service [BlueIris] (FD=564) bound to 0.0.0.0:1440 2020.05.11 22:59:04 LOG6[main]: Service [gmail-pop3] (FD=728) bound to 127.0.0.1:110 2020.05.11 22:59:04 LOG6[main]: Service [gmail-imap] (FD=732) bound to 127.0.0.1:143 2020.05.11 22:59:04 LOG6[main]: Service [gmail-smtp] (FD=736) bound to 0.0.0.0:25 2020.05.11 22:59:04 LOG6[main]: Service [meinberg-smtp] (FD=740) bound to 192.168.0.2:2525 2020.05.11 22:59:04 LOG6[cron]: Executing cron jobs 2020.05.11 22:59:04 LOG6[cron]: Cron jobs completed in 0 seconds 2020.05.11 22:59:55 LOG5[0]: Service [BlueIris] accepted connection from 192.168.0.142:58797 2020.05.11 22:59:55 LOG6[0]: Peer certificate not required 2020.05.11 22:59:55 LOG3[0]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[1]: Service [BlueIris] accepted connection from 192.168.0.142:58798 2020.05.11 22:59:55 LOG6[1]: Peer certificate not required 2020.05.11 22:59:55 LOG3[1]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[2]: Service [BlueIris] accepted connection from 192.168.0.142:58799 2020.05.11 22:59:55 LOG6[2]: Peer certificate not required 2020.05.11 22:59:55 LOG3[2]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 22:59:55 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[3]: Service [BlueIris] accepted connection from 192.168.0.142:58800 2020.05.11 22:59:55 LOG6[3]: Peer certificate not required 2020.05.11 22:59:55 LOG3[3]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[4]: Service [BlueIris] accepted connection from 192.168.0.142:58801 2020.05.11 22:59:55 LOG6[4]: Peer certificate not required 2020.05.11 22:59:55 LOG3[4]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[4]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[5]: Service [BlueIris] accepted connection from 192.168.0.142:58802 2020.05.11 22:59:55 LOG6[5]: Peer certificate not required 2020.05.11 22:59:55 LOG3[5]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 22:59:55 LOG5[5]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[6]: Service [BlueIris] accepted connection from 192.168.0.142:58803 2020.05.11 22:59:55 LOG6[6]: Peer certificate not required 2020.05.11 22:59:55 LOG3[6]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[7]: Service [BlueIris] accepted connection from 192.168.0.142:58804 2020.05.11 22:59:55 LOG6[7]: Peer certificate not required 2020.05.11 22:59:55 LOG3[7]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[7]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[8]: Service [BlueIris] accepted connection from 192.168.0.142:58805 2020.05.11 22:59:55 LOG6[8]: Peer certificate not required 2020.05.11 22:59:55 LOG3[8]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 22:59:55 LOG5[8]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[9]: Service [BlueIris] accepted connection from 192.168.0.142:58806 2020.05.11 22:59:55 LOG6[9]: Peer certificate not required 2020.05.11 22:59:55 LOG3[9]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[9]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[10]: Service [BlueIris] accepted connection from 192.168.0.142:58807 2020.05.11 22:59:55 LOG6[10]: Peer certificate not required 2020.05.11 22:59:55 LOG3[10]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[10]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[11]: Service [BlueIris] accepted connection from 192.168.0.142:58808 2020.05.11 22:59:55 LOG6[11]: Peer certificate not required 2020.05.11 22:59:55 LOG3[11]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 22:59:55 LOG5[11]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[12]: Service [BlueIris] accepted connection from 192.168.0.142:58809 2020.05.11 22:59:55 LOG6[12]: Peer certificate not required 2020.05.11 22:59:55 LOG3[12]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[12]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[13]: Service [BlueIris] accepted connection from 192.168.0.142:58810 2020.05.11 22:59:55 LOG6[13]: Peer certificate not required 2020.05.11 22:59:55 LOG3[13]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:55 LOG5[13]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:55 LOG5[14]: Service [BlueIris] accepted connection from 192.168.0.142:58811 2020.05.11 22:59:55 LOG6[14]: Peer certificate not required 2020.05.11 22:59:55 LOG3[14]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 22:59:55 LOG5[14]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:56 LOG5[15]: Service [BlueIris] accepted connection from 192.168.0.142:58812 2020.05.11 22:59:56 LOG6[15]: Peer certificate not required 2020.05.11 22:59:56 LOG3[15]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:56 LOG5[15]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:56 LOG5[16]: Service [BlueIris] accepted connection from 192.168.0.142:58813 2020.05.11 22:59:56 LOG6[16]: Peer certificate not required 2020.05.11 22:59:56 LOG3[16]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 22:59:56 LOG5[16]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 22:59:56 LOG5[17]: Service [BlueIris] accepted connection from 192.168.0.142:58814 2020.05.11 22:59:56 LOG6[17]: Peer certificate not required 2020.05.11 22:59:56 LOG3[17]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 22:59:56 LOG5[17]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[18]: Service [BlueIris] accepted connection from 192.168.0.142:58815 2020.05.11 23:00:04 LOG6[18]: Peer certificate not required 2020.05.11 23:00:04 LOG3[18]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[18]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[19]: Service [BlueIris] accepted connection from 192.168.0.142:58816 2020.05.11 23:00:04 LOG6[19]: Peer certificate not required 2020.05.11 23:00:04 LOG3[19]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[19]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[20]: Service [BlueIris] accepted connection from 192.168.0.142:58817 2020.05.11 23:00:04 LOG6[20]: Peer certificate not required 2020.05.11 23:00:04 LOG3[20]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 23:00:04 LOG5[20]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[21]: Service [BlueIris] accepted connection from 192.168.0.142:58818 2020.05.11 23:00:04 LOG6[21]: Peer certificate not required 2020.05.11 23:00:04 LOG3[21]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[21]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[22]: Service [BlueIris] accepted connection from 192.168.0.142:58819 2020.05.11 23:00:04 LOG6[22]: Peer certificate not required 2020.05.11 23:00:04 LOG3[22]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[22]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[23]: Service [BlueIris] accepted connection from 192.168.0.142:58820 2020.05.11 23:00:04 LOG6[23]: Peer certificate not required 2020.05.11 23:00:04 LOG3[23]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 23:00:04 LOG5[23]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[24]: Service [BlueIris] accepted connection from 192.168.0.142:58821 2020.05.11 23:00:04 LOG6[24]: Peer certificate not required 2020.05.11 23:00:04 LOG3[24]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[24]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[25]: Service [BlueIris] accepted connection from 192.168.0.142:58822 2020.05.11 23:00:04 LOG6[25]: Peer certificate not required 2020.05.11 23:00:04 LOG3[25]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[25]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[26]: Service [BlueIris] accepted connection from 192.168.0.142:58823 2020.05.11 23:00:04 LOG6[26]: Peer certificate not required 2020.05.11 23:00:04 LOG3[26]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 23:00:04 LOG5[26]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[27]: Service [BlueIris] accepted connection from 192.168.0.142:58824 2020.05.11 23:00:04 LOG6[27]: Peer certificate not required 2020.05.11 23:00:04 LOG3[27]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[27]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[28]: Service [BlueIris] accepted connection from 192.168.0.142:58825 2020.05.11 23:00:04 LOG6[28]: Peer certificate not required 2020.05.11 23:00:04 LOG3[28]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[28]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[29]: Service [BlueIris] accepted connection from 192.168.0.142:58826 2020.05.11 23:00:04 LOG6[29]: Peer certificate not required 2020.05.11 23:00:04 LOG3[29]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 23:00:04 LOG5[29]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[30]: Service [BlueIris] accepted connection from 192.168.0.142:58827 2020.05.11 23:00:04 LOG6[30]: Peer certificate not required 2020.05.11 23:00:04 LOG3[30]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[30]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[31]: Service [BlueIris] accepted connection from 192.168.0.142:58828 2020.05.11 23:00:04 LOG6[31]: Peer certificate not required 2020.05.11 23:00:04 LOG3[31]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[31]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[32]: Service [BlueIris] accepted connection from 192.168.0.142:58829 2020.05.11 23:00:04 LOG6[32]: Peer certificate not required 2020.05.11 23:00:04 LOG3[32]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 23:00:04 LOG5[32]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[33]: Service [BlueIris] accepted connection from 192.168.0.142:58830 2020.05.11 23:00:04 LOG6[33]: Peer certificate not required 2020.05.11 23:00:04 LOG3[33]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[33]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[34]: Service [BlueIris] accepted connection from 192.168.0.142:58831 2020.05.11 23:00:04 LOG6[34]: Peer certificate not required 2020.05.11 23:00:04 LOG3[34]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter 2020.05.11 23:00:04 LOG5[34]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.05.11 23:00:04 LOG5[35]: Service [BlueIris] accepted connection from 192.168.0.142:58832 2020.05.11 23:00:04 LOG6[35]: Peer certificate not required 2020.05.11 23:00:04 LOG3[35]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback 2020.05.11 23:00:04 LOG5[35]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

1 0

Solution: REDIR not Working in Chrome, Edge (new), Opera
by Joe Sterk 08 May '20

08 May '20

I found the solution to the REDIR issue posted in April. You can find more information at https://support.google.com/chrome/forum/AAAAP1KN0B02tttvx4VCDQ/?hl=en&gpf=%…. The issue is going from https --> http or https. Our software company added an additional CRLR at the end so it looks like this now: "HTTP/1.1 301 Moved Permanently\r\n" + "Location: https://www.abc.com<https://www.abc.com/>" + http.req.url.path_and_query.http_url_safe + "\r\n\r\n". Joe Sterk

1 0

Stunnel 4 with Shoutcast 2.6
by Ali 02 May '20

02 May '20

I am trying to add ssl to my shoutcast stream. I get the messages below when I try to start or restart shoutcast. I have purchased an ssl cert and key for this and it did not work via the shoutcast config, so I gave this a shot. The key and certs with combined into the stunnel.pem. See below and thanks for the help. I also added the stunnel config below. client=no [shoutcast] accept=8002 (I also tried 443) connect=localhost:8000 cert = /etc/stunnel/stunnel.pem pid=/etc/stunnel/stunnel.pid -permissions are set to chmod 600 Stunnel Dir root@kwaxstreamserver:/etc/stunnel# l cert.pem key.pem README stunnel.conf stunnel.pem Stunnel on START Clients allowed=500 stunnel 4.53 on x86_64-pc-linux-gnu platform Compiled with OpenSSL 1.0.1e 11 Feb 2013 Running with OpenSSL 1.0.1f 6 Jan 2014 Update OpenSSL shared libraries or rebuild stunnel Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6 Reading configuration from file stunnel.conf Compression not enabled Snagged 64 random bytes from /root/.rnd Wrote 1024 new random bytes to /root/.rnd PRNG seeded successfully Line 6: "pid = /etc/stunnel/stunnel.pid": Specified option name is not valid here str_stats: 7 block(s), 1063 data byte(s), 406 control byte(s) Stunnel on RESTART root@kwaxstreamserver:/etc/stunnel# /etc/init.d/stunnel4 restart Restarting SSL tunnels: Clients allowed=500 stunnel 4.53 on x86_64-pc-linux-gnu platform Compiled with OpenSSL 1.0.1e 11 Feb 2013 Running with OpenSSL 1.0.1f 6 Jan 2014 Update OpenSSL shared libraries or rebuild stunnel Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6 Reading configuration from file /etc/stunnel/stunnel.conf Compression not enabled Snagged 64 random bytes from /root/.rnd Wrote 1024 new random bytes to /root/.rnd PRNG seeded successfully Line 6: "pid = /etc/stunnel/stunnel.pid": Specified option name is not valid here str_stats: 7 block(s), 1076 data byte(s), 406 control byte(s) [Failed: /etc/stunnel/stunnel.conf] You should check that you have specified the pid= in you configuration file

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users May 2020