stunnel-users May 2022

stunnel-users@stunnel.org

9 participants
12 discussions

Requests to cloud server that requires host header
by Lorne Kates 13 Nov '24

13 Nov '24

(related to Akamai message from before-- but I have better troubleshooting information). I'm tying to route traffic through stunnel to a "cloud" based-endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net). But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud". Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net. I've tried adding "delay = yes" and "sni = test.authorize.net", but neither work. To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode. This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll This is what you'll get if you try to use stunnel (400 invalid url) : https://23.195.204.150/gateway/transact.dll So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?

4 3

Re: [stunnel-users] CPU 100%
by Eric Eberhard 06 Nov '24

06 Nov '24

Long ago I had a server with a bad network card. Every once in a while it would spew uncontrollable bytes onto the network. If you open a stunnel connection and it does that this could very well be the problem. If it cheap, try changing the network card. If not, you should be able to look in your firewall/router and it will tell you who is sending what bytes to whomever. See if that machine is indeed streaming the bytes in massive quantities. If not, I would suspect your stunnel is getting stuck in it's own loop. There are a million reasons this can happen (well a few less than a million) - such as maybe a bad library in the FreeBSD or a bad choice in the Makefile - such as doing threads or something in a way your O/S does not like (I use threads=fork or whatever it is, instead of actual threading). You might tinker with some of the options that make the stunnel build and try different ones. Especially if stunnel was compiled on a different version of the O/S - could be differences in bytes in things and who knows what. That is all I can suggest beyond setting the debug level to 7 (I think is highest) and then watching the log file. Eric From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Murrey, Brian J. Sent: Wednesday, October 17, 2018 10:57 AM To: stunnel-users(a)stunnel.org Subject: [stunnel-users] CPU 100% We are running stunnel 5.49 on FreeBSD 11.2 and we're running into a problem once in a while. CPU pegs at 100% when we get an stunnel connection from one of our external devices. This affects 100% of all cores and we can't even log in to console. To mitigate this temporarily, we have a script running in the background to watch when stunnel begins to spike and restarts the daemon. It doesn't happen 100% of the time, and so far I have been unable to distinguish what makes the connection do this to the CPU. Have any of you run in to this issue? Sincerely, Brian Murrey System Engineer II, IT Infrastructure _____ NOTICE: This message may contain privileged and confidential information and/or protected health information intended solely for the use of the named recipient and may be privileged or otherwise protected by law. If you are not the intended recipient of this message, you should immediately notify the sender and delete this message. Do not disseminate, reproduce, or review this message or attachments if you are not the intended recipient. The sender or others may have legal rights restricting the dissemination of the information contained in this message and, as a result, remedies against you in the event of the improper dissemination of confidential information, trade secrets, personal information or privileged communications. This message is the work of the sender and does not necessarily reflect the position, views, or policies of TriMedx LLC or its affiliates. WARNING: The integrity and security of this message cannot be guaranteed and may contain or transmit a virus or other illicit code. Neither TriMedx LLC or its affiliates accept liability for any damage attributable to viruses or illicit code transmitted through this message or an attachment.

2 1

older browsers, stunnel and privoxy
by kovacs janos 04 Mar '24

04 Mar '24

sorry to bother, im trying to make older browsers be able to display TLS 1.1 and TLS 1.2 sites. i heard stunnel cant be configured to always forward to the current site address dynamically, thats why i would use privoxy. the browser is configured to send to: 127.0.0.1 443 stunnel config has this at the end: [Tunnel_in] client = yes accept = 127.0.0.1:443 connect = 127.0.0.1:8118 verifyChain = yes CAfile = ca-certs.pem checkHost = localhost 127.0.0.1:8118 is the privoxy address. this is what stunnel writes: LOG5[main]: Configuration successful LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261 LOG5[0]: s_connect: connected 127.0.0.1:8118 LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262 and the browser infinitely loads, and never loads anything or leaves the page. if i remove the last 3 lines, its the same just with this line added: LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks but it doesnt give an error or anything. with a configuration like: [Tunnel_out] client = no accept = 127.0.0.1:443 connect = 127.0.0.1:8118 cert = stunnel.pem this is what it gives: LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294 LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket and browser gives a server not found error immediately. im not even sure if i should use client or server configuration in a case like this, but none of them works anyway. all i would need is for my browser to get the pages decrypted, or at least in less than TLS1.1. like how on newipnow.com i can access sites with any encryption, since they are sent to the browser without encryption. the browser just gives an "unencrypted tunnel" warning, which is how i found stunnel, and which is exactly what i need, just locally.

8 41

TPM based mutual tls authentication
by Nyiri, Gabor (Nokia - HU/Budapest) 07 Nov '23

07 Nov '23

Hi, Can you help me how to configure stunnel client to use TPM for mutual TLS authentication? I want to connect with mTLS to a remote server then make this connection available for localhost without mTLS. Thanks for your help in advance! Here is my configuration so far without TPM: debug = debug output = /tmp/stunnel.log foreground = yes [mtls_client] client = yes accept = 127.0.0.1:12019 sni = server-with-mtls.example.com checkHost = server-with-mtls.example.com connect = 1.2.3.4:443 verifyChain = yes CApath = /etc/ssl/certs/ cert = client.crt key = client.key Thanks & br, Gábor Nyíri,

2 1

stunnel log
by Phillip Parker 29 May '22

29 May '22

I just installed the latest version of stunnel (5.64) but there is no log file. Log file is enabled in .conf but when I run a program I don't get any log output. Help

1 0

recent Problem sending email via Blat
by Phillip Parker 25 May '22

25 May '22

I have been using stunnel and Blat for several years to send emails. Recently all the emails stopped. Interestingly I also use PowerShell to send emails and they all stopped as well. That would seem to point to something external but I have no clue what that might be. I have searched the web and have found several posts talking about (Error: Not a Socket) from Blat log but I have been unable to find a solution. In any event for stunnel I have added below the config file and the log file with debug = 7 enabled and a screen shot of netstat -an. I also believe I am running the latest version of Stunnel and Blat. Just for additional info I have attached my powershell program and the resultant error. Any help on this issue would be greatly appreciated. Incidentally I am not a stunnel or Blat person I just want things to work like they were. ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log ; Use it for client mode client = yes ; Service-level configuration sslversion = all ;[Protocol] protocol = smtp [ssmtp] accept = 127.0.0.1:25 connect = smtp.live.com:587 =============================================== 2022.05.21 15:03:04 LOG5[5916:5920]: Reading configuration from file stunnel.conf 2022.05.21 15:03:04 LOG7[5916:5920]: PRNG seeded successfully 2022.05.21 15:03:05 LOG7[5916:5920]: SSL context initialized for service ssmtp 2022.05.21 15:03:05 LOG5[5916:5920]: Configuration successful 2022.05.21 15:03:05 LOG5[5916:5920]: No limit detected for the number of clients 2022.05.21 15:03:05 LOG7[5916:5920]: accept socket: FD=700 allocated (non-blocking mode) 2022.05.21 15:03:05 LOG7[5916:5920]: Option SO_REUSEADDR set on accept socket 2022.05.21 15:03:05 LOG7[5916:5920]: Service ssmtp bound to 127.0.0.1:25 2022.05.21 15:03:05 LOG7[5916:5920]: Service ssmtp opened FD=700 2022.05.21 15:03:05 LOG5[5916:5920]: stunnel 4.36 on x86-pc-mingw32-gnu with OpenSSL 1.0.0d 8 Feb 2 2022.05.21 15:03:05 LOG5[5916:5920]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT, IPv6 2022.05.21 15:39:56 LOG7[5916:7748]: local socket: FD=692 allocated (non-blocking mode) 2022.05.21 15:39:56 LOG7[5916:7748]: Service ssmtp accepted FD=692 from 127.0.0.1:62680 2022.05.21 15:39:56 LOG7[5916:7748]: Creating a new thread 2022.05.21 15:39:56 LOG7[5916:7748]: New thread created 2022.05.21 15:39:56 LOG7[5916:11272]: Service ssmtp started 2022.05.21 15:39:56 LOG7[5916:11272]: Option TCP_NODELAY set on local socket 2022.05.21 15:39:56 LOG5[5916:11272]: Service ssmtp accepted connection from 127.0.0.1:62680 2022.05.21 15:39:56 LOG7[5916:11272]: remote socket: FD=740 allocated (non-blocking mode) 2022.05.21 15:39:56 LOG6[5916:11272]: connect_blocking: connecting 204.79.197.212:587 2022.05.21 15:39:56 LOG7[5916:11272]: connect_blocking: s_poll_wait 204.79.197.212:587: waiting 10 seconds 2022.05.21 15:40:06 LOG3[5916:11272]: connect_blocking: s_poll_wait 204.79.197.212:587: TIMEOUTconnect exceeded 2022.05.21 15:40:06 LOG5[5916:11272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket Partial screen shot of netstat -an TCP 127.0.0.1:25 0.0.0.0:0 LISTENING TCP 127.0.0.1:4444 0.0.0.0:0 LISTENING TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING TCP 127.0.0.1:5354 127.0.0.1:53941 ESTABLISHED TCP 127.0.0.1:5354 127.0.0.1:58943 ESTABLISHED TCP 127.0.0.1:8884 0.0.0.0:0 LISTENING TCP 127.0.0.1:9012 0.0.0.0:0 LISTENING TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING TCP 127.0.0.1:33555 0.0.0.0:0 LISTENING TCP 127.0.0.1:42424 0.0.0.0:0 LISTENING TCP 127.0.0.1:53941 127.0.0.1:5354 ESTABLISHED TCP 127.0.0.1:58943 127.0.0.1:5354 ESTABLISHED TCP 127.0.0.1:60485 0.0.0.0:0 LISTENING TCP 127.0.0.1:60961 0.0.0.0:0 LISTENING TCP 127.0.0.1:62433 0.0.0.0:0 LISTENING 2022.05.21 15:40:06 LOG7[5916:11272]: Service ssmtp finished (0 left) 2022.05.21 15:40:06 LOG7[5916:11272]: str_stats: 0 blocks, 0 bytes Blat Log 2022.05.21 15:39:56 (Sat)------------Start of Session----------------- Blat v3.2.19 (build : Nov 18 2017 03:14:35) 32-bit Windows, Full, Unicode Error: Connection to server was dropped. *** Error *** SMTP server error Error: Not a socket. Error: Not a socket. 2022.05.21 15:40:06 (Sat)-------------End of Session------------------

2 1

Unexpected EOF while Reading
by Joe Sterk 24 May '22

24 May '22

Stunnel User, When we upgrade from 5.60 to 5.63 or 5.64 we start to get the unexpected eof while reading on the SSL_accept log. I re-loaded 5.60 and the error went away. Does anyone have any ideas on what to review to solve this issue? [cid:image001.png@01D86ECE.E6D97940] Joe Sterk CIO (Chief Information Officer) [Description: Description: cid:image004.jpg@01CD22BD.40F8C160] Insurance Services Corp. ? (972) 896-0384 (Mobile) * (707) 303-8105 (Work) * joes(a)QuieTrack.com<mailto:joes@QuieTrack.com>

1 0

Stunnel - TLS error unexpected eof while reading
by rick.gregson＠gmail.com 19 May '22

19 May '22

Hi All, I have recently configured stunnel on a Windows Server, it has been configured using a certificate from our internal CA and appears to be functioning ok. However we have a load balancer that is doing a health check against the service and is polling S-Tunnel availability every 5 seconds each time a poll occurs I am seeing the error posted below in the logs. 2022.05.12 10:22:55 LOG3[4113]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.05.12 10:22:55 LOG5[4113]: Connection reset: 217 byte(s) sent to TLS, 49 byte(s) sent to socket Can I please have some advice on how to stop this error? Thank you Rick

2 3

Getting error "CERT: Pre-verification error: self signed certificate"
by Christopher Schultz 14 May '22

14 May '22

All, I'm running stunnel 4.56 as a server on Linux, as I have been doing for a while. I require clients to connect using their own client certs and yesterday one of them expired. The client generated a new certificate and sent it to me to install, and I'm getting the error in the subject. Version details: $ sudo stunnel -help stunnel 4.56 on x86_64-koji-linux-gnu platform Compiled/running with OpenSSL 1.0.2k-fips 26 Jan 2017 Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP I have set verify=4 because I expect to place the exact certificate for every client into my CAFile. This has been working for years, and when I connect using openssl s_client, I can see which client certificates the server advertises it will allow to connect, and they reflect what I expect. The server certificate is also self-signed, so I copied that into the CAFile and I'm able to connect with openssl s_client using that certificate. So I think the problem can't be that the client's certificate is self-signed. So, to recap: 1. stunnel in server mode 2. CAFile points to a collection of PEM certs 3. verify=4 4. I can connect with my own valid, trusted, self-signed certificate 5. Client cannot connect with their valid, trusted, self-signed cert Any ideas? (Note: the client DOES appear to be using their new certificate, though I can only see the subject text which could be the same, yet with a different actual certificate.) Here is the debug(7) output from an attempted connection: : Starting certificate verification: depth=0, [subject] : CERT: Pre-verification error: self signed certificate : Certificate check failed: depth=0, [subject] : SSL alert (write): fatal: unknown CA : SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed : Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket Thanks, -chris

1 1

Is stunnel really compliant with RFC 2487 / RFC 3207 ?
by Javier 13 May '22

13 May '22

Hi, first of all, I still use a 32-bit release (the latest, I think), so maybe things have changed on Stunnel since. But the statement that the protocol smtp option for a service is compliant with RFC 2487, should be 3207 (it is from 2002!), has been in the docs for ages, even in the latest version, 5.64: *** smtp Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS *** Long ago I tested the protocol=smtp options as both, clients and server service, and I noticed that, and I think I told here to the list confirming it (maybe for some user using it on client mode), the option implied STARTTLS. Back then I didn't pay much attention to it. BUT the other day I was re-testing for a server service (own mail server sometimes I run) and... I said to my self that this shouldn't be like it was and well, I read the RFC and what tells is the following: *** A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure. A publicly-referenced SMTP server is an SMTP server which runs on port 25 of an Internet host listed in the MX record (or A record if an MX record is not present) for the domain name on the right hand side of an Internet mail address. *** https://datatracker.ietf.org/doc/html/rfc3207#section-4 So, if we use Stunnel to provide THE OPTION of secure TLS connections to other MTAs (MTA to MTA, or server to server) we are against the RFC itself as every connection to port 25 must be encrypted, or nothing, because, as Stunnel is the door to the port and only accepts the STARTTLS command, without redirecting any data to the mail server, no traffic on plain text reaches the server. Acting as a MSA (users - servers) there is no problem because, even if it hadn't/hasn't been widely supported, there are two ports 587 for plain text and 465 for TLS. So Stunnel could be set up to listen on 465 port only, directly accepting TLS sessions or after STARTTLS command (rejecting, in this case, those that don't want a secure channel). We have told several times, specially to newcomers (asking for http proxy, basically), that Stunnel isn't proxy, and it isn't, but in the case of a mail server it should act as is if we use it for a MTA mail server. It acts as is sending the welcome message from the mail server to the other MTA, but once the other MTA doesn't send a STARTTLS command, it closes the connection when, actually, what should do is pass all the dialog between MTAs. I think that is what Stunnel should do. And when just passing messages from mail server to the other MTA, just disable the logging for that connection. After all, the mail severs have already their own logs and there is no reason to log it on Stunnel, nor on the log screen/Stunnel window. Maybe just a line like "redirecting connection to the mail server". Said all the above, do latest versions behave differently? Do you think is a change that should be made to Stunnel to comply with the RFC, if on latest versions don't do yet, or am I wrong somewhere in my statement? Regards. P.S.: MTA: Mail Transfer Agent MSA: Mail Submission Agent MUA: Mail User Agent

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users May 2022