stunnel-users May 2023

stunnel-users@stunnel.org

7 participants
13 discussions

Requests to cloud server that requires host header
by Lorne Kates 13 Nov '24

13 Nov '24

(related to Akamai message from before-- but I have better troubleshooting information). I'm tying to route traffic through stunnel to a "cloud" based-endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net). But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud". Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net. I've tried adding "delay = yes" and "sni = test.authorize.net", but neither work. To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode. This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll This is what you'll get if you try to use stunnel (400 invalid url) : https://23.195.204.150/gateway/transact.dll So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?

4 3

Re: [stunnel-users] CPU 100%
by Eric Eberhard 06 Nov '24

06 Nov '24

Long ago I had a server with a bad network card. Every once in a while it would spew uncontrollable bytes onto the network. If you open a stunnel connection and it does that this could very well be the problem. If it cheap, try changing the network card. If not, you should be able to look in your firewall/router and it will tell you who is sending what bytes to whomever. See if that machine is indeed streaming the bytes in massive quantities. If not, I would suspect your stunnel is getting stuck in it's own loop. There are a million reasons this can happen (well a few less than a million) - such as maybe a bad library in the FreeBSD or a bad choice in the Makefile - such as doing threads or something in a way your O/S does not like (I use threads=fork or whatever it is, instead of actual threading). You might tinker with some of the options that make the stunnel build and try different ones. Especially if stunnel was compiled on a different version of the O/S - could be differences in bytes in things and who knows what. That is all I can suggest beyond setting the debug level to 7 (I think is highest) and then watching the log file. Eric From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Murrey, Brian J. Sent: Wednesday, October 17, 2018 10:57 AM To: stunnel-users(a)stunnel.org Subject: [stunnel-users] CPU 100% We are running stunnel 5.49 on FreeBSD 11.2 and we're running into a problem once in a while. CPU pegs at 100% when we get an stunnel connection from one of our external devices. This affects 100% of all cores and we can't even log in to console. To mitigate this temporarily, we have a script running in the background to watch when stunnel begins to spike and restarts the daemon. It doesn't happen 100% of the time, and so far I have been unable to distinguish what makes the connection do this to the CPU. Have any of you run in to this issue? Sincerely, Brian Murrey System Engineer II, IT Infrastructure _____ NOTICE: This message may contain privileged and confidential information and/or protected health information intended solely for the use of the named recipient and may be privileged or otherwise protected by law. If you are not the intended recipient of this message, you should immediately notify the sender and delete this message. Do not disseminate, reproduce, or review this message or attachments if you are not the intended recipient. The sender or others may have legal rights restricting the dissemination of the information contained in this message and, as a result, remedies against you in the event of the improper dissemination of confidential information, trade secrets, personal information or privileged communications. This message is the work of the sender and does not necessarily reflect the position, views, or policies of TriMedx LLC or its affiliates. WARNING: The integrity and security of this message cannot be guaranteed and may contain or transmit a virus or other illicit code. Neither TriMedx LLC or its affiliates accept liability for any damage attributable to viruses or illicit code transmitted through this message or an attachment.

2 1

older browsers, stunnel and privoxy
by kovacs janos 04 Mar '24

04 Mar '24

sorry to bother, im trying to make older browsers be able to display TLS 1.1 and TLS 1.2 sites. i heard stunnel cant be configured to always forward to the current site address dynamically, thats why i would use privoxy. the browser is configured to send to: 127.0.0.1 443 stunnel config has this at the end: [Tunnel_in] client = yes accept = 127.0.0.1:443 connect = 127.0.0.1:8118 verifyChain = yes CAfile = ca-certs.pem checkHost = localhost 127.0.0.1:8118 is the privoxy address. this is what stunnel writes: LOG5[main]: Configuration successful LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261 LOG5[0]: s_connect: connected 127.0.0.1:8118 LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262 and the browser infinitely loads, and never loads anything or leaves the page. if i remove the last 3 lines, its the same just with this line added: LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks but it doesnt give an error or anything. with a configuration like: [Tunnel_out] client = no accept = 127.0.0.1:443 connect = 127.0.0.1:8118 cert = stunnel.pem this is what it gives: LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294 LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket and browser gives a server not found error immediately. im not even sure if i should use client or server configuration in a case like this, but none of them works anyway. all i would need is for my browser to get the pages decrypted, or at least in less than TLS1.1. like how on newipnow.com i can access sites with any encryption, since they are sent to the browser without encryption. the browser just gives an "unencrypted tunnel" warning, which is how i found stunnel, and which is exactly what i need, just locally.

8 41

TPM based mutual tls authentication
by Nyiri, Gabor (Nokia - HU/Budapest) 07 Nov '23

07 Nov '23

Hi, Can you help me how to configure stunnel client to use TPM for mutual TLS authentication? I want to connect with mTLS to a remote server then make this connection available for localhost without mTLS. Thanks for your help in advance! Here is my configuration so far without TPM: debug = debug output = /tmp/stunnel.log foreground = yes [mtls_client] client = yes accept = 127.0.0.1:12019 sni = server-with-mtls.example.com checkHost = server-with-mtls.example.com connect = 1.2.3.4:443 verifyChain = yes CApath = /etc/ssl/certs/ cert = client.crt key = client.key Thanks & br, Gábor Nyíri,

2 1

Config stunnel for outgoing mails to Ionos
by a.franken＠management-kommunikation.de 22 Aug '23

22 Aug '23

In these days, our provider Ionos/1&1 starts to accept only encrypted access to its mail server and at least TLS 1.2. There are no problems with incoming mails. In order to be on the safe side with our Win SBS Server 2008 (no comments please!) with outgoing mails, I now have interposed stunnel as recommended many times on the web. This works in principle. Unfortunate exception: In some cases - expecially if the mail recipient has a Microsoft address like @hotmail.de, @live.de, @outlook.com -, sending aborts with error 503 5.5.2 ("Need mail command"). Unfortunately, I'm quite innocent with SMTP, SSL and certificates, but worked hard to create the following stunnel configuration file: socket = l:TCP_NODELAY=0 socket = r:TCP_NODELAY=0 client = yes output = C:\Program Files (x86)\stunnel\stunnel.log [smtpionos] accept = localhost:465 connect = smtp.ionos.de:465 verifyChain = yes verifyPeer = yes CAfile = C:\Program Files (x86)\stunnel\config\amakor2022.pem checkHost = remote.management-kommunikation.de protocolHost = smtp.ionos.de protocolAuthentication = login protocolUsername = OUR_USERNAME protocolPassword = OUR_PASSWORD sslVersionMin = TLSv1.2 sslVersionMax = TLSv1.2 delay = yes protocol = smtp amakor2022.pem is the "PositiveSSL" certificate that we acquired for our subdomain remote.management-kommunikation.de. "Our_Username" and "Our_Password" are of course our correct access data. After spending hours searching the web for a solution, does anyone have a tip what's wrong and what to do?

1 2

Reading HSM Pincode from file and passing it to Stunnel/OpenSSL
by Andreas Heijdendael 30 May '23

30 May '23

Hi there, I'm running into an issue. I'm trying to run stunnel on my new Ubuntu 22.04 system whereas before I was running it on Windows. Thing is, on the Windows system I had to compile stunnel manually as I need to read an encrypted file on the filesystem that contains the user-pin for my HSM. On Windows, that worked. On Ubuntu I'm having issues with the C11 _s functions (like sscanf_s and the likes). ChatGTP suggested using clang compiler, but I have not clue on how to do that. Of enabling C11 Annex K support in Ubuntu (no such thing, apparently).... Is there anybody here that makes use of these _s functions in their code on Ubuntu 22.04? Or explain how to use these functions in gcc? Or compile stunnel (+ additional code) using Clang. Thanks!! Andreas

1 0

ssl3 wrong version number
by trashrap22＠gmail.com 18 May '23

18 May '23

I get the following error running 'sudo service stunnel4 status' : LOG3[0]: SSL_accept: ../ssl/record/ssl3_record.c:331: error:1408F10B:SSL routines:ssl3_get_record:wrong version number is that merely a mismatch between openSSL versions used by client and server? I have tried changing the config file options, also with no specification since the default according to stunnel.org is: options = NO_SSLv2 options = NO_SSLv3 I have tried (service level option): sslVersion = TLSv1 Same error. When running sudo service stunnel4 status after start: May 12 08:22:45 user-Linux stunnel[16630]: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP May 12 08:22:45 user-Linux stunnel4[16616]: Starting TLS tunnels: /etc/stunnel/stunnel.conf: started May 12 08:22:45 user-Linux stunnel[16630]: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf May 12 08:22:45 user-Linux systemd[1]: Started LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons). May 12 08:22:45 user-Linux stunnel[16630]: LOG5[ui]: UTF-8 byte order mark not detected May 12 08:22:45 user-Linux stunnel[16630]: LOG5[ui]: FIPS mode disabled May 12 08:22:45 user-Linux stunnel[16630]: LOG4[ui]: Insecure file permissions on /var/lib/stunnel4/psk.txt May 12 08:22:45 user-Linux stunnel[16630]: LOG5[ui]: Configuration successful May 12 08:22:45 user-Linux stunnel[16630]: LOG5[ui]: Switched to chroot directory: /var/lib/stunnel4/ May 12 08:22:45 user-Linux stunnel[16632]: LOG5[cron]: Updating DH parameters After trying to make a connection via FIX connection: May 12 08:28:04 user-Linux stunnel[16798]: LOG7[0]: Service [**redacted**] started May 12 08:28:04 user-Linux stunnel[16798]: LOG7[0]: Setting local socket options (FD=3) May 12 08:28:04 user-Linux stunnel[16798]: LOG7[0]: Option TCP_NODELAY set on local socket May 12 08:28:04 user-Linux stunnel[16798]: LOG5[0]: Service [**redacted**] accepted connection from 127.0.0.1:51954 May 12 08:28:04 user-Linux stunnel[16798]: LOG6[0]: Peer certificate not required May 12 08:28:04 user-Linux stunnel[16798]: LOG7[0]: TLS state (accept): before SSL initialization May 12 08:28:04 user-Linux stunnel[16798]: LOG3[0]: SSL_accept: ../ssl/record/ssl3_record.c:331: error:1408F10B:SSL routines:ssl3_get_record:wrong version number May 12 08:28:04 user-Linux stunnel[16798]: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket May 12 08:28:04 user-Linux stunnel[16798]: LOG7[0]: Local descriptor (FD=3) closed May 12 08:28:04 user-Linux stunnel[16798]: LOG7[0]: Service [**redacted**] finished (0 left)

2 1

TLS alert (read): warning: close notify
by trashrap22＠gmail.com 18 May '23

18 May '23

Hi All, Hopefully the last question with my struggles! Stunnel connects and the initial TLS connection works - but then it seems the client or server (I am client) does not trust the psk key? Any ideas? Note - part of the previous issue was creating a 64B/512b PSK and NOT a 32/B/256b psk. I created that key and shared it with the server. See below line referencing 256bit encryption? May 18 16:34:38 user-Linux stunnel: LOG5[0]: Service [** redacted **] connected remote server from ** redacted ** May 18 16:34:38 user-Linux stunnel: LOG7[0]: Setting remote socket options (FD=11) May 18 16:34:38 user-Linux stunnel: LOG7[0]: Option TCP_NODELAY set on remote socket May 18 16:34:38 user-Linux stunnel: LOG7[0]: Remote descriptor (FD=11) initialized May 18 16:34:38 user-Linux stunnel: LOG6[0]: SNI: sending servername: ** redacted ** May 18 16:34:38 user-Linux stunnel: LOG6[0]: Peer certificate not required May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): before SSL initialization May 18 16:34:38 user-Linux stunnel: LOG7[0]: Initializing application specific data for session authenticated May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange May 18 16:34:38 user-Linux stunnel: LOG6[0]: Client certificate not requested May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server done May 18 16:34:38 user-Linux stunnel: LOG6[0]: PSK client configured for identity "client" May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write finished May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write finished May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server session ticket May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read finished May 18 16:34:38 user-Linux stunnel: LOG7[0]: New session callback May 18 16:34:38 user-Linux stunnel: LOG6[0]: No peer certificate received May 18 16:34:38 user-Linux stunnel: LOG6[0]: Session id: ***** redacted **** May 18 16:34:38 user-Linux stunnel: LOG7[0]: 1 client connect(s) requested May 18 16:34:38 user-Linux stunnel: LOG7[0]: 1 client connect(s) succeeded May 18 16:34:38 user-Linux stunnel: LOG7[0]: 0 client renegotiation(s) requested May 18 16:34:38 user-Linux stunnel: LOG7[0]: 0 session reuse(s) May 18 16:34:38 user-Linux stunnel: LOG6[0]: TLS connected: new session negotiated May 18 16:34:38 user-Linux stunnel: LOG6[0]: TLSv1.2 ciphersuite: ECDHE-PSK-CHACHA20-POLY1305 (256-bit encryption) May 18 16:34:38 user-Linux stunnel: LOG7[0]: Compression: null, expansion: null May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS alert (read): warning: close notify May 18 16:34:38 user-Linux stunnel: LOG6[0]: TLS closed (SSL_read) May 18 16:34:38 user-Linux stunnel: LOG7[0]: Sent socket write shutdown May 18 16:34:38 user-Linux stunnel: LOG6[0]: Read socket closed (readsocket) May 18 16:34:38 user-Linux stunnel: LOG7[0]: Sending close_notify alert May 18 16:34:38 user-Linux stunnel: LOG7[0]: TLS alert (write): warning: close notify May 18 16:34:38 user-Linux stunnel: LOG6[0]: SSL_shutdown successfully sent close_notify alert May 18 16:34:38 user-Linux stunnel: LOG5[0]: Connection closed: 98 byte(s) sent to TLS, 0 byte(s) sent to socket May 18 16:34:38 user-Linux stunnel: LOG7[0]: Remote descriptor (FD=11) closed May 18 16:34:38 user-Linux stunnel: LOG7[0]: Local descriptor (FD=3) closed May 18 16:34:38 user-Linux stunnel: LOG7[0]: Service [*redacted*]finished (0 left)

1 0

chroot jail on debian 11 for stunnel steps?
by trashrap22＠gmail.com 11 May '23

11 May '23

Does someone have all the steps in order to setup a chroot jail on debian 11 OS - I have followed [this](https://manpages.debian.org/testing/stunnel4/stunnel.8.en.html) mostly - but think I am going to miss some differences to Debian 11 and go down a rabbit hole. Anyone have done it on Debian 11 care to share the steps?

3 3

Re: stunnel not starting
by Christopher Schultz 10 May '23

10 May '23

Hello, On 5/10/23 00:28, d3rIIIe15ter Tier wrote: > Please advise why you strongly advise running stunnel in a chroot jail? Because: 1. It's insanely easy to do (it literally IS just "chroot=/path/to/jail") and 2. If there is a problem with stunnel (e.g. security issue), the amount of damage an attacker can do is significantly limited -chris > On Tue, May 9, 2023 at 5:59 PM Christopher Schultz > <chris(a)christopherschultz.net <mailto:chris@christopherschultz.net>> wrote: > > Hello, > > On 5/9/23 11:13, d3rIIIe15ter Tier wrote: > > After giving access to var/log/secure/stunnel.log, I now get logs! > > > > There I get the following error: > > > > Cannot create pid file /var/run/stunnel4.pid > > create: Permission denied (13) > > What is the euid of the stunnel process? Does it have access to that > path? Are you using a chroot jail? (You should be.) Does that path > exist > in the chroot jail? Can the stunnel user write to that path? > > -chris > > > On Tue, May 9, 2023 at 4:34 PM d3rIIIe15ter Tier > <trashrap22(a)gmail.com <mailto:trashrap22@gmail.com> > > <mailto:trashrap22@gmail.com <mailto:trashrap22@gmail.com>>> wrote: > > > > You are right... bad mistake. > > > > Now I get: cannot open log file - which I am sure is a > permission > > thing since I need to use sudo to be able to write to that file. > > Any ideas further? > > > > On Tue, May 9, 2023 at 4:21 PM Christopher Schultz > > <chris(a)christopherschultz.net > <mailto:chris@christopherschultz.net> > <mailto:chris@christopherschultz.net > <mailto:chris@christopherschultz.net>>> > > wrote: > > > > Hello, > > > > On 5/9/23 10:17, d3rIIIe15ter Tier wrote: > > > I have tried changing the location to > > > > > > var/log/stunnel4/stunnel.log > > > var/log/stunnel4/stunnelLog > > > var/log/secure/ > > > var/log/secure/stunnel.log > > > etc/stunnel/stunnel.log > > > etc/stunnel/stunnelLog > > > > > > don't know how to fix it yet... > > I don't think the *value* is the problem. The problem is that > > you have > > defined "output" somewhere that isn't valid, such as within a > > specific > > service's section instead of as a global setting. > > > > -chris > > > > > On Tue, May 9, 2023 at 3:54 PM Christopher Schultz > > > <chris(a)christopherschultz.net > <mailto:chris@christopherschultz.net> > > <mailto:chris@christopherschultz.net > <mailto:chris@christopherschultz.net>> > > <mailto:chris@christopherschultz.net > <mailto:chris@christopherschultz.net> > > <mailto:chris@christopherschultz.net > <mailto:chris@christopherschultz.net>>>> wrote: > > > > > > Hello, > > > > > > On 5/9/23 09:40, trashrap22(a)gmail.com > <mailto:trashrap22@gmail.com> > > <mailto:trashrap22@gmail.com > <mailto:trashrap22@gmail.com>> <mailto:trashrap22@gmail.com > <mailto:trashrap22@gmail.com> > > <mailto:trashrap22@gmail.com <mailto:trashrap22@gmail.com>>> > > > wrote: > > > > Hi, I am on Debian - when I run "sudo stunnel > > stunnel.conf" I > > > get the following output: > > > > > > > > [ ] Clients allowed=500 > > > > [.] stunnel 5.56 on x86_64-pc-linux-gnu platform > > > > [.] Compiled with OpenSSL 1.1.1k 25 Mar 2021 > > > > [.] Running with OpenSSL 1.1.1n 15 Mar 2022 > > > > [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD > > > TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP > > > > [ ] errno: (*__errno_location ()) > > > > [.] Reading configuration from file > > /etc/stunnel/stunnel.conf > > > > [.] UTF-8 byte order mark not detected > > > > [.] FIPS mode disabled > > > > [ ] Compression disabled > > > > [ ] No PRNG seeding was required > > > > [!] /etc/stunnel/stunnel.conf:24: "output = > > /tmp/stunnel.log": > > > Specified option name is not valid here > > > > [ ] Deallocating section defaults > > > > > > > > When I run "sudo netstat -tulnp | grep -i > stunnel" I > > also get no > > > output - which means that stunnel is not starting up? > > > > > > The log message seems pretty specific to me. Maybe you > > should fix that? > > > > > > -chris > > > _______________________________________________ > > > stunnel-users mailing list -- > stunnel-users(a)stunnel.org <mailto:stunnel-users@stunnel.org> > > <mailto:stunnel-users@stunnel.org > <mailto:stunnel-users@stunnel.org>> > > > <mailto:stunnel-users@stunnel.org > <mailto:stunnel-users@stunnel.org> > > <mailto:stunnel-users@stunnel.org > <mailto:stunnel-users@stunnel.org>>> > > > To unsubscribe send an email to > > stunnel-users-leave(a)stunnel.org > <mailto:stunnel-users-leave@stunnel.org> > > <mailto:stunnel-users-leave@stunnel.org > <mailto:stunnel-users-leave@stunnel.org>> > > > <mailto:stunnel-users-leave@stunnel.org > <mailto:stunnel-users-leave@stunnel.org> > > <mailto:stunnel-users-leave@stunnel.org > <mailto:stunnel-users-leave@stunnel.org>>> > > > > > _______________________________________________ > > stunnel-users mailing list -- stunnel-users(a)stunnel.org > <mailto:stunnel-users@stunnel.org> > > <mailto:stunnel-users@stunnel.org > <mailto:stunnel-users@stunnel.org>> > > To unsubscribe send an email to > stunnel-users-leave(a)stunnel.org <mailto:stunnel-users-leave@stunnel.org> > > <mailto:stunnel-users-leave@stunnel.org > <mailto:stunnel-users-leave@stunnel.org>> > > > _______________________________________________ > stunnel-users mailing list -- stunnel-users(a)stunnel.org > <mailto:stunnel-users@stunnel.org> > To unsubscribe send an email to stunnel-users-leave(a)stunnel.org > <mailto:stunnel-users-leave@stunnel.org> >

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users May 2023