September 2023 - stunnel-users

stunnel events
by noel_melvin＠neimanmarcus.com 11 Sep '23

11 Sep '23

We have stunnel running on Windows machine. Just would like to know whether the below events is anything abnormal/critical to be addressed. 2023.09.07 10:10:16 LOG5[7]: Service [Application1] accepted connection from x.x.x.x:1234 2023.09.07 10:10:16 LOG6[7]: Peer certificate not required 2023.09.07 10:10:16 LOG6[7]: No peer certificate received 2023.09.07 10:10:16 LOG6[7]: Session id: (Alphanumeric) 2023.09.07 10:10:16 LOG6[7]: TLS accepted: new session negotiated 2023.09.07 10:10:16 LOG6[7]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-SHA256 (128-bit encryption) 2023.09.07 10:10:16 LOG6[7]: s_connect: connecting x.x.x.x:1234 2023.09.07 10:10:16 LOG5[7]: s_connect: connected x.x.x.x:1234 2023.09.07 10:10:16 LOG6[7]: persistence: x.x.x.x:1234 cached

1 1

Stunnel hangs with static build with openssl 1.1.1c
by eklein＠triple-eye.nl 07 Sep '23

07 Sep '23

I successfully cross compiled and built a static version of stunnel for ARM. It works with stunnel 5.70 and openssl 1.1.1b If however, I try to use openssl 1.1.1c, stunnel hangs. I narrowed the problem down to the following call in compression_init in ssl.c: comp_methods[COMP_NONE]=sk_SSL_COMP_new_null(); The program does not get past this point. I also tried to build with openssl 1.1.1v and 3.0.0, to no avail. I am using the following commands: To build openssl: ./Configure linux-armv4 --prefix=/home/erik/Documents/openssl-1.1.1b/install --openssldir=/home/erik/Documents/openssl-1.1.1b/install threads shared make CC=arm-linux-gnueabi-gcc make install To build stunnel: sed -i 's/^stunnel_LDFLAGS = /&-all-static /' src/Makefile.in export CFLAGS='-Os -fomit-frame-pointer -pipe' ./configure --with-ssl=/home/erik/Documents/openssl-1.1.1b/install --disable-fips --disable-shared --enable-static --disable-silent-rules --build x86_64-pc-linux-gnu --host arm-linux-gnueabi make What is the difference between openssl1.1.1b and 1.1.1c which causes this problem?

1 1

Failover configuration using a proxy
by Daphne Shaw 06 Sep '23

06 Sep '23

Hello! I have a configuration question around failover with stunnel as a https client (that is, "client=yes"). The end goal here is a "Try to connect to host A, if that fails, connect to host B, etc." type of setup. I can do that with multiple connect= options, one per host, and it works as expected: connect=x.x.x.x connect=y.y.y.y connect=z.z.z.z The question I have is around doing the same thing with a proxy. In a proxy configuration, connect= specifies the proxy (https in my case, so "protocol=connect"), and protocolHost= specifies the host that I want to connect to via that proxy. Unfortunately, it seems that protocolHost only allows a single host and cannot be used multiple times, so I can't specify the hosts to failover to. connect=my.proxy.ip protocol=connect protocolhost=x.x.x.x protocolhost=y.y.y.y protocolhost=z.z.z.z That always attempts to connect to z.z.z.z (the last specified host) via the proxy. I am using stunnel 4.56 (stock stunnel from Centos 7), but happy to upgrade if a newer version makes this possible (the manual suggests the latest version works the same way). Any suggestions? I'm sure I could accomplish this by wrapping stunnel in a script that generates a new config file for each failover, but well, I'm hoping to not have to do that. Thanks, Daphne

2 2

Connection abend between Stunnel and multiple clients
by arunprasanna_dhayalavel＠neimanmarcus.com 06 Sep '23

06 Sep '23

Hello All!! We are experiencing multiple transactions initiated from the different clients towards the Stunnel getting reset. We are trying to identify if the below events relate to the issue. If yes, kindly suggest how we can rectify the below. 2023.09.05 09:10:43 LOG6[210]: transfer: s_poll_wait: TIMEOUTidle exceeded: sending reset 2023.09.05 09:10:43 LOG5[210]: Connection reset: 2505 byte(s) sent to TLS, 59 byte(s) sent to socket

1 0

error:0A000126 on windows 10
by Stewart Anderson 02 Sep '23

02 Sep '23

Hi, First apologies I posted this question on a google stunnel group, but I realise that does not have much activity, so posting here also. I am trying to get stunnel up and running and getting the error in the subject. The full error text is: "SSL_accept: ssl/record/ssl3_record.c:354: error:0A00010B:SSL routines::wrong version number" I have a simple service which seems to load fine. I have stunnel up at the "server side" on a VM in azure and if I telnet to the VM public address I can see the activity in the stunnel logs on the VM, so I know at least a pipe is open. I can hit the port server side and see the log activity in stunnel also. If I try a telnet to the local stunnel accept port. I see the error above. This is the full log. 2023.08.23 11:01:04 LOG7[service]: Found 1 ready file descriptor(s) 2023.08.23 11:01:04 LOG7[service]: FD=604 ifds=r-x ofds=--- 2023.08.23 11:01:04 LOG7[service]: FD=664 ifds=r-x ofds=r-- 2023.08.23 11:01:04 LOG7[service]: Service [dev-dev-testHarness] accepted (FD=708) from 127.0.0.1:10756 2023.08.23 11:01:04 LOG7[service]: Creating a new thread 2023.08.23 11:01:04 LOG7[service]: New thread created 2023.08.23 11:01:04 LOG7[4]: Service [dev-dev-testHarness] started 2023.08.23 11:01:04 LOG7[4]: Setting local socket options (FD=708) 2023.08.23 11:01:04 LOG7[4]: Option TCP_NODELAY set on local socket 2023.08.23 11:01:04 LOG5[4]: Service [dev-dev-testHarness] accepted connection from 127.0.0.1:10756 2023.08.23 11:01:04 LOG6[4]: Peer certificate not required 2023.08.23 11:01:04 LOG7[4]: TLS state (accept): before SSL initialization 2023.08.23 11:01:04 LOG7[4]: TLS alert (write): fatal: decode error 2023.08.23 11:01:04 LOG3[4]: SSL_accept: ssl/record/rec_layer_s3.c:303: error:0A000126:SSL routines::unexpected eof while reading 2023.08.23 11:01:04 LOG5[4]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2023.08.23 11:01:04 LOG7[4]: Local descriptor (FD=708) closed 2023.08.23 11:01:04 LOG7[4]: Service [dev-dev-testHarness] finished (0 left) What am I missing, I haven't used stunnel for quite a while and previous effort were on linux and I did not see this problem then. Using telnet/TNC as the local test tools and stunnel was installed with bare default installation. The only thing I have done different is to set a config fragment folder to separate services on the sever side and they report as loading fine. any help greatly appreciated. Stu

1 1

Re: Need help setting up new stunnel config
by Mark Foley 01 Sep '23

01 Sep '23

I think I'm confused here. My objective is for requests sent to port 3389 on the Windows 10 machine to be "validated" by stunnel, then passed on to the service listening on that port. Am I mistaken about what stunnel is supposed to do? If not, what would my config look like to accomplish this? I don't see how changing the RDC port would help. Regardless of what port RDC listens on, it's still going to be used by RDC and therefore I don't see why the 'accept' wouldn't continue to fail. Sorry to be so obtuse on this. I just don't get it and haven't found any examples for stunneling to RDC. --Mark -----Original Message----- From: Michael Curran <mike_curran(a)hotmail.com> To: Mark Foley <mfoley(a)novatec-inc.com>, "stunnel-users(a)stunnel.org" <stunnel-users(a)stunnel.org> Subject: Re: [stunnel-users] Re: Need help setting up new stunnel config Date: Fri, 1 Sep 2023 17:39:25 +0000 Mark -- Your full stanza should look like this [dbserver] accept = <some port> connect = 3389 CAfile = stunnel.pem The IP:PORT was a suggestion for the RDC connection string. If you cannot start RDC with an IP:PORT, then you can change the internal RDC port from 3389 to something else. I have not done this, you will have to review Microsofts site to find out how. If RDC can be changed , but not the RDC connection string then your stanza might look like [dbserver] accept = 3389 connect = <new rdc port> CAfile = stunnel.pem Mike ________________________________ From: Mark Foley <mfoley(a)novatec-inc.com> Sent: Friday, September 1, 2023 1:28 PM To: stunnel-users(a)stunnel.org <stunnel-users(a)stunnel.org> Subject: [stunnel-users] Re: Need help setting up new stunnel config Michael - thanks for your response. I did not see the "ip:port" syntax you suggested in the stunnel doc, so I just use 'port'. Below is the config I tried: [DBSERVER] connect = 3389 CAfile = stunnel.pem When running I got the following errors: [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [ ] No limit detected for the number of clients [.] stunnel 5.70 on x64-pc-mingw32-gnu platform [.] Compiled/running with OpenSSL 3.0.9 30 May 2023 [.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*_errno()) [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [.] Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf [.] UTF-8 byte order mark detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [DBSERVER] [!] Service [DBSERVER]: TLS server needs a certificate [!] Configuration failed [ ] Deallocating temporary section defaults [ ] Deallocating section [DBSERVER] Notice "TLS server needs a certificate". The installation dialog steps me through creating a certificate which it puts in stunnel.pem. So why this message? I also tried the full pathname to stunnel.pem. --Mark -----Original Message----- From: Michael Curran <michael.curran(a)cosocloud.com> To: Mark Foley <mfoley(a)novatec-inc.com>, "stunnel-users(a)stunnel.org" <stunnel-users(a)stunnel.org> Subject: Re: [stunnel-users] Need help setting up new stunnel config Date: Fri, 1 Sep 2023 13:12:30 +0000 accept is the port you want them to connect on remotely – which would have to be other than 3389 since it is open already connect would be 3389 I think in the connection string for RDC you can just specify ip:port to connect If you cannot , you can also redesignate the port remote desktop answers on -- Michael Curran Systems Architect| CoSo Cloud D 614.568.2285 | C 614.403.6320 | michael.curran(a)cosocloud.com From: Mark Foley <mfoley(a)novatec-inc.com> Date: Thursday, August 31, 2023 at 11:33 AM To: stunnel-users(a)stunnel.org <stunnel-users(a)stunnel.org> Subject: [stunnel-users] Need help setting up new stunnel config I used stunnel about 5 years ago and now I want to use it again, but my notes are terrible and I'm having trouble getting started. I want to create a connection between Windows computer on port 3389. The "client" will be some remote Windows computer, perhaps at someone's home office. The "server" will be a Windows workstation at the office. I've installed stunnel 5.70 on a Windows 10 workstation at the office, hostname COMMONW10. I'm at a loss creating the config file on this machine. I have: [COMMONW10] ;client = yes accept = 3389 ;connect = ???:xxxx CAfile = stunnel.pem The stunnel.pem was create when I installed stunnel. I have no idea what the 'connect' line should have. When I run stunnel (clicking on desktop icon) I get: [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [COMMONW10] [ ] Listening file descriptor created (FD=724) [ ] Setting accept socket options (FD=724) [ ] Option SO_EXCLUSIVEADDRUSE set on accept socket [.] Binding service [COMMONW10] to 127.0.0.1:3389: Permission denied (WSAEACCES) (10013) [!] Binding service [COMMONW10] failed [ ] Unbinding service [COMMONW10] [ ] Service [COMMONW10] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [COMMONW10] [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 Server is down I'm assuming the "Permission denied" is because Remote Desktop is already listening on 3389. So, I'm stuck and feeling quite ignorant! Help appreciated. --Mark _______________________________________________ stunnel-users mailing list -- stunnel-users(a)stunnel.org To unsubscribe send an email to stunnel-users-leave(a)stunnel.org This is an external email and may have suspicious content. Please take care when clicking links or opening attachments. When in doubt, contact your IT Department. _______________________________________________ stunnel-users mailing list -- stunnel-users(a)stunnel.org To unsubscribe send an email to stunnel-users-leave(a)stunnel.org

2 1

Re: Need help setting up new stunnel config
by Mark Foley 01 Sep '23

01 Sep '23

Michael - thanks for your response. I did not see the "ip:port" syntax you suggested in the stunnel doc, so I just use 'port'. Below is the config I tried: [DBSERVER] connect = 3389 CAfile = stunnel.pem When running I got the following errors: [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [ ] No limit detected for the number of clients [.] stunnel 5.70 on x64-pc-mingw32-gnu platform [.] Compiled/running with OpenSSL 3.0.9 30 May 2023 [.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*_errno()) [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [.] Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf [.] UTF-8 byte order mark detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [DBSERVER] [!] Service [DBSERVER]: TLS server needs a certificate [!] Configuration failed [ ] Deallocating temporary section defaults [ ] Deallocating section [DBSERVER] Notice "TLS server needs a certificate". The installation dialog steps me through creating a certificate which it puts in stunnel.pem. So why this message? I also tried the full pathname to stunnel.pem. --Mark -----Original Message----- From: Michael Curran <michael.curran(a)cosocloud.com> To: Mark Foley <mfoley(a)novatec-inc.com>, "stunnel-users(a)stunnel.org" <stunnel-users(a)stunnel.org> Subject: Re: [stunnel-users] Need help setting up new stunnel config Date: Fri, 1 Sep 2023 13:12:30 +0000 accept is the port you want them to connect on remotely – which would have to be other than 3389 since it is open already connect would be 3389 I think in the connection string for RDC you can just specify ip:port to connect If you cannot , you can also redesignate the port remote desktop answers on -- Michael Curran Systems Architect| CoSo Cloud D 614.568.2285 | C 614.403.6320 | michael.curran(a)cosocloud.com From: Mark Foley <mfoley(a)novatec-inc.com> Date: Thursday, August 31, 2023 at 11:33 AM To: stunnel-users(a)stunnel.org <stunnel-users(a)stunnel.org> Subject: [stunnel-users] Need help setting up new stunnel config I used stunnel about 5 years ago and now I want to use it again, but my notes are terrible and I'm having trouble getting started. I want to create a connection between Windows computer on port 3389. The "client" will be some remote Windows computer, perhaps at someone's home office. The "server" will be a Windows workstation at the office. I've installed stunnel 5.70 on a Windows 10 workstation at the office, hostname COMMONW10. I'm at a loss creating the config file on this machine. I have: [COMMONW10] ;client = yes accept = 3389 ;connect = ???:xxxx CAfile = stunnel.pem The stunnel.pem was create when I installed stunnel. I have no idea what the 'connect' line should have. When I run stunnel (clicking on desktop icon) I get: [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [COMMONW10] [ ] Listening file descriptor created (FD=724) [ ] Setting accept socket options (FD=724) [ ] Option SO_EXCLUSIVEADDRUSE set on accept socket [.] Binding service [COMMONW10] to 127.0.0.1:3389: Permission denied (WSAEACCES) (10013) [!] Binding service [COMMONW10] failed [ ] Unbinding service [COMMONW10] [ ] Service [COMMONW10] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [COMMONW10] [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 Server is down I'm assuming the "Permission denied" is because Remote Desktop is already listening on 3389. So, I'm stuck and feeling quite ignorant! Help appreciated. --Mark _______________________________________________ stunnel-users mailing list -- stunnel-users(a)stunnel.org To unsubscribe send an email to stunnel-users-leave(a)stunnel.org This is an external email and may have suspicious content. Please take care when clicking links or opening attachments. When in doubt, contact your IT Department.

1 0

Problem TLS connection Outlook 365
by adebelew＠gmail.com 01 Sep '23

01 Sep '23

Hi, I'm trying to connect to Outlook 365 with this setup [office365] client = yes accept = 127.0.0.1:993 connect = outlook.office365.com:993 unfortunately, when from my penthao software, I try to connect with email and password stunnel responds like this: 2023.09.01 09:57:33 LOG5[2]: Service [office365] accepted connection from 127.0.0.1:63027 2023.09.01 09:57:33 LOG5[2]: s_connect: connected 52.98.206.242:993 2023.09.01 09:57:33 LOG5[2]: Service [office365] connected remote server from 192.168.1.228:63028 2023.09.01 09:57:33 LOG5[2]: Connection closed: 258 byte(s) sent to TLS, 160 byte(s) sent to socket could you help me? is it necessary to configure the certificates? How should it be done? Thank you!

1 0