stunnel-users December 2024

stunnel-users@stunnel.org

7 participants
5 discussions

Start a nNew thread

STUNNEL Installation to Windows Failover Cluster
by John Pipolo 19 Dec '24

19 Dec '24

Hi Is there any documentation or how to on installing STUNNEL to a 2 node Windows failover cluster? thx

1 0

[Bug][5.73] stunnel segfault and coredump due to OCSP handling
by stunnel＠benary.org 15 Dec '24

15 Dec '24

Hi everyone, I've recently upgraded from NixOS 24.05 to 24.11 which went from stunnel 5.72 to 5.73 and have since had stunnel crash on me multiple times on different servers (pretty much identical setup however) due to what looks like a memory allocation race? Since 5.73 moved OCSP fetches to a thread, and the problem hasn't ever happened with 5.72 it sounds like an issue specific to that. Someone familiar with the codebase probably has a better idea of what's going on. Given that my updates happened somewhen mid last month and there have been no certificate renewals since (except for one that wouldn't affect the systems that were affected, thanks so much to crt.sh and CT existing) the error message of "OCSP routines::status expired" also seems out of place at least for the certificate itself (the staple may be expired, but stunnel should probably get a new one in that case which may have to do with the error in question). ``` Dec 06 04:43:02 shell stunnel[1124111]: LOG5[per-minute]: OCSP: Certificate accepted Dec 06 04:43:02 shell stunnel[1124111]: 2024.12.06 04:43:02 LOG5[per-minute]: OCSP: Certificate accepted Dec 06 04:43:02 shell stunnel[1124111]: LOG5[per-minute]: OCSP: Certificate accepted Dec 06 04:43:02 shell stunnel[1124111]: 2024.12.06 04:43:02 LOG5[per-minute]: OCSP: Certificate accepted Dec 06 04:43:02 shell stunnel[1124111]: LOG5[per-minute]: OCSP: Certificate accepted Dec 06 04:43:02 shell stunnel[1124111]: 2024.12.06 04:43:02 LOG5[per-minute]: OCSP: Certificate accepted Dec 06 04:43:56 shell stunnel[1124111]: LOG5[ui]: Log file reopened Dec 06 04:43:56 shell stunnel[1124111]: 2024.12.06 04:43:56 LOG5[ui]: Log file reopened Dec 06 04:44:02 shell stunnel[1124111]: LOG3[per-minute]: OCSP: OCSP_check_validity: crypto/ocsp/ocsp_cl.c:351: error:1380007D:OCSP routines::status expired Dec 06 04:44:02 shell stunnel[1124111]: 2024.12.06 04:44:02 LOG3[per-minute]: OCSP: OCSP_check_validity: crypto/ocsp/ocsp_cl.c:351: error:1380007D:OCSP routines::status expired Dec 06 04:44:02 shell stunnel[1124111]: 2024.12.06 04:44:02 LOG4[per-minute]: OCSP: Unknown verification status Dec 06 04:44:02 shell stunnel[1124111]: INTERNAL ERROR: Memory allocated in a different thread at ocsp.c, line 412 Dec 06 04:44:02 shell stunnel[1124111]: LOG4[per-minute]: OCSP: Unknown verification status Dec 06 04:44:02 shell stunnel[1124111]: INTERNAL ERROR: Memory allocated in a different thread at ocsp.c, line 412 Dec 06 04:44:02 shell systemd-coredump[282485]: Process 1124111 (stunnel) of user 988 terminated abnormally with signal 6/ABRT, processing... Dec 06 04:44:02 shell systemd[1]: Started Process Core Dump (PID 282485/UID 0). Dec 06 04:44:02 shell systemd-coredump[282486]: [🡕] Process 1124111 (stunnel) of user 988 dumped core. Module libgcc_s.so.1 without build-id. Module libcap.so.2 without build-id. Module stunnel without build-id. Stack trace of thread 1124120: #0 0x00007f9191c99a9c __pthread_kill_implementation (libc.so.6 + 0x92a9c) #1 0x00007f9191c47576 raise (libc.so.6 + 0x40576) #2 0x00007f9191c2f935 abort (libc.so.6 + 0x28935) #3 0x000056142e23e435 fatal_debug.cold (stunnel + 0xc435) #4 0x000056142e23eebc get_alloc_list_ptr (stunnel + 0xcebc) #5 0x000056142e23f0b9 str_detach_debug.part.0 (stunnel + 0xd0b9) #6 0x000056142e23f856 str_free_debug (stunnel + 0xd856) #7 0x000056142e259635 ocsp_stapling (stunnel + 0x27635) #8 0x000056142e25a18f per_minute_thread (stunnel + 0x2818f) #9 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #10 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) Stack trace of thread 676245: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e241f82 client_run (stunnel + 0xff82) #3 0x000056142e2438fc client_thread (stunnel + 0x118fc) #4 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #5 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) Stack trace of thread 1124111: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e25b5f6 daemon_loop (stunnel + 0x295f6) #3 0x000056142e23e680 main (stunnel + 0xc680) #4 0x00007f9191c3127e __libc_start_call_main (libc.so.6 + 0x2a27e) #5 0x00007f9191c31339 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2a339) #6 0x000056142e23e875 _start (stunnel + 0xc875) Stack trace of thread 1124119: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e250acd s_poll_sleep (stunnel + 0x1eacd) #3 0x000056142e25a21c per_second_thread (stunnel + 0x2821c) #4 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #5 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) Stack trace of thread 676190: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e241f82 client_run (stunnel + 0xff82) #3 0x000056142e2438fc client_thread (stunnel + 0x118fc) #4 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #5 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) Stack trace of thread 1124121: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e250acd s_poll_sleep (stunnel + 0x1eacd) #3 0x000056142e259fab per_day_thread (stunnel + 0x27fab) #4 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #5 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) Stack trace of thread 676445: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e241f82 client_run (stunnel + 0xff82) #3 0x000056142e2438fc client_thread (stunnel + 0x118fc) #4 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #5 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) Stack trace of thread 676300: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e241f82 client_run (stunnel + 0xff82) #3 0x000056142e2438fc client_thread (stunnel + 0x118fc) #4 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #5 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) Stack trace of thread 676491: #0 0x00007f9191d090af __poll (libc.so.6 + 0x1020af) #1 0x000056142e2509f1 s_poll_wait (stunnel + 0x1e9f1) #2 0x000056142e241f82 client_run (stunnel + 0xff82) #3 0x000056142e2438fc client_thread (stunnel + 0x118fc) #4 0x00007f9191c97d02 start_thread (libc.so.6 + 0x90d02) #5 0x00007f9191d173ac __clone3 (libc.so.6 + 0x1103ac) ELF object binary architecture: AMD x86-64 Dec 06 04:44:02 shell systemd[1]: stunnel.service: Main process exited, code=dumped, status=6/ABRT Dec 06 04:44:02 shell systemd[1]: stunnel.service: Failed with result 'core-dump'. Dec 06 04:44:02 shell systemd[1]: stunnel.service: Consumed 2min 11.812s CPU time, 21.6M memory peak, 19.6M memory swap peak, 50.9M read from disk, 47.1M written to disk, 587.2M incoming IP traffic, 588.8M outgoing IP traffic. ``` Note that stunnel is handling mTLS for my prometheus, which means that it is indeed getting hammered by one scrape per exporter at a time, which in this case would make exactly five scrapes per minute but all of them happening at the same time, which, if this is a race, does make me a lot more likely to hit this issue. Also a huge Thank You for building what has been an integral part of my infrastructure for almost a decade now.

3 4

stunnel 5.74 released
by Michał Trojnara 13 Dec '24

13 Dec '24

Dear Users, I have released version 5.74 of stunnel. ### Version 5.74, 2024.12.13, urgency: HIGH * Bugfixes - Fixed a stapling cache deallocation crash. - Fixed "redirect" with protocol negotiation. * Features - "protocolHost" support for "socks" protocol clients. - More detailed logs in OpenSSL 3.0 or later. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 9bef235ab5d24a2a8dff6485dfd782ed235f4407e9bc8716deb383fc80cd6230 stunnel-5.74.tar.gz 8ce19cc782a64b0cacf32356249265ed16b3888e3578454853f5497726778d76 stunnel-5.74-win64-installer.exe 68c3395c1bebcc8b4eee2c7f58190aa2fe39b835dd7a4cce5ad37d5dfc1c5542 stunnel-5.74-android.zip Best regards, Mike

1 0

Stunnel on a windwos 11 pro installation not working
by ron.reijgwart＠gmail.com 09 Dec '24

09 Dec '24

I'm trying to use Stunnel on a windwos 11 pro installation. I tried version 5.56, 5.73 and 5.74b1. On my old pc all was working fine but now I get the following errors: [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [ ] No limit detected for the number of clients [.] stunnel 5.73 on x64-pc-mingw32-gnu platform [.] Compiled/running with OpenSSL 3.3.2 3 Sep 2024 [.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*_errno()) [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [.] Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf [.] UTF-8 byte order mark detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [ssmtp] [ ] Initializing context [ssmtp] [ ] OpenSSL security level is used: 2 [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: C:\Program Files (x64)\stunnel\config\stunnel.pem [!] error queue: ssl/ssl_rsa.c:472: error:0A080002:SSL routines::system lib [!] error queue: crypto/bio/bss_file.c:300: error:10080002:BIO routines::system lib [!] SSL_CTX_use_certificate_chain_file: crypto/bio/bss_file.c:297: error:80000003:system library::No such process [!] Service [ssmtp]: Failed to initialize TLS context [!] Configuration failed [ ] Deallocating temporary section defaults [ ] Cleaning up context [(null)] [ ] Deallocating section [ssmtp] [ ] Cleaning up context [ssmtp] On a windows 10 Education installation it works fine with this logging: 2024.12.05 13:38:58 LOG5[service]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf 2024.12.05 13:38:58 LOG5[service]: UTF-8 byte order mark detected 2024.12.05 13:38:58 LOG5[service]: FIPS mode disabled 2024.12.05 13:38:58 LOG4[service]: Service [ssmtp] needs authentication to prevent MITM attacks 2024.12.05 13:38:58 LOG5[service]: Configuration successful My conf-file looks like this: ;use it for client mode client = yes [ssmtp] accept = 1925 cert = C:\Program Files (x64)\stunnel\config\stunnel.pem connect = smtp.bhosted.nl:465 Can you please give me some advice?

2 2

Is it possible for stunnel to reject client connections if the server end cannot connect?
by mohmmad170720＠gmail.com 05 Dec '24

05 Dec '24

Hi all Say we have two machines set up, ClientPC and ServerPC. On ClientPC I run stunnel accepting a connection on a local port and connecting to an stunnel port on ServerPC. On ServerPC I run stunnel accepting a connection on the local stunnel port and connecting to the 'encryption unaware' server on another port on the same ServerPC machine. OK, pretty simple stuff so far. The problem is, when I connect to ClientPC with the 'encryption unaware' client app. then I always get a successful connection, even if there is no server running on ServerPC. Of course once the client has a successful connection, it then performs a write(), and that fails with 'Connection reset by peer'. Really, since there is no server running on ServerPC, I want the connect() to stunnel on ClientPC to fail. Is there a way to do this?

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users December 2024