stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

Please allow fips=no even if !USE_FIPS
by Andy Lutomirski 10 Mar '14

10 Mar '14

It's currently impossible to make a stunnel config file that works with reasonable settings on both a USE_FIPS build (e.g. Fedora) and a !USE_FIPS build (e.g. Ubuntu). This is because, if USE_FIPS, fips defaults to "yes" (which is, for most purposes, a serious problem) and, if !USE_FIPS, the setting 'fips=no' prevents stunnel from starting. I've observed this on stunnel 4.53, and it looks like the same issue exists in the source in stunnel 4.56 and 5.00. (Note that, if targetting stunnel 5.00, this is less of an issue, since the default value of 'fips' changed. Nonetheless, it would be nice to accept 'fips=no' to avoid surprises.) Thanks, Andy

1 0

Stunnel Install error on Solaris10 X86
by Ashok Kumar G 10 Mar '14

10 Mar '14

Hi, I am trying to install stunnel-4.56 on my Solaris10 server. configure step completed successfully. But make and make install commands failed miserably. # gzip -dc stunnel-3.8.tar.gz | tar -xvf - # cd stunnel-3.8 # ./configure bash-3.00# make bash: make: command not found bash-3.00# export PATH=/usr/ccs/bin bash-3.00# make bash: line 8: sed: command not found *** Error code 127 The following command caused the error: fail= failcom='exit 1'; \ for f in x $MAKEFLAGS; do \ case $f in \ *=* | --[!k]*);; \ *k*) failcom='fail=yes';; \ esac; \ done; \ dot_seen=no; \ target=`echo all-recursive | sed s/-recursive//`; \ list='src doc tools'; for subdir in $list; do \ echo "Making $target in $subdir"; \ if test "$subdir" = "."; then \ dot_seen=yes; \ local_target="$target-am"; \ else \ local_target="$target"; \ fi; \ (CDPATH="${ZSH_VERSION+.}:" && cd $subdir && make $local_target) \ || eval $failcom; \ done; \ if test "$dot_seen" = "no"; then \ make "$target-am" || exit 1; \ fi; test -z "$fail" make: Fatal error: Command failed for target `all-recursive' bash-3.00# make install bash: line 8: sed: command not found *** Error code 127 The following command caused the error: fail= failcom='exit 1'; \ for f in x $MAKEFLAGS; do \ case $f in \ *=* | --[!k]*);; \ *k*) failcom='fail=yes';; \ esac; \ done; \ dot_seen=no; \ target=`echo install-recursive | sed s/-recursive//`; \ list='src doc tools'; for subdir in $list; do \ echo "Making $target in $subdir"; \ if test "$subdir" = "."; then \ dot_seen=yes; \ local_target="$target-am"; \ else \ local_target="$target"; \ fi; \ (CDPATH="${ZSH_VERSION+.}:" && cd $subdir && make $local_target) \ || eval $failcom; \ done; \ if test "$dot_seen" = "no"; then \ make "$target-am" || exit 1; \ fi; test -z "$fail" make: Fatal error: Command failed for target `install-recursive' bash-3.00# bash-3.00# bash-3.00# echo $PATH /usr/ccs/bin ========================================================= * 2nd Try:* ========================================================= bash-3.00# echo $PATH /usr/sbin:/usr/bin bash-3.00# PATH=$PATH:/usr/sbin:/usr/sfw/bin:/usr/ccs/bin bash-3.00# LD_LIBARAY_PATH=/lib:/usr/lib:/usr/local/lib bash-3.00# cd /opt/softwares/stunnel-4.56 bash-3.00# make Making all in src make all-am Making all in doc Making all in tools bash-3.00# make install Making install in src test -z "/usr/local/bin" || ../auto/install-sh -c -d "/usr/local/bin" /bin/bash ../libtool --mode=install ../auto/install-sh -c stunnel '/usr/local/bin' libtool: install: ../auto/install-sh -c stunnel /usr/local/bin/stunnel test -z "/usr/local/bin" || ../auto/install-sh -c -d "/usr/local/bin" ../auto/install-sh -c stunnel3 '/usr/local/bin' test -z "/usr/local/lib/stunnel" || ../auto/install-sh -c -d "/usr/local/lib/stunnel" /bin/bash ../libtool --mode=install ../auto/install-sh -c libstunnel.la'/usr/local/lib/stunnel' libtool: install: ../auto/install-sh -c .libs/libstunnel.so /usr/local/lib/stunnel/libstunnel.so libtool: install: chmod +x /usr/local/lib/stunnel/libstunnel.so libtool: install: ../auto/install-sh -c .libs/libstunnel.lai /usr/local/lib/stunnel/libstunnel.la ---------------------------------------------------------------------- Libraries have been installed in: /usr/local/lib/stunnel If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the `-LLIBDIR' flag during linking and do at least one of the following: - add LIBDIR to the `LD_LIBRARY_PATH' environment variable during execution - use the `-RLIBDIR' linker flag See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages. ---------------------------------------------------------------------- Making install in doc test -z "/usr/local/share/doc/stunnel" || ../auto/install-sh -c -d "/usr/local/share/doc/stunnel" ../auto/install-sh -c -m 644 stunnel.html stunnel.pl.html stunnel.fr.html '/usr/local/share/doc/stunnel' test -z "/usr/local/share/man/man8" || ../auto/install-sh -c -d "/usr/local/share/man/man8" ../auto/install-sh -c -m 644 stunnel.8 stunnel.pl.8 stunnel.fr.8 '/usr/local/share/man/man8' Making install in tools test -z "/usr/local/etc/stunnel" || ../auto/install-sh -c -d "/usr/local/etc/stunnel" ../auto/install-sh -c -m 644 stunnel.conf-sample '/usr/local/etc/stunnel' if test ! -r /usr/local/etc/stunnel/stunnel.pem; then \ if test -r "/dev/urandom"; then \ dd if="/dev/urandom" of=stunnel.rnd bs=256 count=1; \ RND="-rand stunnel.rnd"; \ else \ RND=""; \ fi; \ /usr//bin/openssl req -new -x509 -days 365 $RND \ -config ./stunnel.cnf \ -out stunnel.pem -keyout stunnel.pem; \ /usr//bin/openssl gendh $RND 1024 >> stunnel.pem; \ /usr//bin/openssl x509 -subject -dates -fingerprint -noout -in stunnel.pem; \ ../auto/install-sh -c -m 600 stunnel.pem /usr/local/etc/stunnel/stunnel.pem; \ rm stunnel.pem; \ fi 1+0 records in 1+0 records out bash: line 7: /usr//bin/openssl: No such file or directory *** Error code 1 make: Fatal error: Command failed for target `install-data-local' Current working directory /opt/softwares/stunnel-4.56/tools *** Error code 1 The following command caused the error: make install-exec-am install-data-am make: Fatal error: Command failed for target `install-am' Current working directory /opt/softwares/stunnel-4.56/tools *** Error code 1 The following command caused the error: fail= failcom='exit 1'; \ for f in x $MAKEFLAGS; do \ case $f in \ *=* | --[!k]*);; \ *k*) failcom='fail=yes';; \ esac; \ done; \ dot_seen=no; \ target=`echo install-recursive | sed s/-recursive//`; \ list='src doc tools'; for subdir in $list; do \ echo "Making $target in $subdir"; \ if test "$subdir" = "."; then \ dot_seen=yes; \ local_target="$target-am"; \ else \ local_target="$target"; \ fi; \ (CDPATH="${ZSH_VERSION+.}:" && cd $subdir && make $local_target) \ || eval $failcom; \ done; \ if test "$dot_seen" = "no"; then \ make "$target-am" || exit 1; \ fi; test -z "$fail" make: Fatal error: Command failed for target `install-recursive' bash-3.00# Can someone please help to resolve the above error. Thanks, Ashok Kumar G

2 3

Re: [stunnel-users] [Patch] Support multiple X509 client certificates with same CN
by Leon Winter 10 Mar '14

10 Mar '14

On Mon, Mar 10, 2014 at 06:34:14AM -0400, Brian Wilkins wrote: > You will have to attach appropriate software license as well. Michal may > ask for it I hereby declare my two previously sent patches to be licensed under GPL as according to the license of the stunnel project. Regards, Leon Winter

1 0

[Patch] Support multiple X509 client certificates with same CN
by Leon Winter 10 Mar '14

10 Mar '14

Hi, currently stunnel uses the X509_STORE_get_by_subject () API call to OpenSSL to retrieve the x509 client certificate in the cert_check () method (located in verify.c) to gather the client certificate from the whitelist by the common name (CN) the client presented during the TLS handshake. It then proceeds to compare both certificates bit by bit. This all works rather fine until the very moment you have more than one client certificate with the same CN. The OpenSSL API call will then return any of the certificates with the provided CN (according to internal logic). Other implementations using OpenSSL were aware of this issue and introduced logic to further iterate over the remaining certificates, retrieving any further with the same CN. See for example function X509_STORE_CTX_get1_issuer () and its comment: http://www.opensource.apple.com/source/OpenSSL/OpenSSL-12/openssl/crypto/x5… I patched stunnel 4.53 and adapted the patch to upstream version 5.00 to behave in similar fashion and can report that with these changes stunnel then also supports multiple client certificates sharing the same CN. Feel free to adapt indention as my patches aim for minimal changed lines. Best regards, Leon Winter

1 0

stunnel 5.00 released
by Michal Trojnara 10 Mar '14

10 Mar '14

Dear Users, I have released version 5.00 of stunnel. The ChangeLog entry: stunnel 5.00 disables some features previously enabled by default. Users should review whether the new defaults are appropriate for their particular deployments. Packages maintainers may consider prepending the old defaults for "fips" (if supported by their OpenSSL library), "pid" and "libwrap" to stunnel.conf during automated updates. Version 5.00, 2014.03.06, urgency: HIGH: * Security bugfixes - Added PRNG state update in fork threading (CVE-2014-0016). * New global configuration file defaults - Default "fips" option value is now "no", as FIPS mode is only helpful for compliance, and never for actual security. - Default "pid" is now "", i.e. not to create a pid file at startup. * New service-level configuration file defaults - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to AlFBPPS attack and bad performance of DH ciphersuites. - Default "libwrap" setting is now "no" to improve performance. * New features - OpenSSL DLLs updated to version 1.0.1f. - zlib DLL updated to version 1.2.8. - autoconf scripts upgraded to version 2.69. - TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode. - New service-level option "redirect" to redirect SSL client connections on authentication failures instead of rejecting them. - New global "engineDefault" configuration file option to control which OpenSSL tasks are delegated to the current engine. Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. - New service-level configuration file option "engineId" to select the engine by identifier, e.g. "engineId = capi". - New global configuration file option "log" to control whether to append (the default), or to overwrite log file while (re)opening. - Different taskbar icon colors to indicate the service state. - New global configuration file options "iconIdle", "iconActive", and "iconError" to select status icon on GUI taskbar. - Removed the limit of 63 stunnel.conf sections on Win32 platform. - Installation of a sample certificate was moved to a separate "cert" target in order to allow unattended (e.g. scripted) installations. - Reduced length of the logged thread identifier. It is still based on the OS thread ID, and thus not unique over long periods of time. - Improved readability of error messages printed when stunnel refuses to start due to a critical error. * Bugfixes - LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs). - CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary compatibility with diverse builds of OpenSSL (thx to Norm Jacobs). - Corrected round-robin failover behavior under heavy load. - Numerous fixes in the engine support code. - On Win32 platform .rnd file moved from c:\ to the stunnel folder. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hash for stunnel-5.00.tar.gz: 88986d52a7ef1aff0cc26fc0a9830361c991baba7ee591d5cf1cc8baef75bc13 Best regards, Mike

3 5

Weird problem starting stunnel
by Matthew Lunnon 05 Mar '14

05 Mar '14

Hello, Can anyone enlighten me on the following: I have installed stunnel up on my Mac (OS X Lion) and it all runs just fine. When I put this on another machine (OS X Mountain Lion) stunnel refuses to start. I include the output and the stunnel.conf file below. We have some experience of stunnel as we have been using it in both client and server mode on Windows and RedHat for years but none of my colleagues can give me much help here. It looks to me like although stunnel is reporting that it is starting with the correct stunnel.conf file it is actually using something else as: 1) no stunnel.log file is created 2) after successfully seeding the PRNG it seems to be Initializing inetd mode and starting as a service when this should be starting in client mode. (The only way I can get it to do something similar on the machine that works is to remove all the service definitions and put in a line service = SERVICE when it blows up but with a slightly different error about needing an end/connection point (not sure the exact error) and then it fails. Even so in this case it will still create an output log in the correct place) My thoughts are that it might be something to do with the installation process of stunnel that hasn't been followed properly or some kind of permissions issue. Apologies if I am being dim but I am at a bit of a loss to explain what is going on here. I do not have direct access to the second machine and am trying to support it over the phone. Thanks for any help. Matthew ========================================================================== = Here is the output: ========================================================================== Last login: Fri Jan 31 10:44:30 on ttys000 Administrator:~ admin$ cd stunnel Administrator:stunnel admin$ stunnel /Users/admin/stunnel/stunnel.conf Clients allowed=125 stunnel 4.56 on x86_64-apple-darwin11.4.2 platform Compiled with OpenSSL 0.9.8r 8 Feb 2011 Running with OpenSSL 0.9.8y 5 Feb 2013 Update OpenSSL shared libraries or rebuild stunnel Threading:PTHREAD Sockets:SELECT,IPv6 SSL:ENGINE,OCSP Auth:LIBWRAP Reading configuration from file /Users/admin/stunnel/stunnel.conf Compression not enabled Snagged 64 random bytes from /Users/admin/.rnd Wrote 1024 new random bytes to /Users/admin/.rnd PRNG seeded successfully Initializing inetd mode configuration Service [stunnel]: SSL server needs a certificate str_stats: 2 block(s), 45 data byte(s), 116 control byte(s) Administrator:stunnel admin$ ========================================================================== = And here is the stunnel.conf file: ========================================================================== ; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options ; ************************************************************************** ; * Global options * ; ************************************************************************** ; Debugging stuff (may useful for troubleshooting) debug = 7 ;output = stunnel.log ; Disable FIPS mode to allow non-approved protocols and algorithms ;fips = no client=yes sslVersion=SSLv3 output=/Users/admin/stunnel/stunnel.log pid=/Users/admin/stunnel/stunnel.pid ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode ;cert = rwa2012.clientkeycert.pem ;key = stunnel.pem ; Authentication stuff needs to be configured to prevent MITM attacks ; It is not enabled by default! verify = 2 ;verify = 0 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile CAfile = /Users/admin/stunnel/ca.crt ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively CRLfile can be used ;CRLfile = crls.pem ; Disable support for insecure SSLv2 protocol options = NO_SSLv2 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Service definitions (at least one service has to be defined) * ; ************************************************************************** [Gounder] cert = /Users/admin/stunnel/gounder20141401011000.pem accept=8128 connect=311.219.292.173:9876 [Gounder IJ] cert = /Users/admin/stunnel/gounder20141401011000.pem accept=9128 connect=311.219.292.173:9875 -- Matthew Lunnon Technical Consultant RWA Ltd. mlunnon(a)rwa-net.co.uk Tel: +44 (0)29 2081 5056 www.rwa-net.co.uk

2 1

Stunnel use with Juniper VPN
by Nancy Shortall 19 Feb '14

19 Feb '14

Looking for help in planning a point to point VPN between a fixed site and a mobile site. The fixed site currently uses Stunnel and the mobile site must use a Juniper VPN SSG 140 hardware VPN device. Would this configuration be possible?

1 0

Re: [stunnel-users] Compatible with windows 8.1?
by peter 08 Feb '14

08 Feb '14

Is the stunnel compatible with windows 8.1? I am having problems after updating to 8.1 Peter

1 0

DNS SSL tunnel
by Quinn Wood 07 Feb '14

07 Feb '14

Woops, starting with the forwarded ports... 192.168.1.100 UDP/5353 -> VM UDP/53 192.168.1.100 TCP/5353 -> VM TCP/53 192.168.1.100 TCP/5667 -> VM TCP/5667 [...] I am able to get DNS replies using both of dig @192.168.1.100 -p 5353 google.com A dig @192.168.1.100 -p 5353 google.com A +tcp But dig times out when I try to use dig @192.168.1.100 -p 53 google.com A The stunnel server log is here: http://sprunge.us/deLY The stunnel client log is here: http://sprunge.us/ScAC Why this is happening? I notice the three connection attempts which seems like it's relevant to the connection resets.

1 0

DNS SSL tunnel
by Quinn Wood 07 Feb '14

07 Feb '14

I am attempting to tunnel DNS traffic over stunnel using socat. I am following a guide[1] by the German Privacy Foundation. The client is my physical machine and the server is a VirtualBox virtual machine with three ports forwarded: 192.168.1.100 53/UDP My configs for stunnel are an exact match to the ones on the guide, and I am able to get a DNS reply using dig @IP [1] https://www.privacyfoundation.de/wiki/SSL-DNS

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users