- stunnel-users - stunnel.org

public domain [PATCH] to stunnel v456 to clear SSL_OP_LEGACY_SERVER_CONNECT
by Simner, John 25 Jun '14

25 Jun '14

Dear Michal, Dear All, Please find attached a patch to stunnel 4.56 to clear SSL_OP_LEGACY_SERVER_CONNECT. There was a security requirement to ensure that the stunnel client could not connect to unpatched servers. I am aware from OpenSSL (https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html ) that this parameter is currently set by default and has to be manually cleared by calling SSL_CTX_clear_options() or SSL_clear_options()if an OpenSSL client applications wants to ensure they can not connect to unpatched servers (and thus avoid any security issues). The attached patch achieves this. OpenSSL also state "As more servers become patched the option SSL_OP_LEGACY_SERVER_CONNECT will not be set by default in a future version of OpenSSL" so this patch is only required until OpenSSL change the default value. Thanks.. John [Unify: Harmonize your enterprise] John Simner BSc(Hons) MSc CEng. MIET Software Engineer, Devices Development Unify Enterprise Communications Ltd. Tel.: +44 (1908) 817378 (One Number Service) Email: john.simner(a)unify.com <mailto:vorname.name@unify.com> www.unify.co.uk<http://www.unify.co.uk/> Follow us: [Social_media_icons] <http://www.unify.com/social-media> Unify Enterprise Communications Limited. Registered Office: Brickhill Street, Willen Lake, Milton Keynes, MK15 0DJ Registered No: 5903714, England. This email contains confidential information and is for the exclusive use of the addressee. If you are not the addressee then any distribution, copying, or use of this email is prohibited. If received in error, please advise the sender and delete immediately. We accept no liability for any loss or damage suffered by any person arising from use of this email.

1 0

Can not get TLS1.2 work in FIPS mode.
by Hui Yu 19 Jun '14

19 Jun '14

Hi all: Base on this link https://www.stunnel.org/sdf_ChangeLog.html, to make TLS 1.2 work, I need to put stunnel in FIPS enable mode. In stunnel config file, I have following to enable FIPS mode and select TLS 1.2. sslVersion=TLSv1.2 FIPS = yes But when my TLS 1.2 client send "client hello" with version TLS 1.2 to stunnel, stunnel still send "server hello" with TLS 1.0 back. Could somebody help on why stunnel does not support TLS 1.2 ? My stunnel is verstion 5.02, compiled with latest OpenSSL version 1.0.1h FIPS mode library. Following is the log file: ################### 2014.06.19 11:09:13 LOG7[15491]: Clients allowed=500 2014.06.19 11:09:13 LOG5[15491]: stunnel 5.02 on i686-pc-linux-gnu platform 2014.06.19 11:09:13 LOG5[15491]: Compiled with OpenSSL 1.1.0-fips-dev xx XXX xxxx 2014.06.19 11:09:13 LOG5[15491]: Running with OpenSSL 1.0.1h-fips 5 Jun 2014 2014.06.19 11:09:13 LOG5[15491]: Update OpenSSL shared libraries or rebuild stunnel 2014.06.19 11:09:13 LOG5[15491]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP 2014.06.19 11:09:13 LOG7[15491]: errno: (*__errno_location ()) 2014.06.19 11:09:13 LOG5[15491]: Reading configuration from file stunnel.K.tacacs+.conf 2014.06.19 11:09:13 LOG5[15491]: FIPS mode enabled ##################FIPS mode enabled############ 2014.06.19 11:09:13 LOG7[15491]: Compression disabled 2014.06.19 11:09:13 LOG7[15491]: Snagged 64 random bytes from /root/.rnd 2014.06.19 11:09:13 LOG7[15491]: Wrote 1024 new random bytes to /root/.rnd 2014.06.19 11:09:13 LOG7[15491]: PRNG seeded successfully 2014.06.19 11:09:13 LOG6[15491]: Initializing service [encrypted_tacplus] 2014.06.19 11:09:13 LOG6[15491]: Loading cert from file: /tftpboot/cacert-hyu.pem 2014.06.19 11:09:13 LOG6[15491]: Loading key from file: /tftpboot/privkey-hyu.pem 2014.06.19 11:09:13 LOG4[15491]: Insecure file permissions on /tftpboot/privkey-hyu.pem 2014.06.19 11:09:13 LOG7[15491]: Private key check succeeded 2014.06.19 11:09:13 LOG7[15491]: DH initialization 2014.06.19 11:09:13 LOG7[15491]: Could not load DH parameters from /tftpboot/cacert-hyu.pem 2014.06.19 11:09:13 LOG7[15491]: Using hardcoded DH parameters 2014.06.19 11:09:13 LOG7[15491]: DH initialized with 2048-bit key 2014.06.19 11:09:13 LOG7[15491]: ECDH initialization 2014.06.19 11:09:13 LOG7[15491]: ECDH initialized with curve prime256v1 2014.06.19 11:09:13 LOG7[15491]: SSL options set: 0x00000004 2014.06.19 11:09:13 LOG5[15491]: Configuration successful 2014.06.19 11:09:13 LOG7[15491]: Service [encrypted_tacplus] (FD=7) bound to 0.0.0.0:2249 2014.06.19 11:09:14 LOG7[15491]: No pid file being created 2014.06.19 11:17:52 LOG7[15506]: Service [encrypted_tacplus] accepted (FD=3) from 10.25.105.82:636 2014.06.19 11:17:52 LOG7[15509]: Service [encrypted_tacplus] started 2014.06.19 11:17:52 LOG5[15509]: Service [encrypted_tacplus] accepted connection from 10.25.105.82:636 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): before/accept initialization 2014.06.19 11:17:52 LOG7[15509]: SNI: no virtual services defined 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 read client hello B ##########wireshark shows "client hello" version is TLS1.2, stunnel log shows it is TLS1.0. 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server hello A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write certificate A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write key exchange A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server done A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 flush data 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read client key exchange A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read finished A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write change cipher spec A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write finished A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 flush data 2014.06.19 11:17:55 LOG7[15509]: 1 items in the session cache 2014.06.19 11:17:55 LOG7[15509]: 0 client connects (SSL_connect()) 2014.06.19 11:17:55 LOG7[15509]: 0 client connects that finished 2014.06.19 11:17:55 LOG7[15509]: 0 client renegotiations requested 2014.06.19 11:17:55 LOG7[15509]: 1 server connects (SSL_accept()) 2014.06.19 11:17:55 LOG7[15509]: 1 server connects that finished 2014.06.19 11:17:55 LOG7[15509]: 0 server renegotiations requested 2014.06.19 11:17:55 LOG7[15509]: 0 session cache hits 2014.06.19 11:17:55 LOG7[15509]: 0 external session cache hits 2014.06.19 11:17:55 LOG7[15509]: 1 session cache misses 2014.06.19 11:17:55 LOG7[15509]: 0 session cache timeouts 2014.06.19 11:17:55 LOG6[15509]: No peer certificate received 2014.06.19 11:17:55 LOG6[15509]: SSL accepted: new session negotiated 2014.06.19 11:17:55 LOG6[15509]: Negotiated TLSv1/SSLv3 ciphersuite: DHE-RSA-AES128-SHA (128-bit encryption) ##############negotiated as TLS1.0 2014.06.19 11:17:55 LOG6[15509]: Compression: null, expansion: null 2014.06.19 11:17:55 LOG6[15509]: s_connect: connecting 127.0.0.1:2250 2014.06.19 11:17:55 LOG7[15509]: s_connect: s_poll_wait 127.0.0.1:2250: waiting 10 seconds 2014.06.19 11:17:55 LOG5[15509]: s_connect: connected 127.0.0.1:2250 2014.06.19 11:17:55 LOG5[15509]: Service [encrypted_tacplus] connected remote server from 127.0.0.1:47369 2014.06.19 11:17:55 LOG7[15509]: Remote socket (FD=8) initialized

1 0

Configure stunnel to clear SSL_OP_LEGACY_SERVER_CONNECT to prevent connections to unpatched servers.
by Simner, John 19 Jun '14

19 Jun '14

Hi, I have a requirement for a stunnel client built with openSSL 0.9.8y to not connect to unpatched servers. I know this is a simple matter of using SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT); Is there any way of configuring stunnel to clear this option? If this is the wrong approach, how can I prevent stunnel connecting to unpatched servers? Thank you for your assistance and look forward to your response. John Simner [Unify: Harmonize your enterprise] John Simner BSc(Hons) MSc CEng. MIET Software Engineer, Devices Development Unify Enterprise Communications Ltd. Tel.: +44 (1908) 817378 (One Number Service) Email: john.simner(a)unify.com <mailto:vorname.name@unify.com> www.unify.co.uk<http://www.unify.co.uk/> Follow us: [Social_media_icons] <http://www.unify.com/social-media> Unify Enterprise Communications Limited. Registered Office: Brickhill Street, Willen Lake, Milton Keynes, MK15 0DJ Registered No: 5903714, England. This email contains confidential information and is for the exclusive use of the addressee. If you are not the addressee then any distribution, copying, or use of this email is prohibited. If received in error, please advise the sender and delete immediately. We accept no liability for any loss or damage suffered by any person arising from use of this email.

1 0

Re: [stunnel-users] Trouble wrapping samba SWAT...
by Ludolf Holzheid 17 Jun '14

17 Jun '14

On Mon, 2014-06-16 12:53:36 +0200, Marco Gaiarin wrote: > > [..] > > and in /etc/stunnel/swat.conf.inetd: > > cert = /etc/ssl/certs/LNFFVGNobel.pem > key = /etc/ssl/private/LNFFVGNobel.pem > CAfile = /etc/ssl/certs/LNFFVG.pem > > service = swat > exec = /usr/sbin/swat > execargs = swat -P > > [..] > > the only thing i suppose is that for some reason stunnel4, run by root > in inetd, then switch to an unprivileged user before running swat, > preventing access to /var/lib/samba/secrets.tdb . Marco, I don't think stunnel changes the user ID without a 'setuid = ' statement in the configuration file (as it does not know which user ID to switch to). Are you sure, swat isn't changing the user ID? Does it work without being wrapped by stunnel? Ludolf -- Bihl+Wiedemann GmbH Floßwörthstraße 41 68199 Mannheim, Germany Tel: +49 621 33996-0 Fax: +49 621 3392239 mailto:lholzheid@bihl-wiedemann.de http://www.bihl-wiedemann.de Sitz der Gesellschaft: Mannheim Geschäftsführer: Jochen Bihl, Bernhard Wiedemann Amtsgericht Mannheim, HRB 5796

2 1

OpenSSL tips header not found - version 5.02
by James Brown 17 Jun '14

17 Jun '14

I’ve installed OpenSSL 1.0.1h (using "./configure darwin64-x86_64-cc”) and now when I go to upgrade stunned from 4.56 to 5.02, configure gives me: checking whether to enable FIPS mode support... autodetecting configure: **************************************** SSL checking for SSL directory... /usr/local/ssl checking /usr/local/ssl/include/openssl/engine.h usability... yes checking /usr/local/ssl/include/openssl/engine.h presence... yes checking for /usr/local/ssl/include/openssl/engine.h... yes checking /usr/local/ssl/include/openssl/ocsp.h usability... yes checking /usr/local/ssl/include/openssl/ocsp.h presence... yes checking for /usr/local/ssl/include/openssl/ocsp.h... yes checking /usr/local/ssl/include/openssl/fips.h usability... no checking /usr/local/ssl/include/openssl/fips.h presence... no checking for /usr/local/ssl/include/openssl/fips.h... no configure: WARNING: OpenSSL fips header not found checking for FIPS_mode_set... yes configure: FIPS mode detected Do I need to worry about the tips header not being found? Is there anything I should do to fix this? (Running on a Mac OS X 10.7.5 machine). Thanks, James.

1 1

Client SSL certificate
by reg14＠rambler.ru 13 Jun '14

13 Jun '14

If a client application is behind NAT, it does not have a real IP address. Certificate field 'common name' is supposed to contain a fully qualified domain name or a real IP address. Could the value of this field be ignored on SSL verification?

2 3

Using SNI in stunnel server
by Derek Cole 13 Jun '14

13 Jun '14

Hello, I have the following config on my stunnel server: Dereks-MacBook-Pro:server derek$ cat server.conf ;setuid = stunnel setgid = nogroup foreground = yes pid = /etc/stunnel/stunnel.pid debug = 7 output = /etc/stunnel/stunnel.log options = NO_SSLv2 verify = 3 fips=no CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem CApath=/Users/derek/cert_attempts/server/trusted/ [https] cert = /Users/derek/cert_attempts/server/domain.local.pem accept = 443 connect = 80 ;connect is the far-end openvpn connection [exit1] sni = https:exit1.domain.local cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem connect=ovpn1:16081 [exit2] sni = https:exit2.domain.local cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem connect=ovpn2:1195 I am trying to test whether this is working by using openssl s_client with something similar to the following: openssl s_client -connect 10.22.1.219:443 -cert ./server/domain.local.pem -servername exit2.domain.local Maybe I misunderstand - but why do I have to specify -servername there? I thought that if I specified -cert and it matched any of the cert= in my services that are in my stunnel configuration, it would automatically know to do that connect? It seems like if I level off -servername entirely, it always defaults to https no matter what cert I specify, and if I do have -servername, it always goes to that SNI regardless of what cert I use (or whether that cert is even valid). All three of these .pem files were generated and signed by the same CA that I created, and they all contain the public and private key. What am I doing wrong here? Thanks

2 1

Re: [stunnel-users] [patch] Systemd socket activation support in daemon mode
by Mark Theunissen 10 Jun '14

10 Jun '14

Hi all, Is there any chance of this functionality getting in upstream? Mark

2 1

Expired Certificate
by Andrew Smith 09 Jun '14

09 Jun '14

I am pretty new to Stunnel as I have inherited the project at my company. Yesterday the certificate expired on our Windows Server 2008 for Stunnel. What are the steps to renew this certificate? ________________________________ Andrew Smith Support Technical Services Analyst P: 614-875-4910 x109 F: 614-875-4088 E: andrew.smith(a)harriscomputer.com [http://www.harriscomputer.com/images/signatures/HarrisSchools.jpg] [http://www.harriscomputer.com/images/signatures/DivisionofHarris.gif]<http://www.harriscomputer.com/> 6110 Enterprise Parkway Grove City, OH 43123 www.harris-schoolsolutions.com<http://www.harris-schoolsolutions.com> This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.

2 1

none cipher
by Mark Sullivan 09 Jun '14

09 Jun '14

How can I use the none cipher with SSL? which ciphers allow for the best throughput?

2 1