stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

stunnel as server dont connect to endpoint
by mahdi.section8＠gmail.com 05 Mar '23

05 Mar '23

hello everyone i have a setup of openvpn + stunnel stunnel(client) in a server stunnel(server) + openvpn in another server both were working fine until i moved the second server to another one i moved all openvpn and stunnel files to new one but even though its same stunnel it dont work properly i even compiled latest 5.69 version thinking it was a bug this is my stunnel config: setuid = root setgid = root [openvpn] cert=/etc/stunnel/cert.pem key=/etc/stunnel/key.pem accept = 0.0.0.0:1381 connect = 127.0.0.1:1194 its so simple yet idk whats the problem, cause in the logs i only see from stunnel that a connection from ip x accepted but nothing else saying that it connected to 127.0.0.1:1194 its just accepting connections and nothing more like it forgot there is a connect option there. but i confirm openvpn is correct as i tested with netcat and openvpn showed up in logs saying there is a connection but somehow stunnel dont connect to 127.0.0.1:1194 its crazy that either i forgot something or misconfig of stunnel cause its so simple and its not working

2 2

stunnel 5.69 released
by Michał Trojnara 04 Mar '23

04 Mar '23

Dear Users, I have released version 5.69 of stunnel. ### Version 5.69, 2023.03.04, urgency: MEDIUM * New features - Improved logging performance with the "output" option. - Improved file read performance on the WIN32 platform. - DH and kDHEPSK ciphersuites removed from FIPS defaults. - Set the LimitNOFILE ulimit in stunnel.service to allow for up to 10,000 concurrent clients. * Bugfixes - Fixed the "CApath" option on the WIN32 platform by applying https://github.com/openssl/openssl/pull/20312. - Fixed stunnel.spec used for building rpm packages. - Fixed tests on some OSes and architectures by merging Debian 07-tests-errmsg.patch (thx to Peter Pentchev). Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 1ff7d9f30884c75b98c8a0a4e1534fa79adcada2322635e6787337b4e38fdb81 stunnel-5.69.tar.gz 66c4f3bbb94c4a274f2e8e98e3d44e74c0460d6494986f0a94b9b8becdc63cc3 stunnel-5.69-win64-installer.exe 74813a0be13270b5348fc4bc7c16ada668d151773be19f404db1176b7e22aafc stunnel-5.69-android.zip Best regards, Mike

1 0

Can I use SCCM to push the install of stunnel to multiple devices
by kmbpabvmkrmtzuzurk＠bbitf.com 27 Feb '23

27 Feb '23

Just a quick question around this and are there any documentation/guides that could be useful?

1 0

Stunnel Configuration issues
by ringbretson＠keplp.com 22 Feb '23

22 Feb '23

I'm trying to create a FIX application that interfaces with ICE using Stunnel to provide encryption. I'm encountering a handshake failure trying to interface with the FIX application. I've copies portions of the Stunnel configuration file as well as the entire FIX configuration file below. Can you do a quick review of the two configuration files and tell me what I'm doing wrong? Both FIX and Stunnel are running on the same Windows 10 virtual pc. *** Stunnel ERRORS with accept set to 127.0.0.1:83 *** 2023.02.21 20:07:13 LOG5[main]: stunnel 5.68 on x64-pc-mingw32-gnu platform 2023.02.21 20:07:13 LOG5[main]: Compiled/running with OpenSSL 3.0.8 7 Feb 2023 2023.02.21 20:07:13 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI 2023.02.21 20:07:13 LOG5[main]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf 2023.02.21 20:07:13 LOG5[main]: UTF-8 byte order mark detected 2023.02.21 20:07:13 LOG5[main]: FIPS mode disabled 2023.02.21 20:07:13 LOG3[main]: No trusted certificates found 2023.02.21 20:07:13 LOG5[main]: Configuration successful 2023.02.21 20:07:25 LOG5[0]: Service [fix_initiator_session1_tunnel] accepted connection from 127.0.0.1:62314 2023.02.21 20:07:25 LOG5[0]: s_connect: connected 63.247.113.201:443 2023.02.21 20:07:25 LOG5[0]: Service [fix_initiator_session1_tunnel] connected remote server from 192.168.1.219:62315 2023.02.21 20:07:25 LOG3[0]: SSL_connect: ssl/record/rec_layer_s3.c:1605: error:0A000410:SSL routines::sslv3 alert handshake failure 2023.02.21 20:07:25 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2023.02.21 20:07:26 LOG5[1]: Service [fix_initiator_session1_tunnel] accepted connection from 127.0.0.1:62316 2023.02.21 20:07:26 LOG5[1]: s_connect: connected 63.247.113.201:443 2023.02.21 20:07:26 LOG5[1]: Service [fix_initiator_session1_tunnel] connected remote server from 192.168.1.219:62317 2023.02.21 20:07:26 LOG3[1]: SSL_connect: ssl/record/rec_layer_s3.c:1605: error:0A000410:SSL routines::sslv3 alert handshake failure 2023.02.21 20:07:26 LOG5[1]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket *** FIX ERRORS with accept set to 127.0.0.1:49200 *** Same errors in stunnel, but (Socket Error: An existing connection was forcibly closed by the remote host.) in FIX Application *** Stunnel configuration *** [fix_initiator_session1_tunnel] client = yes accept = 127.0.0.1:83 connect = 63.247.113.201:443 cert = stunnel.pem ciphers = PSK PSKsecrets = psk.txt *** FIX 4.4 Configuration *** [DEFAULT] ConnectionType=initiator ReconnectInterval=60 FileStorePath=c:\Temp\WebIce_Initiator FileLogPath=c:\Temp\WebIce_Initiator StartTime=00:00:00 EndTime=23:59:59 SocketConnectHost=127.0.0.1 SocketConnectPort=83 ResetOnLogon=Y ResetOnLogout=Y ResetOnDisconnect=Y [SESSION] BeginString=FIX.4.4 SenderCompID=8655 SenderSubID=0921 TargetCompID=ICE HeartBtInt=30 ValidateFieldsOutOfOrder=N UseDataDictionary=Y DataDictionary=C:\Applications\WebIceInitiator_Pub\FIX44.xml CheckLatency=N SSLEnable=Y SSLProtocols=Tls12 SSLValidateCertificates=N SSLCertificateRevocation=N SSLCertificate=C:\Applications\WebIceInitiator_Pub\Wildcard.ingsoftware.net. pfx SSLCertificatePassword=9322 SSLRequireClientCertificate=N ScreenLogEvents=N ScreenLogShowIncoming=N ScreenLogShowOutgoing=N ScreenLogShowHeartBeats=N

1 0

tstunnel.exe fails to start after updating from 5.67 to 5.68
by Yasuhiro Kimura 21 Feb '23

21 Feb '23

Hello, I install stunnel to my 64bit Windows 10 22H2 PC with official Windows installer and use tstunnel.exe to create TLS connection to IMAP server with configuration file as following ("debug=debug" line is added for debugging purpose). ---------------------------------------------------------------------- client=yes verify=2 checkHost=imap.example.org CApath=C:/Users/yasu/.certs debug=debug [13579] accept=localhost:13579 connect=imap.example.org:143 protocol=imap ---------------------------------------------------------------------- With version 5.67, tstunnel.exe successfully starts as following. ---------------------------------------------------------------------- C:\Users\yasu>tstunnel C:\Users\yasu\Temp\tstunnel.conf 2023.02.19 04:29:11 LOG6[ui]: Initializing inetd mode configuration 2023.02.19 04:29:11 LOG7[ui]: Running on Windows 6.2 2023.02.19 04:29:11 LOG7[ui]: No limit detected for the number of clients 2023.02.19 04:29:11 LOG5[ui]: stunnel 5.67 on x64-pc-mingw32-gnu platform 2023.02.19 04:29:11 LOG5[ui]: Compiled/running with OpenSSL 3.0.7 1 Nov 2022 2023.02.19 04:29:11 LOG5[ui]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI 2023.02.19 04:29:11 LOG7[ui]: errno: (*_errno()) 2023.02.19 04:29:11 LOG6[ui]: Initializing inetd mode configuration 2023.02.19 04:29:11 LOG7[ui]: Running on Windows 6.2 2023.02.19 04:29:11 LOG5[ui]: Reading configuration from file C:\Users\yasu\Temp\tstunnel.conf 2023.02.19 04:29:11 LOG5[ui]: UTF-8 byte order mark not detected 2023.02.19 04:29:11 LOG5[ui]: FIPS mode disabled 2023.02.19 04:29:11 LOG6[ui]: Compression disabled 2023.02.19 04:29:11 LOG7[ui]: No PRNG seeding was required 2023.02.19 04:29:11 LOG6[ui]: Initializing service [13579] 2023.02.19 04:29:11 LOG6[ui]: stunnel default security level set: 2 2023.02.19 04:29:11 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK 2023.02.19 04:29:11 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 2023.02.19 04:29:11 LOG7[ui]: TLS options: 0x2100000 (+0x0, -0x0) 2023.02.19 04:29:11 LOG6[ui]: Session resumption enabled 2023.02.19 04:29:11 LOG7[ui]: No certificate or private key specified 2023.02.19 04:29:11 LOG6[ui]: DH initialization skipped: client section 2023.02.19 04:29:11 LOG7[ui]: ECDH initialization 2023.02.19 04:29:11 LOG7[ui]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384 2023.02.19 04:29:11 LOG5[ui]: Configuration successful 2023.02.19 04:29:11 LOG7[ui]: Deallocating deployed section defaults 2023.02.19 04:29:11 LOG7[ui]: Binding service [13579] 2023.02.19 04:29:11 LOG7[ui]: Listening file descriptor created (FD=524) 2023.02.19 04:29:11 LOG7[ui]: Setting accept socket options (FD=524) 2023.02.19 04:29:11 LOG7[ui]: Option SO_EXCLUSIVEADDRUSE set on accept socket 2023.02.19 04:29:11 LOG6[ui]: Service [13579] (FD=524) bound to ::1:13579 2023.02.19 04:29:11 LOG7[ui]: Listening file descriptor created (FD=528) 2023.02.19 04:29:11 LOG7[ui]: Setting accept socket options (FD=528) 2023.02.19 04:29:11 LOG7[ui]: Option SO_EXCLUSIVEADDRUSE set on accept socket 2023.02.19 04:29:11 LOG6[ui]: Service [13579] (FD=528) bound to 127.0.0.1:13579 2023.02.19 04:29:11 LOG7[cron]: Cron thread initialized 2023.02.19 04:29:11 LOG6[cron]: Executing cron jobs 2023.02.19 04:29:11 LOG6[cron]: Cron jobs completed in 0 seconds 2023.02.19 04:29:11 LOG7[cron]: Waiting 86400 seconds ---------------------------------------------------------------------- And if I try `telnet localhost 13579`, then I can successfully connect to IMAP server. But after updating from 5.67 to 5.68, it fails to start as following. ---------------------------------------------------------------------- C:\Users\yasu>tstunnel C:\Users\yasu\Temp\tstunnel.conf [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [ ] No limit detected for the number of clients [.] stunnel 5.68 on x64-pc-mingw32-gnu platform [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 [.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*_errno()) [ ] Initializing inetd mode configuration [ ] Running on Windows 6.2 [.] Reading configuration from file C:\Users\yasu\Temp\tstunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [13579] [ ] stunnel default security level set: 2 [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] No certificate or private key specified [!] No trusted certificates found [!] Service [13579]: Failed to initialize TLS context [!] Configuration failed [ ] Deallocating temporary section defaults [ ] Deallocating section [13579] ---------------------------------------------------------------------- Why these different results happen? Is it bug of 5.68? Or it there any incompatible change between 5.67 and 5.68? --- Yasuhiro Kimura

2 2

No peer temporary key received
by Michael S. Chusovitin 17 Feb '23

17 Feb '23

Hi folks, is there any chance to grasp why such a line - "No peer temporary key received" - is logged immediately after successful negotiation? It does not look harmful but I cannot understand *how ECDHE can do without the ephemeral key*. 2023.02.17 20:33:41 LOG6[4]: TLS accepted: new session negotiated 2023.02.17 20:33:41 LOG6[4]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2023.02.17 20:33:41 LOG6[4]: No peer temporary key received 2023.02.17 20:33:41 LOG7[4]: Compression: null, expansion: null 2023.02.17 20:33:41 LOG6[4]: s_connect: connecting 127.0.0.1:9000 2023.02.17 20:33:41 LOG7[4]: s_connect: s_poll_wait 127.0.0.1:9000: waiting 10 seconds 2023.02.17 20:33:41 LOG7[4]: FD=524 ifds=--- ofds=r-- 2023.02.17 20:33:41 LOG7[4]: FD=540 ifds=rwx ofds=--- 2023.02.17 20:33:41 LOG5[4]: s_connect: connected 127.0.0.1:9000 The above is logged by Stunnel 5.67/5.68; whereas Stunnel 5.66 logs the very same moments differently: it says "SSL_get_peer_tmp_key: Peer suddenly disconnected" (but this can hardly be true). 2023.02.17 20:27:15 LOG6[4]: TLS accepted: new session negotiated 2023.02.17 20:27:15 LOG6[4]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2023.02.17 20:27:15 LOG3[4]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2023.02.17 20:27:15 LOG7[4]: Compression: null, expansion: null 2023.02.17 20:27:15 LOG6[4]: s_connect: connecting 127.0.0.1:9000 2023.02.17 20:27:15 LOG7[4]: s_connect: s_poll_wait 127.0.0.1:9000: waiting 10 seconds 2023.02.17 20:27:15 LOG7[4]: FD=512 ifds=--- ofds=r-- 2023.02.17 20:27:15 LOG7[4]: FD=528 ifds=rwx ofds=--- 2023.02.17 20:27:15 LOG5[4]: s_connect: connected 127.0.0.1:9000 Thanks in advance, Mikhail

1 0

blat, stunnel, and gmail with an app password
by blat_stunnel2023＠protonmail.com 17 Feb '23

17 Feb '23

I was using a Windows command line blat.exe mailer with stunnel along with a gmail account to send emails from a Windows command line batch file. Gmail started requiring I se the gmail account to allow "less secure" sign in options. That worked for a while, but in May 2022, gmail discontinued that option. It sounds like you can set two factor on the gmail account and then generate an app password for the gmail account. So I did that. I'm stumped on how to get either blat or stunnel to use that gmail app password though. Any ideas? Blat is looking super old though. I see when I set up this computer to with blat-stunnel-gmail, that I ran a line with blat.exe to store the gmail password. I don't see a way to store an app password, but blat is old. This is blat. http://www.blat.net./ Looks like the last update was in 2012, so app passwords may not have even existed then. Is there any way to stunnel to store a gmail app password? My goal is just to send an email from a Windows machine with either a Windows batch file or PowerShell script. It's not mission critical. It's for home use. I just like to get email alerts when my home machines complete some task. If something else works, I'm interested. It needs to work in a batch file though, or at least powershell if a batch file can't work. For my previous set up, I just kept stunnel updated, initially set up blat with the email information, and used only a batch file with blat to send emails from a gmail account. And then it was making sure less secure apps was an option on the gmail account. Now it's been broken for almost a year.

2 2

Windows offical release - Anyone knows which compiler is used ? VS or minigw ?
by roie rachamim 13 Feb '23

13 Feb '23

Many thanks, Roie

1 0

stunnel 5.68 released
by Michał Trojnara 12 Feb '23

12 Feb '23

Dear Users, I have released version 5.68 of stunnel. ### Version 5.68, 2023.02.07, urgency: HIGH * Security bugfixes - OpenSSL DLLs updated to version 3.0.8. * New features - Added the new 'CAengine' service-level option to load a trusted CA certificate from an engine. - Added requesting client certificates in server mode with 'CApath' besides 'CAfile'. * Bugfixes - Fixed EWOULDBLOCK errors in protocol negotiation. - Fixed handling TLS errors in protocol negotiation. - Prevented following fatal TLS alerts with TCP resets. - Improved OpenSSL initialization on WIN32. - Improved testing suite stability. - Improved file read performance. - Improved logging performance. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: dcd895ab088b043d4e0bafa8b934e7ab3e697293828dbe9fce46cb7609a7dacf stunnel-5.68.tar.gz 62807f6233c8a5693104c09b44ebde6cc395877d948651c3ff0767e07ccdd316 stunnel-5.68-win64-installer.exe 93291060fdfc889431e8bce5cfe875b23be2bac11e2338f8f8f84d509f1b33fa stunnel-5.68-android.zip Best regards, Mike

2 1

Cannot establish tunnel
by andrew.haworth＠roche.com 11 Feb '23

11 Feb '23

Hi, I am new to stunnel on a MAC. When I run stunnel with the enabled configuration [mllp-to-dip], I am prompted for a local password and then for my certificate passphrase. I am not able to establish a tunnel. See logs: Initializing service [mllp-to-dip] [ ] stunnel default security level set: 2 [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /opt/homebrew/etc/stunnel/test_client.cert.pem [ ] Certificate loaded from file: /opt/homebrew/etc/stunnel/test_client.cert.pem [ ] Loading private key from file: /opt/homebrew/etc/stunnel/test_client_cert.pem [:] Insecure file permissions on /opt/homebrew/etc/stunnel/test_client_cert.pem [ ] Private key loaded from file: /opt/homebrew/etc/stunnel/test_client_cert.pem [ ] Private key check succeeded [:] Service [mllp-to-dip] needs authentication to prevent MITM attacks [ ] DH initialization skipped: client section [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [mllp-to-dip] [ ] Listening file descriptor created (FD=9) [ ] Setting accept socket options (FD=9) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [mllp-to-dip] to :::6661: Address already in use (48) [ ] Listening file descriptor created (FD=9) [ ] Setting accept socket options (FD=9) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [mllp-to-dip] to 0.0.0.0:6661: Address already in use (48) [!] Binding service [mllp-to-dip] failed [ ] Unbinding service [mllp-to-dip] [ ] Service [mllp-to-dip] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [mllp-to-dip] Can someone help with my troubleshooting steps?

4 5

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users