- stunnel-users - stunnel.org

Re: [stunnel-users] 4.39 RPM
by Jack Liu 21 Jul '11

21 Jul '11

Thank you so much for making RPMs for me~=D Mr. Jack Date: Mon, 18 Jul 2011 20:20:04 -0700 From: josealf(a)rocketmail.com Subject: Re: [stunnel-users] 4.39 RPM To: jackliu92(a)hotmail.com; stunnel-users(a)stunnel.org Jack, Take a look at my RPMs for CentOS 5. These follow the same conventions as the official RPMS:- By default log to authpriv instead of daemon facility- sample config file adjusted.- I also set the /etc/init.d/stunnel init script executable Binaries were compiled with gcc 4.4. Should work on similar systems (RHEL 5, Scientific Linux 5, Oracle Linux 5 or later). You should be able to build your own binaries starting from the source rpm. My apologies if posting attachments on this list is not encouraged. Regards,Jose From: Jack Liu <jackliu92(a)hotmail.com> To: stunnel-users(a)stunnel.org Sent: Wednesday, July 13, 2011 3:14 AM Subject: [stunnel-users] 4.39 RPM Does anyone have version 4.39 RPM inst package or knows where to download it? Thank you! _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users

1 0

misconfiguration of transparent proxy
by Marco Strullato 19 Jul '11

19 Jul '11

Hi all, is there any way to use stunnel to proxy a connection without using encryption? I have an application that is listening on 0.0.0.0:port but which refuses connection if not coming from localhost:port and that application is reachable only with telnet, with no encryption. I have found a possible configuration that is the following: chroot = /var/run/stunnel/ setuid = nobody setgid = nobody pid = /stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel.log transparent=yes [AppSrv01] accept = 5776 connect = 4776 [AppSrv02] accept = 5777 connect = 4777 but it seems not working: that is the log. 2011.07.06 11:08:20 LOG5[30375:47349987463360]: stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 2011.07.06 11:08:20 LOG5[30375:47349987463360]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2011.07.06 11:08:20 LOG6[30375:47349987463360]: file ulimit = 1024 (can be changed with 'ulimit -n') 2011.07.06 11:08:20 LOG6[30375:47349987463360]: poll() used - no FD_SETSIZE limit for file descriptors 2011.07.06 11:08:20 LOG5[30375:47349987463360]: 500 clients allowed 2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 4 in non-blocking mode 2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 5 in non-blocking mode 2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 6 in non-blocking mode 2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket 2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv01 bound to 0.0.0.0:5776 2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 7 in non-blocking mode 2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket 2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv02 bound to 0.0.0.0:5777 2011.07.06 11:08:20 LOG7[30376:47349987463360]: Created pid file /stunnel.pid 2011.07.06 11:08:30 LOG7[30376:47349987463360]: AppSrv01 accepted FD=8 from 10.0.1.11:41922 2011.07.06 11:08:30 LOG7[30376:1094314304]: AppSrv01 started 2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 8 in non-blocking mode 2011.07.06 11:08:30 LOG7[30376:1094314304]: TCP_NODELAY option set on local socket 2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 9 in non-blocking mode 2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 10 in non-blocking mode 2011.07.06 11:08:30 LOG7[30376:47349987463360]: Cleaning up the signal pipe 2011.07.06 11:08:30 LOG6[30376:47349987463360]: Child process 30384 finished with code 0 2011.07.06 11:08:30 LOG7[30376:1094314304]: Connection from 10.0.1.11:41922 permitted by libwrap 2011.07.06 11:08:30 LOG5[30376:1094314304]: AppSrv01 connected from 10.0.1.11:41922 2011.07.06 11:08:30 LOG7[30376:1094314304]: SSL state (accept): before/accept initialization 2011.07.06 11:08:43 LOG3[30376:1094314304]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol 2011.07.06 11:08:43 LOG5[30376:1094314304]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.07.06 11:08:43 LOG7[30376:1094314304]: AppSrv01 finished (0 left) and from the standard out I get: 2011.07.06 11:08:20 LOG7[30375:47349987463360]: Snagged 64 random bytes from /home/user/.rnd 2011.07.06 11:08:20 LOG7[30375:47349987463360]: Wrote 1024 new random bytes to /home/user/.rnd 2011.07.06 11:08:20 LOG7[30375:47349987463360]: RAND_status claims sufficient entropy for the PRNG 2011.07.06 11:08:20 LOG6[30375:47349987463360]: PRNG seeded successfully 2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem 2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem 2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv01 2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem 2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem 2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv02 What happens connecting with telnet is: Trying 10.0.2.140... Connected to server. Escape character is '^]'. It seems the connection is successful but with tcpdump I see nothing and moreover I see nothing also in the application log. If I type something nothing happens. It seems that the flow is not passed to the destination port. Do you have any hint? Thanks! -- Marco

5 5

stunnel 4.40b1
by Michal Trojnara 18 Jul '11

18 Jul '11

Dear Users, I have just added a new Windows GUI menu to save peer certificate chains. Please to give it a try and let me know if there are any issues, so I can fix them in the final stunnel 4.40: ftp://ftp.stunnel.org/stunnel/stunnel-4.40b1-installer.exe Another useful function would probably be a replacement for Unix c_rehash script. 8-) I also appreciate your comments are suggestions related to the new functionality. Best regards, Mike

1 0

Windows 7 connection to HTTPS server
by Daniel Pierce 10 Jul '11

10 Jul '11

stunnel user group, Thanks Yucong Sun or your help. I have changed the configuration file values to the values that you recommended. I didn't read the documentation careful enough. [https] accept = 3600 connect = partnerlogin.advancedmd.com <https://partnerlogin.advancedmd.com/practicemanager/xmlrpc/processrequest.a sp> :443 (stopped and started the windows service to get the new configuration) HOWEVER I'm still not getting stunnel to provide the interface to the https web server. I have a http client software which I have tried both GET and POST calls to https://localhost:3600/practicemanager/xmlrpc/processrequest.asp <blocked::https://localhost:3600/practicemanager/xmlrpc/processrequest.asp> Every time the interface comes back with the error "The Connection to the Server was Reset while the Page was Loading" So I decided to try the page using a standard web browser (Firefox and IE) thinking that my client software may have a problem. I opened the browser and entered the address https://localhost:3600/practicemanager/xmlrpc/processrequest.asp <blocked::https://localhost:3600/practicemanager/xmlrpc/processrequest.asp> Got the same results. So I changed the configuration to go to the same web site as gmail with the following configuration. [https] accept = 3600 connect = mail.google.com:443 When I try to open the page with the browser to address https://localhost:3600/mail/?hl=en <blocked::https://localhost:3600/mail/?hl=en&shva=1#inbox> &shva=1#inbox, I get the same error message. NEXT I started WIRESHARK on the network and filtered for packets coming from/to my host computer. When I enter https://localhost:3600/mail/?hl=en <blocked::https://localhost:3600/mail/?hl=en&shva=1#inbox> &shva=1#inbox on the browser. The following details were captured by WIRESHARK. Source Destination Protocol Lenth Info 74.125.225.53 192.168.1.70 TLSV1 107 Application Data Protocol: http 192.168.1.70 74.125.255.53 TCP 54 https [ACK] Seq=1 Ack=54 win=16181 Len=0 74.125.225.53 192.168.1.70 TLSV1 112 Application Data Protocol: http 192.168.1.70 74.125.255.53 TLSV1 81 Encrypted Alert 192.168.1.70 74.125.255.53 TCP 54 60089 > https [FIN, ACK] Seq=28 Ack=112 win=16167 Len=0 192.168.1.70 74.125.255.54 TCP 1484 [TCP segment of a reassembled PDU] 192.168.1.70 74.125.255.53 TLSv1 316 Application Data 74.125.225.53 192.168.1.70 TCP 60 https > 60089 [FIN, ACK] Seq=112 Ack=29 win=196 len=0 192.168.1.70 74.125.255.53 TCP 54 60089 > https [ACK] Seq=29 Ack=113 win=16167 Len=0 74.125.225.54 192.168.1.70 TCP 60 https > 60113 [ACK] Seq=1 Ack=1693 win=285 len=0 74.125.225.54 192.168.1.70 TLSV1 457 Application Data Protocol: http 192.168.1.70 74.125.255.54 TCP 54 60113 > https [ACK] Seq=1693 Ack=404 win=16445 Len=0 SO the packets are being sent and returned, but the protocol is erroring out for GOOGLE MAIL. NEXT When I configure the service for the other https web server. https://localhost:3600/practicemanager/xmlrpc/processrequest.asp <blocked::https://localhost:3600/practicemanager/xmlrpc/processrequest.asp> I get a simular exchange, but more reference to change cipher Spec. and http RST for different ip address Source Destination Protocol Lenth Info 192.168.1.70 74.125.255.54 TCP 66 60840 > https [SYN] 74.125.225.54 192.168.1.70 TCP 66 https > 60840 [SYN, ACK] 192.168.1.70 74.125.255.54 TCP 54 60840 > https [ACK] 192.168.1.70 74.125.255.54 TLSv1 451 client Hello 74.125.225.54 192.168.1.70 TCP 60 https > 60840 [ACK] 74.125.225.54 192.168.1.70 TLSv1 97 change cipher Spec, Encrypted Handshake Message 192.168.1.70 74.125.255.54 TLSv1 162 Application Data 74.125.225.54 192.168.1.70 TCP 60 https > 60840 [ACK] 192.168.1.70 98.137.80.34 TCP 54 60819 > http [RST, ACK] STUNNEL LOG for partnerlogin.advancedmd.com:443 NO OBVIOUS ERRORS 2011.07.08 21:31:21 LOG7[4960:4568]: No limit detected for the number of clients 2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#1: FD=144 allocated (blocking mode) 2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#2: FD=148 allocated (blocking mode) 2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_accept: FD=152 allocated (non-blocking mode) 2011.07.08 21:31:21 LOG5[4960:4568]: stunnel 4.39 on x86-pc-mingw32-gnu platform 2011.07.08 21:31:21 LOG5[4960:4568]: Compiled/running with OpenSSL 1.0.0d 8 Feb 2011 2011.07.08 21:31:21 LOG5[4960:4568]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT,IPv6 2011.07.08 21:31:21 LOG5[4960:4568]: Reading configuration from file stunnel.conf 2011.07.08 21:31:21 LOG7[4960:4568]: Snagged 64 random bytes from C:/.rnd 2011.07.08 21:31:22 LOG7[4960:4568]: Wrote 1024 new random bytes to C:/.rnd 2011.07.08 21:31:22 LOG7[4960:4568]: PRNG seeded successfully 2011.07.08 21:31:22 LOG7[4960:4568]: Configuration SSL options: 0x01000000 2011.07.08 21:31:22 LOG7[4960:4568]: SSL options set: 0x01000004 2011.07.08 21:31:22 LOG7[4960:4568]: Certificate: stunnel.pem 2011.07.08 21:31:22 LOG7[4960:4568]: Certificate loaded 2011.07.08 21:31:22 LOG7[4960:4568]: Key file: stunnel.pem 2011.07.08 21:31:22 LOG7[4960:4568]: Private key loaded 2011.07.08 21:31:22 LOG7[4960:4568]: SSL context initialized for service http 2011.07.08 21:31:22 LOG5[4960:4568]: Configuration successful 2011.07.08 21:31:22 LOG7[4960:4568]: accept socket: FD=144 allocated (non-blocking mode) 2011.07.08 21:31:22 LOG7[4960:4568]: Option SO_REUSEADDR set on accept socket 2011.07.08 21:31:22 LOG7[4960:4568]: Service http bound to 0.0.0.0:3600 2011.07.08 21:31:22 LOG7[4960:4568]: Service http opened FD=144 Do I need to have the Public Key Certificate for the remote serve installed in stunnel for it to access the page? I'm trying to find a simple configuration to prove out that the basic stunnel application is working. Any suggestions? Is there something basic that I'm missing? If I send a GET request, I should get a response from the https server that CONNECT is configurred for. Is there a compatibility issue between OpenSSL and https web server? Thanks in advance for the help. Dan

2 3

problem running on Mac OS X
by athir＠nuaimi.com 07 Jul '11

07 Jul '11

Hi there. I've built stunnel on the Mac (including the patch for str.c) and have problem when I run it. Whenever it gets a request on one side (from a browser), I see the following in the log. The weird thing is that when I run stunnel in gdb it works?? 2011.07.05 17:51:00 LOG7[6300:4297842688]: Service https started 2011.07.05 17:51:00 LOG7[6300:4297842688]: Option TCP_NODELAY set on local socket 2011.07.05 17:51:00 LOG7[6300:4297842688]: Waiting for a libwrap process 2011.07.05 17:51:00 LOG7[6300:4297842688]: Acquired libwrap process #0 2011.07.05 17:51:00 LOG3[6300:4297842688]: Unexpected socket close (read_blocking) 2011.07.05 17:51:00 LOG5[6300:4297842688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket Any advice would be appreciated. thanks Athir Nuaimi

3 2

Windows 7 connection to HTTPS server
by Daniel Pierce 07 Jul '11

07 Jul '11

stunnel user group, I'm trying to use stunnel to connect to a secure web server to do an XML interface, but I'm having no luck. What am I missing? Environment OS = Windows 7 Ultimate stunnel version = 4.39 (latest release) stunnel installed as service and is running. Windows Firewall = OFF, but have added stunnel to the application list Anti-Virus = ESET, have disabled Web Access Protection Configuration File cert = stunnel.pem options = NO_SSLv2 debug = 7 output = c:\Program files\stunnel\stunnel.log client = yes [https] accept = 3600 connect = <https://partnerlogin.advancedmd.com/practicemanager/xmlrpc/processrequest.a sp> https://partnerlogin.advancedmd.com/practicemanager/xmlrpc/processrequest.as p ;TIMEOUTclose = 0 Log File 2011.07.06 16:00:07 LOG7[5880:6040]: No limit detected for the number of clients 2011.07.06 16:00:07 LOG7[5880:6040]: make_sockets: s_socket#1: FD=136 allocated (blocking mode) 2011.07.06 16:00:07 LOG7[5880:6040]: make_sockets: s_socket#2: FD=140 allocated (blocking mode) 2011.07.06 16:00:07 LOG7[5880:6040]: make_sockets: s_accept: FD=144 allocated (non-blocking mode) 2011.07.06 16:00:07 LOG5[5880:6040]: stunnel 4.39 on x86-pc-mingw32-gnu platform 2011.07.06 16:00:07 LOG5[5880:6040]: Compiled/running with OpenSSL 1.0.0d 8 Feb 2011 2011.07.06 16:00:07 LOG5[5880:6040]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT,IPv6 2011.07.06 16:00:07 LOG5[5880:6040]: Reading configuration from file stunnel.conf 2011.07.06 16:00:07 LOG7[5880:6040]: Snagged 64 random bytes from C:/.rnd 2011.07.06 16:00:07 LOG7[5880:6040]: Wrote 1024 new random bytes to C:/.rnd 2011.07.06 16:00:07 LOG7[5880:6040]: PRNG seeded successfully 2011.07.06 16:00:07 LOG3[5880:6040]: Unknown TCP service '//partnerlogin.advancedmd.com/practicemanager/xmlrpc/processrequest.asp' 2011.07.06 16:00:07 LOG6[5880:6040]: Cannot resolve 'https://partnerlogin.advancedmd.com/practicemanager/xmlrpc/processrequest.a sp' - delaying DNS lookup 2011.07.06 16:00:07 LOG7[5880:6040]: Configuration SSL options: 0x01000000 2011.07.06 16:00:07 LOG7[5880:6040]: SSL options set: 0x01000004 2011.07.06 16:00:07 LOG7[5880:6040]: Certificate: stunnel.pem 2011.07.06 16:00:07 LOG7[5880:6040]: Certificate loaded 2011.07.06 16:00:07 LOG7[5880:6040]: Key file: stunnel.pem 2011.07.06 16:00:07 LOG7[5880:6040]: Private key loaded 2011.07.06 16:00:07 LOG7[5880:6040]: SSL context initialized for service https 2011.07.06 16:00:07 LOG5[5880:6040]: Configuration successful 2011.07.06 16:00:07 LOG7[5880:6040]: accept socket: FD=136 allocated (non-blocking mode) 2011.07.06 16:00:07 LOG7[5880:6040]: Option SO_REUSEADDR set on accept socket 2011.07.06 16:00:07 LOG7[5880:6040]: Service https bound to 0.0.0.0:3600 2011.07.06 16:00:07 LOG7[5880:6040]: Service https opened FD=136 I can open a Firefox browser and the designated URL address resolves, but stunnel cannot resolve it. Do I have the configuration wrong or is Windows 7 blocking the connection? I'm able to send an XML message from by application to 127.0.0.1:3600 and stunnel responds with a successful but EMPTY RESPONSE. Thanks in advance for your help. Dan Pierce Xpert Assist Corp.

2 1

stunnel 4.39 released
by Michal Trojnara 07 Jul '11

07 Jul '11

Dear Users, I have just released version 4.39 of stunnel. This version includes major improvements of the Windows GUI and installer. The ChangeLog entry: Version 4.39, 2011.07.06, urgency: LOW: * New features - New Win32 installer module to build self-signed stunnel.pem. - Added configuration file editing with Windows GUI. - Added log file reopening file editing with Windows GUI. It might be useful to also implement log file rotation. - Improved configuration file reload with Windows GUI. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.39.tar.gz: 972e4c150e3012ba8777f149c858e1e290aeb7ad7976e1551ac1752bc04fb0ed Best regards, Mike

1 0

stunnel 4.38 released
by Michal Trojnara 29 Jun '11

29 Jun '11

Dear Users, I have just released version 4.38 of stunnel. The ChangeLog entry: Version 4.38, 2011.06.28, urgency: MEDIUM: * New features - Server-side SNI implemented (RFC 3546 section 3.1) with a new service-level option "nsi". - "socket" option also accepts "yes" and "no" for flags. - Nagle's algorithm is now disabled by default for improved interactivity. * Bugfixes - A compilation fix was added for OpenSSL version < 1.0.0. - Signal pipe set to non-blocking mode. This bug caused hangs of stunnel features based on signals, e.g. local mode, FORK threading, or configuration file reload on Unix. Win32 platform was not affected. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.38.tar.gz: aa49012195fde4dc3e4bed2bb25283cb40a6e0ad8295a47e730652f611e2268c Best regards, Mike

2 1

STunnel on 443 (ip1) and iis (443) on ip2?
by R. van der Gugten 27 Jun '11

27 Jun '11

Hi, Is it possible to run STunnel on my server to lisen to IP1 on port 443 And to have IIS listen to IP2 on port 443? Should I make changes in the config file? Thanks, Reinier Current server stunnel file: cert = stunnel.pem key = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Authentication stuff verify = 2 CAfile = certs.pem ; Use it for client mode client = no ; Service-level configuration [SQLServer] accept = <<IP1:xxx.xxx.xxx.xxx>>:443 connect = 127.0.0.1:31433

2 1

Stuunnel Help
by Chris Pershin 24 Jun '11

24 Jun '11

Hello All, I am new to stunnel and am trying to solve a problem. When I try to start stunnel I get the following log file Reading configuration from file stunnel.conf PRNG seeded successfully Certificate: stunnel.pem Certificate loaded Key file: stunnel.pem Private key loaded SSL context initialized for service pop3s Certificate: stunnel.pem Certificate loaded Key file: stunnel.pem Private key loaded SSL context initialized for service imaps Certificate: stunnel.pem Certificate loaded Key file: stunnel.pem Private key loaded SSL context initialized for service ssmtp Configuration successful No limit detected for the number of clients accept socket: FD=164 allocated (non-blocking mode) Option SO_REUSEADDR set on accept socket Service pop3s bound to 0.0.0.0:110 Service pop3s opened FD=164 accept socket: FD=188 allocated (non-blocking mode) Option SO_REUSEADDR set on accept socket Service imaps bound to 0.0.0.0:143 Service imaps opened FD=188 accept socket: FD=196 allocated (non-blocking mode) Option SO_REUSEADDR set on accept socket Error binding ssmtp to 0.0.0.0:25 bind: No error (0) Server is down My Config file is: cert = stunnel.pem socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 client = yes [pop3s] accept = 110 connect = pop.gmail.com:995 [imaps] accept = 143 connect = imap.gmail.com:993 [ssmtp] accept = 25 connect = smtp.gmail.com:465 Can someone please help me? Thanks Chris

2 1