- stunnel-users - stunnel.org

stunnel on osX
by fmgre-dell＠yahoo.fr 30 Sep '06

30 Sep '06

>From: Michal Trojnara <Michal.Trojnara(a)mobi-com.net> >Subject: Re: [stunnel-users] Tr: failure notice >To: stunnel-users(a)mirt.net >Message-ID: <200609292118.57291.Michal.Trojnara(a)mobi-com.net> >Content-Type: text/plain; charset="utf-8" >On Friday 29 September 2006 16:11, fmgre-dell(a)yahoo.fr wrote: >> We have been using stunnel for 2 years now. >> We need to renew our keys, and we usually proceed to a >> software upgrade at the same time. >> Â >> - I have noticed changes in stunnel-client ( 4.16 ) >> running on OSX : now, stunnel asks for the key >> password for each service it is launching. > >Just password from your private key. 8-) > Hello, What i mean is that we have 8 different services running. they are all locked with the same key. We distribute the private key to other non-computer persons, who don t know how to remove a password from a key ( and we 'd like to keep the key locked ) With the former version of stunnel, we could unlock the 8 services with typing the password only once With the latest version, we need to type in the keyword once for every service ( i.e. 8 times !!! ) Is there any way to 'ease' the use of the latest version while keeping the key passworded ? bon week end fred ___________________________________________________________________________ Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. http://fr.answers.yahoo.com

2 1

Help please - debug and random file
by Eric S. Eberhard 30 Sep '06

30 Sep '06

Hello everyone. I have not been on the list for a long time. I last compiled openssl and stunnel in 2000 or so and have been using the same code ever since. I use it very simply in client mode ... I have an application to authorize credit cards and it connect to stunnel in inetd mode (with -c in the command line). visanet is now requiring version 2 SSL so I have to change so I got all the new stuff and compiled it up and made a .conf file. I have two problems (for now :-) ): 1) No matter what I do it seems that at least some debug is coming back through the socket, and no debug is going to my debug file 2) The debug I am getting is very strange -- the first time it says "Snagged 64 from bytes from stunnel.rnd" The second time it says "Unable to retrieve any random data from stunnel.rnd" When I examine the file it has a current date and zero bytes. If I copy back my old (2000) stunnel.rnd it always reads once, and then writes it back out with zero bytes. I am AIX 4.3.3 and I compiled with xlc and the only option I used that was not default was to not link in the wrappers. I did get a ton of warnings that the "-pthreaded" option was not valid ... but it executes and responds so I am not sure that matters? Or should I do something (what?) about that? My configuration files for the service (visanet) is: output = /tmp/stunnel.log debug = 7 RNDfile = /visanet/ssl/stunnel.rnd [visanet] client = yes connect = ssllab.pgs.wcom.net:443 sslVersion = SSLv2 protocol = smtp cert = /viasanet/ssl/stunnel.pem The rnd file and cert file are from 2000 (old old old!). I would have expected a file /tmp/stunnel.log -- the file is not even created! The old inetd line was: (blah blah) stunnel -r ssllab.pgs.wcom.net:443 -c -R /visanet/sslold/stunnel.rnd What stupid thing am I doing wrong? Does anyone else have experience using stunnel with visanet and can they give me any pointers? Thanks! Eric This email sent by: Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax 928-301-7537 -- you may call any time day or night, I turn it off when I sleep :-) Please try to use a land line first (reception often poor). Note the change in the domain from vicspdi.com to vicsmba.com !!!! For Metropolis support and VICS MBA Support!!!! http://www.vicsmba.com Completely updated web site of personal pictures with many new pictures! Includes horses, dogs, Corvairs, and more. http://www.vicsmba.com/ourpics/index.html Corvair pictures including the Judson setup on our 62 Sedan and lots of pictures of Cheryl's 62 Monza Wagon and our 62 Spyder convertible. http://www.vicsmba.com/ourpics/corvairs.html My younger brother Martin has started a very serious car company. A hot rod (very fast) electric roadster is the first offering. The chassis is built by Lotus to their specs. Check it out: http://www.teslamotors.com

1 0

Tr: failure notice
by fmgre-dell＠yahoo.fr 29 Sep '06

29 Sep '06

Hello, We have been using stunnel for 2 years now. We need to renew our keys, and we usually proceed to a software upgrade at the same time. - I have noticed changes in stunnel-client ( 4.16 ) running on OSX : now, stunnel asks for the key password for each service it is launching. - a collegue is running stunnel ( client ) on windows and told me that the 4.15 and 4.16 version keeps on crashing on windows. Anybody with the same symptoms ( and possiby a workaround ? ) :-) ( we use keys which are protected by a password, we launch the stunnel ( client ) manually and type in the password for the service to start ) Sincerely, Fred ___________________________________________________________________________ Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. http://fr.answers.yahoo.com

2 1

create_client failed
by James 29 Sep '06

29 Sep '06

I am running Debian 3.1 (stable) with stunnel 3.26 (Debian package) to wrap my qmail pop3 daemon. Stunnel works properly for a good amount of time, but at a point (I am unable to find any specific influencing factors) it begins to fail with the error, "Connection reject: create_client failed" (see below for more info). To fix the error I have to kill and restart stunnel. I have adjusted the timeouts for both stunnel and the pop3 daemon, but nothing appears to have a lasting affect. When stunnel errors out the pop3 daemon is still available and can be connected to, so it does not appear to be an issue related to stunnel not being able to talk to the pop3 daemon. Below I have some of the debugging and system information regarding the system and problem. I would be more than appreciative if anyone had some input. Thank you. # Error stunnel[2500]: pop3 accepted FD=9 ###.###.###.### stunnel[2500]: Connection rejected: create_client failed # strace -p select(7, [4 6], NULL, NULL, NULL) = 1 (in [6]) fcntl64(6, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0 accept(6, {sa_family=AF_INET, sin_port=htons(63759), sin_addr=inet_addr("###.###.###.###")}, [16]) = 9 fcntl64(6, F_SETFL, O_RDWR) = 0 fcntl64(9, F_SETFD, FD_CLOEXEC) = 0 rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT TERM CHLD], [], 8) = 0 mmap2(NULL, 8388608, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory) rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 close(9) = 0 time([1159535901]) = 1159535901 getpid() = 21864 rt_sigaction(SIGPIPE, {0x40253a70, [], 0}, {SIG_IGN}, 8) = 0 send(3, "<27>Sep 29 09:18:21 stunnel[2186"..., 77, 0) = 77 rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0 close(9) = -1 EBADF (Bad file descriptor) # uname -a 2.6.8-3-686-smp #1 SMP Thu Sep 7 04:39:15 UTC 2006 i686 GNU/Linux # libc version GNU C Library stable release version 2.3.2 # Command Running /usr/sbin/stunnel -d pop3s -r pop3 -p /etc/ssl/certs/pop3d.pem -R /dev/urandom -s nobody -g root # stunnel -V stunnel 3.26 on i386-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004 Default behaviour: run in inetd mode (unless -d used) run in background (unless -f used) run in ssl server mode (unless -c used) Compile time defaults: -v level no verify -a directory /etc/ssl/certs -A file (none) -S sources 3 -t timeout 300 seconds -B bytes 64 -D level 5 -P pid dir /var/run/stunnel/ -p pemfile in server mode: /etc/ssl/certs/stunnel.pem in client mode: none Socket option defaults: Option Accept Local Remote OS default SO_DEBUG -- -- -- 0 SO_DONTROUTE -- -- -- 0 SO_KEEPALIVE -- -- -- 0 SO_LINGER -- -- -- 0:0 SO_OOBINLINE -- -- -- 0 SO_RCVBUF -- -- -- 87380 SO_SNDBUF -- -- -- 16384 SO_RCVLOWAT -- -- -- 1 SO_SNDLOWAT -- -- -- 1 SO_RCVTIMEO -- -- -- 0:0 SO_SNDTIMEO -- -- -- 0:0 SO_REUSEADDR 1 -- -- 0 SO_BINDTODEVICE -- -- -- -- IP_TOS -- -- -- 0 IP_TTL -- -- -- 64 TCP_NODELAY -- -- -- 0

1 0

SSL and keep alive
by Alex Turner 29 Sep '06

29 Sep '06

All, I am load testing stunnel as a front end to a web server. The problem I have is that the connection is dropping even though JMeter is set to keep-alive on the http sampler. I was wondering if anyone knew if this was a JMeter issue – IE it does not do http1.1 properly with SSL or should I dig deeper? The stunnel log just shows the socket being closed down at the end of each request. Now – as stunnel should not care what data is going over ssl, then there must be something from JMeter that is triggering it to drop the socket. My thinking is that this is either an SSL session end or an actual FIN. In the absence of any feedback – I think I will try using stunnel in both client and server modes and, as I already know JMeter is OK at keep-alive non https – I should thus find out where the issue lays. Thanks for any info AJ PS – I am working on XP both ends with JMeter 2.2 and the latest stunnel. PPS – Naturally, once I have this figured I will post the method and results to nerds-central Alexander J Turner Ph.D. HYPERLINK "http://www.deployview.com"www.deployview.com HYPERLINK "http://www.nerds-central.blogspot.com"www.nerds-central.blogspot.com HYPERLINK "http://www.project-network.com"www.project-network.com -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.405 / Virus Database: 268.12.9/457 - Release Date: 26/09/2006

2 3

Zombies in 4.17?
by Pete Resnick 28 Sep '06

28 Sep '06

I'm running 4.17 on a Mac Mini (Intel) running MacOSX 10.4.7 and I'm seeing a slew of zombies. Anything I can do to track down what the problem is? pr -- Pete Resnick <http://www.episteme-software.com/> All connections to the world are tenuous at best

2 2

stunnel 4.18 released
by Michal Trojnara 26 Sep '06

26 Sep '06

Version 4.18, 2006.09.26, urgency: MEDIUM: * Bugfixes - GPF on entering private key pass phrase on Win32 fixed. - Updated Win32 OpenSSL DLLs. - Minor configure script update. Home page: http://stunnel.mirt.net/ Download: ftp://stunnel.mirt.net/stunnel/ sha1sum for stunnel-4.18.tar.gz: 3ed3eaefae91d80fcfcbb29dd285d0f773756397 Best regards, Mike

1 0

Windows OpenSSL DLL Version
by algol sigfrid 26 Sep '06

26 Sep '06

2 1

seg fault stunnel 4-14 on SLES10
by Jon Howse 22 Sep '06

22 Sep '06

Hi, I am getting a seg fault with stunnel on an installation of SLES10. This is the first SLES10 server I have set up after having set up many SLES9 servers (approx twelve) which all communicate through stunnel to a central syslog server. The version of stunnel we are using on SLES9 is: stunnel-4.05-20.1. The other machines are a mix of 32bit and 64bit Xeons. The seg fault seems to happen when syslog starts to talk through stunnel. The program is a binary rpm install for 64bit SLES10 and is being run in standalone mode as a client connecting to a stunnel/syslog server running SLES9. OS:- SLES10 x86_64 Packages:- Stunnel 4-14-14.2 Syslog-ng-1.6.8-20.4 Openssl-0.9.8a-18.4 uname -a: Linux server 2.6.16.21-0.15-smp #1 SMP Tue Jul 25 15:28:49 UTC 2006 x86_64 x86_64 x86_64 GNU/Linux libc version: libc.so.6 => /lib64/libc.so.6 (0x00002ae068cf2000) openssl version: OpenSSL 0.9.8a 11 Oct 2005 stunnel.conf:- # Copyright by Michal Trojnara 2002-2004 # --with changes for SuSE package # client = yes | no # client mode (remote service uses SSL) # default: no (server mode) client = yes # # chroot + user (comment out to disable) # chroot = /var/lib/stunnel/ setuid = stunnel setgid = nogroup # note about the chroot feature and the "exec" keyword to start other # services... # while the init script /etc/init.d/stunnel will copy the binaries and libraries # into the chroot jail, more files might be needed in the jail (configuration files etc.) pid = /var/run/stunnel.pid # # debugging # debug = 7 output = /var/log/stunnel.log # # Some performance tunings # # disable Nagle algorithm (a.k.a. tinygram prevention, see man 7 tcp) socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 # compression = rle # Workaround for Eudora bug #options = DONT_INSERT_EMPTY_FRAGMENTS # Authentication stuff # verify = 2 # Don't forget to c_rehash CApath; CApath is located inside chroot jail: # CApath = /certs # It's often easier to use CAfile: # CAfile = /etc/stunnel/certs.pem # Don't forget to c_rehash CRLpath; CRLpath is located inside chroot jail: # CRLpath = /crls # Alternatively you can use CRLfile: # CRLfile = /etc/stunnel/crls.pem CAfile = /etc/openldap/rootcert.pem cert = /etc/ssl/certs/thorincert.pem key = /etc/ssl/certs/thorinkey.pem verify = 2 [5140] accept = 127.0.0.1:514 connect = xxx.xxx.xxx.xxx:5140 /var/log/messages:- kernel: Kernel logging (proc) stopped. Sep 21 13:51:00 thorin kernel: Kernel log daemon terminating. Sep 21 13:51:01 thorin syslog-ng[3146]: syslog-ng version 1.6.8 going down Sep 21 13:51:01 thorin syslog-ng[3769]: syslog-ng version 1.6.8 starting Sep 21 13:51:01 thorin syslog-ng[3769]: Changing permissions on special file /dev/tty10 Sep 21 13:51:01 thorin syslog-ng[3769]: Connection broken to AF_INET(127.0.0.1:514), reopening in 60 seconds Sep 21 13:51:06 thorin kernel: klogd 1.4.1, log source = /proc/kmsg started. Sep 21 13:51:06 thorin kernel: stunnel[3739]: segfault at 000000005569a9f0 rip 000055555555b793 rsp 00005555556b2f60 error 4 var/log/stunnel.log:- stunnel 4.14 on x86_64-suse-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005 2006.09.21 13:48:25 LOG7[3396:1]: RAND_status claims sufficient entropy for the PRNG 2006.09.21 13:48:25 LOG6[3396:1]: PRNG seeded successfully 2006.09.21 13:48:25 LOG7[3396:1]: Certificate: /etc/ssl/certs/thorincert.pem 2006.09.21 13:48:25 LOG7[3396:1]: Key file: /etc/ssl/certs/thorinkey.pem 2006.09.21 13:48:25 LOG7[3396:1]: Loaded verify certificates from /etc/openldap/rootcert.pem 2006.09.21 13:48:25 LOG6[3396:1]: file ulimit = 1024 (can be changed with 'ulimit -n') 2006.09.21 13:48:25 LOG6[3396:1]: poll() used - no FD_SETSIZE limit for file descriptors 2006.09.21 13:48:25 LOG5[3396:1]: 500 clients allowed 2006.09.21 13:48:25 LOG7[3396:1]: FD 4 in non-blocking mode 2006.09.21 13:48:25 LOG7[3396:1]: FD 5 in non-blocking mode 2006.09.21 13:48:25 LOG7[3396:1]: FD 6 in non-blocking mode 2006.09.21 13:48:25 LOG7[3396:1]: SO_REUSEADDR option set on accept socket 2006.09.21 13:48:25 LOG7[3396:1]: 5140 bound to 127.0.0.1:514 2006.09.21 13:48:25 LOG7[3397:1]: Created pid file /var/run/stunnel.pid 2006.09.21 13:48:25 LOG7[3397:0]: Waiting -1 second(s) for 2 file descriptor(s) 2006.09.21 13:49:20 LOG7[3397:0]: CONTEXT 1, FD=4, (IN)->() 2006.09.21 13:49:20 LOG7[3397:0]: CONTEXT 1, FD=6, (IN)->(IN) 2006.09.21 13:49:20 LOG7[3397:1]: 5140 accepted FD=7 from 127.0.0.1:7323 2006.09.21 13:49:20 LOG7[3397:1]: Creating a new context 2006.09.21 13:49:20 LOG7[3397:1]: Context 2 created 2006.09.21 13:49:20 LOG7[3397:2]: Context swap: 1 -> 2 It waits at the last entry until syslog tries to connect. And that's where the useful logging stops, after that it's a seg fault. Hope you can point me in the right direction... Jon Howse ---------------------------------------------------------------------------- St Brendan's Sixth Form College --- STAFF e-mail Please consider the environment before printing this email. This e-mail is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of St Brendan's Sixth Form College. If you are not the intended recipient, be advised that you have received this e-mail in error and that any use, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender. Please report any abuse of this e-mail service to postmaster(a)stbrn.ac.uk ---------------------------------------------------------------------------- *** This e-mail has been scanned by Symantec Anti-Virus software. ***

1 0

Would you plz help me? I have problem with defining ciphers in stunnel
by hjanzadeh＠sinamicro.com 19 Sep '06

19 Sep '06

1 0