stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

Is it possible to wrap openvpn thru stunnel to HTTP-Like
by UARE1234 28 Nov '10

28 Nov '10

Hi, I understand that it is possible to wrap VPN's using Stunnel tool. How Can I do that for openvpn. The purpose is to use openvpn over http like. OpenVPN can establish an HTTP connection to a proxy server, where it will issue a CONNECT to establish a binary connection to the VPN server on port 443/TCP. This works in 99,9% but not in this case since I am talking about a very restrictive network but yet Skype for example works on it since it works in a way of http like. I will appreceate if someone can give me a solution for combinig Stunnel and openvpn or other tool if possible. Thanks -- View this message in context: http://old.nabble.com/Is-it-possible-to-wrap-openvpn-thru-stunnel-to-HTTP-L… Sent from the Stunnel - Users mailing list archive at Nabble.com.

1 0

Stunnel resource usage
by Avinash Gaonkar 26 Nov '10

26 Nov '10

Hi All, I need to understand how can we calculate the throughput for stunnel based on allocated CPU and memory. For e.g if we allocate 512Mb of RAM and 1 core for the stunnel in Vmware, what would be the throughput in Mbps. Regards, Avinash gaonkar

1 0

Enhance description of transparent mode in FAQ
by Ivan Trancik 25 Nov '10

25 Nov '10

Hello, I would suggest to improve 'transparent = yes | no (Unix only)' section of http://www.stunnel.org/faq/stunnel.html#service_level_options and how this option work on OS X. I think that this part remote mode (I<connect> option) on Linux >=2.6.28 remote mode (I<connect> option) 2.2.x local mode (I<exec> option) is not clear. Remote mode is a "I<connect> option"? What the heck? And local mode is a "I<exec> option"? Does this "I" thingie stand for unnamed pipe or capital "i" or small cap "L"?? I ran to this problem when I tried to set up stunnel on Mac OS X and carelessly used some example config on web. Setting "transparent = yes" in Mac OS X will result in very funny behavior. Consider this conf debug=7 output=stunnel.log verify=0 foreground=yes client=yes pid= [https] accept=localhost:8080 connect=google.com:443 transparent=yes will result in unbelievable error - "local_bind (original port): Address family not supported by protocol family (47)" Using 127.0.0.1 instead of localhost will do better - "Service https bound to 127.0.0.1:8080" - BUT when you try to access 127.0.0.1:8080 nothing reasonable happens and log will show another strange error "connect_blocking: connect <ip_address>: Network is unreachable (51)" The next spectacular thing is that when you use only localhost connect and accept parameter, than transparent=yes works OK. I would suggest rewriting that part to reflect these kind of situations in more clear way - they are very hard to debug, and honestly I couldn't figure it out even though I read FAQ several times. Final question - is it possible on OS X (which doesn't have iptables interface, but has ipfw) to set up transparent proxy tunnel with stunnel? Thanks.

2 1

Problems with cert
by Ross 25 Nov '10

25 Nov '10

Hello, we were using Stunnel 4.25 for a long time without any problems. We used "verify=3". Our client config file: service = stunnel-client cert = client.pem socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 verify = 3 CApath = certificates CAfile = CAcert.pem client = yes [rdp] accept = 3398 connect = XX.XX.XX.XX:3398 But after switching to Stunnel 4.34 (preserving configuration) we started to get errors: 2010.11.25 13:13:30 LOG5[8332:5336]: Service rdp-database accepted connection from 127.0.0.1:30082 2010.11.25 13:13:30 LOG5[8332:5336]: connect_blocking: connected 95.130.236.42:3398 2010.11.25 13:13:30 LOG5[8332:5336]: Service rdp-database connected remote server from XX.XX.XX.XX:30083 2010.11.25 13:13:30 LOG5[8332:5336]: Certificate accepted: depth=1, /C=UA/ST=Lviv/L=Lviv region/O=ROSS/OU=IT/emailAddress=bla(a)bla.com 2010.11.25 13:13:30 LOG4[8332:5336]: CERT: Certificate not found in local repository 2010.11.25 13:13:30 LOG4[8332:5336]: Certificate check failed: depth=0, /C=UA/ST=Lviv/L=Lviv region/O=ROSS/OU=IT/CN=OURSERVER/emailAddress=bala(a)bla.com 2010.11.25 13:13:30 LOG3[8332:5336]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 2010.11.25 13:13:30 LOG5[8332:5336]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket Main error is: CERT: Certificate not found in local repository Looks like stunnel cannot find the hashed server's certificate in C:\Program Files\stunnel\certificates (CApath = certificates) We tried specifying full paths, but it does not help. Switching to "verify=2" (do not check server's cert) works ok. Also stunnel 4.25 (with verify=3) works ok on this configuration. Could you help? Ross

2 1

Re: [stunnel-users] ssl renegotiation
by Jason Haar 25 Nov '10

25 Nov '10

On 11/25/2010 05:42 AM, Joe Williams wrote: > > Got it, so there's no way to configure stunnel to disable it without building a new openssl from source. I was thinking there might be an SSL option I could pass in. > That kind of feature was only introduced into the newer versions of OpenSSL, so by definition, older versions can't have an option to disable it ;-) FYI I still have to run fully patched Apache with "SSLInsecureRenegotiation on" due to MSIE still not supporting proper optional client cert renegotiation. It's only *2 years* since the vulnerability was discovered... (Chrome, Firefox are fine of course) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

1 0

ssl renegotiation
by Joe Williams 24 Nov '10

24 Nov '10

List, How does one secure stunnel from man in the middle attacks regarding ssl renegotiation. I have seen http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATI… but I couldn't tell if stunnel is affected by it, nor what I could do outside of installing a newer version of openssl to prevent it. Additionally I did a scan on www.ssllabs.com and it stated that insecure renegotiation was supported, which isn't good. I am running 0.9.8k-7ubuntu8.4, the standard version that ships with ubuntu 10.04, and stunnel 4.32. What can I do to configure stunnel to protect myself? My current config is below. Thanks. -Joe ; Certificate/key is needed in server mode and optional in client mode cert = /etc/stunnel/file.crt key = /etc/stunnel/file.key foreground = yes debug = 5 ciphers = DES-CBC3-SHA:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5 ; Protocol version (all, SSLv2, SSLv3, TLSv1) sslVersion = all options = NO_SSLv2 ; Some security enhancements for UNIX systems - comment them out on Win32 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 ; PID is created inside chroot jail pid = /stunnel4.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Service-level configuration [https] accept = 443 connect = localhost:80 TIMEOUTclose = 0 Name: Joseph A. Williams Email: joe(a)joetify.com Blog: http://www.joeandmotorboat.com/ Twitter: http://twitter.com/williamsjoe

2 2

SSLPassPhraseDialog
by Avinash Gaonkar 23 Nov '10

23 Nov '10

Hi Team, How can we configure ssl key passphrase in stunnel config file. for. eg SSLPassPhraseDialog exec:/path/to/passphrase-file parameter we have in apache, so no need to key in password every time when we restart service. Regards, Avinash Gaonkar

3 2

SMPP Protocol and STunnel
by Pathak, Apurva (Apu) 23 Nov '10

23 Nov '10

Hello, I would like to find out if I can use STunnel as follows: I have a stand alone C# executable program that uses a third party SDK that implements SMPP protocol and sends SMS text messages with wireless carriers. Recently, one of the wireless carriers wants us to implement SSL Client Authentication and wants SMPP messages that are exchanged with them to be encrypted after the client authentication is done. I want to find out if I can use STunnel running so that STunnel can encrypt and decrypt the messages exchanged between my program and the carrier's SMS server. (1) Is this possible with STunnel? (2) What are the steps involved? I am on the Windows Server 2003 platform. I would really appreciate a reply. Thanks, Apu

3 12

Re: [stunnel-users] Error: faulting application stunnel.exe, version 0.0.0.0, faulting module libeay32.dll, version 1.0.0.1, fault address 0x0007331e.
by Pathak, Apurva (Apu) 21 Nov '10

21 Nov '10

Ok...I may keep it....at the moment things are very stable so I am not touching any thing for the moment. The client mentioned it...and they examined the stunnel.conf of some of their other customers...so...otherwise it made sense to me to keep it. Thanks again for your help! Apurva ====== Hi Apurva, Good news. Just to mention: SslVersion=all OFTEN SOLVES MANY PROBLEMS in various circumstances. So I would keep it... Just search for it in the mailing list and you will see... This is just an advice... Yours sincerely, Pierre -----Original Message----- From: stunnel-users-bounces(a)mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of stunnel-users-request(a)mirt.net Sent: Sunday, November 21, 2010 1:27 PM To: stunnel-users(a)mirt.net Subject: stunnel-users Digest, Vol 76, Issue 13 Send stunnel-users mailing list submissions to stunnel-users(a)mirt.net To subscribe or unsubscribe via the World Wide Web, visit http://stunnel.mirt.net/mailman/listinfo/stunnel-users or, via email, send a message with subject or body 'help' to stunnel-users-request(a)mirt.net You can reach the person managing the list at stunnel-users-owner(a)mirt.net When replying, please edit your Subject line so it is more specific than "Re: Contents of stunnel-users digest..."

1 0

public domain [PATCH] to stunnel 4.34 for Windows CE / Windows Mobile, "no service" CRITICAL bug and unicode bugs fixed
by Pierre DELAAGE 17 Nov '10

17 Nov '10

Dear All, Please find enclosed a patch in "diff -cr orig patched" format, applying to stunnel4.34 as found here ftp://stunnel.mirt.net/stunnel/. This patch mainly addresses compilation and unicode issues for Windows CE targets + ONE critical issue preventing stunnel to service anything (!). I use MS EVC 4sp2 compiler with WCE 420 SDK, on a vista host platform. Once debugged the code works fine on WM6 HTC smartphones. Should work on WM5. It needs a windows CE openssl lib (I recompiled MY patched version of openssl 1.0.0a successfully: I will have to log a patch to those gentlemen, hoping that they are open to integrate it, something not so obvious in the past). I will later post here a link to my patch for openssl 100a pointing to the openssl mailing list. THIS OPENSSL PATCH IS ESSENTIAL : with my older version of openssl 098pre_j for wce, stunnel does not work anymore (it crashes after first cnx). The present stunnel patch addresses the following issues : ************* I] COMPILATION FAILURES 1/ on common.h "EINVAL redefinition" : in fact the compile options WX (see evc.mak) does not tolerate any warning : The MS evc420 compiler ALWAYS issues a warning on this symbol redefinition. Michal and I are dealing with it since month... But, considering that NEITHER Exxx error codes are used in stunnel, I suggest that in fact ALL these redef should be suppressed. TODO: In the future a proper rewrite of code in log.c, where hardcoded values of WSA error codes are used instead of symbolic constant, will have to be done. 2/ client.c CreateProcess is a UNICODE function: code was ascii only. Code has been adapted to work in unicode. 3/ evc.mak path to new openssl lib has been redefined. proper location for the libs in openssl tree has been set in the make-install block (although this block is presently USELESS and needs a complete rewrite). 4/ gui.c All code using hmainmenu is OFF under winCE. So some new lines involving it were not compiling. 5/ options.c linger_val.l_linger and linger_val.l_onoff require ushort values. Strict type checking of the compiler required a proper cast to ushort of the r-values. stralloc uses "strdup": on Win32 and winCE strdup is _strdup (!). 6/ prototypes.h : _beginthread was defined as returning an int, an a long in sthread.c. After some checking in various documentations, long is the correct type, in particular because _beginthread can return the special error value "-1L". So that unsigned types are illogical. This simplifies the code in some locations, by saving some -now useless- casts. 7/ sthread.c create_client: suppressed some useless cast to (long) for beginthread. ************* II] OPERATIONAL ERRORS (at run-time) This is a reminder of previous notification to the mailing list : due to beginthread improper code and/or use, It is presently IMPOSSIBLE for stunnel 434 to be used in production on WCE: it is just unable to service any...service. Nothing happens if, for example, you use it to connect to an https server. No log either ! I corrected the code with both Michal patch to gui.c and mine to sthread.c: gui.c (Michal patch) : _beginthread was called with 0 as stacksize which, cumulated to an improper coding of sthread/beginthread, led to FAILURE of service thread creation. sthread.c: _beginthread : now supports "0" stacksize value, leading to default linker stack size (1MB by default unless specified differently on the linker command line, something we do not yet perform but could). ************* III] MINOR IMPROVMENT _beginthread: added a log on critical event of "failure" to create a service thread. because I think it is a critical event, isn't it? I hope you will find this patch useful. Thank you for your excellent work, Yours sincerely, Pierre Delaage Note : I use stunnel to establish a simple "vpn" between smartphones and a corporate linux server mainly for HTTPS/POPS/SMTPS support. Stunnel is very relevant in that matter, over solutions based on SSH (although we use also ssh), from a communication cost point of view : ssh establishes permanent socket between client and server, so that the communication is charged by the mobile network provider : and these charges are very expensive. On the contrary stunnel only establishes ssl sockets on demand so that financial charges are limited to strict necessary. Please note that stunnel brings "client based certificate authentication" to POP/SMTP mobile mail user agents which only BASICALLY supports SSL with server authentication, but NO client authentication, such as M$ Outlook for Mobile (unless you pay for an exchange server and exchange client licence). Here again stunnel is very relevant. Note 2 : the strdup and unicode bug fixes should benefit also to the win32 (for PC) stunnel version for PC.

1 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users