stunnel-users

stunnel-users@stunnel.org

5 participants
3293 discussions

stunnel with Winxp
by russell.jim＠rogers.com 13 Jul '22

13 Jul '22

i've used stunnel (v5.35) for many years, always working great. my 3rd party app running on WinXP computer was always able to send emails to gmail account. last month my app on this machine failed to send emails. changing to another (non-gmail) email account did not help. i am assuming issue is something to do with tls 1.0/1.1 on Winxp machine? do i need to do something to get this WinXP app to be able to send emails (outgoing only) again? thanks so much for any advice. /jim

1 0

Memory usage in stunnel-5.63
by roie rachamim 28 Jun '22

28 Jun '22

Hi, I'm running stunnel 5.63 compiled in debian-bullseye inside docker, and i'm trying to understand the allocated memory behavior In a test i'm conducting i'm creating a load towards the stunnel server And the process CPU + memory consumption rises. Once i stop the traffic the CPU goes down but the memory doesn't. Is this expected ? Many Thanks, Roie

2 1

Stunnel's Windows client stopped working in Iran
by landateta＠yahoo.com 26 Jun '22

26 Jun '22

I have a Stunnel server that users connect to from Iran, to circumvent internet censorship. It was working for years but in recent days Stunnel's Windows client has stopped working (maybe due to censorship), but the Android clients like (SSLSocks and SSL Encryptor) do work. So do you have any idea what would be the difference between Windows and Android clients which can help me fix the problem? Any help appreciated.

1 0

Stunnel5.64 Failed to initialize TLS on Windows 7
by White Louis 23 Jun '22

23 Jun '22

Hi All I upgraded Stunnel 5.64, but it got an error about "Failed to initialize TLS." But It works on Windows10/Windows server 2012 with the Stunnel 5.64 and the same configuration Note: The same configuration works with Stunnel5.63 and earlier version on Windows 7. Below is my configuration sslVersion = TLSv1.2 ciphers=HIGH options = NO_SSLv3 [HOST] client = yes accept = 127.0.0.1:59379 connect = remoteIP:Port verify = 3 CAfile = xxx.crt Logs are below: [ ] Initializing inetd mode configuration [ ] Running on Windows 6.1 [ ] No limit detected for the number of clients [.] stunnel 5.64 on x64-pc-mingw32-gnu platform [.] Compiled/running with OpenSSL 3.0.3 3 May 2022 [.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI [ ] errno: (*_errno()) [ ] Initializing inetd mode configuration [ ] Running on Windows 6.1 [.] Reading configuration from file C:\Users\vm\AppData\Local\Temp\0660770671653983902255\stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression enabled: 0 methods [!] PRNG seeded with 0 bytes total [!] PRNG was not seeded with enough random bytes [!] Global options: Failed to initialize TLS [!] Configuration failed [ ] Deallocating temporary section defaults Server is down

1 0

Connection to Outlook O365 owa
by raduci＠gmail.com 09 Jun '22

09 Jun '22

Dear all, I am trying to connect via stunnel to O365 OWA. Configuration file is below: ; Sample stunnel configuration file for Win64 by Michal Trojnara 2002-2022 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options ; ************************************************************************** ; * Global options * ; ************************************************************************** ; Debugging stuff (may be useful for troubleshooting) debug = 7 output = stunnel.log ; Enable FIPS 140-2 mode if needed for compliance ;fips = yes ; Microsoft CryptoAPI engine allows for authentication with private keys ; stored in the Windows certificate store ; Each section using this feature also needs the "engineId = capi" option engine = capi ; You also need to disable TLS 1.2 or later, because the CryptoAPI engine ; currently does not support PSS ;sslVersionMax = TLSv1.1 ; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later securityLevel = 0 ; The pkcs11 engine allows for authentication with cryptographic ; keys isolated in a hardware or software token ; MODULE_PATH specifies the path to the pkcs11 module shared library, ; such as softhsm2-x64.dll or opensc-pkcs11.dll ; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules ; Each section using this feature also needs the "engineId = pkcs11" option ;engine = pkcs11 ;engineCtrl = MODULE_PATH:softhsm2-x64.dll ;engineCtrl = PIN:1234 ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Enable support for the insecure SSLv3 protocol ;options = -NO_SSLv3 ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Include all configuration file fragments from the specified folder * ; ************************************************************************** ;include = conf.d ; ************************************************************************** ; * Service definitions (at least one service has to be defined) * ; ************************************************************************** ; ***************************************** Example TLS client mode services ; Encrypted HTTP proxy authenticated with a client certificate ; located in the Windows certificate store [O365] client = yes accept = 192.168.0.225:443 connect = outlook.office.com:443 engineId = capi ; Encrypted HTTP proxy authenticated with a client certificate ; located in a cryptographic token ;[example-pkcs11] ;client = yes ;accept = 127.0.0.1:8080 ;connect = example.com:8443 ;engineId = pkcs11 ;cert = pkcs11:token=MyToken;object=MyCert ;key = pkcs11:token=MyToken;object=MyKey ; ***************************************** Example TLS server mode services ;[pop3s] ;accept = 995 ;connect = 110 ;cert = stunnel.pem ;[imaps] ;accept = 993 ;connect = 143 ;cert = stunnel.pem ; Either only expose this service to trusted networks, or require ; authentication when relaying emails originated from loopback. ; Otherwise the following configuration creates an open relay. ;[ssmtp] ;accept = 465 ;connect = 25 ;cert = stunnel.pem ; TLS front-end to a web server ;[https] ;accept = 443 ;connect = 80 ;cert = stunnel.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks ;TIMEOUTclose = 0 ; Remote cmd.exe protected with PSK-authenticated TLS ; Create "secrets.txt" containing IDENTITY:KEY pairs ;[cmd] ;accept = 1337 ;exec = c:\windows\system32\cmd.exe ;execArgs = cmd.exe ;PSKsecrets = secrets.txt ; vim:ft=dosini In the browser (Firefox) I get the below error: Secure Connection Failed An error occurred during a connection to 192.168.0.225. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Chrome says: 192.168.0.225 sent an invalid response. Try running Windows Network Diagnostics. ERR_SSL_PROTOCOL_ERROR Logs are below: Found 1 ready file descriptor(s) 2022.06.09 15:46:32 LOG7[main]: FD=604 ifds=r-x ofds=r-- 2022.06.09 15:46:32 LOG7[main]: FD=908 ifds=r-x ofds=--- 2022.06.09 15:46:32 LOG7[main]: Dispatching a signal from the signal pipe 2022.06.09 15:46:32 LOG7[main]: Processing SIGNAL_RELOAD_CONFIG 2022.06.09 15:46:33 LOG6[main]: Initializing inetd mode configuration 2022.06.09 15:46:33 LOG7[main]: Running on Windows 6.2 2022.06.09 15:46:33 LOG5[main]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf 2022.06.09 15:46:33 LOG5[main]: UTF-8 byte order mark detected 2022.06.09 15:46:33 LOG7[main]: Enabling support for engine "capi" 2022.06.09 15:46:33 LOG6[main]: UI not supported by engine #1 (capi) 2022.06.09 15:46:33 LOG7[main]: Initializing engine #1 (capi) 2022.06.09 15:46:33 LOG6[main]: Engine #1 (capi) initialized 2022.06.09 15:46:33 LOG5[main]: FIPS mode disabled 2022.06.09 15:46:33 LOG6[main]: Compression enabled: 0 methods 2022.06.09 15:46:33 LOG7[main]: No PRNG seeding was required 2022.06.09 15:46:33 LOG6[main]: Initializing service [O365] 2022.06.09 15:46:33 LOG6[main]: User-specified security level set: 0 2022.06.09 15:46:33 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK 2022.06.09 15:46:33 LOG7[main]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 2022.06.09 15:46:33 LOG7[main]: TLS options: 0x2100000 (+0x0, -0x0) 2022.06.09 15:46:33 LOG6[main]: Session resumption enabled 2022.06.09 15:46:33 LOG6[main]: Client certificate engine (capi) enabled 2022.06.09 15:46:33 LOG7[main]: No certificate or private key specified 2022.06.09 15:46:33 LOG4[main]: Service [O365] needs authentication to prevent MITM attacks 2022.06.09 15:46:33 LOG6[main]: DH initialization skipped: client section 2022.06.09 15:46:33 LOG7[main]: ECDH initialization 2022.06.09 15:46:33 LOG7[main]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384 2022.06.09 15:46:33 LOG5[main]: Configuration successful 2022.06.09 15:46:33 LOG7[main]: Unbinding service [O365] 2022.06.09 15:46:33 LOG7[main]: Service [O365] closed (FD=908) 2022.06.09 15:46:33 LOG7[main]: Service [O365] closed 2022.06.09 15:46:33 LOG7[main]: Deallocating deployed section defaults 2022.06.09 15:46:33 LOG7[main]: Deallocating section [O365] 2022.06.09 15:46:33 LOG5[main]: Logging to C:\Users\radc\AppData\Local\stunnel.log 2022.06.09 15:46:33 LOG7[main]: Binding service [O365] 2022.06.09 15:46:33 LOG7[main]: Listening file descriptor created (FD=1580) 2022.06.09 15:46:33 LOG7[main]: Setting accept socket options (FD=1580) 2022.06.09 15:46:33 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket 2022.06.09 15:46:33 LOG6[main]: Service [O365] (FD=1580) bound to 192.168.0.225:443 2022.06.09 15:47:19 LOG7[17]: Service [O365] started 2022.06.09 15:47:19 LOG7[17]: Setting local socket options (FD=1624) 2022.06.09 15:47:19 LOG7[main]: FD=604 ifds=r-x ofds=--- 2022.06.09 15:47:19 LOG7[17]: Option TCP_NODELAY set on local socket 2022.06.09 15:47:19 LOG5[17]: Service [O365] accepted connection from 192.168.0.200:55381 2022.06.09 15:47:19 LOG7[main]: FD=1580 ifds=r-x ofds=r-- 2022.06.09 15:47:19 LOG6[17]: failover: priority, starting at entry #0 2022.06.09 15:47:19 LOG7[main]: Service [O365] accepted (FD=1608) from 192.168.0.200:55382 2022.06.09 15:47:19 LOG6[17]: s_connect: connecting 52.98.152.162:443 2022.06.09 15:47:19 LOG7[main]: Creating a new thread 2022.06.09 15:47:19 LOG7[main]: New thread created 2022.06.09 15:47:19 LOG7[18]: Service [O365] started 2022.06.09 15:47:19 LOG7[18]: Setting local socket options (FD=1608) 2022.06.09 15:47:19 LOG7[18]: Option TCP_NODELAY set on local socket 2022.06.09 15:47:19 LOG5[18]: Service [O365] accepted connection from 192.168.0.200:55382 2022.06.09 15:47:19 LOG6[18]: failover: priority, starting at entry #0 2022.06.09 15:47:19 LOG6[18]: s_connect: connecting 52.98.152.162:443 2022.06.09 15:47:19 LOG7[17]: s_connect: s_poll_wait 52.98.152.162:443: waiting 10 seconds 2022.06.09 15:47:19 LOG7[17]: FD=1596 ifds=rwx ofds=--- 2022.06.09 15:47:19 LOG7[18]: s_connect: s_poll_wait 52.98.152.162:443: waiting 10 seconds 2022.06.09 15:47:19 LOG7[18]: FD=1204 ifds=rwx ofds=--- 2022.06.09 15:47:19 LOG5[17]: s_connect: connected 52.98.152.162:443 2022.06.09 15:47:19 LOG5[17]: Service [O365] connected remote server from 10.57.2.17:57847 2022.06.09 15:47:19 LOG7[17]: Setting remote socket options (FD=1596) 2022.06.09 15:47:19 LOG7[17]: Option TCP_NODELAY set on remote socket 2022.06.09 15:47:19 LOG7[17]: Remote descriptor (FD=1596) initialized 2022.06.09 15:47:19 LOG6[17]: SNI: sending servername: outlook.office.com 2022.06.09 15:47:19 LOG6[17]: Peer certificate not required 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): before SSL initialization 2022.06.09 15:47:19 LOG7[17]: Initializing application specific data for session authenticated 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG5[18]: s_connect: connected 52.98.152.162:443 2022.06.09 15:47:19 LOG5[18]: Service [O365] connected remote server from 10.57.2.17:57848 2022.06.09 15:47:19 LOG7[18]: Setting remote socket options (FD=1204) 2022.06.09 15:47:19 LOG7[18]: Option TCP_NODELAY set on remote socket 2022.06.09 15:47:19 LOG7[18]: Remote descriptor (FD=1204) initialized 2022.06.09 15:47:19 LOG6[18]: SNI: sending servername: outlook.office.com 2022.06.09 15:47:19 LOG6[18]: Peer certificate not required 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): before SSL initialization 2022.06.09 15:47:19 LOG7[18]: Initializing application specific data for session authenticated 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS write change cipher spec 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS write change cipher spec 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): TLSv1.3 read encrypted extensions 2022.06.09 15:47:19 LOG6[17]: Certificate verification disabled 2022.06.09 15:47:19 LOG6[17]: Certificate verification disabled 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS read server certificate 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): TLSv1.3 read server certificate verify 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS read finished 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:19 LOG7[17]: TLS state (connect): SSLv3/TLS write finished 2022.06.09 15:47:19 LOG7[17]: 2 client connect(s) requested 2022.06.09 15:47:19 LOG7[17]: 1 client connect(s) succeeded 2022.06.09 15:47:19 LOG7[17]: 0 client renegotiation(s) requested 2022.06.09 15:47:19 LOG7[17]: 0 session reuse(s) 2022.06.09 15:47:19 LOG6[17]: TLS connected: new session negotiated 2022.06.09 15:47:19 LOG6[17]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption) 2022.06.09 15:47:19 LOG6[17]: Peer temporary key: ECDH, P-384, 384 bits 2022.06.09 15:47:19 LOG7[17]: Compression: null, expansion: null 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): TLSv1.3 read encrypted extensions 2022.06.09 15:47:19 LOG6[18]: Certificate verification disabled 2022.06.09 15:47:19 LOG6[18]: Certificate verification disabled 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS read server certificate 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): TLSv1.3 read server certificate verify 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS read finished 2022.06.09 15:47:19 LOG7[18]: TLS state (connect): SSLv3/TLS write finished 2022.06.09 15:47:19 LOG7[18]: 2 client connect(s) requested 2022.06.09 15:47:19 LOG7[18]: 2 client connect(s) succeeded 2022.06.09 15:47:19 LOG7[18]: 0 client renegotiation(s) requested 2022.06.09 15:47:19 LOG7[18]: 0 session reuse(s) 2022.06.09 15:47:19 LOG6[18]: TLS connected: new session negotiated 2022.06.09 15:47:19 LOG6[18]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption) 2022.06.09 15:47:19 LOG6[18]: Peer temporary key: ECDH, P-384, 384 bits 2022.06.09 15:47:19 LOG7[18]: Compression: null, expansion: null 2022.06.09 15:47:20 LOG7[17]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[17]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[17]: Initializing application specific data for session authenticated 2022.06.09 15:47:20 LOG7[17]: Deallocating application specific data for session connect address 2022.06.09 15:47:20 LOG7[17]: New session callback 2022.06.09 15:47:20 LOG7[17]: Peer certificate was cached (4822 bytes) 2022.06.09 15:47:20 LOG6[17]: Session id: 8C30BA078B16527A627B472B16BD94469EF8EF2C2B3DC4DE83C9E9DD0454AE89 2022.06.09 15:47:20 LOG7[17]: TLS state (connect): SSLv3/TLS read server session ticket 2022.06.09 15:47:20 LOG7[17]: Remove session callback 2022.06.09 15:47:20 LOG7[17]: TLS alert (write): fatal: decode error 2022.06.09 15:47:20 LOG3[17]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.06.09 15:47:20 LOG5[17]: Connection reset: 517 byte(s) sent to TLS, 505 byte(s) sent to socket 2022.06.09 15:47:20 LOG7[17]: Remote descriptor (FD=1596) closed 2022.06.09 15:47:20 LOG7[17]: Local descriptor (FD=1624) closed 2022.06.09 15:47:20 LOG7[17]: Service [O365] finished (1 left) 2022.06.09 15:47:20 LOG7[main]: Found 1 ready file descriptor(s) 2022.06.09 15:47:20 LOG7[main]: FD=604 ifds=r-x ofds=--- 2022.06.09 15:47:20 LOG7[main]: FD=1580 ifds=r-x ofds=r-- 2022.06.09 15:47:20 LOG7[main]: Service [O365] accepted (FD=1132) from 192.168.0.200:55383 2022.06.09 15:47:20 LOG7[main]: Creating a new thread 2022.06.09 15:47:20 LOG7[main]: New thread created 2022.06.09 15:47:20 LOG7[19]: Service [O365] started 2022.06.09 15:47:20 LOG7[19]: Setting local socket options (FD=1132) 2022.06.09 15:47:20 LOG7[19]: Option TCP_NODELAY set on local socket 2022.06.09 15:47:20 LOG5[19]: Service [O365] accepted connection from 192.168.0.200:55383 2022.06.09 15:47:20 LOG6[19]: failover: priority, starting at entry #0 2022.06.09 15:47:20 LOG6[19]: s_connect: connecting 52.98.152.162:443 2022.06.09 15:47:20 LOG7[19]: s_connect: s_poll_wait 52.98.152.162:443: waiting 10 seconds 2022.06.09 15:47:20 LOG7[19]: FD=848 ifds=rwx ofds=--- 2022.06.09 15:47:20 LOG7[18]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[18]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[18]: Initializing application specific data for session authenticated 2022.06.09 15:47:20 LOG7[18]: Deallocating application specific data for session connect address 2022.06.09 15:47:20 LOG7[18]: New session callback 2022.06.09 15:47:20 LOG7[18]: Deallocating application specific data for session connect address 2022.06.09 15:47:20 LOG6[18]: Session id: 052BDBEAEF57DAF30820ADD1223A0C800EC7C7FBEFC8D6ECAAA50A67383A26F8 2022.06.09 15:47:20 LOG7[18]: TLS state (connect): SSLv3/TLS read server session ticket 2022.06.09 15:47:20 LOG7[18]: Remove session callback 2022.06.09 15:47:20 LOG7[18]: TLS alert (write): fatal: decode error 2022.06.09 15:47:20 LOG3[18]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.06.09 15:47:20 LOG5[18]: Connection reset: 517 byte(s) sent to TLS, 505 byte(s) sent to socket 2022.06.09 15:47:20 LOG7[18]: Remote descriptor (FD=1204) closed 2022.06.09 15:47:20 LOG7[18]: Local descriptor (FD=1608) closed 2022.06.09 15:47:20 LOG7[18]: Service [O365] finished (1 left) 2022.06.09 15:47:20 LOG7[main]: Found 1 ready file descriptor(s) 2022.06.09 15:47:20 LOG7[main]: FD=604 ifds=r-x ofds=--- 2022.06.09 15:47:20 LOG7[main]: FD=1580 ifds=r-x ofds=r-- 2022.06.09 15:47:20 LOG7[main]: Service [O365] accepted (FD=844) from 192.168.0.200:55384 2022.06.09 15:47:20 LOG7[main]: Creating a new thread 2022.06.09 15:47:20 LOG7[main]: New thread created 2022.06.09 15:47:20 LOG7[20]: Service [O365] started 2022.06.09 15:47:20 LOG7[20]: Setting local socket options (FD=844) 2022.06.09 15:47:20 LOG7[20]: Option TCP_NODELAY set on local socket 2022.06.09 15:47:20 LOG5[20]: Service [O365] accepted connection from 192.168.0.200:55384 2022.06.09 15:47:20 LOG6[20]: failover: priority, starting at entry #0 2022.06.09 15:47:20 LOG6[20]: s_connect: connecting 52.98.152.162:443 2022.06.09 15:47:20 LOG7[20]: s_connect: s_poll_wait 52.98.152.162:443: waiting 10 seconds 2022.06.09 15:47:20 LOG7[20]: FD=1120 ifds=rwx ofds=--- 2022.06.09 15:47:20 LOG5[19]: s_connect: connected 52.98.152.162:443 2022.06.09 15:47:20 LOG5[19]: Service [O365] connected remote server from 10.57.2.17:57849 2022.06.09 15:47:20 LOG7[19]: Setting remote socket options (FD=848) 2022.06.09 15:47:20 LOG7[19]: Option TCP_NODELAY set on remote socket 2022.06.09 15:47:20 LOG7[19]: Remote descriptor (FD=848) initialized 2022.06.09 15:47:20 LOG6[19]: SNI: sending servername: outlook.office.com 2022.06.09 15:47:20 LOG6[19]: Peer certificate not required 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): before SSL initialization 2022.06.09 15:47:20 LOG7[19]: Initializing application specific data for session authenticated 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG5[20]: s_connect: connected 52.98.152.162:443 2022.06.09 15:47:20 LOG5[20]: Service [O365] connected remote server from 10.57.2.17:57850 2022.06.09 15:47:20 LOG7[20]: Setting remote socket options (FD=1120) 2022.06.09 15:47:20 LOG7[20]: Option TCP_NODELAY set on remote socket 2022.06.09 15:47:20 LOG7[20]: Remote descriptor (FD=1120) initialized 2022.06.09 15:47:20 LOG6[20]: SNI: sending servername: outlook.office.com 2022.06.09 15:47:20 LOG6[20]: Peer certificate not required 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): before SSL initialization 2022.06.09 15:47:20 LOG7[20]: Initializing application specific data for session authenticated 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS write change cipher spec 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS write change cipher spec 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS write client hello 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): TLSv1.3 read encrypted extensions 2022.06.09 15:47:20 LOG6[19]: Certificate verification disabled 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS read server hello 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): TLSv1.3 read encrypted extensions 2022.06.09 15:47:20 LOG6[19]: Certificate verification disabled 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS read server certificate 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): TLSv1.3 read server certificate verify 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS read finished 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS write finished 2022.06.09 15:47:20 LOG7[19]: 4 client connect(s) requested 2022.06.09 15:47:20 LOG7[19]: 3 client connect(s) succeeded 2022.06.09 15:47:20 LOG7[19]: 0 client renegotiation(s) requested 2022.06.09 15:47:20 LOG7[19]: 0 session reuse(s) 2022.06.09 15:47:20 LOG6[19]: TLS connected: new session negotiated 2022.06.09 15:47:20 LOG6[19]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption) 2022.06.09 15:47:20 LOG6[19]: Peer temporary key: ECDH, P-384, 384 bits 2022.06.09 15:47:20 LOG7[19]: Compression: null, expansion: null 2022.06.09 15:47:20 LOG6[20]: Certificate verification disabled 2022.06.09 15:47:20 LOG6[20]: Certificate verification disabled 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS read server certificate 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): TLSv1.3 read server certificate verify 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS read finished 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS write finished 2022.06.09 15:47:20 LOG7[20]: 4 client connect(s) requested 2022.06.09 15:47:20 LOG7[20]: 4 client connect(s) succeeded 2022.06.09 15:47:20 LOG7[20]: 0 client renegotiation(s) requested 2022.06.09 15:47:20 LOG7[20]: 0 session reuse(s) 2022.06.09 15:47:20 LOG6[20]: TLS connected: new session negotiated 2022.06.09 15:47:20 LOG6[20]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption) 2022.06.09 15:47:20 LOG6[20]: Peer temporary key: ECDH, P-384, 384 bits 2022.06.09 15:47:20 LOG7[20]: Compression: null, expansion: null 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[19]: Initializing application specific data for session authenticated 2022.06.09 15:47:20 LOG7[19]: Deallocating application specific data for session connect address 2022.06.09 15:47:20 LOG7[19]: New session callback 2022.06.09 15:47:20 LOG7[19]: Deallocating application specific data for session connect address 2022.06.09 15:47:20 LOG6[19]: Session id: 3E857D78696F2321EDEE2F622CDB1A050B70B915FB7A6DD37C5DE86EC311534F 2022.06.09 15:47:20 LOG7[19]: TLS state (connect): SSLv3/TLS read server session ticket 2022.06.09 15:47:20 LOG7[19]: Remove session callback 2022.06.09 15:47:20 LOG7[19]: TLS alert (write): fatal: decode error 2022.06.09 15:47:20 LOG3[19]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.06.09 15:47:20 LOG5[19]: Connection reset: 517 byte(s) sent to TLS, 505 byte(s) sent to socket 2022.06.09 15:47:20 LOG7[19]: Remote descriptor (FD=848) closed 2022.06.09 15:47:20 LOG7[19]: Local descriptor (FD=1132) closed 2022.06.09 15:47:20 LOG7[19]: Service [O365] finished (1 left) 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSL negotiation finished successfully 2022.06.09 15:47:20 LOG7[20]: Initializing application specific data for session authenticated 2022.06.09 15:47:20 LOG7[20]: Deallocating application specific data for session connect address 2022.06.09 15:47:20 LOG7[20]: New session callback 2022.06.09 15:47:20 LOG7[20]: Deallocating application specific data for session connect address 2022.06.09 15:47:20 LOG6[20]: Session id: E65F2E71C3EF8E156FA8FAEB5AD445887573D80ED9889F65524514A6ABC02D99 2022.06.09 15:47:20 LOG7[20]: TLS state (connect): SSLv3/TLS read server session ticket 2022.06.09 15:47:20 LOG7[20]: Remove session callback 2022.06.09 15:47:20 LOG7[20]: TLS alert (write): fatal: decode error 2022.06.09 15:47:20 LOG3[20]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.06.09 15:47:20 LOG5[20]: Connection reset: 517 byte(s) sent to TLS, 505 byte(s) sent to socket 2022.06.09 15:47:20 LOG7[20]: Remote descriptor (FD=1120) closed 2022.06.09 15:47:20 LOG7[20]: Local descriptor (FD=844) closed 2022.06.09 15:47:20 LOG7[20]: Service [O365] finished (0 left) Do you have any ideas?

2 1

stunnel started to core dump
by itdo＠cndag.onmicrosoft.com 08 Jun '22

08 Jun '22

Hello all About half a year ago, we started using stunnel on Solaris to secure NFS. The latest available pkg was 5.59 at that time. After a couple of months, stunnel started to core dump on several systems. We updated to the then latest version 5.63. It took again some time until core dumps occurred with 5.63 (still same stack traces). I am aware, that in the meantime 5.64 is out. We are in the process of updating it but it will take some time. Could you please have a look at the below mdb output and tell me if you need any further information to find the root cause? # mdb core.stunnel.339.60001 Loading modules: [ libc.so.1 ld.so.1 ] > ::status debugging core file of stunnel (32-bit) from xxxxxxx file: /opt/csw/bin/stunnel initial argv: /opt/csw/bin/stunnel /etc/opt/csw/stunnel/stunnel.conf start threading model: multi-threaded status: process terminated by SIGSEGV (Segmentation Fault) > $c libssl.so.1.0.0`freelist_extract+0x57(0, 2000000, 14, 42e4db16, 9bd6f8a0, eaf57a5d) > $q In the other dumps, libssl was involved as well. This is the stunnel config: setuid = nobody setgid = nogroup debug = info output = /var/adm/stunnel syslog = no options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 sslVersion=TLSv1.2 renegotiation=no options = SINGLE_ECDH_USE options = SINGLE_DH_USE ciphers = aes192-ctr:aes256-ctr socket = a:TCP_NODELAY=1 socket = a:SO_KEEPALIVE=1 TIMEOUTidle = 300 pid = /tmp/stunnel.pid ;include = /etc/opt/csw/stunnel/conf.d [tls-nfs-srv] accept = 31039 connect = localhost:2049 ciphers = PSK PSKsecrets = /etc/opt/csw/stunnel/psk-s.keys libwrap = yes [tls-nfs-client-1] client = yes accept = localhost:31701 connect = yyyyyy:31039 ciphers = PSK PSKsecrets = /etc/opt/csw/stunnel/psk-c.key libwrap = yes ; vim:ft=dosini Kind regards Sasha This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

1 0

stunnel log
by Phillip Parker 29 May '22

29 May '22

I just installed the latest version of stunnel (5.64) but there is no log file. Log file is enabled in .conf but when I run a program I don't get any log output. Help

1 0

recent Problem sending email via Blat
by Phillip Parker 25 May '22

25 May '22

I have been using stunnel and Blat for several years to send emails. Recently all the emails stopped. Interestingly I also use PowerShell to send emails and they all stopped as well. That would seem to point to something external but I have no clue what that might be. I have searched the web and have found several posts talking about (Error: Not a Socket) from Blat log but I have been unable to find a solution. In any event for stunnel I have added below the config file and the log file with debug = 7 enabled and a screen shot of netstat -an. I also believe I am running the latest version of Stunnel and Blat. Just for additional info I have attached my powershell program and the resultant error. Any help on this issue would be greatly appreciated. Incidentally I am not a stunnel or Blat person I just want things to work like they were. ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log ; Use it for client mode client = yes ; Service-level configuration sslversion = all ;[Protocol] protocol = smtp [ssmtp] accept = 127.0.0.1:25 connect = smtp.live.com:587 =============================================== 2022.05.21 15:03:04 LOG5[5916:5920]: Reading configuration from file stunnel.conf 2022.05.21 15:03:04 LOG7[5916:5920]: PRNG seeded successfully 2022.05.21 15:03:05 LOG7[5916:5920]: SSL context initialized for service ssmtp 2022.05.21 15:03:05 LOG5[5916:5920]: Configuration successful 2022.05.21 15:03:05 LOG5[5916:5920]: No limit detected for the number of clients 2022.05.21 15:03:05 LOG7[5916:5920]: accept socket: FD=700 allocated (non-blocking mode) 2022.05.21 15:03:05 LOG7[5916:5920]: Option SO_REUSEADDR set on accept socket 2022.05.21 15:03:05 LOG7[5916:5920]: Service ssmtp bound to 127.0.0.1:25 2022.05.21 15:03:05 LOG7[5916:5920]: Service ssmtp opened FD=700 2022.05.21 15:03:05 LOG5[5916:5920]: stunnel 4.36 on x86-pc-mingw32-gnu with OpenSSL 1.0.0d 8 Feb 2 2022.05.21 15:03:05 LOG5[5916:5920]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT, IPv6 2022.05.21 15:39:56 LOG7[5916:7748]: local socket: FD=692 allocated (non-blocking mode) 2022.05.21 15:39:56 LOG7[5916:7748]: Service ssmtp accepted FD=692 from 127.0.0.1:62680 2022.05.21 15:39:56 LOG7[5916:7748]: Creating a new thread 2022.05.21 15:39:56 LOG7[5916:7748]: New thread created 2022.05.21 15:39:56 LOG7[5916:11272]: Service ssmtp started 2022.05.21 15:39:56 LOG7[5916:11272]: Option TCP_NODELAY set on local socket 2022.05.21 15:39:56 LOG5[5916:11272]: Service ssmtp accepted connection from 127.0.0.1:62680 2022.05.21 15:39:56 LOG7[5916:11272]: remote socket: FD=740 allocated (non-blocking mode) 2022.05.21 15:39:56 LOG6[5916:11272]: connect_blocking: connecting 204.79.197.212:587 2022.05.21 15:39:56 LOG7[5916:11272]: connect_blocking: s_poll_wait 204.79.197.212:587: waiting 10 seconds 2022.05.21 15:40:06 LOG3[5916:11272]: connect_blocking: s_poll_wait 204.79.197.212:587: TIMEOUTconnect exceeded 2022.05.21 15:40:06 LOG5[5916:11272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket Partial screen shot of netstat -an TCP 127.0.0.1:25 0.0.0.0:0 LISTENING TCP 127.0.0.1:4444 0.0.0.0:0 LISTENING TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING TCP 127.0.0.1:5354 127.0.0.1:53941 ESTABLISHED TCP 127.0.0.1:5354 127.0.0.1:58943 ESTABLISHED TCP 127.0.0.1:8884 0.0.0.0:0 LISTENING TCP 127.0.0.1:9012 0.0.0.0:0 LISTENING TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING TCP 127.0.0.1:33555 0.0.0.0:0 LISTENING TCP 127.0.0.1:42424 0.0.0.0:0 LISTENING TCP 127.0.0.1:53941 127.0.0.1:5354 ESTABLISHED TCP 127.0.0.1:58943 127.0.0.1:5354 ESTABLISHED TCP 127.0.0.1:60485 0.0.0.0:0 LISTENING TCP 127.0.0.1:60961 0.0.0.0:0 LISTENING TCP 127.0.0.1:62433 0.0.0.0:0 LISTENING 2022.05.21 15:40:06 LOG7[5916:11272]: Service ssmtp finished (0 left) 2022.05.21 15:40:06 LOG7[5916:11272]: str_stats: 0 blocks, 0 bytes Blat Log 2022.05.21 15:39:56 (Sat)------------Start of Session----------------- Blat v3.2.19 (build : Nov 18 2017 03:14:35) 32-bit Windows, Full, Unicode Error: Connection to server was dropped. *** Error *** SMTP server error Error: Not a socket. Error: Not a socket. 2022.05.21 15:40:06 (Sat)-------------End of Session------------------

2 1

Unexpected EOF while Reading
by Joe Sterk 24 May '22

24 May '22

Stunnel User, When we upgrade from 5.60 to 5.63 or 5.64 we start to get the unexpected eof while reading on the SSL_accept log. I re-loaded 5.60 and the error went away. Does anyone have any ideas on what to review to solve this issue? [cid:image001.png@01D86ECE.E6D97940] Joe Sterk CIO (Chief Information Officer) [Description: Description: cid:image004.jpg@01CD22BD.40F8C160] Insurance Services Corp. ? (972) 896-0384 (Mobile) * (707) 303-8105 (Work) * joes(a)QuieTrack.com<mailto:joes@QuieTrack.com>

1 0

Stunnel - TLS error unexpected eof while reading
by rick.gregson＠gmail.com 19 May '22

19 May '22

Hi All, I have recently configured stunnel on a Windows Server, it has been configured using a certificate from our internal CA and appears to be functioning ok. However we have a load balancer that is doing a health check against the service and is polling S-Tunnel availability every 5 seconds each time a poll occurs I am seeing the error posted below in the logs. 2022.05.12 10:22:55 LOG3[4113]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.05.12 10:22:55 LOG5[4113]: Connection reset: 217 byte(s) sent to TLS, 49 byte(s) sent to socket Can I please have some advice on how to stop this error? Thank you Rick

2 3

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users