- stunnel-users - stunnel.org

Self signed certificate check
by Bob Bob 20 Nov '22

20 Nov '22

Hi, I have two Windows based stations with one hosting a specific service. Stunnel is used to create a secure connection. As stated on the auth page, I have implemented PSK to prevent MITM Attack but also as a way to authenticate connections and limit who can connect to the server. I would like to add an extra layer of security by having the Server only accept connections when the client submits a pre-agreed self cert. verifyPeer does not seem to work with self certificate. I would like to end up with PSK + certificate check. Is there a way to achieve that with self certificate on Stunnel? Thanks.

1 0

Windows 10 Pro - StartService: error 1053
by jason99si＠gmail.com 11 Nov '22

11 Nov '22

I'm installing stunnel for a second time. I'm using it for Blue Iris on a Windows 10 Pro machine. I'm using stunnel 5.67 on Win64. GUI shows "Configuration successful". I've tried uninstalling and reinstalling numerous times. When I run stunnel Service Start I receive a dialog box that says: stunnel 5.67 on Win64 (not configured) StartService: error 1053: The service did not respond to the start or control request in a timely fashion Can anyone help?

2 2

Two certificates on same connection
by perisnagini＠gmail.com 07 Nov '22

07 Nov '22

hi, I am into implementations and generally use stunnel with a certification provided by our third party connections in stunnel for encryption/ decryption both ways. Recently we had a query from one of our vendors stating we must use one cert to encrypt which they will decrypt using the key provided by us and they will encrypt which must be decrypted using the key provided. Keeping it simple we have below: Client Key - clt.pem Client cert - clt.cer Vendor key - vndr.pem our ca certs - ca-cert.pem Could anyone help me in understanding how do I leverage vendor key for decrypting and clt key for encrypting in stunnel.conf using the above certs. Many Thanks.

1 0

error:0A000126:SSL routines::unexpected eof while reading
by sburke＠unitedelectric.com 07 Nov '22

07 Nov '22

Hello, I am trying to get a system notification email back up and running after google disabled the "use less secure apps" functionality in the Gmail platform. I have set up the Gmail account to use an app password which I assigned to the system that was sending emails before this change. It appears the system is now connecting to Stunnel running on a windows 10 machine and Stunnel is making the connection with the Gmail server again, but no email actually gets sent out. I am running Stunnel 5.66 Here is the configuration currently: [gmail-smtp] client = yes accept = 25 connect = smtp.gmail.com:465 verifyChain = yes CAfile = ca-certs.pem checkHost = smtp.Gmail.com OCSPaia = yes Here is a copy of the log file: 2022.09.20 07:40:49 LOG5[0]: Service [gmail-smtp] accepted connection from 192.168.100.200:56399 2022.09.20 07:40:49 LOG5[0]: s_connect: connected 74.125.138.109:465 2022.09.20 07:40:49 LOG5[0]: Service [gmail-smtp] connected remote server from 172.16.4.220:60367 2022.09.20 07:40:49 LOG5[0]: OCSP: Connecting the AIA responder "http://ocsp.pki.goog/gtsr1" 2022.09.20 07:40:50 LOG5[0]: s_connect: connected 142.251.40.67:80 2022.09.20 07:40:50 LOG5[0]: OCSP: Certificate accepted 2022.09.20 07:40:50 LOG5[0]: OCSP: Connecting the AIA responder "http://ocsp.pki.goog/gts1c3" 2022.09.20 07:40:50 LOG5[0]: s_connect: connected 142.251.40.67:80 2022.09.20 07:40:50 LOG5[0]: OCSP: Certificate accepted 2022.09.20 07:40:50 LOG5[0]: Certificate accepted at depth=0: CN=smtp.gmail.com 2022.09.20 07:40:51 LOG3[0]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.09.20 07:40:51 LOG5[0]: Connection reset: 92 byte(s) sent to TLS, 620 byte(s) sent to socket Is this something I can remedy from the configuration, or is this something that requires modification on the email server side? Thank you sean

3 2

Re: stunnel 5.67 released
by Rok Berlec 07 Nov '22

07 Nov '22

Hi, When we install version 5.67 we sometimes get the message: "The procedure entry point OPENSSL_strcasecmp could not be located" After start of service everything looks fine. We upgrade by uninstalling the previous version and installing the latest one. Best regards, Rok Berlec

1 0

stunnel 5.67 released
by Michał Trojnara 01 Nov '22

01 Nov '22

Dear Users, I have released version 5.67 of stunnel. ### Version 5.67, 2022.11.01, urgency: HIGH * Security bugfixes - OpenSSL DLLs updated to version 3.0.7. * New features - Provided a logging callback to custom engines. * Bugfixes - Fixed "make cert" with OpenSSL older than 3.0. - Fixed the code and the documentation to use conscious language for SNI servers (thx to Clemens Lang). Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 3086939ee6407516c59b0ba3fbf555338f9d52f459bcab6337c0f00e91ea8456 stunnel-5.67.tar.gz a6bdc2a735eb34465d10e3c7e61f32d679ba29a68de8ea8034db79c0c8b328a3 stunnel-5.67-win64-installer.exe 893f53d6647900eb34041be8f21a21c052a31de3fb393a97627021a1ef2752f5 stunnel-5.67-android.zip Best regards, Mike

1 0

"make cert" get "Error configuring OpenSSL modules"
by decatur93＠163.com 28 Oct '22

28 Oct '22

Hi, all. I have done "make && make install" under "sudo", then I got this when "make cert" --------------------------------------------------------------- make -C tools cert make[1]: Entering directory '/opt/stunnel-5.66/tools' ./makecert.sh . /usr /dev/urandom OpenSSL 1.1.1f 31 Mar 2020 1+0 records in 1+0 records out 256 bytes copied, 0.0001303 s, 2.0 MB/s Error configuring OpenSSL modules 139784943940928:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(libproviders.so): libproviders.so: cannot open shared object file: No such file or directory 139784943940928:error:25070067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:162: 139784943940928:error:0E07506E:configuration file routines:module_load_dso:error loading dso:../crypto/conf/conf_mod.c:224:module=providers, path=providers 139784943940928:error:0E076071:configuration file routines:module_run:unknown module name:../crypto/conf/conf_mod.c:165:module=providers Certificate details: Can't open stunnel.pem for reading, No such file or directory 139707919738176:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('stunnel.pem','r') 139707919738176:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76: unable to load certificate /usr/bin/install -c -b -m 600 stunnel.pem /usr/local/etc/stunnel/stunnel.pem /usr/bin/install: cannot stat 'stunnel.pem': No such file or directory make[1]: *** [Makefile:579: cert] Error 1 make[1]: Leaving directory '/opt/stunnel-5.66/tools' make: *** [Makefile:894: cert] Error 2 ------------------------------------------------------------------ It seems I have no libproviders.so, but I have installed openssl. Can anyone help me? Thx.

3 2

stunnel as simple TLS terminator to web backend -- works, but 1st response is blank page, after reload all's good ?
by PGNet Dev 15 Oct '22

15 Oct '22

I'm running [.] stunnel 5.66 on x86_64-redhat-linux-gnu platform [.] Compiled/running with OpenSSL 3.0.5 5 Jul 2022 on lsb_release -rd Description: Fedora release 36 (Thirty Six) Release: 36 uname -rm 5.19.15-201.fc36.x86_64 x86_64 it's setup to frontend terminate TLS in front of a bind9 nameserver instance's statistics (http-only) web server backend. it's a trivial config, cat /etc/stunnel/stunnel.conf debug = 5 syslog = yes [bind9-stats] accept = ns.example.com:10000 connect = 127.0.0.1:10001 sslVersion = TLSv1.3 ciphersuites = TLS_CHACHA20_POLY1305_SHA256 requireCert = yes verifyChain = yes verifyPeer = no CAfile = /usr/local/etc/stunnel/example_CA.CHAIN.crt.pem cert = /usr/local/etc/stunnel/ns.example.com.COMBINED.pem key = /usr/local/etc/stunnel/ns.example.com.server.key.pem sessionCacheSize = 1 sessionCacheTimeout = 360 and it does provide access, with no apparent/reported *error*, afaict. but, on initial access, i.e. first nav to the exposed site page, I get a blank page. simply RELOADING the browser page cures the problem. page display, with current/correct data -- as do all (sub)links on the page. this is repeatable behavior in multiple browsers (Firefox, Chromium, Chrome). so far i've not found any indication of an actual error -- only this 1st-page-visit-is-blank behavior, unique to my stunnel usage. other/heavier frontends have no such issue. odd, but not fatal. or even, apparently, problematic (so far, i think). is this a pebkac/config issue? or a known issue/bug? other?

1 0

SSL Termination Issue
by Gary Jackson 15 Oct '22

15 Oct '22

We have an STunnel configuration running to take encrypted TLS traffic from customers and pass it to our application unencrypted. We have purchased a CA signed certificate, but we are receiving an error when negotiating. We have tried many searches/configurations with no progress. STunnel General Config ; ************************************************************************** ; * Global options * ; ************************************************************************** ; Debugging stuff (may be useful for troubleshooting) debug = debug output = stunnel.log ; Enable FIPS 140-2 mode if needed for compliance ;fips = yes ; Microsoft CryptoAPI engine allows for authentication with private keys ; stored in the Windows certificate store ; Each section using this feature also needs the "engineId = capi" option ;engine = capi ; You also need to disable TLS 1.2 or later, because the CryptoAPI engine ; currently does not support PSS ;sslVersionMin = TLSv1.2 sslVersionMax = TLSv1.2 ; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later ;securityLevel = 0 ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-;RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-;SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-;AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256 curves = X25519:P-256:X448:P-521:P-384 ; The pkcs11 engine allows for authentication with cryptographic ; keys isolated in a hardware or software token ; MODULE_PATH specifies the path to the pkcs11 module shared library, ; such as softhsm2-x64.dll or opensc-pkcs11.dll ; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules ; Each section using this feature also needs the "engineId = pkcs11" option ;engine = pkcs11 ;engineCtrl = MODULE_PATH:softhsm2-x64.dll ;engineCtrl = PIN:1234 ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Enable support for the insecure SSLv3 protocol options = -NO_SSLv3 ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Include all configuration file fragments from the specified folder * ; ************************************************************************** ;include = conf.d STunnel Service Specific Config ; TLS front-end to a web server [https] accept = 27015 connect = 172.31.4.10:9000 cert = mycert.pem key = mycert.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks TIMEOUTclose = 0 STunnel Debug 2022.10.15 11:16:08 LOG6[769]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2022.10.15 11:16:08 LOG3[769]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2022.10.15 11:16:08 LOG7[769]: Compression: null, expansion: null 2022.10.15 11:16:08 LOG7[769]: Deallocating application specific data for session connect address 2022.10.15 11:16:08 LOG6[769]: s_connect: connecting x.x.x.x:9000 2022.10.15 11:16:08 LOG7[769]: s_connect: s_poll_wait x.x.x.x:9000: waiting 10 seconds 2022.10.15 11:16:08 LOG7[769]: FD=792 ifds=--- ofds=r-- 2022.10.15 11:16:08 LOG7[769]: FD=888 ifds=rwx ofds=--- 2022.10.15 11:16:08 LOG5[769]: s_connect: connected x.x.x.x:9000 2022.10.15 11:16:08 LOG6[769]: persistence: x.x.x.x:9000 cached 2022.10.15 11:16:08 LOG5[769]: Service [https] connected remote server from x.x.x.x:52720 2022.10.15 11:16:08 LOG7[769]: Setting remote socket options (FD=888) 2022.10.15 11:16:08 LOG7[769]: Option TCP_NODELAY set on remote socket 2022.10.15 11:16:08 LOG7[769]: Remote descriptor (FD=888) initialized 2022.10.15 11:16:09 LOG6[769]: SSL_read: Socket is closed 2022.10.15 11:16:09 LOG6[769]: TLS socket closed (SSL_read) 2022.10.15 11:16:09 LOG7[769]: Sent socket write shutdown Any assistance would be GREATLY appreciated! Thank you. _________________________________ Gary Jackson | Senior Systems Engineer Direct: 502.777.1940 IT GUY NETWORKS LLC | Certified Systems Consultants 14607 Lake Bluff Place Louisville, KY 40245 The information contained in this email, and in any accompanying documents, constitutes confidential information, which belongs to IT Guy Networks. This information is intended for the use of the individual(s) or entity named above. You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on this information, is strictly prohibited.

2 3

Peer Suddenly Disconnects after Negotiating TLS
by Gary Jackson 13 Oct '22

13 Oct '22

I have a TLS Connection that appears to be established but then is terminating and not sure what would cause this. 2022.10.13 14:56:36 LOG5[12435]: Service [https] accepted connection from 97.72.232.10:62890 2022.10.13 14:56:36 LOG6[12435]: Peer certificate not required 2022.10.13 14:56:36 LOG6[12435]: TLS accepted: new session negotiated 2022.10.13 14:56:36 LOG6[12435]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2022.10.13 14:56:36 LOG3[12435]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2022.10.13 14:56:36 LOG6[12435]: s_connect: connecting 172.31.4.10:9000 2022.10.13 14:56:36 LOG5[12435]: s_connect: connected 172.31.4.10:9000 2022.10.13 14:56:36 LOG6[12435]: persistence: 172.31.4.10:9000 cached 2022.10.13 14:56:36 LOG5[12435]: Service [https] connected remote server from 172.31.4.20:59907 2022.10.13 14:56:36 LOG6[12435]: SSL_read: Socket is closed 2022.10.13 14:56:36 LOG6[12435]: TLS socket closed (SSL_read) 2022.10.13 14:56:36 LOG5[12435]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket Thanks in advance. _________________________________ Gary Jackson | Senior Systems Engineer Direct: 502.777.1940 IT GUY NETWORKS LLC | Certified Systems Consultants 14607 Lake Bluff Place Louisville, KY 40245 The information contained in this email, and in any accompanying documents, constitutes confidential information, which belongs to IT Guy Networks. This information is intended for the use of the individual(s) or entity named above. You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on this information, is strictly prohibited.

1 0