stunnel-users

stunnel-users@stunnel.org

5 participants
3293 discussions

Re: tunnel for IMAP/SMTP
by Eberhard 13 Feb '22

13 Feb '22

Just saying -- if something is deprecated it does not mean you MUST stop using it. Use an older version of the software. You can of course have both -- put the older version in one place and the newer one in another. Configure your system to use whichever version you need. The habit of always updating "just because" is sometimes not good for you 😊 E VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322 928-567-3727 (land line) 928-301-7537 (cell phone) http://www.vicsmba.com https://www.facebook.com/groups/286143052248115 -----Original Message----- From: Germano Massullo <germano.massullo(a)gmail.com> On Behalf Of Caterpillar Sent: Saturday, February 12, 2022 7:18 AM To: Josealf.rm <josealf(a)rocketmail.com> Cc: stunnel-users(a)stunnel.org Subject: [stunnel-users] Re: tunnel for IMAP/SMTP Il 10/02/22 01:56, Josealf.rm ha scritto: > OK, I see you’re using stunnel only on your client and it looks you’re > connecting using TLS 1.0 which is deprecated. > > My proposed solution runs stunnel on your server and aims to implement > a front end proxy to the imap/smtp product. This can give you the > support for new TLS versions and no need to run stunnel on your clients. No, I don't have access to the mail server machine. I just installed stunnel on a localhost VM, then lowered the VM minimum accepted TLS to 1.0, and then run Thunderbird from host machine. The latter will connect to the stunnel running in the VM _______________________________________________ stunnel-users mailing list -- stunnel-users(a)stunnel.org To unsubscribe send an email to stunnel-users-leave(a)stunnel.org

1 0

tunnel for IMAP/SMTP
by Caterpillar 12 Feb '22

12 Feb '22

Good day. I need to be able to use Thunderbird to connect to a mail server (IMAP/SMTP) that has an obsolete TLS version (1.1) and I don't want to low the TLS minimum version on my computers. For this need I would like to use stunnel between Thunderbid clients and the mail server. I tried to use tutorial [1] plus "sslVersion = all" option, but I think the guide is quite incomplete. Do you have any other guide/tutoral that is more complete? Thank you [1]: https://petermolnar.com/secure-smtp-and-imap-sessions-with-stunnel/

3 4

stunnel (5.62 and 5.59) causing high load...
by erik＠baigar.de 06 Feb '22

06 Feb '22

Hi there, I was running stunnel successfully for many years (4.26 with older openssl) wrapping http and imap and upgraded for security reasons to openssl 1.1.1 with stunnel 5.59. The platform is somewhat exotic: SPARC Solaris 10 using gcc 3.4.6. The stunnel works for imap and https without problems for some time but after heavy load conditions it starts consuming 100% CPU load although it still works. In this case it is not the DH computation as no ciphers depending on that one are used: 2022.02.06 11:56:33 LOG6[ui]: DH initialization skipped: no DH ciphersuites On the life machine it happens e.g. after some script based port scan attacks and in a way to trigger the phenomenon I found, that running a cipher enumberate for example triggers the "high-load" state. Running nmap 7.80 the command doing the job is nmap --script ssl-enum-ciphers -p PORT SERVER-IP Checking the log-file (level 7) the end of the logfile after such a burst of acitity with the stunnel ennding up at 100% CPU load looks like that: 2022.02.06 14:23:17 LOG7[39]: Deallocating application specific data for session connect address 2022.02.06 14:23:17 LOG7[39]: linger (local): Invalid argument (22) 2022.02.06 14:23:17 LOG7[39]: Local descriptor (FD=22) closed 2022.02.06 14:23:17 LOG7[39]: Service [imaps] finished (6 left) 2022.02.06 14:23:14 LOG7[main]: FD=4 events=0x1 revents=0x1 2022.02.06 14:23:17 LOG7[main]: FD=11 events=0x1 revents=0x0 2022.02.06 14:23:17 LOG7[main]: FD=12 events=0x1 revents=0x0 2022.02.06 14:23:17 LOG7[main]: FD=13 events=0x1 revents=0x0 2022.02.06 14:23:17 LOG7[main]: FD=14 events=0x1 revents=0x0 2022.02.06 14:23:17 LOG7[main]: Dispatching a signal from the signal pipe 2022.02.06 14:23:17 LOG7[main]: Processing SIGCHLD 2022.02.06 14:23:17 LOG7[main]: Retrieving pid statuses with waitpid() 2022.02.06 14:23:17 LOG7[main]: Retrieving pid statuses with waitpid() - DONE Remarkable is that some imaps (we named the IMAP service to be wrapped imaps) still seem to remain active (6 left). The last entry always is the one with the waitpid() and to be sure that it is not the while loop in that one (stunnel.c) I added an additional log entry "DONE" in the source whenever the routine is left - so it is not that easy. The workaround currently is a script monitoring the CPU usage of stunnel and killing/restarting it if >80% for extended period of time is observed, but that can just be a temporary solution. Any ideas what to try/debug locating the reason for the problem? Thanks, Erik. P.S. Experimenting with the timeouts does not alter the phenomenon. P.P.S. Here the active lines of the config file (deleted comments and unused lines to remove clutter): cert = /usr/local/etc/stunnel/stunnel.pem sslVersion = all chroot = /var/lib/stunnel/ setuid = nobody setgid = nogroup pid = /stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [imaps] accept = 14310 connect = 143 local = 127.0.0.1

1 0

Re: stunnel 5-15 minute outages
by Eberhard 05 Feb '22

05 Feb '22

I a hate to sound like a broken record – why not at least try inetd mode for a few days? If nothing else it will tell you if it is stunnel (either server issues or problems with continuing running programs) with little cost to you to try it. E VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322 928-567-3727 (land line) 928-301-7537 (cell phone) <http://www.vicsmba.com/> http://www.vicsmba.com <https://www.facebook.com/groups/286143052248115> https://www.facebook.com/groups/286143052248115 From: Steve Clement <steve3279(a)gmail.com> Sent: Saturday, February 5, 2022 3:01 AM To: john.robertson.arnold(a)gmail.com Cc: stunnel-users(a)stunnel.org Subject: [stunnel-users] Re: stunnel 5-15 minute outages We haven't taken any actions yet. We have so far believed that it was a network side issue, so we have been looking hard at the network devices and getting vendor cases open. We have been looking at packet captures to see if we can figure it out. We haven't found anything that points to the network, but still looking at that. Do you happen to have any load balancers in front of stunnel? I plan to recommend some changes to stunnel suggested in this thread. Thanks, and sorry you are facing this same issue. On Fri, Feb 4, 2022 at 11:36 PM <john.robertson.arnold(a)gmail.com <mailto:john.robertson.arnold@gmail.com> > wrote: I second your problem! We are experiencing what sounds like the same issue. We have had 8 outages since November. They come in pairs, roughly 48 hours apart. Each outage is between 10-12 minutes, then self resolves. I literally just came to this thread tonight while troubleshooting the latest outage. Did the suggestion in the thread work for you? _______________________________________________ stunnel-users mailing list -- stunnel-users(a)stunnel.org <mailto:stunnel-users@stunnel.org> To unsubscribe send an email to stunnel-users-leave(a)stunnel.org <mailto:stunnel-users-leave@stunnel.org> -- Steve Clement steve3279(a)gmail.com <mailto:steve3279@gmail.com> 614-632-7380

1 0

Re: stunnel 5-15 minute outages
by Eberhard 05 Feb '22

05 Feb '22

Which is why my advice is “strange.” We support so many Unix versions with thousands of users of various capabilities. I don’t want to have to learn secret tricks – especially as they change with versions of the O/S. So I use inetd – all the same on every O/S and always works. I see no reason not to do this unless you have a belief that there is a performance issue with it, which is possible I suppose but I suspect completely unlikely in modern computers. Further, inetd is running anyway so the server part is hardly affected by stunnel whereas if you use stunnel in server mode it has overhead … so a real picky person would do performance analysis and it still may be more efficient to use inetd depending on server overhead. Which is like different by O/S and computer hardware and … I worry about performance only when it actually matters. I’d rather concern myself with reliable with less maintenance on my part. My primary O/S is AIX which is stone reliable and requires little fussing with – hence using AIX to do the server part (inetd) makes my life easier. And probably 95% of the people here will disagree with me and that is fine because there is no “right” answer, just choices. I just think some people dismiss inetd out of hand because they were told a decade or two ago (I am old 😊 ) that performance was an issue and that remains the legend. And, I have helped several people overcome issues by changing to inetd, especially those with little experience in server management and/or O/S settings like Danny did (good job!). So please don’t flame me people – this is just explaining why one might consider using inetd mode, not making a case to always use it. E VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322 928-567-3727 (land line) 928-301-7537 (cell phone) <http://www.vicsmba.com/> http://www.vicsmba.com <https://www.facebook.com/groups/286143052248115> https://www.facebook.com/groups/286143052248115 From: Danny Clowes <danny0809881(a)gmail.com> Sent: Friday, February 4, 2022 1:21 PM To: Eric Eberhard <flash(a)vicsmba.com> Cc: Steve Clement <steve3279(a)gmail.com>; stunnel-users(a)stunnel.org Subject: Re: [stunnel-users] Re: stunnel 5-15 minute outages Hi, Ive been using stunnel on number of servers for very long time over all experience has been very good not had any issues or concerns with the stunnel they never crash always online. Ive just tested stunnel on debian 11 it's working brilliant. The Linux system do have limitations in place and the client will only allow so many connections before it will close down say can't take anymore connections however I edited the Linux server remove limitation in place. These where teething issues when started to use stunnel. If anyone interested I would provide hidden scrects how make stunnel work like dream. On Fri, 4 Feb 2022, 19:04 Eberhard, <flash(a)vicsmba.com <mailto:flash@vicsmba.com> > wrote: I will give you strange advice assuming you are on Unix of some flavor. Use inetd. It always works or the O/S does not work 😊 It then becomes the actual server and a new instance of stunnel is fired for every connection. I use it because it is the most reliable way and takes no server software management. There is an old argument against this – it is in theory has less performance when a correction is created. I say theoretical as modern computers are so fast that creating a process millions of times does not stress a machine. I run 100s of millions of connections daily on a single computer and have zero performance issues. I also have zero issues like you described and I always had them before. Even if you do have an issue it would only affect one connection. Because each connection is unique. From your description it is the server process having an issue or perhaps some of the children not getting “clean” as they keep them running in a loop. With inetd it does it’s business and ends. There are no cross-connection or server issues. I give this advice several times a year and may ¼ take it and thank me. The rest mock the idea citing the theoretical performance difference (without even trying it) and continue to struggle. This is not just an issue with this version. Many versions have had trouble with running in a loop like that – memory management, variables not cleared, etc. And remember openssl is tied to this as well. The other thing I would recommend (also weird) is using static links. That way an install of say a new openssl (where your encryption issue appears to be now) won’t affect you. There is no way anyone is testing the software with every version of every O/S with every version of openssl. If you do a static link and have a working version, no need to change. Until a new TLS comes out or something but you can control that well when you have a static link. And that, BTW, theoretically loads faster. The program is much bigger but in need not load dynamic libraries from all over the place when it is fired up. Let me know what you find out and do 😊 E VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322 928-567-3727 (land line) 928-301-7537 (cell phone) <http://www.vicsmba.com/> http://www.vicsmba.com <https://www.facebook.com/groups/286143052248115> https://www.facebook.com/groups/286143052248115 From: Steve Clement <steve3279(a)gmail.com <mailto:steve3279@gmail.com> > Sent: Friday, February 4, 2022 4:52 AM To: stunnel-users(a)stunnel.org <mailto:stunnel-users@stunnel.org> Subject: [stunnel-users] stunnel 5-15 minute outages Hello, I have been working on an issue that seems a lot like this one: https://www.stunnel.org/pipermail/stunnel-users/2011-January/002898.html We are running stunnel 5.56 and it has been working with no issues until November. Since November there have been 6 short 5-15 minute outages where we see network traffic between client and server in the packet captures, but stunnel logs stop during this period. Everything recovers on its own after this brief outage. I am looking for help in what to look for to explain this. Feb 2 14:49:29 *host* stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket Feb 2 15:00:36 *host* stunnel: LOG6[2705685]: Peer certificate not required We usually see dozens of messages every second, so to have an 11 minute gap in the logs is unusual. Any help would be appreciated, thank you. -- Steve Clement steve3279(a)gmail.com <mailto:steve3279@gmail.com> 614-632-7380 _______________________________________________ stunnel-users mailing list -- stunnel-users(a)stunnel.org <mailto:stunnel-users@stunnel.org> To unsubscribe send an email to stunnel-users-leave(a)stunnel.org <mailto:stunnel-users-leave@stunnel.org>

3 2

stunnel 5-15 minute outages
by Steve Clement 05 Feb '22

05 Feb '22

Hello, I have been working on an issue that seems a lot like this one: https://www.stunnel.org/pipermail/stunnel-users/2011-January/002898.html We are running stunnel 5.56 and it has been working with no issues until November. Since November there have been 6 short 5-15 minute outages where we see network traffic between client and server in the packet captures, but stunnel logs stop during this period. Everything recovers on its own after this brief outage. I am looking for help in what to look for to explain this. Feb 2 14:49:29 *host* stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket Feb 2 15:00:36 *host* stunnel: LOG6[2705685]: Peer certificate not required We usually see dozens of messages every second, so to have an 11 minute gap in the logs is unusual. Any help would be appreciated, thank you. -- Steve Clement steve3279(a)gmail.com 614-632-7380

2 2

Re: stunnel 5-15 minute outages
by Eberhard 04 Feb '22

04 Feb '22

I will give you strange advice assuming you are on Unix of some flavor. Use inetd. It always works or the O/S does not work 😊 It then becomes the actual server and a new instance of stunnel is fired for every connection. I use it because it is the most reliable way and takes no server software management. There is an old argument against this – it is in theory has less performance when a correction is created. I say theoretical as modern computers are so fast that creating a process millions of times does not stress a machine. I run 100s of millions of connections daily on a single computer and have zero performance issues. I also have zero issues like you described and I always had them before. Even if you do have an issue it would only affect one connection. Because each connection is unique. From your description it is the server process having an issue or perhaps some of the children not getting “clean” as they keep them running in a loop. With inetd it does it’s business and ends. There are no cross-connection or server issues. I give this advice several times a year and may ¼ take it and thank me. The rest mock the idea citing the theoretical performance difference (without even trying it) and continue to struggle. This is not just an issue with this version. Many versions have had trouble with running in a loop like that – memory management, variables not cleared, etc. And remember openssl is tied to this as well. The other thing I would recommend (also weird) is using static links. That way an install of say a new openssl (where your encryption issue appears to be now) won’t affect you. There is no way anyone is testing the software with every version of every O/S with every version of openssl. If you do a static link and have a working version, no need to change. Until a new TLS comes out or something but you can control that well when you have a static link. And that, BTW, theoretically loads faster. The program is much bigger but in need not load dynamic libraries from all over the place when it is fired up. Let me know what you find out and do 😊 E VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322 928-567-3727 (land line) 928-301-7537 (cell phone) <http://www.vicsmba.com/> http://www.vicsmba.com <https://www.facebook.com/groups/286143052248115> https://www.facebook.com/groups/286143052248115 From: Steve Clement <steve3279(a)gmail.com> Sent: Friday, February 4, 2022 4:52 AM To: stunnel-users(a)stunnel.org Subject: [stunnel-users] stunnel 5-15 minute outages Hello, I have been working on an issue that seems a lot like this one: https://www.stunnel.org/pipermail/stunnel-users/2011-January/002898.html We are running stunnel 5.56 and it has been working with no issues until November. Since November there have been 6 short 5-15 minute outages where we see network traffic between client and server in the packet captures, but stunnel logs stop during this period. Everything recovers on its own after this brief outage. I am looking for help in what to look for to explain this. Feb 2 14:49:29 *host* stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket Feb 2 15:00:36 *host* stunnel: LOG6[2705685]: Peer certificate not required We usually see dozens of messages every second, so to have an 11 minute gap in the logs is unusual. Any help would be appreciated, thank you. -- Steve Clement steve3279(a)gmail.com <mailto:steve3279@gmail.com> 614-632-7380

2 1

Use Stunnel with CMD
by gilaguigui＠gmail.com 02 Feb '22

02 Feb '22

Hi, I am trying to use stunnel with CMD (as a service) I get pop up message for each command (service installed \ service stopped etc.) the command in CMD: stunnel.exe -install\ -uninstall.... how can I disable it? run stunnel with no pop up? thanks GG.

1 0

New to stunnel! Need help connecting to a REST API
by Tim Townsend 18 Jan '22

18 Jan '22

Hello! I need help! We have an integration from an ERP package to a REST API (Avatax) that will soon be requiring TLS 1.2 connections. Our tech platform does not have built-in support for TLS 1.2, so I'm hoping to be able to use stunnel to make that happen. Where do I start? What would the conf file section look like for this? I don't see this directly discussed in the documentation. Any help appreciated! [cid:image001.jpg@01D80C02.6F1F2690] Tim Townsend Programmer Earnest & Associates * Profitability Improvement Specialists Voice: 410.766.6076<tel:+14107666076> ext 210 Email: tim.townsend(a)earnestassoc.com<mailto:tim.townsend@earnestassoc.com> * Web: earnestassoc.com<http://www.earnestassoc.com/>

1 0

stunnel 5.62 released
by Michał Trojnara 17 Jan '22

17 Jan '22

Dear Users, I have released version 5.62 of stunnel. ### Version 5.62, 2022.01.17, urgency: MEDIUM * New features - Added a bash completion script. * Bugfixes - Fixed a transfer() loop bug. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 9cf5bb949022aa66c736c1326554cca27d0641605a6370274edc4951eb5bd339 stunnel-5.62.tar.gz fbfcc5759344bcafff9ff3bc6cf56c7fb75cb1244b76d4934c5d9a3eb7eee32d stunnel-5.62-win64-installer.exe 4b52ed6e4bb8293fdefb10ee8c271400a8c1749254a11b674ff690eae00b3c5e stunnel-5.62-android.zip Best regards, Mike

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users