stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

Error Stunnel TLS alert (write): fatal: bad record mac
by Alexandre Afonso Vaz 02 Mar '21

02 Mar '21

Hello everyone I apologize in advance because my English is not the best I'm experiencing a problem with stunnel: On the server I'm running a current version [.] stunnel 5.56 on x86_64-pc-linux-gnu platform Compiled / running with OpenSSL 1.1.1d 10 Sep 2019 And on the client an old version [.] stunnel 5.39 on x86_64-pc-linux-gnu platform Compiled with OpenSSL 1.1.0c 10 Nov 2016 The case is that I am having an error in the server log as shown below: SSL_accept: ../ssl/record/ssl3_record.c:677: error: 1408F119: SSL routines: ssl3_get_record: decryption failed or bad record mac I did the test by updating the client to the same version and everything works, the question I have is whether there is really an incompatibility between the versions (be it the stunnel or the openssl). Does anyone know how to confirm me if this is real? Thanks Vaz

1 0

How to insert 2 stunnel.service on redhat 7
by simona vittori 02 Mar '21

02 Mar '21

Hello, I have 2 stunnel instance on a server and I have to insert all 2 in systemd. How to do that? Is it possible to create 2 stunnel.service naming different, for example stunnel.service and stunnel1.service where insert the script to start at boot of the machine? Thanks a lot for you help, Bye Simona

2 2

TLS alert (read): warning: close notify
by Daniel Trickett 01 Mar '21

01 Mar '21

Hi folks, Receiving the message "TLS alert (read): warning: close notify" when initiating connection to another site. I checked logs and we do not get this on any other site we use stunnel to connect to. Is this a message an acknowledgement that stunnel received a close notify message from the external site? 2021.02.25 11:11:17 LOG6[106453]: TLS connected: new session negotiated 2021.02.25 11:11:17 LOG7[106453]: Deallocating application specific data for session connect address 2021.02.25 11:11:17 LOG6[106453]: Negotiated TLSv1.2 ciphersuite ECDHE-ECDSA-AES256-GCM-SHA384 (256-bit encryption) 2021.02.25 11:11:17 LOG7[106453]: Compression: null, expansion: null 021.02.25 11:11:17 LOG7[106453]: TLS alert (read): warning: close notify 2021.02.25 11:11:17 LOG6[106453]: TLS closed (SSL_read) 2021.02.25 11:11:17 LOG7[106453]: Sent socket write shutdown 2021.02.25 11:11:17 LOG6[106453]: Read socket closed (readsocket) 2021.02.25 11:11:17 LOG7[106453]: Sending close_notify alert 2021.02.25 11:11:17 LOG7[106453]: TLS alert (write): warning: close notify 2021.02.25 11:11:17 LOG6[106453]: SSL_shutdown successfully sent close_notify alert 2021.02.25 11:11:17 LOG5[106453]: Connection closed: 9951 byte(s) sent to TLS, 419 byte(s) sent to socket 2021.02.25 11:11:17 LOG7[106453]: Remote descriptor (FD=16) closed 2021.02.25 11:11:17 LOG7[106453]: Local descriptor (FD=15) closed 2021.02.25 11:11:17 LOG7[106453]: Service [xxxx-https] finished (0 left) This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you must not copy this message or attachment or disclose the contents to any other person. If you have received this transmission in error, please notify the sender immediately and delete the message and any attachment from your system. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept liability for any omissions or errors in this message which may arise as a result of E-Mail-transmission or for damages resulting from any unauthorized changes of the content of this message and any attachment thereto. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not guarantee that this message is free of viruses and does not accept liability for any damages caused by any virus transmitted therewith. Click http://www.merckgroup.com/disclaimer to access the German, French, Spanish and Portuguese versions of this disclaimer.

1 0

New User
by David Rose (dsr) 24 Feb '21

24 Feb '21

Hi I have a Windows app that sends email via SMTP without any authentication (port can be set). I want to use it with Office365 SMTP service which requires TLS. Will stunnel allow me to do this without affecting any other application sending email ? If it does, what terms should I be looking for in the help info ? Many thanks Regards David --

1 0

Windows Server 2012 R2 - localhost:25 stops listening
by Frank Warnke 23 Feb '21

23 Feb '21

Hi, I have noticed that when I install stunnel (stunnel-5.57-win64-installer.exe or today stunnel-5.58-win64-installer.exe) that running "netstat -ano" comes back with; TCP 127.0.0.1:25 0.0.0.0:0 LISTENING 2700 and the application we are using can send email via Gmail SMTP using the default stunnel.config. When I log out the user and go back in, the application can no longer send email via Gmail SMTP and "netstat -ano" no longer sees anything listening on port 25. I have verified that the stunnel service is running and have even stopped and started the stunnel service, but I am not able to get port 25 to be listened to unless I uninstall and install stunnel over again. It seems like something is setup or started during the stunnel install process that stops or gets killed after a user log outs. Any suggestions would be appreciated. Thanks, Frank

2 2

Unable to connect to server using Stunnel with TLS1.2
by jing_pan＠kindermorgan.com 02 Feb '21

02 Feb '21

We failed to using stunnel to connect to remote server which only accept TLS1.2. So we configured the stunnel on our side with below stunnel.conf. We have another program listening to localhost:3500 and process the response from server. I would appreciate any suggestion. 1. Stunnel version: 2021.02.02 10:35:27 LOG5[main]: stunnel 5.58 on x64-pc-mingw32-gnu platform 2021.02.02 10:35:27 LOG5[main]: Compiled/running with OpenSSL 1.1.1h 22 Sep 2020 2021.02.02 10:35:27 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI 2021.02.02 10:35:27 LOG5[main]: Reading configuration from file stunnel.conf 2021.02.02 10:35:27 LOG5[main]: UTF-8 byte order mark not detected 2021.02.02 10:35:27 LOG4[main]: Service [FIXSERVER] needs authentication to prevent MITM attacks 2021.02.02 10:35:27 LOG5[main]: Configuration successful 2. stunnel.conf [FIXSERVER] cert = stunnel.pem client = yes fips = no accept = 127.0.0.1:3000 connect = 63.247.***.***:443 sslVersion = TLSv1.2 3. error returned: An existing connection was forcibly closed by the remote host 4. openssl s_client -connect 63.247.***.***:443 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2814 bytes and written 419 bytes Verification error: self signed certificate in certificate chain --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE

1 0

Seeing Message in Plain Text in Wireshark
by David Brower 28 Jan '21

28 Jan '21

First time user of Stunnel and I just wanted to check what I'm doing wrong. I have two processes running: a TCP Listener that listens on port 13000 and a TCP client that sends it a message. I'm running Stunnel on Windows 10 with the following config: [myapp] client = yes accept = 13001 connect = 13000 cert = stunnel.pem TIMEOUTclose=0 I updated the TCP client to send the message to port 13001 but when I check Wireshark I can still see the contents of the message in plaintext. Shouldn't I no longer be able to see the unencrypted contents of this message? Here are the relevant logs: 2021.01.27 20:57:26 LOG7[main]: Found 1 ready file descriptor(s) 2021.01.27 20:57:26 LOG7[main]: FD=588 ifds=r-x ofds=r-- 2021.01.27 20:57:26 LOG7[main]: FD=596 ifds=r-x ofds=--- 2021.01.27 20:57:26 LOG7[main]: Service [myapp] accepted (FD=924) from 127.0.0.1:9322 2021.01.27 20:57:26 LOG7[main]: Creating a new thread 2021.01.27 20:57:26 LOG7[main]: New thread created 2021.01.27 20:57:26 LOG7[2]: Service [myapp] started 2021.01.27 20:57:26 LOG7[2]: Setting local socket options (FD=924) 2021.01.27 20:57:26 LOG7[2]: Option TCP_NODELAY set on local socket 2021.01.27 20:57:26 LOG5[2]: Service [myapp] accepted connection from 127.0.0.1:9322 2021.01.27 20:57:26 LOG6[2]: s_connect: connecting 127.0.0.1:13000 2021.01.27 20:57:26 LOG7[2]: s_connect: s_poll_wait 127.0.0.1:13000: waiting 10 seconds 2021.01.27 20:57:26 LOG7[2]: FD=940 ifds=rwx ofds=--- 2021.01.27 20:57:26 LOG5[2]: s_connect: connected 127.0.0.1:13000 2021.01.27 20:57:26 LOG5[2]: Service [myapp] connected remote server from 127.0.0.1:9323 2021.01.27 20:57:26 LOG7[2]: Setting remote socket options (FD=940) 2021.01.27 20:57:26 LOG7[2]: Option TCP_NODELAY set on remote socket 2021.01.27 20:57:26 LOG7[2]: Remote descriptor (FD=940) initialized 2021.01.27 20:57:26 LOG6[2]: SNI: sending servername: localhost 2021.01.27 20:57:26 LOG6[2]: Peer certificate not required 2021.01.27 20:57:26 LOG7[2]: TLS state (connect): before SSL initialization 2021.01.27 20:57:26 LOG7[2]: Initializing application specific data for session authenticated 2021.01.27 20:57:26 LOG7[2]: TLS state (connect): SSLv3/TLS write client hello

3 2

Stunnel intercept and modify payload
by Sealside - 26 Jan '21

26 Jan '21

Hi! I'm wondering if it is possible to modify payload before it is encrypted? I have a stunnel config which intercepts TLS. I have the following config: [server] client = no cert= /etc/stunnel/stunnel.pem accept = 127.0.0.1:11010 connect = 127.0.0.1:12220 [client] client = yes accept = 127.0.0.1:12220 connect = remoteserver_ip:12222 So when posting TLS messages on port 11010 from my TLS-client on the same server, I can connect to port 12220 using tcp-dump and read the payload unencrypted. Is it possible to alter the payload before it is sent? In that case any pointers would be appreciated , I have tried searching but it does not seem to be a common use case. Would be great if I could tunnel it somewhere else and back (external python program). Thanks in advance, S

1 0

Poss Memory Leak
by Danny Clowes 25 Jan '21

25 Jan '21

Hi, Using the latest build of S'tunnel getting this error when do systemctl status stunnel4 can anyone shed some light on this please using Debian 9 as unable to get Debian 10 work with Stunnel. Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508179]: Possible memory leak at ../ssl/packet_locl.h:385: 1021646 allocations Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508091]: Possible memory leak at ../ssl/packet_locl.h:385: 1021646 allocations Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508179]: Possible memory leak at ../crypto/threads_pthread.c:21: 526301 allocations Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508091]: Possible memory leak at ../crypto/threads_pthread.c:21: 526301 allocations Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508170]: Possible memory leak at ../crypto/stack/stack.c:108: 1026780 allocations Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508170]: Possible memory leak at ../ssl/packet_locl.h:385: 1021646 allocations Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508170]: Possible memory

1 0

installation v run ad-hoc
by Andrew Zenz 21 Jan '21

21 Jan '21

Hi there, a bit of background to start. We are using SEE4C (from marshallsoft.com) for sending email from our application, and have been for some time. We call various functions from their see32.dll. It has been sitting on the back-burner for some time, but now we must implement TLS/SSL for outgoing mail. MarshallSoft don't do TLS/SSL themselves, instead passing that responsibility on to stunnel by way of an internal function I have been reading MarshallSoft's doco and find that I have to 'install' stunnel and have it running in the background either as a services or starting it when the user logs on (in the Startup group). I also read in their doco regarding mapped drives: MAPPED DRIVES Beginning with Windows 10 update 1803, all executables (such as SEE application programs, SEE32.DLL/SEE64.DLL, and Stunnel) must be loaded from a local drive, not a mapped drive. Unfortunately the requirement to install stunnel and inability to run it from a mapped drive doesn't suit many of our clients installation base. Many of them run our application from a mapped drive. I also don't want the overhead of installing stunnel on each workstation that needs to send email or distribute and maintain configuration files. I have enough work to do. Can stunnel be called (started) on an ad-hoc basis and stopped again, only when email is being sent? I don't mean to whine, what options do I have, do our clients have? Cheers, Andrew

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users