- stunnel-users - stunnel.org

stunnel.pem Failure
by waynesmith philosophical-vistas.net 27 May '21

27 May '21

I preface this message to alert the reader that I remain a novice both in use of STunnel and Linux. I am trying to generate an SSL/TLS certificate for use w/ my various e-mail clients. I downloaded and extracted STunnel 5.59 on my Linux Mint Debian box. After perusing the files I issued the following command sudo ./configure --enable-fips Without repeating all the verbiage, it seemed to run properly. I then issued the following command make cert It returned the usual information requests (though it didn't ask for an e-mail address) but returned the following: /usr/bin/install -c -b -m 600 stunnel.pem /usr/local/etc/stunnel/stunnel.pem /usr/bin/install: cannot create regular file ‘/usr/local/etc/stunnel/stunnel.pem’: No such file or directory Makefile:549: recipe for target 'cert' failed make[1]: *** [cert] Error 1 make[1]: Leaving directory '/home/was/stunnel-5.59/tools' Makefile:883: recipe for target 'cert' failed make: *** [cert] Error 2 I negotiated through </usr/local/etc> and ascertained there was no </stunnel> folder. Unfortunately the permissions prevent me from creating this folder. I am thus stumped. Suggestions?

2 2

fixes for Solaris
by Pavel Heimlich 25 May '21

25 May '21

Hi, please find attached two patches that make stunnel 5.59 work better with Oracle Solaris. The first one fixes a few issues with the tests* - it removes unnecessary warning/error messages and adjusts the calls to netcat and ifconfig to what works on Solaris. The second one adds the location of 64 bit shared libraries for linking OpenSSL, similar to what has been added for Fedora. best regards P. * test result: test 010_require_cert ok test 011_verify_peer ok test 012_verify_chain ok test 013_CRL_file ok test 014_PSK_secrets ok test 015_p12_cert ok test 020_IPv6 ok test 021_FIPS skipped test 022_bind ok test 028_redirect_chain ok test 029_no_redirect_chain ok test 030_simple_execute ok test 031_redirect ok test 032_no_redirect ok test 033_redirect_exec ok test 034_no_redirect_exec ok test 035_SNI ok test 036_no_SNI ok test 037_failover_prio1 ok test 038_failover_prio2 ok test 039_failover_rr ok test 040_reload ok test 041_exec_connect ok test 042_inetd ok test 043_session_delay ok test 044_session_nodelay ok test 045_include ok test 046_resume_PSK ok test 047_resume_redirect ok test 048_resume_noredirect ok test 049_redirect_nocert ok test 050_ticket_secrets ok test 051_resume_cache_old skipped test 052_resume_cache ok test 053_resume_ticket ok test 054_resume_TLSv1_3 ok test 055_socket_close ok test 110_failure_require_cert ok test 111_failure_verify_peer ok test 112_failure_verify_chain ok test 113_failure_CRL_file ok test 114_failure_PSK_secrets ok test 115_failure_wrong_config ok test 121_failure_FIPS_ciphers skipped test 122_failure_FIPS_curves skipped summary: success 41, skip 4, fail 0 -- Pavel Heimlich | SW Developer Security Compliance & Globalization Oracle Czech s. r. o., U Trezorky 921/2, 158 00 Praha 5, Czech Republic

1 0

Stunnel stopped working..
by Alastair ＠ Expert Geeks 23 May '21

23 May '21

Hi all, I've been happily using stunnel for the same purpose and the same config for over year but it's suddenly stopped working. I was using it to wrap http shoutcast (port 8000) to https (port 8444). I'm using a letsencrypt cert. config: client = no [shoutcast] accept = 8444 connect = 127.0.0.1:8000 cert = /etc/letsencrypt/live/*server name*/fullchain.pem key = /etc/letsencrypt/live/*server name*/privkey.pem This keeps getting repeated in the log: 2021.05.22 22:18:27 LOG7[main]: Found 1 ready file descriptor(s) 2021.05.22 22:18:27 LOG7[main]: FD=4 events=0x2001 revents=0x0 2021.05.22 22:18:27 LOG7[main]: FD=9 events=0x2001 revents=0x1 2021.05.22 22:18:27 LOG7[main]: Service [shoutcast] accepted (FD=3) from *server ip*:40506 2021.05.22 22:18:27 LOG7[4]: Service [shoutcast] started 2021.05.22 22:18:27 LOG7[4]: Setting local socket options (FD=3) 2021.05.22 22:18:27 LOG7[4]: Option TCP_NODELAY set on local socket 2021.05.22 22:18:27 LOG5[4]: Service [shoutcast] accepted connection from *server ip*:40506 2021.05.22 22:18:27 LOG6[4]: Peer certificate not required 2021.05.22 22:18:27 LOG7[4]: TLS state (accept): before SSL initialization 2021.05.22 22:18:27 LOG3[4]: SSL_accept: ../ssl/record/ssl3_record.c:322: error:1408F09C:SSL routines:ssl3_get_record:http request 2021.05.22 22:18:27 LOG5[4]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2021.05.22 22:18:27 LOG7[4]: Local descriptor (FD=3) closed 2021.05.22 22:18:27 LOG7[4]: Service [shoutcast] finished (0 left) (server ip & server name removed) Suggestions and recommendations gratefully received! Thanks.

2 1

Re: stunnel in Citrix Environment
by Eberhard 21 May '21

21 May '21

It is pretty much impossible for users to hijack each other. The connections are persistent and if a user drops it is gone. It won’t hijack or share. Having said that, if your app works like a Web browser (not persistent) then of course they will interleave and of course you need to use the same technique as browsers – cookies, hidden fields, whatever. E VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322 928-567-3727 (land line) 928-301-7537 (cell phone) <http://www.vicsmba.com/> http://www.vicsmba.com <https://www.facebook.com/groups/286143052248115> https://www.facebook.com/groups/286143052248115 From: Bruce Liptak <bliptakjr(a)gmail.com> Sent: Friday, May 21, 2021 10:35 AM To: stunnel-users(a)stunnel.org Subject: [stunnel-users] stunnel in Citrix Environment Hello stunnel-users, Currently we have an application using stunnel being presented by a Citrix presentation server. The first user authenticates over stunnel with a PKI cert and every user thereafter creates a prompt for the first user again and again for each user that also tries to get into the app. Is there a way for stunnel to be separated based on something that pertains to the user trying to get access? We are using a PKI solution based on certificates. It's like every new user is hijacking the first users' stunnel session. Any help would be appreciated! Thank you, Bruce Liptak <mailto:bliptakjr@gmail.com> bliptakjr(a)gmail.com CCNA R&S | VCA-DCV | Linux+ | Security+ | Network+

1 0

stunnel in Citrix Environment
by Bruce Liptak 21 May '21

21 May '21

Hello stunnel-users, Currently we have an application using stunnel being presented by a Citrix presentation server. The first user authenticates over stunnel with a PKI cert and every user thereafter creates a prompt for the first user again and again for each user that also tries to get into the app. Is there a way for stunnel to be separated based on something that pertains to the user trying to get access? We are using a PKI solution based on certificates. It's like every new user is hijacking the first users' stunnel session. Any help would be appreciated! Thank you, Bruce Liptak bliptakjr(a)gmail.com CCNA R&S | VCA-DCV | Linux+ | Security+ | Network+

1 0

Unable to connect after upgrade of server
by Christopher Schultz 13 May '21

13 May '21

All, I upgraded one of my servers from Debian stretch to Debian buster yesterday and I've been unable to establish stunnel connections to it since then. When I connect, I get this log message on the server end: LOG5[0]: Service [svn-name] accepted connection from [client ip]:45382 LOG5[0]: Certificate accepted at depth=0: [cert dn] LOG3[0]: SSL_accept: 1414D17A: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket We are using EC certs and it's complaining about a curve. So, probably curve-related :) Our private key on the client side is using the secp256k1 curve. The client is using OpenSSL 1.0.2. The server is running OpenSSL 1.1.1. Both client and server support secp256k1. I tried specifying: curves = secp256k1 On the server side, but stunnel won't start, telling me that the configuration option isn't valid. I tried it in the global scope, and also in the service-scope and got the same error. Am I missing something? Minting new certificates (e.g. using prime256v1/secp256r1) is definitely an option, as my client openssl says it supports the NIST P-256 curve. $ openssl ecparam -list_curves secp256k1 : SECG curve over a 256 bit prime field secp384r1 : NIST/SECG curve over a 384 bit prime field secp521r1 : NIST/SECG curve over a 521 bit prime field prime256v1: X9.62/SECG curve over a 256 bit prime field That last one is NIST P-256. Is my best bet to mint a new certificate? Or is it possible to configure the server to allow this secp256k1 curve? -chris

1 0

Stunnel static compile with open ssl error while running make command
by snainwar＠rediffmail.com 30 Apr '21

30 Apr '21

I am running RHEL release v 7.9 and have successfully compiled OpenSSL version 1.1.1k using the following configuration: ##> ./config --prefix=/usr/src/openssl-1.1.1 --openssldir=/etc/openssl The following paths are shown when I run command whereis openssl # whereis openssl openssl: /usr/lib64/openssl /usr/local/bin/openssl /usr/include/openssl /opt/openssl/bin/openssl /usr/src/openssl-1.1.1k/openssl.pc ]# I have download and prepared Stunnel version 5.59 from https://www.stunnel.org/ I am using the following configuration: ##> ./configure --with-ssl=/opt/openssl --enable-static When I compile Stunnel I get the following error message when we run Make install make[2]: Nothing to be done for `install-exec-am'. /bin/mkdir -p '/usr/local/share/doc/stunnel' /bin/install -c -m 644 README.md TODO.md COPYING.md AUTHORS.md NEWS.md PORTS.md BUGS.md COPYRIGHT.md CREDITS.md INSTALL.W32.md INSTALL.WCE.md INSTALL.FIPS.md '/usr/local/share/doc/stunnel' make install-data-hook make[3]: Entering directory `/usr/src/stunnel-5.59' ********************************************************* * Type 'make cert' to also install a sample certificate * ********************************************************* make[3]: Leaving directory `/usr/src/stunnel-5.59' make[2]: Leaving directory `/usr/src/stunnel-5.59' make[1]: Leaving directory `/usr/src/stunnel-5.59' [root@tvdcltmp001 stunnel-5.59]# Looks like Stunnel cannot link (probably because it can’t find the library) Does anyone know what the error might be? What changes do I need to make to configure for compilation.

1 0

5.59 on win64
by Joe Phillips 29 Apr '21

29 Apr '21

I'm running win64 version 5.59. Installed service and it is started and running (set to automatic). But when I try to open the stunnel allUsers I get the error : stunnel server is down sue to an error, you need to exit and correct the problem. Click ok to see the error log. Shouldn't I be able to open the log window if the service is running? Also when the service is running there is no stunnel icon in the system tray. Please advise. Thanks [cid:image001.png@01D73CD5.3C81D040]

1 0

Load Balancing
by Ramin Malekgahsemi 28 Apr '21

28 Apr '21

Hi Dear friend If have one stunnel client and have three Stunnel server My question IS How by RR user three server For client ? Forward and handle connection on three server (Client and access Port is once) thanks

1 0

Stunnel static compile error while running Make command
by snainwar＠rediffmail.com 28 Apr '21

28 Apr '21

We are trying to static compile stunnel 5.59 with open ssl 1.1.1 on RHEl 6 and RHEL7 we are getting below error running command Make on the server /stunnel-5.59/src/cron.c:239: undefined reference to `BN_GENCB_new' /stunnel-5.59/src/cron.c:244: undefined reference to `BN_GENCB_set' stunnel-cron.o: In function `cron_dh_param': /stunnel-5.59/src/cron.c:219: undefined reference to `CRYPTO_THREAD_write_lock' /stunnel-5.59/src/cron.c:222: undefined reference to `CRYPTO_THREAD_unlock' /stunnel-5.59/src/cron.c:225: undefined reference to `CRYPTO_THREAD_read_lock' /stunnel-5.59/src/cron.c:229: undefined reference to `CRYPTO_THREAD_unlock' stunnel-cron.o: In function `cron_init': /stunnel-5.59/src/cron.c:78: undefined reference to `CRYPTO_THREAD_write_lock' /stunnel-5.59/src/cron.c:81: undefined reference to `CRYPTO_THREAD_unlock' stunnel-stunnel.o: In function `main_cleanup': /stunnel-5.59/src/stunnel.c:249: undefined reference to `CRYPTO_THREAD_write_lock' /stunnel-5.59/src/stunnel.c:263: undefined reference to `CRYPTO_THREAD_unlock' stunnel-stunnel.o: In function `process_connections': /stunnel-5.59/src/stunnel.c:889: undefined reference to `CRYPTO_THREAD_write_lock' /stunnel-5.59/src/stunnel.c:898: undefined reference to `CRYPTO_THREAD_unlock' stunnel-stunnel.o: In function `stunnel_info': /stunnel-5.59/src/stunnel.c:1034: undefined reference to `OpenSSL_version' /stunnel-5.59/src/stunnel.c:1036: undefined reference to `OpenSSL_version' /stunnel-5.59/src/stunnel.c:1041: undefined reference to `OpenSSL_version_num' collect2: error: ld returned 1 exit status make[2]: *** [stunnel] Error 1 make[2]: Leaving directory `/stunnel-5.59/src' make[1]: *** [all] Error 2 make[1]: Leaving directory `/stunnel-5.59/src' make: *** [all-recursive] Error 1 [root@tvdcltmp001 stunnel-5.59]#

1 0