stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

Why the version of Client Hello is always TLS 1.0 ?
by liuyongjiao＠synqnc.com 13 Jan '21

13 Jan '21

Hi, Why the TLS version is always 1.0 ? Please help to check. Frame 11: 1721 bytes on wire (13768 bits), 1721 bytes captured (13768 bits) Ethernet II, Src: fa:16:3e:53:dc:2f (fa:16:3e:53:dc:2f), Dst: IETF-VRRP-VRID_02 (00:00:5e:00:01:02) Internet Protocol Version 4, Src: 10.160.8.11, Dst: 10.160.130.34 Transmission Control Protocol, Src Port: 50692, Dst Port: 9002, Seq: 1, Ack: 1, Len: 1655 Transport Layer Security TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 1650 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 1646 Version: TLS 1.2 (0x0303) Random: fd7cbf2da8172c362ebd3120b2dcd3886f3015eabfb5f167… Session ID Length: 32 Session ID: 4ea202f00bd35c102c97e8621f68e33dd59ad8ee95a58a2f… Cipher Suites Length: 170 Cipher Suites (85 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 1403 Extension: server_name (len=18) Extension: ec_point_formats (len=4) Extension: supported_groups (len=28) Extension: session_ticket (len=1296) Extension: signature_algorithms (len=32) Extension: heartbeat (len=1) Following are the config file: ;************************************************************************** ; * Global options * ; ************************************************************************** ; It is recommended to drop root privileges if stunnel is started by root ;setuid = stunnel4 ;setgid = stunnel4 ; PID file is created inside the chroot jail (if enabled) pid = /home/stunnelnew.pid ; Debugging stuff (may be useful for troubleshooting) ;foreground = yes ;debug = info debug = debug output = /home/log/stunnelnew.log ;options = NO_SSLv2 ;options = NO_SSLv3 ;options = NO_TLSv1 ;options = NO_TLSv1.1 ;sslVersionMax = TLSv1.2 ;sslVersionMin = TLSv1.2 ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [xxxxxxxxxxxx] ;socket = a:SO_REUSEADDR=no retry = yes ;options = NO_SSLv2 ;options = NO_SSLv3 ;options = NO_TLSv1 ;options = NO_TLSv1.1 sslVersion = TLSv1.2 ;socket = l:SO_LINGER=1:13 ;sslVersionMin = TLSv1.2 cert = /home/x/ssltest/x/server.cer key = /home/x/ssltest/x/server_key.pem CAfile = /home/x/ssltest/x/trust.cer client = yes accept = 31115 connect = 10.160.1.11:9113 liuyongjiao(a)synqnc.com

1 0

stunnel to gmail didn't work
by wangweihsiang1109＠gmail.com 09 Jan '21

09 Jan '21

Hello,I have set up a website,and I want to send email by gmail,so I used stunnel,but my gmail didn't send anything. 2021.01.08 15:01:58 LOG5[14]: Service [gmail-smtp] accepted connection from 127.0.0.1:59920 2021.01.08 15:01:58 LOG5[14]: s_connect: connected 2404:6800:4008:c06::6d:587 2021.01.08 15:01:58 LOG5[14]: Service [gmail-smtp] connected remote server from 2001:b011:e:3358:b5b1:fa68:8b3:883c:59921 2021.01.08 15:01:59 LOG5[14]: Connection closed: 22 byte(s) sent to TLS, 154 byte(s) sent to socket conf look like this: [gmail-smtp] client = yes accept = 127.0.0.1:35 connect = smtp.gmail.com:587 verifyChain = yes CAfile = ca-certs.pem checkHost = smtp.gmail.com OCSPaia = yes protocol = smtp protocolUsername = *****(a)gmail.com protocolPassword = *****

1 0

report
by Danny Clowes 03 Jan '21

03 Jan '21

sudo find / -name openssl ive checked some locations but im very lost since learning ssl and stunnel i would be happy if you could forward me to the right location & i'll send information back.. Thank you ------------------- /etc/apparmor.d/abstractions/openssl /usr/include/x86_64-linux-gnu/openssl /usr/include/openssl /usr/bin/openssl /usr/share/lintian/overrides/openssl /usr/share/doc/openssl /usr/share/bash-completion/completions/openssl /root/openssl-master/test/ossl_shim/include/openssl /root/openssl-master/include/openssl /snap/core/10577/etc/apparmor.d/abstractions/openssl /snap/core/10577/usr/bin/openssl /snap/core/10577/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl /snap/core/10577/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl /snap/core/10577/usr/share/bash-completion/completions/openssl /snap/core/10577/usr/share/doc/openssl root@debian:/usr/local/include#

1 0

report
by Danny Clowes 28 Dec '20

28 Dec '20

Hi, I'm using 5.7 stunnel for Debian. I have clients connecting to the server we are getting the following error message. I would be grateful if able to help? * Unable to use the beta version as the R-limit don't work and gives me error messages. Dec 28 08:44:33 debian stunnel: LOG4[129248]: Possible memory leak at ../ssl/packet_locl.h:385: 241533 allocations Dec 28 08:44:33 debian stunnel: LOG4[128031]: Possible memory leak at ../crypto/stack/stack.c:108: 243008 allocations Dec 28 08:44:33 debian stunnel: LOG4[129238]: Possible memory leak at ../crypto/stack/stack.c:108: 243008 allocations Dec 28 08:44:33 debian stunnel: LOG4[128031]: Possible memory leak at ../ssl/packet_locl.h:385: 241533 allocations Dec 28 08:44:33 debian stunnel: LOG4[129140]: Possible memory leak at ../crypto/stack/stack.c:108: 243008 allocations Dec 28 08:44:33 debian stunnel: LOG4[129140]: Possible memory leak at ../ssl/packet_locl.h:385: 241533 allocations Dec 28 08:44:33 debian stunnel: LOG4[129238]: Possible memory leak at ../ssl/packet_locl.h:385: 241533 allocations Dec 28 08:44:33 debian stunnel: LOG4[129206]: Possible memory leak at ../crypto/stack/stack.c:108: 243008 allocations Dec 28 08:44:33 debian stunnel: LOG4[129206]: Possible memory leak at ../ssl/packet_locl.h:385: 241533 allocations Dec 28 08:44:33 debian stunnel: LOG4[128166]: Possible memory leak at ../crypto/stack/stack.c:108: 243008 allocations Dec 28 08:44:33 debian stunnel: LOG4[128166]: Possible memory leak at ../ssl/packet_locl.h:385: 241533 allocations Thanks.

1 0

stunnel is stuck for 30 seconds
by dittyadler＠gmail.com 23 Dec '20

23 Dec '20

Hi, I'm running stunnel version 5.58 on Windows, everything works perfectly besides that sometimes stunnel gets stuck for 30 seconds - Nothing special in stunnel log, except for the 30 seconds delay: 2020.12.21 14:48:36 LOG6[8]: TLS connected: previous session reused 2020.12.21 14:48:36 LOG6[8]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption) 2020.12.21 14:48:36 LOG6[8]: Peer temporary key: X25519, 253 bits 2020.12.21 14:48:36 LOG7[8]: Compression: null, expansion: null 2020.12.21 14:48:36 LOG6[8]: Session id: 8E62D0D8EB6359FEA7370E64AA7CC58EF9DB68059A5E01417E7038B773CE60D3 2020.12.21 14:48:36 LOG7[8]: TLS state (connect): SSL negotiation finished successfully 2020.12.21 14:48:36 LOG7[8]: TLS state (connect): SSL negotiation finished successfully 2020.12.21 14:48:36 LOG7[8]: Initializing application specific data for session authenticated 2020.12.21 14:48:36 LOG7[8]: New session callback 2020.12.21 14:48:36 LOG7[8]: Deallocating application specific data for session connect address 2020.12.21 14:48:36 LOG6[8]: Session id: AF8ED185555C6734403C71B514A3F6B75F8484A5AC4EAE6058CFF4D35D929B36 2020.12.21 14:48:36 LOG7[8]: TLS state (connect): SSLv3/TLS read server session ticket 30 sec delay 2020.12.21 14:49:06 LOG6[8]: Read socket closed (readsocket) 2020.12.21 14:49:06 LOG7[8]: Sending close_notify alert 2020.12.21 14:49:06 LOG7[8]: TLS alert (write): warning: close notify 2020.12.21 14:49:06 LOG6[8]: SSL_shutdown successfully sent close_notify alert 2020.12.21 14:49:06 LOG3[8]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing 2020.12.21 14:49:06 LOG7[8]: FD=4540 ifds=--x ofds=--- 2020.12.21 14:49:06 LOG7[8]: FD=4792 ifds=r-x ofds=--- 2020.12.21 14:49:06 LOG5[8]: Connection closed: 64 byte(s) sent to TLS, 0 byte(s) sent to socket 2020.12.21 14:49:06 LOG7[8]: Remote descriptor (FD=4792) closed 2020.12.21 14:49:06 LOG7[8]: Local descriptor (FD=4540) closed 2020.12.21 14:49:06 LOG7[8]: Service [SLNP pem file] finished (0 left) log example when stunnel doesn't get stuck: 2020.12.21 14:49:06 LOG6[9]: TLS connected: previous session reused 2020.12.21 14:49:06 LOG6[9]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption) 2020.12.21 14:49:06 LOG6[9]: Peer temporary key: X25519, 253 bits 2020.12.21 14:49:06 LOG7[9]: Compression: null, expansion: null 2020.12.21 14:49:06 LOG6[9]: Session id: AF8ED185555C6734403C71B514A3F6B75F8484A5AC4EAE6058CFF4D35D929B36 2020.12.21 14:49:06 LOG7[9]: TLS state (connect): SSL negotiation finished successfully 2020.12.21 14:49:06 LOG7[9]: TLS state (connect): SSL negotiation finished successfully 2020.12.21 14:49:06 LOG7[9]: Initializing application specific data for session authenticated 2020.12.21 14:49:06 LOG7[9]: New session callback 2020.12.21 14:49:06 LOG7[9]: Deallocating application specific data for session connect address 2020.12.21 14:49:06 LOG6[9]: Session id: 44E9010787EFDBC0FCA92724415AD30EF9EDB626D734D894061606C79CD26402 2020.12.21 14:49:06 LOG7[9]: TLS state (connect): SSLv3/TLS read server session ticket 2020.12.21 14:49:06 LOG6[9]: Read socket closed (readsocket) 2020.12.21 14:49:06 LOG7[9]: Sending close_notify alert 2020.12.21 14:49:06 LOG7[9]: TLS alert (write): warning: close notify 2020.12.21 14:49:06 LOG6[9]: SSL_shutdown successfully sent close_notify alert 2020.12.21 14:49:06 LOG3[9]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing 2020.12.21 14:49:06 LOG7[9]: FD=2464 ifds=r-x ofds=--- 2020.12.21 14:49:06 LOG7[9]: FD=2788 ifds=--x ofds=--- 2020.12.21 14:49:06 LOG5[9]: Connection closed: 64 byte(s) sent to TLS, 108 byte(s) sent to socket 2020.12.21 14:49:06 LOG7[9]: Remote descriptor (FD=2464) closed 2020.12.21 14:49:06 LOG7[9]: Local descriptor (FD=2788) closed 2020.12.21 14:49:06 LOG7[9]: Service [SLNP pem file] finished (0 left) My stunnel conf: debug = 7 output = stunnel.log fips = no options = NO_SSLv2 [SLNP pem file] key = SLNP_urmsand01_new.pem cert = SLNP_urmsand01_new.pem client = yes accept = 8003 connect = host:6443 TIMEOUTbusy = 30 TIMEOUTclose = 0 TIMEOUTconnect = 60 TIMEOUTidle = 86400 With the old stunnel(5.14) it doesn’t happen. Thanks, Ditty.

3 3

stunnel is stuck for 30 seconds
by Brent Kimberley 23 Dec '20

23 Dec '20

Chris/Ditty. Have you tried optimizing your config - on both sides? For example, please search for TIMEOUTbusy in https://github.com/mtrojnar/stunnel/tree/stunnel-5.58 &/| https://github.com/mtrojnar/stunnel/tree/stunnel-5.57 On 12/21/20 13:09, dittyadler(a)gmail.com wrote: > Hi, > > I'm running stunnel version 5.58 on Windows, > everything works perfectly besides that sometimes stunnel gets stuck for 30 seconds - > Nothing special in stunnel log, except for the 30 seconds delay: >

1 0

stunnel is stuck for 30 seconds
by dittyadler＠gmail.com 21 Dec '20

21 Dec '20

1 0

stunnel is stuck for 30 seconds
by DITTY ADLER 21 Dec '20

21 Dec '20

1 0

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

EHLO localhost causing problem in smtp-relay.gmail.com
by sreyas-n＠hcl.com 11 Dec '20

11 Dec '20

We note that always EHLO command sent by sTunnel to SMTP server always been populated as "localhost". Note some well know SMTP server (or) SMTP relay servers such as smtp-relay.gmail.com, etc reject further communication with SMTP clients (as here sTunnel), if they receive initial handshake EHLO request itself as LOCALHOST. Please refer this link on why SMTP servers/ relay servers reject EHLO command with LOCALHOST - https://support.google.com/a/answer/2956491. Note because of this reason, we could use sTunnel as our encryption channel to communicate with SMTP server/relay server. Is there any specific reason behind in hardcoding the EHLO command with LOCALHOST always even in latest version of sTunnel - 5.57 version..? Always what would be in sTunnel functionality, if we change the EHLO command to populate as hostname (or) FQDN instead.

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users