stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

Could stunnel encryption be responsible for rendering the year as "4019" instead of "2019"?
by Al Birchall 09 Jan '19

09 Jan '19

Hi All, This may be stupid question, but I'll pose it anyway! We use stunnel to encrypt communications between library self-service kiosks and a cloud-based library system. Since switching to this cloud-based library system, the self-service kiosks have been rendering the year in item due dates as "4019" instead of "2019" printed and emailed patron library account statements. Items will actually have been checked out to the correct due date in library system, with the year displayed correctly, which library staff and patrons can see is so when they access the system directly. We have fixed the problem with a work-around by configuring the kiosk software to only display the last two digits of the year. So could it be the stunnel encryption algorithms that are causing "2019" to display as "4019"? Many thanks! Alex Alex Birchall Library Systems Manager The Sheppard Library Middlesex University London NW4 4BT UK Tel: +44 (0)20 8411 5235 Mob: 07765 237 570

2 1

Internal Errors
by _ Ånüßås _ 08 Jan '19

08 Jan '19

Hello, I would like to report two bugs. I recently upgraded to stunnel 5.50 on FreeBSD 12.0 and noticed that the stunnel server service now crashes periodically. When checking the logs after a crash, I see the following error: INTERNAL ERROR: Dead canary at /usr/src/crypto/openssl/ssl/statem/extensions_sr The stunnel server service only ever talks to a stunnel client service, also running version 5.50 on FreeBSD 12.0. The server configuration is as follows. Anything in {} brackets has been redacted. I have seen this issue on multiple servers configured the same way. <config> client = no setuid = stunnel setgid = stunnel pid = {/path/to/file} output = {/path/to/file} debug = 4 socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [server] accept = {ip}:{port} connect = {ip}:{port} ciphers = PSK PSKsecrets = {/path/to/file} </config> Additionally, I have noticed another error in the logs. Although it appears far more frequently than the error above, it does not seem to cause the server service to crash. INTERNAL ERROR: Double free attempt: ptr=0x802119050 alloc=/usr/src/crypto/openssl/crypto/stack/stack.c:198 free#1=/usr/src/crypto/openssl/crypto/stack/stack.c:376 free#2=/usr/src/crypto/openssl/ssl/ssl_sess.c:814 Please let me know if additional information is needed to fix these bugs. Thank you.

1 0

No more addresses to connect
by Ben Habel 08 Jan '19

08 Jan '19

I am trying to implement an openvpn + stunnel vpn with a Linux host server and a windows client, i have everything connecting when alone but when I connect openvpn over Stunnel i get and error that says: 2019.01.07 21:18:50 LOG5[0]: Service [openvpn] accepted connection from 127.0.0.1:49343 2019.01.07 21:19:15 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2019.01.07 21:19:20 LOG5[2]: Service [openvpn] accepted connection from 127.0.0.1:49380 2019.01.07 21:19:30 LOG3[2]: s_connect: s_poll_wait xx.xxx.xxx.xxx:1194: TIMEOUTconnect exceeded 2019.01.07 21:19:30 LOG3[2]: No more addresses to connect And this error will loop until I disable the openvpn connection. Any help would be appreciated. Thanks

2 1

Need help to confi Stunnel
by Larry Alba 08 Jan '19

08 Jan '19

I need help to configure Stunnel to work again for my Secure Email being sent by my NoteSmith software thru Aplus.net mail server. I am: larryalba(a)yahoo.com Sent from Yahoo Mail on Android

1 0

ssl3_get_record:wrong version number
by Moellers 07 Jan '19

07 Jan '19

Hello, what I´m trying to accomplish is to build a secure RDP Connection between my Laptop and a Server, which are in the same Network but as RDP in itself is not secure enough I need the stunnel encryption. As of now I can establish a connection but as soon as I try to start an RDP Connection I get the following message: SSL_accept: 1408F10B: error:1408F10B:SSL routines:ssl3_get_record:wrong version number I tried serveral things for example: sslVersion = all options = NO_SSLv2 Sadly this doesn´t work either as I get a different error after that. This is pretty much the config for both Server and Client. ; R.B. Konfiguration HMailServer InvNr. 4522 RDP Zugriff mit STunnel-Verschlüsselung [RDP-SSL] CAfile = certs.pem accept = 9000 connect = 3389 ;verify = 4 verifyPeer = yes verifyChain = no sslVersion = all cert = stunnel.pem I exchanged the certificates between the Server and the Laptop but can´t establish a connection to get a RDP Session going. Hope someone can help me. Kind regards. F.Moellers Mit freundlichen Grüßen IT-Abteilung Jugendhilfe Köln e.V. Christianstr. 82 50825 Köln Tel. (0221) 54600-177 <mailto:it@jugendhilfe-koeln.de> it(a)jugendhilfe-koeln.de <http://www.jugendhilfe-koeln.de> www.jugendhilfe-koeln.de Geschäftsführerin: Almut Gross - Amtsgericht Köln VR 7348 Vorstandsvorsitzende: Dr. Agnes Klein

2 1

Re: [stunnel-users] older browsers, stunnel and privoxy
by Eric Eberhard 04 Jan '19

04 Jan '19

Observation: you accept on port 80 ... the log says 4121 ... any chance you have some sort of port forwarding/NAT/firewall/router issue? Second -- if you are on Unix why not just use inetd? Easy, reliable, simple, always works (if inetd goes down you have no Unix). And you have nothing to manage -- just logs to look at. Happy New Year Eric -----Original Message----- From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of kovacs janos Sent: Saturday, December 29, 2018 7:37 PM To: Javier <jamilist.stn(a)gmx.es> Cc: stunnel-users(a)stunnel.org Subject: Re: [stunnel-users] older browsers, stunnel and privoxy it still doesnt seem to work. i tried it with deviantart.com again. configuration: client = yes accept = 127.0.0.1:80 connect = 52.85.220.247:443 verifyChain = yes CAfile = ca-certs.pem checkHost = *.deviantart.com the name after checkHost is the "Common Name" displayed when viewing the site's certificate in a browser(lock icon, view certificate). i also saved the certificate in case i would need to try the "certificate pinning" method. the connect IP is what 'get-site-ip.com' says the IP of the website is. these are the logs: Service [fbsd-www] accepted connection from 127.0.0.1:4121 s_connect: connected 52.85.220.247:443 Service [fbsd-www] connected remote server from 192.168.0.3:4122 SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket i know i pestered everyone long enough, but i still havent been able to connect to anything. without any verification its the same On 12/21/18, Javier <jamilist.stn(a)gmx.es> wrote: > On Fri, 21 Dec 2018 13:58:35 +0200 > Peter Pentchev <roam(a)ringlet.net> wrote: > >> Hm, there's no reason why stunnel would not work like that for a >> predetermined set of hosts with known addresses. > > Hi, > > I'm just trying to avoid encouraging him on keep with his first idea > of browsing through Stunnel, with, or without privoxy. > > Of course one site, one connection would work, if we forget about > secondary issues and..., nevermind... > > I give up :D > > Regards. > > > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)stunnel.org > https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users > _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

2 1

stunnel not working properly on Redhat linux (fresh install)
by Klaus Kloeser 04 Jan '19

04 Jan '19

Hi, I have set up Stunnel as SSL Wrapper for googlemail on a Redhat Enterprise Linux 7.2 installation. The stunnel.conf: output = /var/log/stunnel.log cert = /etc/pki/tls/certs/2019stunnel.pem client = yes sslVersion = TLSv1 ;fips=no [ssmtp] accept = 1925 connect=smtp.googlemail.com:587 lets me start stunned well. I have created the file 2019stunnel.pem following the Instructions on Redhat: make 2019stunnel.pem in the correct directory (certs) now I tried to telnet localhost 1925; I get a “connected”, but nothing more. telnet smtp.googlemail 587 runs very well, I get connected, so I assume it is not a firewall issue. I checked the options sslVersion = TLSv1 and sslVersion = all alternatively, which led to different errors in stunnel.log: Service [ssmtp] accepted connection from 127.0.0.1:49723 2019.01.04 14:45:01 LOG3[4500:140416608397056]: connect_blocking: connect 2a00:1450:400c:c0c::10:587: Network is unreachable (101) 2019.01.04 14:45:01 LOG5[4500:140416608397056]: connect_blocking: connected 74.125.140.16:587 2019.01.04 14:45:01 LOG5[4500:140416608397056]: Service [ssmtp] connected remote server from 192.168.178.57:44246 2019.01.04 14:45:01 LOG3[4500:140416608397056]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol 2019.01.04 14:45:01 LOG5[4500:140416608397056]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket 2019.01.04 14:54:24 LOG5[4500:140416608249920]: Terminated or Service [ssmtp] accepted connection from 192.168.178.57:57612 2019.01.04 14:54:36 LOG5[7437:139957105055488]: connect_blocking: connected 173.194.76.16:587 2019.01.04 14:54:36 LOG5[7437:139957105055488]: Service [ssmtp] connected remote server from 192.168.178.57:52192 2019.01.04 14:54:36 LOG3[7437:139957105055488]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number 2019.01.04 14:54:36 LOG5[7437:139957105055488]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket Now Open SSL: Openssl output: openssl s_client -connect localhost:1925 CONNECTED(00000003) write:errno=104 no peer certificate available No client certificate CA names sent SSL handshake has read 0 bytes and written 289 bytes New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1546610402 Timeout : 300 (sec) Verify return code: 0 (ok) What do I miss here; what is running wrong ? Mit freundlichen Grüßen/ best regards Klaus Klöser

2 1

(no subject)
by Guido 30 Dec '18

30 Dec '18

Gesendet von Mail für Windows 10

1 0

(no subject)
by Guido 30 Dec '18

30 Dec '18

Gesendet von Mail für Windows 10

1 0

sslv3 alert bad certificate
by marko 26 Dec '18

26 Dec '18

Hello all, I'm using xmas for something useful - i.e. to configure a new server. After an install of stunnel 5.50 and generating the .pem and .key files with: openssl req -new -x509 -nodes -out /usr/local/etc/stunnel/nw_stunnel.pem -keyout /usr/local/etc/stunnel/nw_stunnel.key -days 1825 using this settings in the stunnel.conf: cert = /usr/local/etc/stunnel/nw_stunnel.pem key = /usr/local/etc/stunnel/nw_stunnel.key options = -NO_SSLv3 sslVersion = all I got LOG5[0]: Service [imaps] accepted connection from 192.168.1.3:64233 Dec LOG3[0]: SSL_accept: 14094412: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket Just wondering: this is a self issued CA-Cert. Does the bad certificate error refer to the unsafe ssl3-standard or is it a placeholder for the certificate being self-generated as well? I'm currentlty on [.] stunnel 5.50 on amd64-portbld-freebsd12.0 platform [.] Compiled/running with OpenSSL 1.1.1a-freebsd 20 Nov 2018 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI This configuration works with the same install procedure: [.] stunnel 5.49 on i386-portbld-freebsd11.2 platform [.] Compiled/running with OpenSSL 1.0.2o-freebsd 27 Mar 2018 [.] Threading:PTHREAD Sockets:POLL,IPv4 TLS:ENGINE,OCSP,PSK,SNI Any insights into this matter are highly welcome. Cheers, and merry youknowwhat, Marko

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users