- stunnel-users - stunnel.org

stunnel 5.52 released
by Michal Trojnara 10 Apr '19

10 Apr '19

Dear Users, I have released version 5.52 of stunnel. Version 5.52, 2019.04.08, urgency: HIGH * Bugfixes - Fixed a transfer() loop bug introduced in stunnel 5.51. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 00b973aa0d48b0707dd722c4e0a20b8378fc9b0ba301fdb785ffb75341024e21 stunnel-5.52.tar.gz c9224c35cdd3a6de8fab7c2844ca0c185ebcc96fd9183a05407e2ba77cadc7c6 stunnel-5.52-win64-installer.exe d4ff581e1547c2e194abd586e9542bfe20399c1287f970eaa5ba1824e4567453 stunnel-5.52-android.zip Best regards, Mike

2 1

stunnel 5.51 released
by Michal Trojnara 10 Apr '19

10 Apr '19

Dear Users, I have released version 5.51 of stunnel. Version 5.51, 2019.04.04, urgency: MEDIUM * New features - Hexadecimal PSK keys are automatically converted to binary. - Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address persistence is currently unsupported with session tickets. - SMTP HELO before authentication (thx to Jacopo Giudici). - New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later. - New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites. - Include file name and line number in OpenSSL errors. - Compatibility with the current OpenSSL 3.0.0-dev branch. - Better performance with SSL_set_read_ahead()/SSL_pending(). * Bugfixes - Fixed PSKsecrets as a global option (thx to Teodor Robas). - Fixed a memory allocation bug (thx to matanfih). Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 77437cdd1aef1a621824bb3607e966534642fe90c69f4d2279a9da9fa36c3253 stunnel-5.51.tar.gz a0e26fde3ba09d6545cfbb44cab06ebd4ddf9c4b536e7d8eb76615ab54b2339c stunnel-5.51-win64-installer.exe ee90bef40cb47617fe7372707dba119f5176cb0fd9eb1bc00cdd1e2c370041db stunnel-5.51-android.zip Best regards, Mike

2 1

Problems after compiling stunnel 5.16 with openssl 1.0.2k
by simona vittori 09 Apr '19

09 Apr '19

Hello, I have compiled stunnel 5.16 with openssl 1.0.2k on a linux 3.0.101-97-default. When I execute ./stunnel -version I receive the following error: ./stunnel: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory Can anyone help me please? Thanks a lot bye bye Simona

2 1

Issues after upgrading stunnel to v5.51 on Windows
by stunnel＠alpiston.com 07 Apr '19

07 Apr '19

Hello, I've been using stunnel v5.50 (x64-pc-mingw32-gnu) to encrypt RTSP traffic between two Win10 Pro computers without any problems. However, after upgrading to stunnel v5.51 the RTSP traffic has started to stutter (as the framerate has dropped to almost nothing, from 20 fps to 0.01 fps to be precise), and the few frames that are actually transferred arrive visually corrupted. After enabling debugging at level 7, I get the following (some parts have been obfuscated for privacy reasons): 2019.04.08 00:53:51 LOG7[main]: Found 1 ready file descriptor(s) 2019.04.08 00:53:51 LOG7[main]: FD=528 ifds=r-x ofds=--- 2019.04.08 00:53:51 LOG7[main]: FD=536 ifds=r-x ofds=--- 2019.04.08 00:53:51 LOG7[main]: FD=544 ifds=r-x ofds=--- 2019.04.08 00:53:51 LOG7[main]: FD=648 ifds=r-x ofds=r-- 2019.04.08 00:53:51 LOG7[main]: FD=664 ifds=r-x ofds=--- 2019.04.08 00:53:51 LOG7[main]: FD=828 ifds=r-x ofds=--- 2019.04.08 00:53:51 LOG7[main]: Service [RTSP] accepted (FD=584) from A.B.C.D:E 2019.04.08 00:53:51 LOG7[main]: Creating a new thread 2019.04.08 00:53:51 LOG7[main]: New thread created 2019.04.08 00:53:51 LOG7[2]: Service [RTSP] started 2019.04.08 00:53:51 LOG7[2]: Setting local socket options (FD=584) 2019.04.08 00:53:51 LOG7[2]: Option TCP_NODELAY set on local socket 2019.04.08 00:53:51 LOG5[2]: Service [RTSP] accepted connection from A.B.C.D:E 2019.04.08 00:53:51 LOG6[2]: s_connect: connecting F.G.H.I:J 2019.04.08 00:53:51 LOG7[2]: s_connect: s_poll_wait F.G.H.I:J: waiting 10 seconds 2019.04.08 00:53:51 LOG5[2]: s_connect: connected F.G.H.I:J 2019.04.08 00:53:51 LOG5[2]: Service [RTSP] connected remote server from A.B.C.D:K 2019.04.08 00:53:51 LOG7[2]: Setting remote socket options (FD=900) 2019.04.08 00:53:51 LOG7[2]: Option TCP_NODELAY set on remote socket 2019.04.08 00:53:51 LOG7[2]: Remote descriptor (FD=900) initialized 2019.04.08 00:53:51 LOG6[2]: SNI: sending servername: LLLL 2019.04.08 00:53:51 LOG6[2]: Peer certificate required 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): before SSL initialization 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS write client hello 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS write client hello 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS read server hello 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): TLSv1.3 read encrypted extensions 2019.04.08 00:53:51 LOG7[2]: Verification started at depth=1: O=O, OU=OU, CN=CN 2019.04.08 00:53:51 LOG7[2]: CERT: Pre-verification succeeded 2019.04.08 00:53:51 LOG6[2]: Certificate accepted at depth=1: O=O, OU=OU, CN=CN 2019.04.08 00:53:51 LOG7[2]: Verification started at depth=0: O=O, OU=OU 2019.04.08 00:53:51 LOG7[2]: CERT: Pre-verification succeeded 2019.04.08 00:53:51 LOG6[2]: CERT: Host name "LLLL" matched with "LLLL" 2019.04.08 00:53:51 LOG5[2]: Certificate accepted at depth=0: O=O, OU=OU 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS read server certificate 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): TLSv1.3 read server certificate verify 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS read finished 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS write change cipher spec 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS write finished 2019.04.08 00:53:51 LOG7[2]: 1 client connect(s) requested 2019.04.08 00:53:51 LOG7[2]: 1 client connect(s) succeeded 2019.04.08 00:53:51 LOG7[2]: 0 client renegotiation(s) requested 2019.04.08 00:53:51 LOG7[2]: 0 session reuse(s) 2019.04.08 00:53:51 LOG6[2]: TLS connected: new session negotiated 2019.04.08 00:53:51 LOG6[2]: TLSv1.3 ciphersuite: TLS_CHACHA20_POLY1305_SHA256 (256-bit encryption) 2019.04.08 00:53:51 LOG7[2]: Compression: null, expansion: null 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSL negotiation finished successfully 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSL negotiation finished successfully 2019.04.08 00:53:51 LOG7[2]: Deallocating application specific data for session connect address 2019.04.08 00:53:51 LOG7[2]: New session callback 2019.04.08 00:53:51 LOG7[2]: Peer certificate was cached (1509 bytes) 2019.04.08 00:53:51 LOG6[2]: Session id: 08B6A892F03C33D29542A794B1C5B0A7646FB9160318EC39D3F294EEF7CAE4EB 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS read server session ticket 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSL negotiation finished successfully 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSL negotiation finished successfully 2019.04.08 00:53:51 LOG7[2]: New session callback 2019.04.08 00:53:51 LOG7[2]: Deallocating application specific data for session connect address 2019.04.08 00:53:51 LOG6[2]: Session id: 9A06F5437D7039A32E531DA4976EDE9F8CA44820025221D1CE36E237B71E9AD3 2019.04.08 00:53:51 LOG7[2]: TLS state (connect): SSLv3/TLS read server session ticket 2019.04.08 00:54:02 LOG6[2]: Read socket closed (readsocket) 2019.04.08 00:54:02 LOG7[2]: Sending close_notify alert 2019.04.08 00:54:02 LOG7[2]: TLS alert (write): warning: close notify 2019.04.08 00:54:02 LOG6[2]: SSL_shutdown successfully sent close_notify alert 2019.04.08 00:54:02 LOG7[main]: Found 1 ready file descriptor(s) 2019.04.08 00:54:02 LOG7[main]: FD=528 ifds=r-x ofds=--- 2019.04.08 00:54:02 LOG7[main]: FD=536 ifds=r-x ofds=--- 2019.04.08 00:54:02 LOG7[main]: FD=544 ifds=r-x ofds=--- 2019.04.08 00:54:02 LOG7[main]: FD=648 ifds=r-x ofds=r-- 2019.04.08 00:54:02 LOG7[main]: FD=664 ifds=r-x ofds=--- 2019.04.08 00:54:02 LOG7[main]: FD=828 ifds=r-x ofds=--- 2019.04.08 00:54:02 LOG7[main]: Service [RTSP] accepted (FD=908) from A.B.C.D:L 2019.04.08 00:54:02 LOG7[main]: Creating a new thread 2019.04.08 00:54:02 LOG7[main]: New thread created 2019.04.08 00:54:02 LOG7[3]: Service [RTSP] started 2019.04.08 00:54:02 LOG7[3]: Setting local socket options (FD=908) 2019.04.08 00:54:02 LOG7[3]: Option TCP_NODELAY set on local socket 2019.04.08 00:54:02 LOG5[3]: Service [RTSP] accepted connection from A.B.C.D:L 2019.04.08 00:54:02 LOG7[2]: TLS alert (read): warning: close notify 2019.04.08 00:54:02 LOG6[2]: TLS closed (SSL_read) 2019.04.08 00:54:02 LOG7[2]: Sent socket write shutdown 2019.04.08 00:54:02 LOG5[2]: Connection closed: 1374 byte(s) sent to TLS, 1782 byte(s) sent to socket 2019.04.08 00:54:02 LOG7[2]: Remote descriptor (FD=900) closed 2019.04.08 00:54:02 LOG7[2]: Local descriptor (FD=584) closed 2019.04.08 00:54:02 LOG7[2]: Service [RTSP] finished (1 left) 2019.04.08 00:54:02 LOG6[3]: s_connect: connecting F.G.H.I:J 2019.04.08 00:54:02 LOG7[3]: s_connect: s_poll_wait F.G.H.I:J: waiting 10 seconds 2019.04.08 00:54:02 LOG5[3]: s_connect: connected F.G.H.I:J 2019.04.08 00:54:02 LOG5[3]: Service [RTSP] connected remote server from A.B.C.D:M 2019.04.08 00:54:02 LOG7[3]: Setting remote socket options (FD=592) 2019.04.08 00:54:02 LOG7[3]: Option TCP_NODELAY set on remote socket 2019.04.08 00:54:02 LOG7[3]: Remote descriptor (FD=592) initialized 2019.04.08 00:54:02 LOG6[3]: SNI: sending servername: LLLL 2019.04.08 00:54:02 LOG6[3]: Peer certificate required 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): before SSL initialization 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSLv3/TLS write client hello 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSLv3/TLS write client hello 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSLv3/TLS read server hello 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): TLSv1.3 read encrypted extensions 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSLv3/TLS read finished 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSLv3/TLS write change cipher spec 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSLv3/TLS write finished 2019.04.08 00:54:02 LOG7[3]: Remove session callback 2019.04.08 00:54:02 LOG7[3]: 2 client connect(s) requested 2019.04.08 00:54:02 LOG7[3]: 2 client connect(s) succeeded 2019.04.08 00:54:02 LOG7[3]: 0 client renegotiation(s) requested 2019.04.08 00:54:02 LOG7[3]: 1 session reuse(s) 2019.04.08 00:54:02 LOG6[3]: TLS connected: previous session reused 2019.04.08 00:54:02 LOG6[3]: TLSv1.3 ciphersuite: TLS_CHACHA20_POLY1305_SHA256 (256-bit encryption) 2019.04.08 00:54:02 LOG7[3]: Compression: null, expansion: null 2019.04.08 00:54:02 LOG6[3]: Session id: 9A06F5437D7039A32E531DA4976EDE9F8CA44820025221D1CE36E237B71E9AD3 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSL negotiation finished successfully 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSL negotiation finished successfully 2019.04.08 00:54:02 LOG7[3]: New session callback 2019.04.08 00:54:02 LOG7[3]: Deallocating application specific data for session connect address 2019.04.08 00:54:02 LOG6[3]: Session id: C0F06C6E894812890045433304AD5880C6512D9FD3E61AA67285009143AFD645 2019.04.08 00:54:02 LOG7[3]: TLS state (connect): SSLv3/TLS read server session ticket 2019.04.08 00:54:05 LOG3[3]: transfer() loop executes not transferring any data 2019.04.08 00:54:05 LOG3[3]: please report the problem to Michal.Trojnara(a)stunnel.org 2019.04.08 00:54:05 LOG3[3]: stunnel 5.51 on x64-pc-mingw32-gnu platform 2019.04.08 00:54:05 LOG3[3]: Compiled/running with OpenSSL 1.1.1b 26 Feb 2019 2019.04.08 00:54:05 LOG3[3]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI 2019.04.08 00:54:05 LOG7[3]: errno: (*_errno()) 2019.04.08 00:54:05 LOG3[3]: protocol=TLSv1.3, SSL_pending=0 2019.04.08 00:54:05 LOG3[3]: sock_open_rd=Y, sock_open_wr=Y 2019.04.08 00:54:05 LOG3[3]: SSL_RECEIVED_SHUTDOWN=n, SSL_SENT_SHUTDOWN=n 2019.04.08 00:54:05 LOG3[3]: sock_can_rd=n, sock_can_wr=n 2019.04.08 00:54:05 LOG3[3]: ssl_can_rd=n, ssl_can_wr=n 2019.04.08 00:54:05 LOG3[3]: read_wants_read=Y, read_wants_write=n 2019.04.08 00:54:05 LOG3[3]: write_wants_read=n, write_wants_write=n 2019.04.08 00:54:05 LOG3[3]: shutdown_wants_read=n, shutdown_wants_write=n 2019.04.08 00:54:05 LOG3[3]: socket input buffer: 0 byte(s), TLS input buffer: 0 byte(s) 2019.04.08 00:54:05 LOG5[3]: Connection reset: 1169 byte(s) sent to TLS, 19088 byte(s) sent to socket 2019.04.08 00:54:05 LOG7[3]: Remote descriptor (FD=592) closed 2019.04.08 00:54:05 LOG7[3]: Local descriptor (FD=908) closed 2019.04.08 00:54:05 LOG7[3]: Service [RTSP] finished (0 left) As you can see, at 00:54:05 there's a log entry that says "transfer() loop executes not transferring any data". Any ideas about why is this happening on v5.51, and how could I solve it? By the way, should I e-mail this issue to Michal Trojnara as the logs suggests, or should I use this mailing list exclusively? Thank you, Ricardo.-- Best regards

1 0

Stunnel 5.51 Pop3 Problem?
by Colin 07 Apr '19

07 Apr '19

Hello, I'm new to this list and looking for advice/help with release 5.51 for Windows. I have three accounts, Yahoo, Aol and Gmx and I use Foxmail 5 with Stunnel. I use pop3 with all accounts and sometimes when retrieving mail I may decide to 'Not Fetch' any mail on the server that looks 'iffy' untill I've looked at it via the mail providers website. Now I've just upgraded to version 5.51 (over 5.50) and when checking any of the said accounts I can't see any mail that hasn't been fetched (the server looks empty.) But if I login to the mail website the unfetched mail is there to view for all accounts. I reverted to version 5.50 and now I can see the unfetched mail for all accounts in my 3rd party software. Therefore my question is: Is there a problem (bug??) with 5.51 which stops me from seeing unfetched pop3 mail or do I have to add something to the config file to make it work properly? Thanks...Colin

1 0

Re: [stunnel-users] V5.51 no support for OpenSSL 1.0.2 ?
by Peter Pentchev 05 Apr '19

05 Apr '19

On Fri, Apr 05, 2019 at 01:39:04PM +0000, Duncan Morris wrote: > Hi, > > The latest version of options.c, in the V5.51 source, uses a new function, which appears to only be present in OpenSSL 1.1.0 onwards. > > key_buf=OPENSSL_hexstr2buf(key_str, &key_len); > > Is it intentional that support for OpenSSL 1.0.2 has been dropped? But there is also this segment of code... #else /* OpenSSL older than 1.1.0 */ #define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x) #define OPENSSL_hexstr2buf string_to_hex #endif /* OpenSSL 1.1.0 or newer */ So it should build with OpenSSL 1.0.2, too. Have you actually experienced problems building it? G'luck, Peter -- Peter Pentchev roam(a){ringlet.net,debian.org,FreeBSD.org} pp(a)storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

1 0

Is there a Win32 installer that supports sslVersionMin = TLS1.2?
by kent loving 01 Apr '19

01 Apr '19

I need to run a client on Win XP that connects to a server using TLS 1.2 or higher. Jose Alf posted that he made a test build of 5.50 in a win32 installer but uses OpenSSL 1.0.2p. And it does not seem to be official. The changelog says version 5.49, which has a win32 installer, also uses OpenSSL 1.0.2p. I can't tell if it supports TLS1.2. The man page implies I need OpenSSL 1.1.1 to get the sslVersionMin option. And, OpenSSL says v1.0.2 support ends in 9 months. Any advice is appreciated. Thanks, Kent Loving

3 2

OpenVPN with stunnel
by Heikki Lavaste 25 Mar '19

25 Mar '19

Hi, To bypass the office firewall to access home server, I'm trying to run openvpn over port 443 with stunnel. I managed to get to this point: Log on client side 2019.03.22 22:15:13 LOG5[38]: Connection closed: 352 byte(s) sent to TLS, 2067 byte(s) sent to socket 2019.03.22 22:15:19 LOG5[39]: Service [openvpn] accepted connection from 127.0.0.1:51265 2019.03.22 22:15:19 LOG5[39]: s_connect: connected x.x.x.x:443 2019.03.22 22:15:19 LOG5[39]: Service [openvpn] connected remote server from x.x.x.x:51266 2019.03.22 22:15:19 LOG5[39]: Connection closed: 352 byte(s) sent to TLS, 2067 byte(s) sent to socket Log on server side: Mar 22 22:21:54 ssh-server-heikki stunnel[2797]: LOG5[2797:140127128753920]: connect_blocking: connected 127.0.0.1:8443 Mar 22 22:21:54 ssh-server-heikki stunnel[2797]: LOG5[2797:140127128753920]: Service [openvpn] connected remote server from 127.0.0.1:49366 Mar 22 22:21:54 ssh-server-heikki stunnel[2797]: LOG5[2797:140127128753920]: Connection closed: 2067 byte(s) sent to SSL, 352 byte(s) sent to socket Config: Client [openvpn] client = yes accept = localhost:1337 connect = x.x.x.xg:443 cert = C:\Users\heikki_lavaste\Documents\stunnel\stunnel.pem verifyChain = yes verify = 2 CAfile = C:\Users\heikki_lavaste\Documents\stunnel\ca-cert.pem checkHost = stunnel.heikki-lab.local sslVersion = TLSv1 Server chroot = /var/run/stunnel sslVersion = TLSv1 pid = /stunnel.pid setuid = nobody setgid = nobody socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 cert = /etc/stunnel/stunnel.pem [openvpn] accept = 443 connect = localhost:8443 cert = /etc/stunnel/stunnel.pem The issue is probably nothing to do with stunnel but if somebody can help me figure this out, that'd be appreciated. Kind Regards Heikki

2 1

ERR_SSL_VERSION_INTERFERENCE on Google Chrome v 73.0.3683.86 and stunnel v5.51b1
by Kolan Koala 25 Mar '19

25 Mar '19

I cannot get TLS 1.3 to work with Chrome. TLS 1.3 works fine in firefox quantum v 66.0.1 over the same hardware, so this is not caused by middleboxes. It is a fault with stunnel or Chrome. ERR_SSL_VERSION_INTERFERENCE error occurs in Chrome and will not connect. For now the solution is to turn off TLS v1.3 in stunnel configuration and force TLS v1.2, but this is not a long term solution. Does anyone have a solution to use TLS 1.3 with chrome and stunnel together? Kolan

1 0

No more Win32 stunnel?
by John Hall 21 Mar '19

21 Mar '19

I've only just discovered that stunnel is seemingly no longer being updated for Win32; at any rate there has been no version 5.50 released for Win32. It would have been nice if there had been an announcement to that effect, as until now I was only subscribed to the announcements mailing list and had thus been in blissful ignorance. (For some reason I never saw ANY announcement for 5.50 - in fact I still seem to be on 5.47.) Given that there are a number of ports to different OSs by various people, is there any chance that someone might supply a Win32 port for future versions? (Sadly I lack the knowledge to do that myself.) -- John Hall

3 4