stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

[PATCH] only use aysnc-signal-safe functions after fork
by Philip Craig 15 Oct '15

15 Oct '15

POSIX requires that multi-threaded processes only use async-signal-safe functions after calling fork(). For more info on the problems this avoids, see the rationale at: http://pubs.opengroup.org/onlinepubs/9699919799/functions/pthread_atfork.ht… The specific problem this patch solves is that, when there are multiple simultaneous requests, stunnel is often hanging on a futex syscall when a child process calls free as a result of tls_alloc(). This problem is experienced when using uClibc. I haven't tested, but I believe the malloc implementation in glibc does not have this problem. --- stunnel-5.24.orig/src/client.c +++ stunnel-5.24/src/client.c @@ -1100,6 +1100,8 @@ NOEXPORT SOCKET connect_local(CLI *c) { NOEXPORT SOCKET connect_local(CLI *c) { /* spawn local process */ char *name, host[40], port[6]; + char *env[10]; + int i, envc; int fd[2], pid; X509 *peer_cert; #ifdef HAVE_PTHREAD_SIGMASK @@ -1115,19 +1117,55 @@ NOEXPORT SOCKET connect_local(CLI *c) { } else if(make_sockets(fd)) longjmp(c->err, 1); + set_nonblock(fd[1], 0); /* switch back to blocking mode */ + + envc = 0; + + if(!getnameinfo(&c->peer_addr.sa, c->peer_addr_len, + host, 40, port, 6, NI_NUMERICHOST|NI_NUMERICSERV)) { + /* just don't set these variables if getnameinfo() fails */ + env[envc++] = str_printf("REMOTE_HOST=%s", host); + env[envc++] = str_printf("REMOTE_PORT=%s", port); + if(c->opt->option.transparent_src) { +#ifndef LIBDIR +#define LIBDIR "." +#endif +#ifdef MACH64 + env[envc++] = str_dup("LD_PRELOAD_32=" LIBDIR "/libstunnel.so"); + env[envc++] = str_dup("LD_PRELOAD_64=" LIBDIR "/" MACH64 "/libstunnel.so"); +#elif __osf /* for Tru64 _RLD_LIST is used instead */ + env[envc++] = str_dup("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT"); +#else + env[envc++] = str_dup("LD_PRELOAD=" LIBDIR "/libstunnel.so"); +#endif + } + } + + if(c->ssl) { + peer_cert=SSL_get_peer_certificate(c->ssl); + if(peer_cert) { + name=X509_NAME2text(X509_get_subject_name(peer_cert)); + env[envc++] = str_printf("SSL_CLIENT_DN=%s", name); + name=X509_NAME2text(X509_get_issuer_name(peer_cert)); + env[envc++] = str_printf("SSL_CLIENT_I_DN=%s", name); + X509_free(peer_cert); + } + } + + env[envc] = NULL; pid=fork(); c->pid=(unsigned long)pid; switch(pid) { case -1: /* error */ + for (i = 0; i < envc; i++) + str_free(env[i]); closesocket(fd[0]); closesocket(fd[1]); ioerror("fork"); longjmp(c->err, 1); case 0: /* child */ - tls_alloc(NULL, c->tls, NULL); /* reuse thread-local storage */ closesocket(fd[0]); - set_nonblock(fd[1], 0); /* switch back to blocking mode */ /* dup2() does not copy FD_CLOEXEC flag */ dup2(fd[1], 0); dup2(fd[1], 1); @@ -1135,36 +1173,6 @@ NOEXPORT SOCKET connect_local(CLI *c) { dup2(fd[1], 2); closesocket(fd[1]); /* not really needed due to FD_CLOEXEC */ - if(!getnameinfo(&c->peer_addr.sa, c->peer_addr_len, - host, 40, port, 6, NI_NUMERICHOST|NI_NUMERICSERV)) { - /* just don't set these variables if getnameinfo() fails */ - putenv(str_printf("REMOTE_HOST=%s", host)); - putenv(str_printf("REMOTE_PORT=%s", port)); - if(c->opt->option.transparent_src) { -#ifndef LIBDIR -#define LIBDIR "." -#endif -#ifdef MACH64 - putenv("LD_PRELOAD_32=" LIBDIR "/libstunnel.so"); - putenv("LD_PRELOAD_64=" LIBDIR "/" MACH64 "/libstunnel.so"); -#elif __osf /* for Tru64 _RLD_LIST is used instead */ - putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT"); -#else - putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so"); -#endif - } - } - - if(c->ssl) { - peer_cert=SSL_get_peer_certificate(c->ssl); - if(peer_cert) { - name=X509_NAME2text(X509_get_subject_name(peer_cert)); - putenv(str_printf("SSL_CLIENT_DN=%s", name)); - name=X509_NAME2text(X509_get_issuer_name(peer_cert)); - putenv(str_printf("SSL_CLIENT_I_DN=%s", name)); - X509_free(peer_cert); - } - } #ifdef HAVE_PTHREAD_SIGMASK sigemptyset(&newmask); sigprocmask(SIG_SETMASK, &newmask, NULL); @@ -1176,11 +1184,13 @@ NOEXPORT SOCKET connect_local(CLI *c) { signal(SIGTERM, SIG_DFL); signal(SIGQUIT, SIG_DFL); signal(SIGINT, SIG_DFL); - execvp(c->opt->exec_name, c->opt->exec_args); + execve(c->opt->exec_name, c->opt->exec_args, env); ioerror(c->opt->exec_name); /* execvp failed */ _exit(1); default: /* parent */ s_log(LOG_INFO, "Local mode child started (PID=%lu)", c->pid); + for (i = 0; i < envc; i++) + str_free(env[i]); closesocket(fd[1]); return fd[0]; }

2 2

Re: [stunnel-users] (no subject)
by Adrián Mihálko 10 Oct '15

10 Oct '15

Some good news, I remove client = yes as you suggested: 2015.10.09 12:39:29 LOG5[main]: Configuration successful 2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log 2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read) 2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket 2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671 2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated 2015.10.09 12:39:34 LOG6[60]: No peer certificate received 2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption) 2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0 2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952 2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952 2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached 2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598 2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read) 2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket 2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672 2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated 2015.10.09 12:39:34 LOG6[61]: No peer certificate received 2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption) 2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1 2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952 2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952 2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached 2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599 openssl_client log: http://pastebin.com/7bg3sf7J The problem is now that the site loads forever, nothing happens. (this certificate (:1988) is other than the original (:41952). This is not problem? curl test: $ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk * Trying 192.168.1.17... * Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0) * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: localhost > GET /DYMO/DLS/Printing/Check HTTP/1.1 > Host: 192.168.1.17:1988 > User-Agent: curl/7.43.0 > Accept: */* > waiting forever. 2015-10-09 12:34 GMT+02:00 Adrián Mihálko <adriankoooo(a)gmail.com>: > In the first mail I wrote ports bad, of course in the log I am using the > good ones. > > [myservice] > cert = stunnel.pem > client = yes > accept = 0.0.0.0:1988 > connect = localhost:41952 > > > 2015-10-09 12:32 GMT+02:00 Adrián Mihálko <adriankoooo(a)gmail.com>: > >> Sorry, curl was only for testing. >> >> Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect >> 192.168.1.17:1988 >> CONNECTED(00000003) >> 1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown >> protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618: >> >> 2015.10.09 12:23:21 LOG5[main]: Reading configuration from file >> stunnel.conf >> 2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected >> 2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled >> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3] >> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap] >> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp] >> 2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice] >> 2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem >> 2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem >> 2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication >> to prevent MITM attacks >> 2015.10.09 12:23:21 LOG5[main]: Configuration successful >> 2015.10.09 12:23:21 LOG5[main]: Logging to >> C:\Users\adrianmihalko\AppData\Local\stunnel.log >> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection >> from 192.168.1.25:49454 >> 2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0 >> 2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952 >> 2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952 >> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server >> from ::1:50564 >> 2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost >> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled >> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled >> 2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated >> 2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA >> (128-bit encryption) >> 2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read) >> 2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, >> 505 byte(s) sent to socket >> >> If I am connecting to the :41952: >> >> openssl s_client -connect 192.168.1.17:41952 >> ... >> >> --- >> No client certificate CA names sent >> --- >> SSL handshake has read 1724 bytes and written 712 bytes >> --- >> New, TLSv1/SSLv3, Cipher is AES128-SHA >> Server public key is 4096 bit >> Secure Renegotiation IS supported >> Compression: NONE >> Expansion: NONE >> SSL-Session: >> Protocol : TLSv1 >> Cipher : AES128-SHA >> ... >> >> >> 2015-10-09 10:55 GMT+02:00 test rig <testrig(a)z1p.biz>: >> >>> >>> Ouch #2 missing... >>> >>> Hi Adrian, looks good to me so far - mostly. Try to replace the >>> client=yes with a client=no on the server >>> >>> You are connection to :9999 with curl(?) >>> Try verify it via "openssl s_client -connect yourserverip:1988" command >>> >>> Best Regards >>> Michael >>> >>> --- Ursprüngliche Nachricht --- >>> *Von:* "test rig" <testrig(a)z1p.biz> >>> *Datum:* 09.10.2015 09:48:02 >>> *An:* "stunnel-users(a)stunnel.org." <stunnel-users(a)stunnel.org> >>> *Betreff:* Re: [stunnel-users] (no subject) >>> >>> Hi Adrian, looks good to me so far - mostly. Try to replace the >>> client=yes with a client=no on the server >>> >>> --- Ursprüngliche Nachricht --- >>> *Von:* Adrián Mihálko >>> *Datum:* 09.10.2015 08:15:19 >>> *An:* stunnel-users(a)stunnel.org >>> *Betreff:* [stunnel-users] (no subject) >>> >>> Dear stunnel users, >>> >>> I have a little service which listen only on https://localhost:4952 and >>> checks source hostname. I want to connect on "listen:1988" and redirect >>> requests with stunnel to "localhost:4952" >>> >>> https://192.168.1.10:1988 -> redirect https://localhost:4952 >>> >>> >>> I am trying to configure stunnel like this >>> >>> [myservice] >>> cert = stunnel.pem >>> client = yes >>> accept = 0.0.0.0:1988 >>> connect = localhost:4952 >>> >>> remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check >>> -v >>> * Trying 192.168.1.25... >>> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0) >>> * WARNING: using IP address, SNI is being disabled by the OS. >>> * Unknown SSL protocol error in connection to 192.168.1.25:-9847 >>> * Closing connection 0 >>> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25: >>> -9847 >>> >>> stunnel.log: >>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection >>> from 192.168.1.24:60748 >>> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1 >>> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952 >>> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952 >>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote >>> server from 127.0.0.1:50503 >>> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost >>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled >>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled >>> 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated >>> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA >>> (128-bit encryption) >>> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read) >>> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to >>> SSL, 505 byte(s) sent to socket >>> >>> I am tried verify = 1 to 4, either works. :( >>> >>> Best Regards, >>> Adrian >>> >>> >>> >>> ______________________________________________________ >>> powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure >>> internet. >>> >>> >>> >>> ______________________________________________________ >>> powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure >>> internet. >>> >>> _______________________________________________ >>> stunnel-users mailing list >>> stunnel-users(a)stunnel.org >>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users >>> >>> >> >

3 6

(no subject)
by Adrián Mihálko 09 Oct '15

09 Oct '15

Dear stunnel users, I have a little service which listen only on https://localhost:4952 and checks source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952" https://192.168.1.10:1988 -> redirect https://localhost:4952 I am trying to configure stunnel like this [myservice] cert = stunnel.pem client = yes accept = 0.0.0.0:1988 connect = localhost:4952 remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v * Trying 192.168.1.25... * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0) * WARNING: using IP address, SNI is being disabled by the OS. * Unknown SSL protocol error in connection to 192.168.1.25:-9847 * Closing connection 0 curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847 stunnel.log: 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption) 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read) 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket I am tried verify = 1 to 4, either works. :( Best Regards, Adrian

2 3

Stunnel for windows dependencies
by test rig 09 Oct '15

09 Oct '15

2 2

stunnel 5.24 released
by Michal Trojnara 08 Oct '15

08 Oct '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Dear Users, I have released version 5.24 of stunnel. The ChangeLog entry: Version 5.24, 2015.10.08, urgency: MEDIUM * New features - Custom CRL verification was replaced with the internal OpenSSL functionality. - *BSD support for "transparent = destination" and client-side "protocol = socks". This feature should work at least on FreeBSD, OpenBSD and OS X. - Added a new "protocolDomain" option for the NTLM authentication (thx to Andreas Botsikas). - Improved compatibility of the NTLM phase 1 message (thx to Andreas Botsikas). - "setuid" and "setgid" options are now also available in service sections. They can be used to set owner and group of the Unix socket specified with "accept". - Added support for the new OpenSSL 1.0.2 SSL options. - Added OPENSSL_NO_EGD support (thx to Bernard Spil). - VC autodetection added to makew32.bat (thx to Andreas Botsikas). * Bugfixes - Fixed the RESOLVE [F0] TOR extension support in SOCKS5. - Fixed the error code reported on the failed bind() requests. - Fixed the sequential log id with the FORK threading. - Restored the missing Microsoft.VC90.CRT.manifest file. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: ab2e5a1034d422951ddad21b572eb7fa8efb4c4ce04bc86536c6845f3d02b07e stunnel-5.24.tar.gz f6c38d51c2708f3eddbad651091bf0b59e4149a1d0c1e3b227b033f126c6dbee stunnel-5.24-installer.exe ed2a2c5f280970bd5f5efcecbc1dbbd06f66efb68102af31c27d33e3beb48bb5 stunnel-5.24-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWFoHsAAoJEC78f/DUFuAUQrAP/iUz2fHvvjkIcJvoR2kMeJfZ NFHE/zGIP6qHbf5Fe5SvOA/ygzQcBppa+FJN9S0uL5z0rLkDghqeWoFzPfLIVrfM y2IJ4SZ1HEESyjaZkCxY0C7Ow1kKdlMPLHv81p+Tk/Zm4qKJ/lIkP+q7XMbNmWjW BOYBLeWPtro1OjKm7v07VkzRGJupj1PHjUgPDAQRxdzqsl6fO7xY9n8b9Nh7Cwc2 1mJhsx8J40M7abftYwpG6Mycu2EOo0lIJ9rm6xZahyekzatsaIhlw2o5gx5GWJvN xj9zpkxntTVQysgP4QVdJZ+Kl17ZZmOS4k+3OqXDgdt51Ck2ty46y9NbhkulIUA8 BzH3KXZCaiBFb/sPdBtW8qmvv0azJLR0b1HfKsZQrtIB/SH0slB9rgsLkidjekKG n7FHf5dlncfAbf8KstJRv41PTYcbtQMGI/+sre2YsqG2/MSJgPfCL2Wj0bTOSmOR 7t6jHX6SItnWtAJ4+3yhlh33B4WYOYBbu3FA3Pw7Wgxur9AOV63MH/Mf96KdMFGS dqoLQh+fp/KoSw1A9OUREtQnxHnbF5MMoU4Z1pTO0FxvdCMnYCg4okiwLqbOKcuM J0T543Deq9XU7v9jDkcgUyQzBYU8lG+G9UdSH11B8phuP7pBUQ35cd62Fl9NWv9I zNjRZIOnbBp6F6hqilb4 =F+az -----END PGP SIGNATURE-----

1 0

Log File Not Appending
by K Monz 06 Oct '15

06 Oct '15

Hi, I am a new STUNNEL user, so I apologize if this is a ridiculously simple and insignificant problem. I have STUNNEL running in a Windows 7 (32 bit) environment, and have the following in stunnel.conf: output = C:\STUNNEL\stunnel.log log = append The log file is placed where I've asked, but the contents represent only the most current STUNNEL execution. I am trying to have a running log in this file. STUNNEL is, of course, doing what it is supposed to do, it is only the logging that has me puzzled. Thanks, in advance.

2 1

Error on Windows 2008r2
by Chris 01 Oct '15

01 Oct '15

Just downloaded and installed the latest windows version. When trying to run stunnel I get the following error: The application has failed to start because its side-by-side configuration is incorrect..... When I check the application event view logs I see "Activation context generation failed for "C:\Program Files (x86)\stunnel\bin\stunnel.exe". Dependent Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found. Please use sxstrace.exe for detailed diagnosis." It seems I might be missing a pre-req but I can't not determine what that is. Any ideas? Thanks, Chris

1 0

Support for DTLS
by Kanungo, Rajesh 25 Sep '15

25 Sep '15

Hi, I am looking for support for a DTLS proxy. Does Stunnel support DTLS and, if yes, how do I configure it? Here is the scenario: 1. Remote Server supports DTLS. 2. My client does not support DTLS (yet). Support all our platforms is a pretty arduous task. Possible solutions: 1. Ask customer to use Stunnel, drop DTLS and use plain UDP, and use Stunnel/TCP. Other clients support only DTLS so this does not work. 2. Use VPN. Requires customer configuration. Less painful than 1. 3. Use a UDP-DTLS proxy. Regards Rajesh Kanungo North America Security CTO Department, Itron, Inc. (408) 431-3035 Rajesh.kanungo(a)itron.com

1 0

Missing pid from log file since ~5.19
by Philippe Anctil 17 Sep '15

17 Sep '15

Hi, After upgrading to stunnel 5.19 I noticed the log file no long reports the pid of stunnel processes. Instead I find the constant string [0]. Sep 14 12:15:30 hostname stunnel: LOG6[0]: SSL closed (SSL_read) This information is very useful to isolate individual connections. Do later stunnel versions report the pid correctly? I am using fork mode. My syslog is defined as local6.debug and stunnel.conf contains debug=local6.info. Thank you. -- Philippe Anctil

2 3

How to install CA at client side?
by MingHeng Wang 15 Sep '15

15 Sep '15

Hello Stunnel maintainers, I try to use real certificates of my web server for stunnel. I combine private key, my site's cert, and ca-bundle into a pem file, and it works fine when the client doesn't verify any certificate. Then I specify CAfile which is the ca bundle file from my registrar, at client side and turn on verification and always get errors below, whatever level 2 or 3: Sep 15 14:53:28 y400 stunnel[11666]: LOG5[11]: Service [http-proxy3] connected remote server from 192.168.1.104:45746 Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: CERT: Pre-verification error: unable to get issuer certificate Sep 15 14:53:28 y400 stunnel[11666]: LOG4[11]: Rejected by CERT at depth=2: However, level 4 works. I want to prevent man-in-middle-attack, so can level 4 achieve that regarding to my current setup? Both server and client side use stunnel 5.17 which are fairly recent.

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users