stunnel-users

stunnel-users@stunnel.org

6 participants
3294 discussions

Windows Failover Clustering Support
by Cynthia Haselton 22 Apr '13

22 Apr '13

All, A (hopefully) quick question: Is stunnel supported on Windows Failover Clusters...specifically as a clustered service or to encrypt connections to/from a clustered IP? Thanks in advance, CJH

2 4

Customizing encryption
by John 19 Apr '13

19 Apr '13

HI guys, I need to take off SSL and use another encryption, need some hints since i'm new to stunnel. Thanks in advance,John

1 0

limited number of ports
by Terren Suydam 09 Apr '13

09 Apr '13

Hi, There appears to be a limit to the number of services you can define. Services beyond the 64th service appear to get set up without any log warnings or errors, yet don't pass traffic. The code uses select() & FD_SET to accept() an incoming connection & in Windows (using Windows Server 2008) the default is 64 sockets for that so wondering if I can just recompile, setting FD_SETSIZE to something larger. I'll try it either way, just wanted to put it out there to see if anyone else has ever run into this. Thanks, Terren

4 10

Trying to Upgrade stunnel, but compile isn't working?
by Michael D. Setzer II 03 Apr '13

03 Apr '13

I have been using stunnel for a long time, but was just trying to compile the latest version from source, and it compiles, but doesn't work like the older version, so I must have some option wrong. With the current version on my Fedora 14 machine using the latest version it loads the stunnel ports and works, but the newer version does seem to load or give an error message. I've tested the stunnel from Fedora 16 and Fedora 17, and they work fine with the stunnel.conf to load the settings. Current version info from Fedora 14 system. stunnel 4.34 on x86_64-redhat-linux-gnu with OpenSSL 1.0.0e-fips 6 Sep 2011 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = daemon.notice pid = /var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = ALL:!aNULL:!eNULL:!SSLv2 curve = sect163r2 session = 300 seconds stack = 65536 bytes sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none The new build does this. stunnel 4.56 on x86_64-unknown-linux-gnu platform Compiled/running with OpenSSL 1.0.0e-fips 6 Sep 2011 Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Global options: debug = daemon.notice pid = /usr/local/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options: ciphers = FIPS (with "fips = yes") ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no") sessionCacheSize = 1000 sessionCacheTimeout = 300 seconds sslVersion = TLSv1 (with "fips = yes") sslVersion = TLSv1 for client, all for server (with "fips = no") stack = 65536 bytes TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none Have also tried it with --disable-fips With the new version I have to provide the /etc/stunnel/stunnel.conf, but it doesn't load any of the options. Sure it is just a simple configure setting I am missing. Thanks. +----------------------------------------------------------+ Michael D. Setzer II - Computer Science Instructor Guam Community College Computer Center mailto:mikes@kuentos.guam.net mailto:msetzerii@gmail.com http://www.guam.net/home/mikes Guam - Where America's Day Begins G4L Disk Imaging Project maintainer http://sourceforge.net/projects/g4l/ +----------------------------------------------------------+ http://setiathome.berkeley.edu (Original) Number of Seti Units Returned: 19,471 Processing time: 32 years, 290 days, 12 hours, 58 minutes (Total Hours: 287,489) BOINC@HOME CREDITS SETI 14305761.074364 | EINSTEIN 10610832.119852 ROSETTA 6726167.419674 | ABC 15903532.519753

2 2

Log Rotation on Windows
by Brian Wilkins 03 Apr '13

03 Apr '13

I know that log rotation on Windows is on the TO-DO list. Is there a way to rotate the log at startup using some other means or during use? I suppose I could start stunnel with a batch file and do the log rotation before starting. Is there any other way? Brian

1 0

32/64 bit interposition on Solaris
by Norm Jacobs 29 Mar '13

29 Mar '13

I was recently working with stunnel on Solaris and ran across the following code in client.c: putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so"); This appears to have been put in place to interpose a stunnel version of getpeername() on the downstream application. This works great when libstunnel.so has the same bittedness as the downstream application, but Solaris allows users to install and run both 32 and 64 bit applications on the same system. If the stunnel exectuable is a 32 bit application and the downstream application is a 64 bit application, the runtime linker falls over because of the mismatch with the interposed library. To avoid this problem, stunnel should use LD_PRELOAD_32 and LD_PRELOAD_64 on Solaris. I have put together a patch to client.c that sets both LD_PRELOAD_* environment variables to something that seems to make sense on Solaris, but have used a fairly hacky way of enabling it when I build. The client.c changes that I put together are: # On Solaris, fix stunnel so that the linker know where both the 32 and 64 bit # interposer libraries are. If you use LD_PRELOAD with the wrong bittedness # of interposer, the runtime linker hits a fatal error in trying to load # mismatched ELF objects. # diff -r -u stunnel-4.55.orig/src/client.c stunnel-4.55/src/client.c --- stunnel-4.55.orig/src/client.c 2013-02-28 00:17:58.000000000 -0800 +++ stunnel-4.55/src/client.c 2013-03-21 22:55:21.098479331 -0700 @@ -1096,9 +1096,14 @@ /* just don't set these variables if getnameinfo() fails */ putenv(str_printf("REMOTE_HOST=%s", host)); if(c->opt->option.transparent_src) { - putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so"); - /* for Tru64 _RLD_LIST is used instead */ +#ifdef MACH64 + putenv("LD_PRELOAD_32=" LIBDIR "/libstunnel.so"); + putenv("LD_PRELOAD_64=" LIBDIR "/" MACH64 "/libstunnel.so"); +#elif __osf /* for Tru64 _RLD_LIST is used instead */ putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT"); +#else + putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so"); +#endif } } This adds more appropriate environment variables into the calling environment on Solaris. It still needs some work to integrate better with the build. Anyway, I thought that I would raise the issue and at least offer a direction to work from. I am happy to work with someone on a better resolution to this. -Norm

1 0

use of CRYPTO_NUM_LOCKS
by Norm Jacobs 29 Mar '13

29 Mar '13

A while ago, the Solaris security group noticed that stunnel uses CRYPTO_NUM_LOCKS to size a lock table in the code at compile time. They noted that there is function CRYPTO_num_locks() that can do the same thing at runtime and have requested that the function be used so that FIPS/non-FIPS support can be switched on by users simply using interposition. As a result of this, I put together this patch that switches to code to use the function instead of macro. -Norm # stunnel should use CRYPTO_num_locks() function instead of CRYPTO_NUM_LOCKS # macro. The function interogates libcrypto at run-time for sizing and the # macro at compile time. If you interpose a a version at runtime to switch # between FIPS/non-FIPS support, the lock table may not be sized correctly. # diff -r -u stunnel-4.55.orig/src/sthreads.c stunnel-4.55/src/sthreads.c --- stunnel-4.55.orig/src/sthreads.c 2012-08-09 14:44:18.000000000 -0700 +++ stunnel-4.55/src/sthreads.c 2013-03-21 23:29:34.912001586 -0700 @@ -212,7 +212,7 @@ #ifdef USE_PTHREAD static pthread_mutex_t stunnel_cs[CRIT_SECTIONS]; -static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS]; +static pthread_mutex_t *lock_cs; void enter_critical_section(SECTION_CODE i) { pthread_mutex_lock(stunnel_cs+i); @@ -275,13 +275,15 @@ int sthreads_init(void) { int i; + int num_locks = CRYPTO_num_locks(); /* initialize stunnel critical sections */ for(i=0; i<CRIT_SECTIONS; i++) pthread_mutex_init(stunnel_cs+i, NULL); /* initialize OpenSSL locking callback */ - for(i=0; i<CRYPTO_NUM_LOCKS; i++) + lock_cs = calloc(num_locks, sizeof (*lock_cs)); + for(i=0; i<num_locks; i++) pthread_mutex_init(lock_cs+i, NULL); CRYPTO_set_id_callback(stunnel_thread_id); CRYPTO_set_locking_callback(locking_callback);

1 0

SSL VPN configuration confusion
by TJ 28 Mar '13

28 Mar '13

I'm using stunnel v4.56 on Linux (Ubuntu) and trying to configure a routed tunnel in conjunction with pppd. I could do with some help to figure it out - my biggest problem is not knowing what a good connection configuration or log looks like. I've read lots of (old) patchy articles on how it is done but the instructions are either hopelessly out of date, or plain wrong. During extensive trial and error I found what appeared to be bugs in the Ubuntu distro-packaged v4.42 but as I don't yet know what a successful connection log looks like they may have been red herrings. The main issue I was trying to build out of was (on the server): SSL accepted: new session negotiated Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1 TTY=/dev/pts/4 allocated Local mode child started (PID=17247) Remote FD=1 initialized TCP_NODELAY: Socket operation on non-socket (88) Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket linger (remote): Socket operation on non-socket (88) Service vpn finished (0 left) At this point there would be no pppX interfaces. I created an up-to-date Debian/Ubuntu package for v4.56 which has been more successful. Both ends of the link have the same x86 (i386) package installed. On the server again: stunnel: LOG6[23986:3073268544]: SSL accepted: new session negotiated stunnel: LOG6[23986:3073268544]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-RC4-SHA (128-bit encryption) stunnel: LOG6[23986:3073268544]: Compression: null, expansion: null stunnel: LOG7[23986:3073268544]: TTY=/dev/pts/5 allocated stunnel: LOG6[23986:3073268544]: Local mode child started (PID=23989) stunnel: LOG7[23986:3073268544]: Remote socket (FD=14) initialized stunnel: LOG3[23986:3073268544]: TCP_NODELAY: Socket operation on non-socket (88) stunnel: LOG4[23986:3073268544]: Failed to set remote socket options pppd[23989]: pppd options in effect: pppd[23989]: debug^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: updetach^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: linkname pella^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: ktune^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: unit 3^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: dump^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: nomp^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: noauth^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: ^I^I# (from /etc/ppp/options) pppd[23989]: notty^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: crtscts^I^I# (from /etc/ppp/options) pppd[23989]: local^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: noaccomp^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: asyncmap 0^I^I# (from /etc/ppp/options) pppd[23989]: nopcomp^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: silent^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: lcp-echo-failure 4^I^I# (from /etc/ppp/options) pppd[23989]: lcp-echo-interval 30^I^I# (from /etc/ppp/options) pppd[23989]: hide-password^I^I# (from /etc/ppp/options) pppd[23989]: novj^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: noipdefault^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: noccp^I^I# (from /etc/ppp/peers/pella-vpn) pppd[23989]: noipx^I^I# (from /etc/ppp/options) pppd[23989]: pppd 2.4.5 started by root, uid 0 pppd[23989]: using channel 19 udevd[2122]: device 0xb7b0a6e8 has devpath '/devices/virtual/net/ppp3' udevd[2122]: created empty file '/run/udev/data/n27' for '/devices/virtual/net/ppp3' pppd[23989]: Using interface ppp3 pppd[23989]: Connect: ppp3 <--> /dev/pts/6 Both ends of the link have ppp interfaces but neither have IP addresses. The server configuration is: ----- /etc/stunnel/pella-vpn.conf ----- CAfile = /etc/stunnel/vpn.pem cert = /etc/stunnel/vpn.pem key = /etc/stunnel/vpn.pem output = /var/log/stunnel-vpn.log #verify = 2 debug = 7 client = no foreground = no [vpn] accept = 109.74.x.y:9876 exec = /usr/sbin/pppd execargs = pppd call pella-vpn 10.254.241.1:10.254.241.2 pty = yes ---------- ----- /etc/ppp/peers/pella-vpn ----- unit 3 notty ktune local noipdefault noccp noauth novj nomp nopcomp noaccomp silent updetach linkname pella debug dump ---------- # ifconfig ppp3 ppp3 Link encap:Point-to-Point Protocol POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) The client configuration is: ---- /etc/network/interfaces ----- # SSL VPN to Pella iface ppp3 inet ppp unit 3 provider pella-vpn pre-up /sbin/ifconfig ppp0 up ---------- ----- /etc/ppp/peers/pella-vpn ----- # ensure we use ppp3 (ppp0-2 are already in use) unit 3 ktune local noipdefault noccp noauth novj nomp nopcomp noaccomp silent updetach logfd 2 linkname pella pty "/usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn" user "tj" # debugging debug dump ---------- ----- /etc/stunnel/pella.conf.vpn ----- pid = /var/run/stunnel4/pella.pid debug = debug output = /var/log/stunnel-pella.log foreground = no client=yes connect = 109.74.x.y:9876 CAfile = /etc/stunnel/vpn.pem # verify the peer's certificate verify = 2 ---------- # ifup ppp3 pppd options in effect: debug # (from /etc/ppp/peers/pella-vpn) updetach # (from command line) logfd 2 # (from /etc/ppp/peers/pella-vpn) linkname pella # (from /etc/ppp/peers/pella-vpn) ktune # (from /etc/ppp/peers/pella-vpn) unit 3 # (from command line) dump # (from /etc/ppp/peers/pella-vpn) nomp # (from /etc/ppp/peers/pella-vpn) noauth # (from /etc/ppp/peers/pella-vpn) user tj # (from /etc/ppp/peers/pella-vpn) # (from /etc/ppp/options) pty /usr/bin/stunnel4 /etc/stunnel/pella.conf.vpn # (from /etc/ppp/peers/pella-vpn) crtscts # (from /etc/ppp/options) local # (from /etc/ppp/peers/pella-vpn) noaccomp # (from /etc/ppp/peers/pella-vpn) asyncmap 0 # (from /etc/ppp/options) nopcomp # (from /etc/ppp/peers/pella-vpn) silent # (from /etc/ppp/peers/pella-vpn) lcp-echo-failure 4 # (from /etc/ppp/options) lcp-echo-interval 30 # (from /etc/ppp/options) hide-password # (from /etc/ppp/options) novj # (from /etc/ppp/peers/pella-vpn) noipdefault # (from /etc/ppp/peers/pella-vpn) noccp # (from /etc/ppp/peers/pella-vpn) noipx # (from /etc/ppp/options) using channel 43 Using interface ppp3 Connect: ppp3 <--> /dev/pts/5 # ifconfig ppp3 ppp3 Link encap:Point-to-Point Protocol POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) # netstat -natp | grep stun tcp 0 0 82.71.a.b:34437 109.74.x.y:9876 ESTABLISHED 24105/stunnel4

1 2

Fw: High memory usage problem.
by mkanet＠yahoo.com 27 Mar '13

27 Mar '13

Jeremy, I know there's an android build of stunnel. Im not trying to be funny, but are you running stunnel on your mobile phone? :) The latest android mobile phones include quadcore CPU's with 2GB's of RAM It would be interesting to see how much of a load a mobile phone can handle with a USB to RJ45 Ethernet interface. Edit: I tried sending this earlier, but it doesn't look like it went through. My apologies in case this is a duplicate. ------------------------ Thanks for taking the time to read this. We're operating on a low spec system that can not be modified at this point. stunnel was introduced at the last minute, without consideration to resource requirements and now consumes enough ram to cause the kernel to issue OOM exceptions. So in short, we are trying to trade increased CPU usage for less memory usage and have tried setting “sessions” to 3600 to reduce memory pressure, but unfortunately it doesn't last. Our current solution is to cron a restart of stunnel on a regular basis, but would prefer to limit number of threads or number of cache entries or something else altogether similarly gentler. Thanks again for your consideration and assistance in this! If there's any specific information I can give, please let me know. Regards, Jeremy

3 7

environment/user variable
by Sebastian Rose-Indorf 26 Mar '13

26 Mar '13

Hello, Stunnel is a very helpful tool. But I miss the support of a environment/user variable to reference the configuration file or the folder of the configuration file: such as %GNUPGHOME% in GnuPG or %OPENSSL_CONF% in OpenSSL. Sebastian

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users