stunnel-users

stunnel-users@stunnel.org

5 participants
3293 discussions

421 mismatched
by d.arlo.421642＠gmail.com 07 Aug '24

07 Aug '24

Hi I am running stunnel on my local pc win10. Trying to stunnel to https://api.interactsms.com/HTTP_API/V1/sendmessage.aspx?user=User1&passwor… Password1&api_id=9876&to=353879999999&text=HelloWorld&from=YourCompany which gives me wrong user name and password which is fine. if I Stunnel this http://localhost:8083/HTTP_API/V1/sendmessage.aspx?user=User1&password=Pass… I get Misdirected Request The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection. Is this a problem with the site or my Stunnel config? when I installed Stunnel, I used localhost for the CN. I have tried downloading the client, intermediate and CA cert with the below config... ;cert = D:\Program Files (x86)\stunnel\config\sms\interactsms-com.pem ;CAfile= D:\Program Files (x86)\stunnel\config\sms\godaddyca.pem this is current config... [sms] client = yes accept = 8083 connect = api.interactsms.com:443 cert = D:\Program Files (x86)\stunnel\config\stunnel.pem

3 3

OCSP: The root CA certificate was not found
by akos.schneemaier＠gmail.com 06 Aug '24

06 Aug '24

Hi, this is my first post on this mailing list. I did extensive search and tried to resolve the issue I have in pfsense with stunnel. Pfsense CE 2.7.2 uses stunnel 5.71. In my config I created certificate using the acme package with Let's ecrypt. The created certificate works fine in pfsense wenb consol and also with stunnel 5.68 on Debian, but it does not work with stunnel 5.71 on Pfsense. All connections going through stunnel get are timing out and the stunnel log has the following in it: ``` Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: Service [XXXX] accepted connection from xxxxxx:46415 Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: Peer certificate not required Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: OCSP: The root CA certificate was not found Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: OCSP: Connecting the AIA responder "http://r10.o.lencr.org" Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: Error resolving "r10.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY) Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: OCSP: Failed to resolve the OCSP responder address Jul 19 00:56:05 router1 stunnel[2933]: LOG6[6]: OCSP: No OCSP stapling response to send Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: SSL_accept: /var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304: error:0A000126:SSL routines::unexpected eof while reading Jul 19 00:56:05 router1 stunnel[2933]: LOG5[6]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket ``` So far i tried: 1. Creating new certificate with acme 2. Unisntall and reinstall both acme and stunnel 3. Tried new cetrificate provider (zerossl) 4. tried adding "OCSPrequire = no" to stunnel.conf based on https://www.stunnel.org/mailman3/hyperkitty/list/stunnel-users@stunnel.org/… None of the above fixed the issue and not I am not sure how to resolve it. I have another Pfsense installation where all these things work fine. I compaired the stunnel.conf files, but there are identical (except the certificate ofcourse). I looked into the source code and found that the error message is comming from ocsp_params_append_root_ca function in opcs.c, but I ma not a C programer and neither familiar with the stunnel code to figure out more. I hope someone from the stunnel list has some ideas how to proceed based on the logs above. Thank you!

3 2

Error stnnul linked to PDM (solidwork)
by hugo.sarkissian＠coval.com 30 Jul '24

30 Jul '24

Hello, I have this error : 2024.07.30 15:01:37 LOG7[1]: TLS alert (write): fatal: record overflow 2024.07.30 15:01:37 LOG3[1]: error queue: ssl/record/rec_layer_s3.c:645: error:0A000139:SSL routines::record layer failure 2024.07.30 15:01:37 LOG3[1]: SSL_accept: ssl/record/methods/tls_common.c:654: error:0A0000C6:SSL routines::packet length too long 2024.07.30 15:01:37 LOG5[1]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2024.07.30 15:01:37 LOG7[1]: Local descriptor (FD=1184) closed 2024.07.30 15:01:37 LOG7[1]: Service [ssmtp] finished (0 left) my conf is: ; Configuration de Stunnel ; Niveau de journalisation debug = 7 output = stunnel.log ; Service SMTP sécurisé [ssmtp] accept = 127.0.0.1:25 connect = 127.0.0.1:587 cert = C:\Program Files (x86)\stunnel\config\stunnel.pem key = C:\Program Files (x86)\stunnel\config\stunnel.pem ; Protocoles et suites de chiffrement sslVersion = all ciphers = ALL:!aNULL:!MD5 renegotiation = no options = NO_SSLv2 TIMEOUTclose = 0 can you help me please i don't understant

1 0

stunnel not able to daisy-chain transparent connections
by ftsanetamot 29 Jul '24

29 Jul '24

Hello, I struggled recently, with combining sslh and nginx daisy-chaining ip-transparent connections, and realised the same problem, other users reported, when using stunnel. Now that I have found a fix, which solves my problem with sslh, I checked into the stunnel code, and adapted my proposed fix for stunnel: diff client.c_original client.c 1721a1722,1723 > if (setsockopt(c->fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on)) > sockerror("setsockopt SO_REUSEADD"); 1769a1772,1776 > int on = 1; > #ifdef IP_TRANSPARENT > if (setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on)) > sockerror("setsockopt SO_IP_TRANSPARENT");> #endif I described my findings here in Detail: https://github.com/ftasnetamot/sslh/blob/2024-07-28--documentation/doc/Dais… This article helped me to figure out, what is wrong: https://blog.cloudflare.com/how-to-stop-running-out-of-ephemeral-ports-and-… I wrote as well some weeks earlier two documents, describing how to configure ip-transparent connections only with routing and no firewall rules involved. The same works 1:1 with stunnel. https://github.com/yrutschle/sslh/blob/master/doc/simple_transparent_proxy.… https://github.com/yrutschle/sslh/blob/master/doc/scenarios-for-simple-tran… Happy tunneling .f Sicher versendet mit [Proton Mail](https://proton.me/).

1 0

How to verify a certificate
by William Wood 24 Jul '24

24 Jul '24

I have tried everything I can think of, and even though I have certificates that are marked as "valid" when I look at the lock icon for an https: site, I get a verification "fail": CERT: Pre-verification error: self-signed certificate in certificate chain From everything I have read, my understanding is that every chain of certificates starts with a self-signed certificate I have even queried my Windows certificate management, and the issuer of the certificate is Entrust, which is on the list of trusted issuers. Within openssl, I get the same error: error 18 at 0 depth lookup: self signed certificate There is talk of a CApath, as well as lists of trusted issuers, but I do not understand anything within the documentation for stunnel which suggests how to access this information and incorporate it in the functioning of the program. Any help would be much appreciated! Thanks in advance -William Wood

2 1

Almost there - openssl verifies remote certificate, but stunnel still fails
by William Wood 24 Jul '24

24 Jul '24

In Windows 10 I have done the following: 1. Created a directory C:\Certificates\ 2. From the Microsoft Management Concole (MMC) I have exported all the "Trusted Root Certificate Authorities\Certificates" as Personal Information exchange .PFX with a passcode 3. Using a Powershell environment, I change directories to C:\Certificates\ and run openssl From the openssl prompt convert the above .PFX file to a .pem file openssl pkcs12 -in All_Trusted.pfx -out All_Trusted.pem -nodes 4. Next I run the following openssl command OpenSSL s_client -CApath c:\Certificates\ -connect api.gainfutures.com:9400 -CAfile All_Trusted.pem After a bunch of output, I get the notification Verification: OK This tells me that the verification has passed the remote certificate. Using this to inform my stunnel configuration, I configure: [GainFuturesConnect] client = yes accept = 127.0.0.1:8080 connect = 192.111.85.171:9400 CAfile = C:\Certificates\All_Trusted.pem CApath = C:\Certificates\ securityLevel = 1 verifyChain = yes checkHost = api.gainfutures.com:9400 sslVersion = TLSv1.2 sslVersionMax = TLSv1.2 ciphers = DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 Although the preverification succeeds at each "depth", the verification fails at the end: CERT: Pre-verification succeeded (**Note, this is a change from before I added the above CAfile and CApath values**) CERT: Subject checks failed Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com Remove session callback TLS alert (write): fatal: internal error SSL_connect: ssl/statem/statem_clnt.c:2091: error:0A000086:SSL routines::certificate verify failed So my question becomes two parts: 1. How do I get the Subject checks to pass for CERT; 2. How do I get rid of the TLS "write" alert which is an internal error? Thank you -William Wood

1 0

Re: Trying to get stunnel to verify remote server certificate
by William Wood 18 Jul '24

18 Jul '24

Thank you Mike for your reply. I apologize for my lack of experience with networks. One thing that I personally did not understand in using stunnel is that my SSL traffic that I want to "wrap" needs to be directed at the "accept" port, and that the stunnel wrap THEN sends it out over the connect port with the SSL "magic" applied. With that in mind, I have amended my configuration, and I have a new problem (s?): client = yes accept = 127.0.0.1:8080 connect = 192.111.85.171:9400 cert = C:\Certificates\WMW_trade_csr.pem CAfile = C:\Certificates\ca-cert1.pem securityLevel = 0 verifyPeer = yes checkHost = api.gainfutures.com sslVersion = TLSv1.2 sslVersionMax = TLSv1.2 This binds the service to 127.0.0.1:8080 So far so good. When I start my program, which directs its output stream to the "accept" port, the stunnel log now responds as I send messages: (I have pulled out just the last part before the error) 2024.07.18 12:19:45 LOG6[1150]: Peer certificate required 2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): before SSL initialization 2024.07.18 12:19:45 LOG7[1150]: Initializing application specific data for session authenticated 2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS write client hello 2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS write client hello 2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS read server hello This looks okay to me so far 2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2 2024.07.18 12:19:45 LOG6[1150]: CERT: Pre-verification error ignored: self-signed certificate in certificate chain 2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled 2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2 2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2 2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded 2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled 2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2 2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=1: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K 2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded 2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled 2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=1: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K 2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com 2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded 2024.07.18 12:19:45 LOG6[1150]: CERT: Host name "api.gainfutures.com" matched with "*.gainfutures.com" 2024.07.18 12:19:45 LOG4[1150]: CERT: Certificate not found in local repository not sure what this indicates (not found in local repository) 2024.07.18 12:19:45 LOG4[1150]: Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com 2024.07.18 12:19:45 LOG7[1150]: Remove session callback 2024.07.18 12:19:45 LOG7[1150]: TLS alert (write): fatal: bad certificate 2024.07.18 12:19:45 LOG3[1150]: SSL_connect: ssl/statem/statem_clnt.c:2091: error:0A000086:SSL routines::certificate verify failed After looking on the internet, I think that the [TLS alert (write): fatal: bad certificate] may refer to the cert = (file.pem), which in this case is a certificate I had made and verified by a trusted authority. The rejected by CERT is clearly referring to the certificate which comes from the server located at the other end of the "connect" port. I have looked specifically at this certificate, and the chain is comprised of two authenticated certificates, with a self-authenticated third certificate. As an example, when I change the "checkHost =" to an IP address, the error message changes: 2024.07.18 12:40:45 LOG7[1157]: CERT: Pre-verification succeeded *2024.07.18 12:40:45 LOG4[1157]: CERT: Subject checks failed *2024.07.18 12:40:45 LOG4[1157]: Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com 2024.07.18 12:40:45 LOG7[1157]: Remove session callback *2024.07.18 12:40:45 LOG7[1157]: TLS alert (write): fatal: unknown CA What seems to be consistent is that the remote certificate is being rejected because there is a self-authenticated certificate as the third part of the chain. I have tried the following: CAfile = C:\Certificates\ca-cert.pem (CA file which comes with openssl, I believe) which gives the same results. CAfile = C:\Certificates\ca-cert1.pem (Here I have added the chain certificates from file gain-futures-chain.pem) same results CAfile = C:\Certificates\ca-cert2.pem (Here I have added the chain certificates from file gain-futures-chainpumpbut removed the self-signed part) same results CAfile =C:\Certificates\ca-cert3.pem (ca-cert3.pem contains ONLY the certificates from gain-futures-chain.pem) same results CAfile =C:\Certificates\gain-futures-chain.pem This causes the service NOT to be bound, and throws what look like a bunch of openssl errors So it appears that I am actually probing the certificate that the remote server is sending me. I am still not clear on the role of CAfile, because of the behavior I have outlined. Do I need somehow to find a CAfile which recognizes and validates the certificate from the remote server? Thank you again! -William Wood

1 0

Trying to get stunnel to verify remote server certificate
by William Wood 15 Jul '24

15 Jul '24

I have downloaded the remote certificates, and configured stunnel: client = no accept = 127.0.0.1:9400 connect = 192.111.85.171:9400 cert = C:\Certificates\gain-futures-chain.pem verifyChain = yes verifyPeer = yes checkHost = 192.111.85.171 checkIP = api.gainfutures.com sslVersion = TLSv1.1 options = NO_SSLv2 options = NO_SSLv3 OCSPaia = yes This results in the failure to initialize the tLS context: 2024.07.15 08:40:50 LOG7[service]: Found 1 ready file descriptor(s) 2024.07.15 08:40:50 LOG7[service]: FD=580 ifds=r-x ofds=r-- 2024.07.15 08:40:50 LOG7[service]: FD=640 ifds=r-x ofds=--- 2024.07.15 08:40:50 LOG7[service]: Dispatching a signal from the signal pipe 2024.07.15 08:40:50 LOG7[service]: Processing SIGNAL_RELOAD_CONFIG 2024.07.15 08:40:50 LOG6[service]: Initializing inetd mode configuration 2024.07.15 08:40:50 LOG7[service]: Running on Windows 6.2 2024.07.15 08:40:50 LOG5[service]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf 2024.07.15 08:40:50 LOG5[service]: UTF-8 byte order mark not detected 2024.07.15 08:40:50 LOG5[service]: FIPS mode disabled 2024.07.15 08:40:50 LOG6[service]: Compression disabled 2024.07.15 08:40:50 LOG7[service]: No PRNG seeding was required 2024.07.15 08:40:50 LOG6[service]: Initializing service [GainFuturesConnect] 2024.07.15 08:40:50 LOG7[service]: Initializing context [GainFuturesConnect] 2024.07.15 08:40:50 LOG6[service]: OpenSSL security level is used: 2 2024.07.15 08:40:50 LOG7[service]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK 2024.07.15 08:40:50 LOG7[service]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 2024.07.15 08:40:50 LOG7[service]: TLS options: 0x2100000 (+0x2000000, -0x0) 2024.07.15 08:40:50 LOG6[service]: Session resumption enabled 2024.07.15 08:40:50 LOG6[service]: Loading certificate from file: C:\Certificates\gain-futures-chain.pem 2024.07.15 08:40:50 LOG3[service]: error queue: ssl/ssl_rsa.c:472: error:0A080002:SSL routines::system lib 2024.07.15 08:40:50 LOG3[service]: error queue: crypto/bio/bss_file.c:300: error:10080002:BIO routines::system lib 2024.07.15 08:40:50 LOG3[service]: SSL_CTX_use_certificate_chain_file: crypto/bio/bss_file.c:297: error:80000002:system library::No such file or directory 2024.07.15 08:40:50 LOG3[service]: Service [GainFuturesConnect]: Failed to initialize TLS context 2024.07.15 08:40:50 LOG3[service]: Configuration failed 2024.07.15 08:40:50 LOG7[service]: Deallocating temporary section defaults 2024.07.15 08:40:50 LOG7[service]: Cleaning up context [(null)] 2024.07.15 08:40:50 LOG7[service]: Deallocating section [GainFuturesConnect] 2024.07.15 08:40:50 LOG7[service]: Cleaning up context [GainFuturesConnect] 2024.07.15 08:40:50 LOG3[service]: Failed to reload the configuration file This is the best I can gather regarding getting verification of the REMOTE certificate. The problem is that I am unable to connect if I cannot verify their certificate - they are not looking at my certificate. Any help would be appreciated. Thank you! -William Wood

2 1

Help installing stunnel 5.72 as service in windows 10
by William Wood 04 Jul '24

04 Jul '24

Apparently to get stunnel to work, I have to install it as a service in Windows. In order to do this, I fire up a powershell, change directories to the stunnel\bin\, and run the command: .\stunnel -install This results in the error message: OpenSCManager: error 5: Access is denied Not sure what to do, as I am running as an administrator Any help would be appreciated Thanks -William Wood

2 2

How to connect to a website through a port
by William Wood 02 Jul '24

02 Jul '24

Hi - I am trying to connect securely to a website from a Windows 10 machine: gainfutures.com through the port: 9400 I am told I need to do this using SSL. I have a python script which successfully connects through their non-secure ports. I am given no other information about what is needed for the connection, so I am asking how to do this. I have added to the configuration file: accept=gainfutures.com:9400 connect=gainfutures:9400 The "accept" line results in the error: Can't assign requested address (WSAEADDRNOTAVAIL) (10049) the "connect" line has no effect in the messages. Any suggestions would be much appreciated. Thank you -WW

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users