My suggestion is that you use a higher-level toolkit that internally calls OpenSSL, for example libcurl, which has bindings for many programming languages.
Which development platform are you planning to use?
Regards,
Jose

-----Original Message-----
From: "Zubair Ali Mansoor" zubair@01systems.net
Sender: stunnel-users-bounces@stunnel.org
Date: Thu, 22 Dec 2011 11:50:15
To: stunnel-users@stunnel.org
Subject: [stunnel-users] building browser like client application based on OpenSSL
Hi,
Can I develop an application based on OpenSSL such that it can communicate with all trusted sites? Like a browser communicates? Actually I have a desktop application that uses SSL. Now this application may communicate with any trusted server application. How can I achieve this?
Thanks,
Zubair
-----Original Message-----
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of stunnel-users-request@stunnel.org
Sent: Wednesday, December 21, 2011 9:27 PM
To: stunnel-users@stunnel.org
Subject: stunnel-users Digest, Vol 89, Issue 21
Today's Topics:
1. Re: Configuring VeriSign certificate with STunnel (Michal Trojnara)
2. stunnel segfault, please advise (Mehdi Bennani)
3. Re: Configuring VeriSign certificate with STunnel (Ludovic LEVET)
4. Segfault with stunnel (yassine ayachi)
5. Re: Segfault with stunnel (Scott Damron)
6. unsubscribe (Brian McGinity)
7. Re: Missing bytes? (Arthur Murray)
8. Re: Segfault with stunnel (yassine ayachi)
----------------------------------------------------------------------
Message: 1
Date: Wed, 21 Dec 2011 13:30:45 +0100
From: Michal Trojnara Michal.Trojnara@mirt.net
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Configuring VeriSign certificate with STunnel
Message-ID: f039775ca5efe5be73a2858b88f0ebc2@mirt.net
Content-Type: text/plain; charset=UTF-8; format=flowed
Zubair Ali Mansoor wrote:
2011.12.21 13:31:30 LOG3[5144:2256]: SSL_CTX_use_certificate_chain_file: D0680A8: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
I don't think this problem is specific to stunnel: https://encrypted.google.com/search?q=%22ASN1_CHECK_TLEN%3Awrong+tag%22+verisign
Mike
------------------------------
Message: 2
Date: Wed, 21 Dec 2011 07:34:19 -0500
From: Mehdi Bennani mehdibennani@hotmail.com
To: stunnel-users@stunnel.org
Subject: [stunnel-users] stunnel segfault, please advise
Message-ID: SNT134-W33BCBEA69CFD9694C37B7EC3A50@phx.gbl
Content-Type: text/plain; charset="iso-8859-1"
Hi you guys,
I proposed stunnel as a potential solution to our product about 4-5 months ago and I am in the process of testing a prototype I have built around that proposition. I am using stunnel v. 4.41. I am relatively new to stunnel myself.
The env. is as follows: We are trying to secure an rdp connection from a java applet running in a web browser into a windows 2008 server machine behind our firewall. Presently, the java applet opens up an RDP connection into a machine (I will call it the SSL machine) where Stunnel is presently installed. Stunnel then forwards properly the incoming traffic (from portA) into its final destination (i.e: the windows Server 2008 machine) on port B. Further, I have configured Stunnel to use an SSL certificate. (Although, I have not been able to test that yet to make sure it works)
Anyhow, it is all working as expected and I am pretty happy about the proof of concept. However, while testing it a bit, I noticed that it was relatively easy to bring stunnel down. The way I went about it, was to simply run a "telnet IP_of_MySSLMachine portA" from any DOS command window from any machine with internet access. From the Stunnel logs, I can tell that I get a response from Stunnel and on the DOS window side, I have a cursor waiting for input.... Writing any gibberish into that DOS window and waiting a little bit makes stunnel stop and die in the SSL machine. I found nothing in the stunnel log, but grepping in the /var/log/, I found the segfault:

sslmahine:/var/log/# grep stunnel messages
kernel: [1996904.624042] stunnel [19696]: segfault at 8 ip b768d361 sp b7601210 error 4 in libc-2.7.so[b7621000+138000]

After another telnet execution, a few days later:

sslmahine:/var/log/# grep stunnel messages
kernel: [4930384.164316] stunnel [14540]: segfault at 8 ip b7629b61 error 6 in libc-2.7.so[b75bd000+138000]
Basically, if I don't issue that telnet command, stunnel works properly. As soon as I issue that command and start typing few things in that DOS console, stunnel dies. I have to manually restart it.
Question: I was wondering if you guys could shed some light into this behavior. Is it a known behavior/bug? Is there a way to solve it by maybe upgrading into a later version of stunnel? Also, I was thinking to block telnet altogether at the firewall level, but then I am not sure what other protocols could people use to hack into the system...so should I block all of them? And, finally is there a more secure way to setup stunnel?
Thank you in advance
Mehdi/
------------------------------
Message: 3
Date: Wed, 21 Dec 2011 14:09:07 +0100
From: Ludovic LEVET llevet@ludosoft.org
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Configuring VeriSign certificate with STunnel
Message-ID: 4EF1DA73.7010105@ludosoft.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Verify the format of your cert with:
openssl x509 -inform DER -in stunnel.pem -noout -text
or
openssl x509 -inform PEM -in stunnel.pem -noout -text
Ludovic.
On 21/12/2011 13:30, Michal Trojnara wrote:
Zubair Ali Mansoor wrote:
2011.12.21 13:31:30 LOG3[5144:2256]: SSL_CTX_use_certificate_chain_file: D0680A8: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
I don't think this problem is specific to stunnel: https://encrypted.google.com/search?q=%22ASN1_CHECK_TLEN%3Awrong+tag%22+verisign
Mike
------------------------------
Message: 4
Date: Wed, 21 Dec 2011 16:51:00 +0000
From: yassine ayachi ayachi.yassine@gmail.com
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Segfault with stunnel
Message-ID: CAKjL==brtu09bgvqcyMctFKKVvYCaGGOivDHqo9G-Qs2+uA+hw@mail.gmail.com
Content-Type: text/plain; charset="iso-8859-1"
Hi all,
I am trying to encrypt a connection between two hosts using stunnel.

----- here is my config file ----
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = debug
output = stunnel.log
---
[rdps]
accept = 1957
connect = remote_machine:3389

Everything was working fine until I tried to telnet to the port 1957 on the machine running stunnel, the process stunnel was killed alone leaving this in /var/log/messages:
Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault at 8 ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]
Does anybody have an idea about this problem?
thanks in advance,
Yassine
------------------------------
Message: 5
Date: Wed, 21 Dec 2011 10:57:22 -0600
From: Scott Damron sdamron@gmail.com
To: yassine ayachi ayachi.yassine@gmail.com
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Segfault with stunnel
Message-ID: CA+WRXa9qZUd1T2fPqAFGDH-4otxjicTx+gpy0otGjefO1N5o3g@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1
You need to have an IP address for the local connection and you need the client portion enabled as well.
Scott
On Wed, Dec 21, 2011 at 10:51 AM, yassine ayachi ayachi.yassine@gmail.com wrote:
Hi all,
I am trying to encrypt a connection between two hosts using stunnel.

----- here is my config file ----
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = debug
output = stunnel.log

[rdps]
accept = 1957
connect = remote_machine:3389

Everything was working fine until I tried to telnet to the port 1957 on the machine running stunnel, the process stunnel was killed alone leaving this in /var/log/messages:
Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault at 8 ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]
Does anybody have an idea about this problem?
thanks in advance,
Yassine
stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
------------------------------
Message: 6
Date: Wed, 21 Dec 2011 11:54:02 -0600
From: "Brian McGinity" brian@databaseknowledge.com
To: stunnel-users@stunnel.org
Subject: [stunnel-users] unsubscribe
Message-ID: 001401ccc009$87062fb0$95128f10$@com
Content-Type: text/plain; charset="us-ascii"
Unsubscribe
------------------------------
Message: 7
Date: Wed, 21 Dec 2011 10:04:21 -0800
From: Arthur Murray amurrayfsf@gmail.com
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Missing bytes?
Message-ID: CAEk9t8D-tyMAYAbsNrC_oCX8853GbMBGiuLXz4OjD_pTZkXpHw@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1
On Fri, Dec 16, 2011 at 9:32 AM, Arthur Murray amurrayfsf@gmail.com wrote:
I tried really hard to reproduce your issue, but it works just fine on each of the three machines I used for testing.
Please send us:
- The output of "stunnel -version", and
- All lines of stunnel debug log (enable debug logging with "debug = 7") corresponding to this connection.
Mike
I have put all of it here:
Are you able to reproduce this problem or is it just me?
------------------------------
Message: 8
Date: Wed, 21 Dec 2011 18:26:48 +0000
From: yassine ayachi ayachi.yassine@gmail.com
To: Scott Damron sdamron@gmail.com
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Segfault with stunnel
Message-ID: CAKjL==bA44dj7Bojd8PVyHqHozDfOJ2h7v1WX6c96rF-fnaf=Q@mail.gmail.com
Content-Type: text/plain; charset="iso-8859-1"
Hi Scott,
I am not quite sure I understand your answer. Let me add some more info to make it clear how I get the segfault:

A java applet (from web browser) is invoking the stunnel machine on the port 1957; stunnel then redirects the traffic into the remote_machine, so I only have the server stunnel portion installed (in the stunnel machine).

When I run a telnet on any machine connected to the internet this way:
telnet stunnel_machine 1957
the stunnel on the stunnel machine dies... with the error posted previously.
Greetings, -- Yassine
2011/12/21 Scott Damron sdamron@gmail.com
You need to have an IP address for the local connection and you need the client portion enabled as well.
Scott
On Wed, Dec 21, 2011 at 10:51 AM, yassine ayachi ayachi.yassine@gmail.com wrote:
Hi all,
I am trying to encrypt a connection between two hosts using stunnel.

----- here is my config file ----
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = debug
output = stunnel.log

[rdps]
accept = 1957
connect = remote_machine:3389

Everything was working fine until I tried to telnet to the port 1957 on the machine running stunnel, the process stunnel was killed alone leaving this in /var/log/messages:

Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault at 8 ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]

Does anybody have an idea about this problem?
thanks in advance,
Yassine
------------------------------
End of stunnel-users Digest, Vol 89, Issue 21
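
The format check suggested in message 3, as an added example that is not part of the original thread: it reports whether a certificate file is raw DER or PEM and what each object's first two ASN.1 tags look like, which is where a "wrong tag" decode error comes from. The function names are illustrative and the two sample blobs are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long form: next n bytes are the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, start, start + length

def classify_der(der):
    """Describe a blob by its outer tag and the tag of its first member."""
    try:
        outer, start, _ = read_tlv(der)
        inner, _, _ = read_tlv(der, start)
    except (IndexError, ValueError):
        return "not DER"
    if outer != 0x30:                      # everything of interest is a SEQUENCE
        return "not DER"
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
    # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER ... }  (PKCS#7)
    return {0x30: "X.509-like", 0x06: "PKCS#7-like"}.get(inner, "other ASN.1")

def classify_file(data):
    """Return (container, label, shape) for each object found in a cert file."""
    blocks = PEM_RE.findall(data)
    if not blocks:
        return [("raw", None, classify_der(data))]
    found = []
    for label, body in blocks:
        try:
            shape = classify_der(base64.b64decode(body))
        except binascii.Error:
            shape = "bad base64"
        found.append(("pem", label.decode(), shape))
    return found

def pem(label, der):
    """Wrap DER bytes in PEM armor (used to build the constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()

# Constructed stand-ins with the right outer shape; not real certificates.
CERT_LIKE = bytes.fromhex("30053003020101")            # SEQ { SEQ { INTEGER 1 } }
P7_LIKE = bytes.fromhex("300b06092a864886f70d010702")  # SEQ { OID signedData }
```

A "raw" result corresponds to a file that only `-inform DER` will parse, and a PEM block labelled CERTIFICATE whose shape is not "X.509-like" passes the PEM armor check and then fails in the ASN.1 decoder.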
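
Reading the kernel segfault lines quoted in messages 2 and 4, as an added example that is not part of the original thread: it decodes the x86 page-fault error code and computes the faulting instruction's offset inside the libc mapping, so crashes can be compared and triaged. The function names are illustrative; the sample lines are the ones posted above.

```python
import re

# Kernel segfault line as quoted in the thread (32-bit x86 Linux). The space
# before [pid] and the "sp" field are optional: both variants appear above.
SEGV_RE = re.compile(
    r"(?P<comm>\S+?)\s*\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+)(?: sp (?P<sp>[0-9a-f]+))?"
    r" error (?P<err>\d+) in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# The log lines posted in the thread.
THREAD_LINES = [
    "kernel: [1996904.624042] stunnel [19696]: segfault at 8 ip b768d361 "
    "sp b7601210 error 4 in libc-2.7.so[b7621000+138000]",
    "kernel: [4930384.164316] stunnel [14540]: segfault at 8 ip b7629b61 "
    "error 6 in libc-2.7.so[b75bd000+138000]",
    "Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault at 8 "
    "ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]",
]

def decode_error(code):
    """Decode the x86 page-fault error code bits printed after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "instruction_fetch": bool(code & 16),
    }

def triage(line):
    """Parse one segfault line; return a dict of findings or None."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, base = (int(m[k], 16) for k in ("addr", "ip", "base"))
    info = decode_error(int(m["err"]))
    info.update(
        comm=m["comm"], pid=int(m["pid"]), object=m["obj"], fault_addr=addr,
        # Offset of the faulting instruction inside the mapped region; compare
        # it across crashes or resolve it against the library's symbols.
        ip_offset=ip - base,
        # A fault address inside the first page usually means a structure
        # field was accessed through a NULL pointer.
        near_null=addr < 4096,
    )
    return info

if __name__ == "__main__":
    for line in THREAD_LINES:
        print(triage(line))
```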