Robert,

I'm running version 5.63 running with openssl 3.0.2 on Windows build 19044 and stunnel runs as a service without any issues.

Carter Browne

On 4/15/2022 4:48 AM, STOSSE Florian (SAFRAN ELECTRONICS & DEFENSE) wrote:
Hi Robert,

If your only reason to migrate is to mitigate an OpenSSL vuln, you can try to
replace the openssl.exe binary and the DLLs used in your currently working
Stunnel version. Since there is no compatibility breaking changes in latest
OpenSSL releases, Stunnel should be able to load it without complaining. I
currently do this with the 1.1.1 branch, and it is working flawlessly so far :)
Can't say for sure for the 3.0.0 branch, but it's worth a try.

You can find up-to-date pre-built binaries here:
http://wiki.overbyte.eu/wiki/index.php/ICS_Download#Download_OpenSSL_Binaries_.2
8required_for_SSL-enabled_components.29

Other options are also listed on the official OpenSSL wiki:
https://wiki.openssl.org/index.php/Binaries 

Best regards,

Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication


-----Message d'origine-----
De : robert.croteau--- via stunnel-users <stunnel-users@stunnel.org>
Envoyé : vendredi 15 avril 2022 09:21
À : stunnel-users@stunnel.org
Objet : [stunnel-users] Windows service won't start. ""The Stunnel TLS wrapper
service
is marked as an interactive service."

Window 10 LTCS (1089):
"The Stunnel TLS wrapper service is marked as an interactive service.
However, the
system is configured to not allow interactive services.  This service may not
function
properly."

looks like starting with version 5.61, this above error appears in the System
Event log.
I've given a quick glance at the changes from 5.60 to 5.61 and there a lot of
them.
From the release notes, seems that windows services code might have been
affected:
New features for the Windows platform
- Added client mode allowing authenticated users to view logs, reconfigure and
terminate running stunnel services.
- Added support for multiple GUI and service instances distinguised by the
location of
stunnel.conf.

On GitHub, I also noticed that in the source code for src/ui_win_gui.c the
service is
created as follows:

service=CreateService(scm, SERVICE_NAME, SERVICE_DISPLAY_NAME,
        SERVICE_ALL_ACCESS,
        SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,
        SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, service_path,
        NULL, NULL, TEXT("TCPIP\0"), NULL, NULL);ui_win_gui.c at around line
1622
the SERVICE_INTERACTIVE_PROCESS flag is set

Is this flag necessary? I guess that would be the culprit.

my reason to upgrade is because of the CVE-2022-0778 OpenSSL vulnerability

 anyone has a workaround for this?

Microsoft has fully disabled Interactive Service Detection starting with
Windows 10
Build 1803 and Windows Server 2016 and 2019. So, it looks like that that
Interactive
services are no longer allowed and this can't be circumvented by changing some
registry setting like it seems it was possible before.

thank you
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an
email
to stunnel-users-leave@stunnel.org
#
" Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés."
******
" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."
#

_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org