Hi,
I have a problem using stunnel with mIRC:
I was using a pretty old version of stunnel.exe that was packed with a mIRC script and could be run as a command-line-only application without a configuration file (supplying all necessary information as parameters). I know that current mIRC versions have their own SSL support, but I prefer an old version without it because it has much better performance. The old one was used by "stunnel.exe -c -d localhost:<localport> -r <irc-server-ip>:<irc-server-port>" in command line and "/server localhost:<localport>" in irc.
A few of my servers stopped supporting an old SSL version, this old stunnel.exe is no longer compatible with the new (open)ssl dll files and so I had to upgrade to the most recent version of stunnel - and I have some problems making it run properly.
Here you can see my configuration file (stunnel.conf):
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log

; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = stunnel.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini

[abjects]
client = yes
accept = 127.0.0.1:7001
connect = irc.abjects.net:9999

[Elite-IRC]
client = yes
accept = 127.0.0.1:7002
connect = SpeedSpace-IRC.eu:6697

[BodenTruppe]
client = yes
accept = 127.0.0.1:7003
connect = boden-truppe.zapto.org:7001

[LinkNet]
client = yes
accept = 127.0.0.1:7004
connect = irc.link-net.nl:7000
The first connect always works properly (as shown in the log below):
2013.09.03 12:30:45 LOG5[10696:9140]: stunnel 4.56 on x86-pc-msvc-1500 platform
2013.09.03 12:30:45 LOG5[10696:9140]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
2013.09.03 12:30:45 LOG5[10696:9140]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2013.09.03 12:30:45 LOG5[10696:9140]: Reading configuration from file stunnel.conf
2013.09.03 12:30:45 LOG5[10696:9140]: FIPS mode is enabled
2013.09.03 12:30:45 LOG5[10696:9140]: Configuration successful
2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] accepted connection from 127.0.0.1:3397
2013.09.03 12:30:53 LOG5[10696:10756]: connect_blocking: connected 188.126.73.62:9999
2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] connected remote server from 192.168.1.10:3398
2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] accepted connection from 127.0.0.1:3399
2013.09.03 12:30:54 LOG5[10696:14396]: connect_blocking: connected 194.126.217.98:7000
2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] connected remote server from 192.168.1.10:3400
2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] accepted connection from 127.0.0.1:3401
2013.09.03 12:30:54 LOG5[10696:2916]: connect_blocking: connected 178.254.22.94:7001
2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] connected remote server from 192.168.1.10:3402
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] accepted connection from 127.0.0.1:3403
2013.09.03 12:30:54 LOG5[10696:12260]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] connected remote server from 192.168.1.10:3404
But when I try to reconnect, it doesn't work for 2 of my 4 servers. This is an example of what happens to Elite-IRC:
2013.09.03 12:32:22 LOG5[10696:12260]: Connection closed: 1972 byte(s) sent to SSL, 26903 byte(s) sent to socket
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] accepted connection from 127.0.0.1:3429
2013.09.03 12:32:23 LOG5[10696:17168]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] connected remote server from 192.168.1.10:3430
2013.09.03 12:32:23 LOG3[10696:17168]: SSL_connect: Peer suddenly disconnected
2013.09.03 12:32:23 LOG5[10696:17168]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
The first line shows the manual disconnect caused by executing "/server localhost:7002" in mIRC. The second line shows the new incoming connection from my mIRC. The third line? ... I got no clue why it has to block anything. The fourth line: Successfully connected to IRC-Server? And then the fifth line occurs. I'm not sure if I interpret it right, but for some reason tstunnel.exe is kicking out my connected mIRC client which makes mIRC tell me "[10053] Software caused connection abort".
The whole lines in mIRC are:
[12:34pm] * Connect retry #1 localhost (7003)
-
[12:34pm] * [10053] Software caused connection abort
-
[12:34pm] * Disconnected
By the way, I have packed libeay32.dll, ssleay32.dll, stunnel.conf and tstunnel.exe in a subdir in mIRC directory and I'm starting it using "tstunnel.exe stunnel.conf".
When this error occurs, I have to kill tstunnel.exe and start it again - then everything works fine again. For 1 of 4 servers, I also had this error with the old command-line stunnel.exe and I just wrote a script killing (only this) stunnel.exe and restarting it when this mIRC error occurs. Unfortunately this is no longer possible when tstunnel.exe is using a configuration file and one process is managing all connections.
Is there any way I can fix this? (Maybe by fixing the logout of my local mIRC from my local tstunnel.exe?)
Best regards
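
Added example, not part of the original post: a small Python parser for the stunnel 4.x log format quoted above. It groups lines by thread ID (stunnel serves each accepted connection in its own thread), treats `connect_blocking: connected` as the TCP connect and `SSL_connect` as the TLS handshake that follows, and labels connections that reached the server over TCP but ended with an error and zero bytes relayed. The function name, the result labels and the sample lines are assumptions constructed for this illustration.

```python
import re

# Constructed sample, modelled on the stunnel 4.56 log lines quoted in the post.
SAMPLE_LOG = """\
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] accepted connection from 127.0.0.1:3429
2013.09.03 12:32:23 LOG5[10696:17168]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] connected remote server from 192.168.1.10:3430
2013.09.03 12:32:23 LOG3[10696:17168]: SSL_connect: Peer suddenly disconnected
2013.09.03 12:32:23 LOG5[10696:17168]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.09.03 12:32:25 LOG5[10696:2916]: Service [LinkNet] accepted connection from 127.0.0.1:3431
2013.09.03 12:32:25 LOG5[10696:2916]: connect_blocking: connected 194.126.217.98:7000
2013.09.03 12:32:40 LOG5[10696:2916]: Connection closed: 120 byte(s) sent to SSL, 300 byte(s) sent to socket
"""

LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Service \[([^\]]+)\] accepted connection from (\S+)$")
END = re.compile(r"^Connection (closed|reset): (\d+) byte\(s\) sent to SSL, ?(\d+) byte\(s\)")


def summarize(log_text):
    """Return one record per finished connection, in order of completion."""
    open_conns = {}  # thread id -> record of the connection that thread serves
    finished = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a stunnel log line
        stamp, level, _pid, tid, msg = m.groups()
        acc = ACCEPT.match(msg)
        if acc:
            open_conns[tid] = {"service": acc.group(1), "start": stamp,
                               "tcp_connected": False, "errors": []}
            continue
        conn = open_conns.get(tid)
        if conn is None:
            continue  # startup lines or a connection accepted before the excerpt
        if msg.startswith("connect_blocking: connected"):
            conn["tcp_connected"] = True  # TCP is up, TLS has not started yet
        elif int(level) <= 3:
            conn["errors"].append(msg)  # LOG3 and below are errors
        end = END.match(msg)
        if end:
            relayed = int(end.group(2)) + int(end.group(3))
            if conn["tcp_connected"] and conn["errors"] and relayed == 0:
                conn["result"] = "tls_handshake_failed"
            else:
                conn["result"] = "reset" if end.group(1) == "reset" else "ok"
            finished.append(open_conns.pop(tid))
    return finished
```

Running `summarize()` over a log written with `output = stunnel.log` shows which service sections fail at the handshake on reconnect and which only see ordinary resets.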