Hi,

I have a problem using stunnel with mIRC:

I was using a pretty old version of stunnel.exe that was packed with a mIRC script and could be run as a command-line-only application without a configuration file (supplying all necessary information as parameters).
I know that current mIRC versions have their own SSL support, but I prefer an old version without it because it has much better performance.
The old one was used via "stunnel.exe -c -d localhost:<localport> -r <irc-server-ip>:<irc-server-port>" on the command line and "/server localhost:<localport>" in IRC.

A few of my servers stopped supporting an old SSL version, and this old stunnel.exe is no longer compatible with the new (open)ssl dll files, so I had to upgrade to the most recent version of stunnel - and I have some problems making it run properly.

Here you can see my configuration file (stunnel.conf):
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log

; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = stunnel.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

;[https]
;accept  = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini

[abjects]
client = yes
accept = 127.0.0.1:7001
connect = irc.abjects.net:9999

[Elite-IRC]
client = yes
accept = 127.0.0.1:7002
connect = SpeedSpace-IRC.eu:6697

[BodenTruppe]
client = yes
accept = 127.0.0.1:7003
connect = boden-truppe.zapto.org:7001

[LinkNet]
client = yes
accept = 127.0.0.1:7004
connect = irc.link-net.nl:7000


The first connect always works properly (as shown in the log below):
2013.09.03 12:30:45 LOG5[10696:9140]: stunnel 4.56 on x86-pc-msvc-1500 platform
2013.09.03 12:30:45 LOG5[10696:9140]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
2013.09.03 12:30:45 LOG5[10696:9140]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2013.09.03 12:30:45 LOG5[10696:9140]: Reading configuration from file stunnel.conf
2013.09.03 12:30:45 LOG5[10696:9140]: FIPS mode is enabled
2013.09.03 12:30:45 LOG5[10696:9140]: Configuration successful
2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] accepted connection from 127.0.0.1:3397
2013.09.03 12:30:53 LOG5[10696:10756]: connect_blocking: connected 188.126.73.62:9999
2013.09.03 12:30:53 LOG5[10696:10756]: Service [abjects] connected remote server from 192.168.1.10:3398
2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] accepted connection from 127.0.0.1:3399
2013.09.03 12:30:54 LOG5[10696:14396]: connect_blocking: connected 194.126.217.98:7000
2013.09.03 12:30:54 LOG5[10696:14396]: Service [LinkNet] connected remote server from 192.168.1.10:3400
2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] accepted connection from 127.0.0.1:3401
2013.09.03 12:30:54 LOG5[10696:2916]: connect_blocking: connected 178.254.22.94:7001
2013.09.03 12:30:54 LOG5[10696:2916]: Service [BodenTruppe] connected remote server from 192.168.1.10:3402
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] accepted connection from 127.0.0.1:3403
2013.09.03 12:30:54 LOG5[10696:12260]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] connected remote server from 192.168.1.10:3404


But when I try to reconnect, it doesn't work for 2 of my 4 servers.
This is an example for what happens to Elite-IRC:
2013.09.03 12:32:22 LOG5[10696:12260]: Connection closed: 1972 byte(s) sent to SSL, 26903 byte(s) sent to socket
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] accepted connection from 127.0.0.1:3429
2013.09.03 12:32:23 LOG5[10696:17168]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] connected remote server from 192.168.1.10:3430
2013.09.03 12:32:23 LOG3[10696:17168]: SSL_connect: Peer suddenly disconnected
2013.09.03 12:32:23 LOG5[10696:17168]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

The first line shows the manual disconnect caused by executing "/server localhost:7002" in mIRC.
The second line shows the new incoming connection from my mIRC.
The third line? ... I got no clue why it has to block anything.
The fourth line: Successfully connected to IRC-Server?
And then the fifth line occurs. I'm not sure if I interpret it right, but for some reason tstunnel.exe is kicking out my connected mIRC client, which makes mIRC tell me "[10053] Software caused connection abort".

The whole lines in mIRC are:
[12:34pm] * Connect retry #1 localhost (7003)
————————————————————
[12:34pm] * [10053] Software caused connection abort
————————————————————
[12:34pm] * Disconnected

By the way, I have packed libeay32.dll, ssleay32.dll, stunnel.conf and tstunnel.exe in a subdir in mIRC directory
and I'm starting it using "tstunnel.exe stunnel.conf"

When this error occurs, I have to kill tstunnel.exe and start it again - then everything works fine again.
For 1 of 4 servers, I also had this error with the old command-line stunnel.exe and I just wrote a script killing (only this) stunnel.exe and restarting it when this mIRC error occurs. Unfortunately this is no longer possible when tstunnel.exe is using a configuration file and one process is managing all connections.


Is there any way I can fix this?
(Maybe by fixing the logout of my local mIRC from my local tstunnel.exe?)

Best regards
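
Added example, not part of the original post: a small Python triage script that groups stunnel log lines by thread id into one record per connection, so a reconnect that dies during the TLS handshake stands out from a normal close. The line layout is inferred from the excerpts above, and the "handshake failed" rule (an error-level line plus zero bytes relayed in both directions) is an assumption of this example, not stunnel's own classification.

```python
import re

# Elite-IRC lines copied from the log excerpts in the post above.
SAMPLE_LOG = """\
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] accepted connection from 127.0.0.1:3403
2013.09.03 12:30:54 LOG5[10696:12260]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:30:54 LOG5[10696:12260]: Service [Elite-IRC] connected remote server from 192.168.1.10:3404
2013.09.03 12:32:22 LOG5[10696:12260]: Connection closed: 1972 byte(s) sent to SSL, 26903 byte(s) sent to socket
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] accepted connection from 127.0.0.1:3429
2013.09.03 12:32:23 LOG5[10696:17168]: connect_blocking: connected 62.75.235.122:6697
2013.09.03 12:32:23 LOG5[10696:17168]: Service [Elite-IRC] connected remote server from 192.168.1.10:3430
2013.09.03 12:32:23 LOG3[10696:17168]: SSL_connect: Peer suddenly disconnected
2013.09.03 12:32:23 LOG5[10696:17168]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""

# Assumed layout: "<date> <time> LOG<level>[<pid>:<tid>]: <message>"
LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Service \[(.+?)\] accepted connection from (\S+)$")
END = re.compile(r"^Connection (closed|reset): (\d+) byte\(s\) sent to SSL, ?"
                 r"(\d+) byte\(s\) sent to socket$")

def sessions(log_text):
    """Group lines by stunnel thread id and return one record per connection."""
    open_by_tid, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, level, _pid, tid, msg = m.groups()
        a = ACCEPT.match(msg)
        if a:  # a new connection starts on this thread
            open_by_tid[tid] = {"service": a.group(1), "start": ts, "tid": tid, "errors": []}
            continue
        s = open_by_tid.get(tid)
        if s is None:
            continue
        if int(level) <= 3:  # LOG3 and below are error-level messages
            s["errors"].append(msg)
        e = END.match(msg)
        if e:
            s.update(end=e.group(1), to_ssl=int(e.group(2)), to_socket=int(e.group(3)))
            # Heuristic (assumption): an error plus no relayed data means the handshake never completed.
            s["handshake_failed"] = bool(s["errors"]) and s["to_ssl"] == 0 and s["to_socket"] == 0
            done.append(open_by_tid.pop(tid))
    return done

if __name__ == "__main__":
    for s in sessions(SAMPLE_LOG):
        print(s["start"], s["service"], s["end"], "FAILED" if s["handshake_failed"] else "ok", s["errors"])
```

Run against a full stunnel.log (with "debug = 7" enabled for more detail), this shows per service which reconnects fail before any data is relayed.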