Good afternoon,

I'm trying to use stunnel to secure a legacy application's communications. I can't seem to get it set up and working. Can anyone provide any hints where I'm going wrong?


Here's what I'm trying to accomplish:

A Windows service on a client machine connects to a server on port 7000 using TCP. I'd like to encrypt the communication between client and server.


Here's what I've tried:

Created a new server that accepts SSL connections on port 7443. Got a certificate for the server and installed it.

Installed stunnel on my Windows machine (version 7.43 from the distribution archive file).
Installed libssl32.dll and libeay32.dll in the same directory as stunnel.exe (from the openssl-0.9.8h-1 binary distribution).

Installed it as a service using "stunnel -install"

Configured stunnel as follows:
debug=7
output=C:\p4\internal\Utility\Proxy\proxy.log
service=Proxy
taskbar=no

[exchange]
accept=7000
client=yes
connect=proxy.blah.com:7443

I changed my hosts file to trick the old application:

server.blah.com  127.0.0.1
proxy.blah.com  IP-address-of-server.blah.com

"server.blah.com" now resolves to the machine it's running on (i.e. stunnel).
"proxy.blah.com" goes to the real server. stunnel should connect to the server.

I start the stunnel service and try to connect. It looks like it's working, but the stunnel service just shuts down with no message.


2010.04.19 13:16:21 LOG5[4924:3716]: stunnel 4.33 on x86-pc-mingw32-gnu with OpenSSL 0.9.8h 28 May 2008
2010.04.19 13:16:21 LOG5[4924:3716]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.04.19 13:16:49 LOG5[4924:3748]: Service exchange accepted connection from 127.0.0.1:4134
2010.04.19 13:16:49 LOG6[4924:3748]: connect_blocking: connecting x.80.60.32:7443
2010.04.19 13:16:49 LOG5[4924:3748]: connect_blocking: connected x.80.60.32:7443
2010.04.19 13:16:49 LOG5[4924:3748]: Service exchange connected remote server from x.253.120.19:4135
2010.04.19 13:20:24 LOG5[3668:3856]: Reading configuration from file stunnel.conf
2010.04.19 13:20:24 LOG7[3668:3856]: Snagged 64 random bytes from C:/.rnd
2010.04.19 13:20:24 LOG7[3668:3856]: Wrote 1024 new random bytes to C:/.rnd
2010.04.19 13:20:24 LOG7[3668:3856]: RAND_status claims sufficient entropy for the PRNG
2010.04.19 13:20:24 LOG7[3668:3856]: PRNG seeded successfully
2010.04.19 13:20:24 LOG7[3668:3856]: SSL context initialized for service exchange
2010.04.19 13:20:24 LOG5[3668:3856]: Configuration successful
2010.04.19 13:20:24 LOG5[3668:3856]: No limit detected for the number of clients
2010.04.19 13:20:24 LOG7[3668:3856]: FD=312 in non-blocking mode
2010.04.19 13:20:24 LOG7[3668:3856]: Option SO_REUSEADDR set on accept socket
2010.04.19 13:20:24 LOG7[3668:3856]: Service exchange bound to 0.0.0.0:7000
2010.04.19 13:20:24 LOG7[3668:3856]: Service exchange opened FD=312
2010.04.19 13:20:24 LOG5[3668:3856]: stunnel 4.33 on x86-pc-mingw32-gnu with OpenSSL 0.9.8h 28 May 2008
2010.04.19 13:20:24 LOG5[3668:3856]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.04.19 13:21:02 LOG7[3668:4556]: Service exchange accepted FD=372 from 127.0.0.1:4156
2010.04.19 13:21:02 LOG7[3668:4556]: Creating a new thread
2010.04.19 13:21:02 LOG7[3668:4556]: New thread created
2010.04.19 13:21:02 LOG7[3668:3756]: Service exchange started
2010.04.19 13:21:02 LOG7[3668:3756]: FD=372 in non-blocking mode
2010.04.19 13:21:02 LOG5[3668:3756]: Service exchange accepted connection from 127.0.0.1:4156
2010.04.19 13:21:02 LOG7[3668:3756]: FD=396 in non-blocking mode
2010.04.19 13:21:02 LOG6[3668:3756]: connect_blocking: connecting x.80.60.32:7443
2010.04.19 13:21:02 LOG7[3668:3756]: connect_blocking: s_poll_wait x.80.60.32:7443: waiting 10 seconds
2010.04.19 13:21:02 LOG5[3668:3756]: connect_blocking: connected x.80.60.32:7443
2010.04.19 13:21:02 LOG5[3668:3756]: Service exchange connected remote server from x.253.120.19:4157
2010.04.19 13:21:02 LOG7[3668:3756]: Remote FD=396 initialized
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): before/connect initialization
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write client hello A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server hello A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server certificate A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server done A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write client key exchange A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write change cipher spec A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write finished A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 flush data
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read finished A

The client thinks the connection is closed:

No connection could be made because the target machine actively refused it 127.0.0.1:7000
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at Service.ConnUtility.Connect()

Any suggestions?

Thanks
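As an added example that is not part of the original post: a small Python linter for the stunnel.conf quoted above. It parses stunnel's INI-style layout (global options before the first [service] header) and flags two things a client-mode section like [exchange] should address: without verify=2 and CAfile/CApath, stunnel encrypts to whatever answers on proxy.blah.com:7443 but never authenticates it, and a bare accept=7000 binds every interface (the log confirms 0.0.0.0:7000), so the plaintext side is reachable from the network. The hardened variant and its CAfile path are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample mirroring the configuration quoted in the post above.
POSTED_CONF = """\
debug=7
output=C:\\p4\\internal\\Utility\\Proxy\\proxy.log
service=Proxy
taskbar=no

[exchange]
accept=7000
client=yes
connect=proxy.blah.com:7443
"""

# Constructed hardened variant of the same section; the CAfile path is a placeholder.
HARDENED_CONF = POSTED_CONF.replace("accept=7000", "accept=127.0.0.1:7000") + (
    "verify=2\nCAfile=C:\\path\\to\\ca-bundle.crt\n")


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stunnel's INI-like file; global options live under the "" key."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # option names are case-insensitive in stunnel; values keep case
            sections[current][key.strip().lower()] = value.strip()
    return sections


def lint(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (service, code, advice) findings for every client=yes service."""
    findings = []
    for name, opts in sections.items():
        if not name or opts.get("client", "no").lower() != "yes":
            continue
        # verify=2+ plus a CA is what makes stunnel authenticate the server.
        if opts.get("verify", "0") not in ("2", "3", "4") or not (
                opts.get("cafile") or opts.get("capath")):
            findings.append((name, "no-server-auth", "set verify=2 and CAfile or CApath"))
        # A bare accept=PORT binds 0.0.0.0, exposing the plaintext side to other hosts.
        if ":" not in opts.get("accept", ""):
            findings.append((name, "accept-all-interfaces", "use accept=127.0.0.1:PORT"))
    return findings
```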