Hi all,
I am trying to encrypt a connection between two hosts using stunnel.

----- here is my config file -----

cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = debug
output = stunnel.log

[rdps]
accept = 1957
connect = remote_machine:3389
Everything was working fine until I tried to telnet to port 1957 on the machine running stunnel; the stunnel process died on its own, leaving this in /var/log/messages:
Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault at 8 ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]
Does anybody have an idea about this problem?
Thanks in advance,
Yassine
You need to have an IP address for the local connection and you need the client portion enabled as well.
Scott
stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Hi Scott,
I am not quite sure I understand your answer. Let me add some more information to make clear how I get the segfault:
A Java applet (from a web browser) connects to the stunnel machine on port 1957; stunnel then redirects the traffic to the remote_machine, so I only have the server stunnel portion installed (on the stunnel machine).
When I run a telnet from any machine connected to the internet like this: telnet stunnel_machine 1957, the stunnel on the stunnel machine dies... with the error posted previously.
Greetings,
-- Yassine
Right... so, here is a sample config; I will add emphasis on the parts you need to make sure you have.

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /newcert.pem
key = /newkey.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3, TLSv1

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
;socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

[https]
accept  = 10.x.x.x:443
connect = 11.x.x.x:443
; here you need to have an IP address for each accept and connect, as well as a port.
; If you are connecting to localhost, put 127.0.0.1.
;TIMEOUTclose = 0

; vim:ft=dosini
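The two configurations in this thread differ in exactly the places a reviewer looks at first: whether accept binds one address or every interface, whether obsolete SSL versions are still allowed, and whether verify is set so that peer certificates are actually checked. The following is an added example, not code from stunnel or from anyone in the thread: a small linter for stunnel's INI-style config that reports those three points, run over constructed copies of the posted RDP config and of the sample client config, plus a hardened variant of the RDP tunnel. The addresses, the clients.pem path and the remote_machine hostname are placeholders.

```python
"""Lint a stunnel config for settings that leave a tunnel exposed.

Added example for this thread, not code from stunnel or from any poster.
It parses stunnel's INI-style format (global options, then one [service]
section per tunnel) and flags an accept with no bind address, obsolete SSL
versions and missing peer verification. The configs below are constructed:
two follow the ones posted, the third hardens the RDP tunnel.
"""
from collections import defaultdict

WEAK_VERSIONS = {"SSLV2", "SSLV3"}

def parse_stunnel_conf(text):
    """Return (global_opts, services); each maps lower-cased key -> list of values."""
    global_opts, services = defaultdict(list), {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), defaultdict(list))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        current[key.strip().lower()].append(value.strip())  # repeated keys kept in order
    return global_opts, services

def split_endpoint(value):
    """Split stunnel's '[host:]port' into (host or None, port)."""
    host, sep, port = value.rpartition(":")
    return (host if sep else None, port)

def effective(opts, global_opts, key):
    # Last value in the service section, else the global one, else None.
    values = opts.get(key) or global_opts.get(key)
    return values[-1] if values else None

def lint(text):
    """Return a list of (section, code, message) findings."""
    g, services = parse_stunnel_conf(text)
    findings = []

    def check_versions(section, opts):
        for value in opts.get("sslversion", []):
            weak = [v.strip() for v in value.split(",") if v.strip().upper() in WEAK_VERSIONS]
            if weak:
                findings.append((section, "weak-sslversion",
                                 f"sslVersion = {value} allows {', '.join(weak)}"))

    check_versions("(global)", g)
    for name, opts in services.items():
        check_versions(name, opts)
        accept = effective(opts, g, "accept")
        if accept is not None and split_endpoint(accept)[0] is None:
            findings.append((name, "accept-all-interfaces",
                             f"accept = {accept} listens on every interface"))
        verify = effective(opts, g, "verify")
        if not (verify and verify.isdigit() and int(verify) >= 2):
            if (effective(opts, g, "client") or "no").lower() == "yes":
                findings.append((name, "no-server-verify",
                                 "client mode without verify = 2: server cert unchecked"))
            else:
                findings.append((name, "no-client-verify", "server mode without verify = 2: "
                                 f"open tunnel to {effective(opts, g, 'connect')}"))
    return findings

def finding_codes(text):
    return {(section, code) for section, code, _ in lint(text)}

# Constructed after the config posted at the top of the thread.
POSTED_RDP_CONF = """
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[rdps]
accept = 1957
connect = remote_machine:3389
"""

# Constructed after the sample client config in the reply; addresses are stand-ins.
SAMPLE_CLIENT_CONF = """
cert = /newcert.pem
sslVersion = SSLv3, TLSv1
client = yes
[https]
accept = 10.0.0.1:443
connect = 192.0.2.10:443
"""

# Hardened RDP tunnel: one bind address, TLS only, client certificates required
# (assumes clients.pem holds the applet's certificate or its issuing CA).
HARDENED_RDP_CONF = """
cert = /usr/local/etc/stunnel/stunnel.pem
sslVersion = TLSv1
verify = 2
CAfile = /usr/local/etc/stunnel/clients.pem
[rdps]
accept = 203.0.113.5:1957
connect = remote_machine:3389
"""
```

On the posted RDP config the linter reports that `accept = 1957` listens on every interface (which is why a telnet from anywhere on the internet reached it) and that, without `verify = 2`, anyone who can reach port 1957 gets a tunnel to remote_machine:3389. On the sample client config it reports the SSLv3 allowance and that client mode without verify never checks the server certificate. The hardened variant binds one address and requires a client certificate, so only the applet's certificate (or one issued by the CA in clients.pem) can open the tunnel; `sslVersion = TLSv1` is the strongest choice the option set shown in this thread offers.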
Hi Scott,
Thank you for your reply; however, I am still consistently 'killing' stunnel with a segfault. It is very simple to reproduce, and it is consistent. I am using stunnel v4.41 (and I am trying to secure an RDP connection, not an HTTP one). With or without client mode, I get the segfault. I tried both cases.
To 'kill' stunnel, all I do is run the following from any machine:

telnet stunnel_machine 1957

---> stunnel_machine [listens on 1957] ---> remote_machine [listens on 3389]

stunnel is configured to listen on port 1957 and forward to 3389:

[rdps]
accept = 1957
connect = machine2:3389

In production, my deployment environment will be:

Java Applet (an RDP client, not HTTP) ---> stunnel_machine [listens on 1957] ---> machine2 [listens on 3389]

The Java applet is an RDP client (not HTTP) which issues RDP calls that I want encrypted (hence stunnel).
Please advise. Thank you,
Yassine
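The reproduction described above, and in the first message of the thread, is a plaintext client talking to a TLS port: what a correct TLS server does is reject the junk with a fatal alert, close that one connection and carry on, whereas the stunnel build here died. The following is an added example, not code from stunnel or from anyone in the thread, that scripts that test so it can be repeated after an upgrade: connect, send non-TLS bytes, read the reply, then reconnect to confirm the daemon is still accepting. A constructed local listener that behaves the way a healthy TLS server should is included only so the check runs offline; against a real deployment, run probe() against the stunnel host and port.

```python
"""Check how a TLS listener copes with a plaintext client.

Added example for this thread, not code from stunnel or from any poster.
It scripts the test done by hand with telnet: connect to the TLS port,
send bytes that are not a TLS record, read the reply, then reconnect to
see whether the daemon is still accepting. MockTlsListener is a
constructed stand-in (fatal alert, connection closed, keeps serving) so
the check can run offline.
"""
import socket
import sys
import threading

TLS_HANDSHAKE = 0x16
# One TLS alert record: type 21, version 3.1, length 2, level fatal (2), unexpected_message (10)
FATAL_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])


def probe(host, port, payload=b"GET / HTTP/1.0\r\n\r\n", timeout=2.0):
    """Send non-TLS bytes to host:port and report what happened.

    Returns {'reply': bytes sent back (b'' if the peer just closed),
             'alert': True if that reply is a TLS alert record,
             'alive': True if a fresh TCP connection is accepted afterwards}.
    A daemon that crashes on the first connection shows up as alive=False.
    """
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while chunk := s.recv(1024):
                reply += chunk
        except OSError:          # timeout or reset: treat what we have as the reply
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout):
            alive = True
    except OSError:
        alive = False
    alert = len(reply) >= 5 and reply[0] == 0x15 and reply[1] == 0x03
    return {"reply": reply, "alert": alert, "alive": alive}


class MockTlsListener:
    """Constructed stand-in for a TLS server: rejects non-TLS bytes, keeps running."""

    def __init__(self):
        self._closed = False
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._closed:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:          # listener closed
                return
            with conn:
                conn.settimeout(1.0)
                try:
                    if conn.recv(1) != bytes([TLS_HANDSHAKE]):
                        conn.sendall(FATAL_ALERT)   # reject, then the with-block closes it
                except OSError:      # peer went away first; keep serving
                    pass

    def close(self):
        self._closed = True
        self.sock.close()


def self_check():
    """Run probe() against the mock listener and return its result."""
    srv = MockTlsListener()
    try:
        return probe("127.0.0.1", srv.port)
    finally:
        srv.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(self_check())
```

Run as `python probe.py stunnel_machine 1957`; the behaviour reported in the thread would come back as alive=False, a healthy listener as alert=True and alive=True. The alert check is deliberately loose (record type 21, major version 3) because which alert a server sends for non-TLS input depends on its TLS library.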
yassine ayachi wrote:
I am using stunnel v.4.41
[cut]
Please advise,
This page may be helpful: http://www.stunnel.org/?page=lists
Mike
Thanks Scott, Michal,
I switched to the latest version and the error disappeared.
Cheers