Hi,
I am also having no luck using the stunnel-4.5* series. The last/latest working for me is 4.49.
$ uname -a
Darwin SciFi.homeip.net 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386 i386 iMac6,1 Darwin
(altho this is a C2D machine, running most tasks in 64-bit mode, Apple has left the EFI/BIOS/kernels at 32-bit… yes I can boot+run 10.7/Lion, but that is a total separate topic altogether [don't get me started]…)
I mainly use stunnel with Pan, to connect to Giganews, Astraweb, and Gmane (which is what I'm using now to post this message). I use the simple 127.0.0.1:port mechanism.
(I've been working with one of Pan's new developers, to try their new GnuTLS support; but until that works, stunnel is my known supposedly-functioning fallback.)
I've tested every 4.5x release, including today's 4.52b1 & b2 -- all act the same, in that Pan tries to connect to stunnel, and that's all I see, nothing further happens.
Also, the 4.5-series produces much-less log-listing, as you'll see in my attachments below.
I am fine while relegated to using stunnel-4.49, but we have a further issue, in that the "verify=<number>" option seems to reject the certs & what-not coming from these servers, for any <number> higher than 0 (yes I saw the maillist discussion about what 4 means there, and tried it also). I've been mildly joking with the Pan developer on how to be sure we are /really/ in secure mode. ;)
Now, the details.
I manually start stunnel on a login-root terminal window, this way:
# stunnel /usr/local/etc/stunnel/stunnel.conf -sockets
With these sample log-lists (below), I'm trying to get one single short post in a newsgroup. I made sure Pan did not save this post in its cache, such that it does try to fetch the post from the NNTP server. (Currently, Pan is set to use Astraweb as my primary feed.)
Here's what 4.49 will show on the terminal (this works: I can see the modem blinking, and can see/read the post):
---start---
2012.01.11 10:24:51 LOG7[3782:2697274688]: Clients allowed=500
2012.01.11 10:24:51 LOG7[3782:2697274688]: signal_pipe: FD=3 allocated (non-blocking mode)
2012.01.11 10:24:51 LOG7[3782:2697274688]: signal_pipe: FD=4 allocated (non-blocking mode)
2012.01.11 10:24:51 LOG5[3782:2697274688]: stunnel 4.49 on i386-apple-darwin10.8.0 platform
2012.01.11 10:24:51 LOG5[3782:2697274688]: Compiled/running with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 10:24:51 LOG5[3782:2697274688]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:SELECT,IPv6
2012.01.11 10:24:51 LOG5[3782:2697274688]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
2012.01.11 10:24:51 LOG6[3782:2697274688]: Compression enabled using zlib method
2012.01.11 10:24:51 LOG7[3782:2697274688]: PRNG seeded successfully
2012.01.11 10:24:52 LOG6[3782:2697274688]: Initializing SSL context for service nntp_gn
2012.01.11 10:24:52 LOG7[3782:2697274688]: Verify directory set to /certs
2012.01.11 10:24:52 LOG7[3782:2697274688]: Added /certs revocation lookup directory
2012.01.11 10:24:52 LOG7[3782:2697274688]: Added /crls revocation lookup directory
2012.01.11 10:24:52 LOG7[3782:2697274688]: SSL options set: 0x00000004
2012.01.11 10:24:52 LOG6[3782:2697274688]: SSL context initialized
2012.01.11 10:24:52 LOG6[3782:2697274688]: Initializing SSL context for service nntp_aw
2012.01.11 10:24:52 LOG7[3782:2697274688]: Verify directory set to /certs
2012.01.11 10:24:52 LOG7[3782:2697274688]: Added /certs revocation lookup directory
2012.01.11 10:24:52 LOG7[3782:2697274688]: Added /crls revocation lookup directory
2012.01.11 10:24:52 LOG7[3782:2697274688]: SSL options set: 0x00000004
2012.01.11 10:24:52 LOG6[3782:2697274688]: SSL context initialized
2012.01.11 10:24:52 LOG6[3782:2697274688]: Initializing SSL context for service nntp_gm
2012.01.11 10:24:52 LOG7[3782:2697274688]: Verify directory set to /certs
2012.01.11 10:24:52 LOG7[3782:2697274688]: Added /certs revocation lookup directory
2012.01.11 10:24:52 LOG7[3782:2697274688]: Added /crls revocation lookup directory
2012.01.11 10:24:52 LOG7[3782:2697274688]: SSL options set: 0x00000004
2012.01.11 10:24:52 LOG6[3782:2697274688]: SSL context initialized
2012.01.11 10:24:52 LOG5[3782:2697274688]: Configuration successful
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=5 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=6 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=6 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=8 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=8 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=9 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=9 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=10 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=10 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: libwrap_init: FD=11 allocated (blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: accept socket: FD=11 allocated (non-blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: Option SO_REUSEADDR set on accept socket
2012.01.11 10:24:52 LOG7[3782:2697274688]: Service nntp_gn bound to 0.0.0.0:12000
2012.01.11 10:24:52 LOG7[3782:2697274688]: Service nntp_gn opened FD=11
2012.01.11 10:24:52 LOG7[3782:2697274688]: accept socket: FD=12 allocated (non-blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: Option SO_REUSEADDR set on accept socket
2012.01.11 10:24:52 LOG7[3782:2697274688]: Service nntp_aw bound to 0.0.0.0:12001
2012.01.11 10:24:52 LOG7[3782:2697274688]: Service nntp_aw opened FD=12
2012.01.11 10:24:52 LOG7[3782:2697274688]: accept socket: FD=13 allocated (non-blocking mode)
2012.01.11 10:24:52 LOG7[3782:2697274688]: Option SO_REUSEADDR set on accept socket
2012.01.11 10:24:52 LOG7[3782:2697274688]: Service nntp_gm bound to 0.0.0.0:12002
2012.01.11 10:24:52 LOG7[3782:2697274688]: Service nntp_gm opened FD=13
2012.01.11 10:24:52 LOG7[3782:2697274688]: Created pid file /stunnel.pid
2012.01.11 10:25:53 LOG7[3782:2697274688]: local socket: FD=14 allocated (non-blocking mode)
2012.01.11 10:25:53 LOG7[3782:2697274688]: Service nntp_aw accepted FD=14 from 127.0.0.1:52241
2012.01.11 10:25:53 LOG7[3782:2952859648]: Service nntp_aw started
2012.01.11 10:25:53 LOG7[3782:2952859648]: Option TCP_NODELAY set on local socket
2012.01.11 10:25:53 LOG7[3782:2952859648]: Waiting for a libwrap process
2012.01.11 10:25:53 LOG7[3782:2952859648]: Acquired libwrap process #0
2012.01.11 10:25:53 LOG7[3782:2952859648]: Releasing libwrap process #0
2012.01.11 10:25:53 LOG7[3782:2952859648]: Released libwrap process #0
2012.01.11 10:25:53 LOG7[3782:2952859648]: Service nntp_aw permitted by libwrap from 127.0.0.1:52241
2012.01.11 10:25:53 LOG5[3782:2952859648]: Service nntp_aw accepted connection from 127.0.0.1:52241
2012.01.11 10:25:53 LOG7[3782:2952859648]: remote socket: FD=15 allocated (non-blocking mode)
2012.01.11 10:25:53 LOG6[3782:2952859648]: connect_blocking: connecting 216.151.153.83:563
2012.01.11 10:25:53 LOG7[3782:2952859648]: connect_blocking: s_poll_wait 216.151.153.83:563: waiting 10 seconds
2012.01.11 10:25:54 LOG5[3782:2952859648]: connect_blocking: connected 216.151.153.83:563
2012.01.11 10:25:54 LOG5[3782:2952859648]: Service nntp_aw connected remote server from 192.168.1.65:52242
2012.01.11 10:25:54 LOG7[3782:2952859648]: Remote FD=15 initialized
2012.01.11 10:25:54 LOG7[3782:2952859648]: Option TCP_NODELAY set on remote socket
2012.01.11 10:25:54 LOG7[3782:2952859648]: SNI: host name: ssl.astraweb.com
2012.01.11 10:25:54 LOG7[3782:2952859648]: Starting certificate verification: depth=3, /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
2012.01.11 10:25:54 LOG6[3782:2952859648]: CERT: Verification not enabled
2012.01.11 10:25:54 LOG5[3782:2952859648]: Certificate accepted: depth=3, /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
2012.01.11 10:25:54 LOG7[3782:2952859648]: Starting certificate verification: depth=2, /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2012.01.11 10:25:54 LOG6[3782:2952859648]: CERT: Verification not enabled
2012.01.11 10:25:54 LOG5[3782:2952859648]: Certificate accepted: depth=2, /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2012.01.11 10:25:54 LOG7[3782:2952859648]: Starting certificate verification: depth=1, /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
2012.01.11 10:25:54 LOG6[3782:2952859648]: CERT: Verification not enabled
2012.01.11 10:25:54 LOG5[3782:2952859648]: Certificate accepted: depth=1, /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
2012.01.11 10:25:54 LOG7[3782:2952859648]: Starting certificate verification: depth=0, /O=*.astraweb.com/OU=Domain Control Validated/CN=*.astraweb.com
2012.01.11 10:25:54 LOG6[3782:2952859648]: CERT: Verification not enabled
2012.01.11 10:25:54 LOG5[3782:2952859648]: Certificate accepted: depth=0, /O=*.astraweb.com/OU=Domain Control Validated/CN=*.astraweb.com
2012.01.11 10:25:54 LOG6[3782:2952859648]: SSL connected: new session negotiated
2012.01.11 10:25:54 LOG6[3782:2952859648]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.11 10:26:06 LOG7[3782:2952859648]: Socket closed on read
2012.01.11 10:26:06 LOG7[3782:2952859648]: Sending SSL write shutdown
2012.01.11 10:26:06 LOG6[3782:2952859648]: SSL_shutdown successfully sent close_notify
2012.01.11 10:26:06 LOG3[3782:2952859648]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
2012.01.11 10:26:06 LOG5[3782:2952859648]: Connection closed: 147 bytes sent to SSL, 1446 bytes sent to socket
2012.01.11 10:26:06 LOG7[3782:2952859648]: Service nntp_aw finished (0 left)
2012.01.11 10:26:06 LOG7[3782:2952859648]: str_stats: 0 block(s), 0 data byte(s), 0 control byte(s)
^C2012.01.11 10:26:11 LOG7[3782:2697274688]: Dispatching signals from the signal pipe
2012.01.11 10:26:11 LOG3[3782:2697274688]: Received signal 2; terminating
2012.01.11 10:26:11 LOG7[3782:2697274688]: Service nntp_gn closed FD=11
2012.01.11 10:26:11 LOG7[3782:2697274688]: Service nntp_aw closed FD=12
2012.01.11 10:26:11 LOG7[3782:2697274688]: Service nntp_gm closed FD=13
2012.01.11 10:26:11 LOG7[3782:2697274688]: str_stats: 76 block(s), 4835 data byte(s), 2584 control byte(s)
2012.01.11 10:26:11 LOG7[3782:2697274688]: removing pid file /stunnel.pid
# _
---end---
Here's what 4.52b2 shows, much like other 4.5x versions (note it shows much-less than 4.49) -- Pan tried to connect starting at 10:21:27, timing-out twice at least, before I made it go off-line etc.:
---start---
2012.01.11 10:20:22 LOG7[3549:3146608]: Clients allowed=500
2012.01.11 10:20:22 LOG5[3549:3146608]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 10:20:22 LOG5[3549:3146608]: Compiled/running with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 10:20:22 LOG5[3549:3146608]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:SELECT,IPv6
2012.01.11 10:20:22 LOG5[3549:3146608]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
2012.01.11 10:20:22 LOG6[3549:3146608]: Compression enabled: 2 algorithm(s)
2012.01.11 10:20:22 LOG7[3549:3146608]: PRNG seeded successfully
2012.01.11 10:20:23 LOG6[3549:3146608]: Initializing SSL context for service nntp_gn
2012.01.11 10:20:23 LOG7[3549:3146608]: Verify directory set to /certs
2012.01.11 10:20:23 LOG7[3549:3146608]: Added /certs revocation lookup directory
2012.01.11 10:20:23 LOG7[3549:3146608]: Added /crls revocation lookup directory
2012.01.11 10:20:23 LOG7[3549:3146608]: SSL options set: 0x00000004
2012.01.11 10:20:23 LOG6[3549:3146608]: SSL context initialized
2012.01.11 10:20:23 LOG6[3549:3146608]: Initializing SSL context for service nntp_aw
2012.01.11 10:20:23 LOG7[3549:3146608]: Verify directory set to /certs
2012.01.11 10:20:23 LOG7[3549:3146608]: Added /certs revocation lookup directory
2012.01.11 10:20:23 LOG7[3549:3146608]: Added /crls revocation lookup directory
2012.01.11 10:20:23 LOG7[3549:3146608]: SSL options set: 0x00000004
2012.01.11 10:20:23 LOG6[3549:3146608]: SSL context initialized
2012.01.11 10:20:23 LOG6[3549:3146608]: Initializing SSL context for service nntp_gm
2012.01.11 10:20:23 LOG7[3549:3146608]: Verify directory set to /certs
2012.01.11 10:20:23 LOG7[3549:3146608]: Added /certs revocation lookup directory
2012.01.11 10:20:23 LOG7[3549:3146608]: Added /crls revocation lookup directory
2012.01.11 10:20:23 LOG7[3549:3146608]: SSL options set: 0x00000004
2012.01.11 10:20:23 LOG6[3549:3146608]: SSL context initialized
2012.01.11 10:20:23 LOG5[3549:3146608]: Configuration successful
2012.01.11 10:20:23 LOG7[3549:3146608]: Service nntp_gn bound FD=13 to 0.0.0.0:12000
2012.01.11 10:20:23 LOG7[3549:3146608]: Service nntp_aw bound FD=14 to 0.0.0.0:12001
2012.01.11 10:20:23 LOG7[3549:3146608]: Service nntp_gm bound FD=15 to 0.0.0.0:12002
2012.01.11 10:20:23 LOG7[3549:3146608]: Created pid file /stunnel.pid
2012.01.11 10:21:27 LOG7[3549:3146608]: Service nntp_aw accepted FD=16 from 127.0.0.1:52237
2012.01.11 10:22:01 LOG7[3549:3146608]: Service nntp_aw accepted FD=17 from 127.0.0.1:52238
^C2012.01.11 10:22:32 LOG7[3549:3146608]: Dispatching signals from the signal pipe
2012.01.11 10:22:32 LOG3[3549:3146608]: Received signal 2; terminating
2012.01.11 10:22:32 LOG7[3549:3146608]: Service nntp_gn closed FD=13
2012.01.11 10:22:32 LOG7[3549:3146608]: Service nntp_aw closed FD=14
2012.01.11 10:22:32 LOG7[3549:3146608]: Service nntp_gm closed FD=15
2012.01.11 10:22:32 LOG7[3549:3146608]: str_stats: 55 block(s), 4163 data byte(s), 1870 control byte(s)
2012.01.11 10:22:32 LOG7[3549:3146608]: removing pid file /stunnel.pid
# _
---end---
Here's my stunnel.conf with superfluous comments removed:
---/usr/local/etc/stunnel/stunnel.conf---
foreground = yes
key = /usr/local/etc/stunnel/stunnel.pem
sslVersion = all
ciphers = ALL
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
compression = zlib
verify = 0
CApath = /certs
CRLpath = /crls
debug = 7
client = yes
TIMEOUTclose = 0

; service-level configuration

[nntp_gn]
accept = 12000
connect = news.giganews.com:563

[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563

[nntp_gm]
accept = 12002
connect = 80.91.229.10:563

; vim:ft=dosini
---end---
To generate the aforementioned stunnel.pem, I followed the steps shown here: https://baltazaar.wordpress.com/2008/03/03/configuring-pan-newsreader-with-stunnel-ssl/
Here is my build-log for 4.52b2, similar to my other builds:
---start---
$ cat ./dothis.sh
#
./configure \
--enable-dependency-tracking \
--enable-static \
--enable-shared \
--enable-ipv6 \
--with-ssl=/usr/local/ssl \
#
$ ./dothis.sh
configure: **************************************** initialization
checking for a BSD-compatible install... /usr/local/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/local/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... x86_64-apple-darwin10.8.0
checking host system type... x86_64-apple-darwin10.8.0
checking for gcc... gcc-4.2
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc-4.2 accepts -g... yes
checking for gcc-4.2 option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc-4.2... gcc3
checking whether gcc-4.2 and cc understand -c and -o together... yes
checking whether make sets $(MAKE)... (cached) yes
configure: **************************************** compiler/linker flags
checking whether gcc-4.2 accepts -pthread... yes
checking whether gcc-4.2 accepts -fstack-protector... yes
checking whether gcc-4.2 accepts -Wall... yes
checking whether gcc-4.2 accepts -Wextra... yes
checking whether gcc-4.2 accepts -Wno-long-long... yes
checking whether gcc-4.2 accepts -pedantic... yes
configure: **************************************** libtool
checking for a sed that does not truncate output... /usr/local/bin/sed
checking for grep that handles long lines and -e... /usr/local/bin/grep
checking for egrep... /usr/local/bin/grep -E
checking for fgrep... /usr/local/bin/grep -F
checking for ld used by gcc-4.2... /usr/libexec/gcc/i686-apple-darwin10/4.2.1/ld
checking if the linker (/usr/libexec/gcc/i686-apple-darwin10/4.2.1/ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm
checking the name lister (/usr/bin/nm) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 196608
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking for /usr/libexec/gcc/i686-apple-darwin10/4.2.1/ld option to reload object files... -r
checking for objdump... no
checking how to recognize dependent libraries... pass_all
checking for ar... ar
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm output from gcc-4.2 object... ok
checking for dsymutil... dsymutil
checking for nmedit... nmedit
checking for lipo... lipo
checking for otool... otool
checking for otool64... no
checking for -single_module linker flag... yes
checking for -exported_symbols_list linker flag... yes
checking how to run the C preprocessor... cpp-4.2
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc-4.2 supports -fno-rtti -fno-exceptions... no
checking for gcc-4.2 option to produce PIC... -fno-common -DPIC
checking if gcc-4.2 PIC flag -fno-common -DPIC works... yes
checking if gcc-4.2 static flag -static works... no
checking if gcc-4.2 supports -c -o file.o... yes
checking if gcc-4.2 supports -c -o file.o... (cached) yes
checking whether the gcc-4.2 linker (/usr/libexec/gcc/i686-apple-darwin10/4.2.1/ld) supports shared libraries... yes
checking dynamic linker characteristics... darwin10.8.0 dyld
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
configure: **************************************** types
checking size of unsigned char... 1
checking size of unsigned short... 2
checking size of unsigned int... 4
checking size of unsigned long... 4
checking for socklen_t... yes
checking for struct sockaddr_un... yes
checking for struct addrinfo... yes
configure: **************************************** PTY device files
checking for "/dev/ptmx"... yes
checking for "/dev/ptc"... no
configure: **************************************** entropy sources
checking for "/dev/urandom"... yes
configure: **************************************** default group
checking for default group... nogroup
configure: **************************************** header files
checking ucontext.h usability... no
checking ucontext.h presence... no
checking for ucontext.h... no
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking poll.h usability... yes
checking poll.h presence... yes
checking for poll.h... yes
checking tcpd.h usability... yes
checking tcpd.h presence... yes
checking for tcpd.h... yes
checking stropts.h usability... no
checking stropts.h presence... no
checking for stropts.h... no
checking grp.h usability... yes
checking grp.h presence... yes
checking for grp.h... yes
checking for unistd.h... (cached) yes
checking util.h usability... yes
checking util.h presence... yes
checking for util.h... yes
checking libutil.h usability... no
checking libutil.h presence... no
checking for libutil.h... no
checking pty.h usability... no
checking pty.h presence... no
checking for pty.h... no
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking sys/poll.h usability... yes
checking sys/poll.h presence... yes
checking for sys/poll.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/un.h usability... yes
checking sys/un.h presence... yes
checking for sys/un.h... yes
checking sys/ioctl.h usability... yes
checking sys/ioctl.h presence... yes
checking for sys/ioctl.h... yes
checking sys/filio.h usability... yes
checking sys/filio.h presence... yes
checking for sys/filio.h... yes
checking sys/resource.h usability... yes
checking sys/resource.h presence... yes
checking for sys/resource.h... yes
checking for struct msghdr.msg_control... yes
checking for linux/netfilter_ipv4.h... no
configure: **************************************** libraries
checking for library containing gethostbyname... none required
checking for library containing yp_get_default_domain... none required
checking for library containing socket... none required
checking for library containing openpty... none required
checking for library containing dlopen... none required
checking for library containing shl_load... no
checking for library containing inflateEnd... -lz
configure: **************************************** thread model
checking for pthread_create in -lc_r... no
checking for pthread_create in -lc... yes
checking for pthread_create in -lpthread... yes
configure: PTHREAD thread model detected
configure: **************************************** library functions
checking for snprintf... yes
checking for vsnprintf... yes
checking for openpty... yes
checking for _getpty... no
checking for daemon... yes
checking for waitpid... yes
checking for wait4... yes
checking for setsid... yes
checking for setgroups... yes
checking for chroot... yes
checking for sysconf... yes
checking for getrlimit... yes
checking for pthread_sigmask... yes
checking for localtime_r... yes
checking for getcontext... yes
checking for __makecontext_v2... no
checking for poll... yes
checking for gethostbyname2... yes
checking for endhostent... yes
checking for getnameinfo... yes
checking for getaddrinfo... yes
checking for broken poll() implementation... yes (poll() disabled)
checking for pipe2... no
checking for accept4... no
configure: **************************************** optional features
checking whether to enable IPv6 support... yes
checking whether to disable TCP wrappers library support... autodetecting
checking for hosts_access in -lwrap... yes
checking whether to enable FIPS mode support... autodetecting
configure: **************************************** SSL
checking for SSL directory... /usr/local/ssl
checking /usr/local/ssl/include/openssl/engine.h usability... yes
checking /usr/local/ssl/include/openssl/engine.h presence... yes
checking for /usr/local/ssl/include/openssl/engine.h... yes
checking /usr/local/ssl/include/openssl/ocsp.h usability... yes
checking /usr/local/ssl/include/openssl/ocsp.h presence... yes
checking for /usr/local/ssl/include/openssl/ocsp.h... yes
checking for FIPS_mode_set... no
configure: **************************************** write the results
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating src/stunnel3
config.status: creating doc/Makefile
config.status: creating tools/Makefile
config.status: creating tools/stunnel.conf-sample
config.status: creating tools/stunnel.init
config.status: creating tools/stunnel.service
config.status: creating src/config.h
config.status: executing depfiles commands
config.status: executing libtool commands
configure: **************************************** success
$ make -w
make: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52'
Making all in src
make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/src'
make all-am
make[2]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/src'
/bin/sh ../libtool --tag=CC --mode=compile gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT env.lo -MD -MP -MF .deps/env.Tpo -c -o env.lo env.c
libtool: compile: gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT env.lo -MD -MP -MF .deps/env.Tpo -c env.c -fno-common -DPIC -o .libs/env.o
libtool: compile: gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT env.lo -MD -MP -MF .deps/env.Tpo -c env.c -o env.o >/dev/null 2>&1
mv -f .deps/env.Tpo .deps/env.Plo
/bin/sh ../libtool --tag=CC --mode=link gcc-4.2 -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -avoid-version -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -o libstunnel.la -rpath /usr/local/lib/stunnel env.lo -lz -L/usr/local/ssl/lib -L/usr/local/lib/libquicktime -L/usr/local/lib -L/usr/X11/lib -L/usr/lib -lpthread -lwrap
libtool: link: gcc-4.2 -dynamiclib -Wl,-undefined -Wl,dynamic_lookup -o .libs/libstunnel.dylib .libs/env.o -lz -L/usr/local/ssl/lib -L/usr/local/lib/libquicktime -L/usr/local/lib -L/usr/X11/lib -L/usr/lib /usr/local/lib/libpthread.dylib -lwrap -mtune=core2 -march=core2 -arch i386 -mtune=core2 -march=core2 -arch i386 -install_name /usr/local/lib/stunnel/libstunnel.dylib -Wl,-single_module
libtool: link: dsymutil .libs/libstunnel.dylib || :
warning: no debug symbols in executable (-arch i386)
libtool: link: ar cru .libs/libstunnel.a env.o
libtool: link: ranlib .libs/libstunnel.a
libtool: link: ( cd ".libs" && rm -f "libstunnel.la" && ln -s "../libstunnel.la" "libstunnel.la" )
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-str.o -MD -MP -MF .deps/stunnel-str.Tpo -c -o stunnel-str.o `test -f 'str.c' || echo './'`str.c
mv -f .deps/stunnel-str.Tpo .deps/stunnel-str.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-file.o -MD -MP -MF .deps/stunnel-file.Tpo -c -o stunnel-file.o `test -f 'file.c' || echo './'`file.c
mv -f .deps/stunnel-file.Tpo .deps/stunnel-file.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-client.o -MD -MP -MF .deps/stunnel-client.Tpo -c -o stunnel-client.o `test -f 'client.c' || echo './'`client.c
mv -f .deps/stunnel-client.Tpo .deps/stunnel-client.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-log.o -MD -MP -MF .deps/stunnel-log.Tpo -c -o stunnel-log.o `test -f 'log.c' || echo './'`log.c
mv -f .deps/stunnel-log.Tpo .deps/stunnel-log.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-options.o -MD -MP -MF .deps/stunnel-options.Tpo -c -o stunnel-options.o `test -f 'options.c' || echo './'`options.c
mv -f .deps/stunnel-options.Tpo .deps/stunnel-options.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-protocol.o -MD -MP -MF .deps/stunnel-protocol.Tpo -c -o stunnel-protocol.o `test -f 'protocol.c' || echo './'`protocol.c
mv -f .deps/stunnel-protocol.Tpo .deps/stunnel-protocol.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-network.o -MD -MP -MF .deps/stunnel-network.Tpo -c -o stunnel-network.o `test -f 'network.c' || echo './'`network.c
mv -f .deps/stunnel-network.Tpo .deps/stunnel-network.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-resolver.o -MD -MP -MF .deps/stunnel-resolver.Tpo -c -o stunnel-resolver.o `test -f 'resolver.c' || echo './'`resolver.c
mv -f .deps/stunnel-resolver.Tpo .deps/stunnel-resolver.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-ssl.o -MD -MP -MF .deps/stunnel-ssl.Tpo -c -o stunnel-ssl.o `test -f 'ssl.c' || echo './'`ssl.c
mv -f .deps/stunnel-ssl.Tpo .deps/stunnel-ssl.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-ctx.o -MD -MP -MF .deps/stunnel-ctx.Tpo -c -o stunnel-ctx.o `test -f 'ctx.c' || echo './'`ctx.c
mv -f .deps/stunnel-ctx.Tpo .deps/stunnel-ctx.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-verify.o -MD -MP -MF .deps/stunnel-verify.Tpo -c -o stunnel-verify.o `test -f 'verify.c' || echo './'`verify.c
mv -f .deps/stunnel-verify.Tpo .deps/stunnel-verify.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-sthreads.o -MD -MP -MF .deps/stunnel-sthreads.Tpo -c -o stunnel-sthreads.o `test -f 'sthreads.c' || echo './'`sthreads.c
mv -f .deps/stunnel-sthreads.Tpo .deps/stunnel-sthreads.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-stunnel.o -MD -MP -MF .deps/stunnel-stunnel.Tpo -c -o stunnel-stunnel.o `test -f 'stunnel.c' || echo './'`stunnel.c
stunnel.c: In function ‘daemonize’:
stunnel.c:459: warning: ‘daemon’ is deprecated (declared at /usr/include/stdlib.h:289)
mv -f .deps/stunnel-stunnel.Tpo .deps/stunnel-stunnel.Po
gcc-4.2 -DHAVE_CONFIG_H -I. -I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-pty.o -MD -MP -MF .deps/stunnel-pty.Tpo -c -o stunnel-pty.o `test -f 'pty.c' || echo './'`pty.c
mv -f .deps/stunnel-pty.Tpo .deps/stunnel-pty.Po
gcc-4.2 -DHAVE_CONFIG_H -I.
-I/usr/kerberos/include -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"' -DCONFDIR='"/usr/local/etc/stunnel"' -DPIDFILE='"/usr/local/var/run/stunnel/stunnel.pid"' -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include -I/WhichXcode/Headers/FlatCarbon -I/usr/include -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -MT stunnel-libwrap.o -MD -MP -MF .deps/stunnel-libwrap.Tpo -c -o stunnel-libwrap.o `test -f 'libwrap.c' || echo './'`libwrap.c mv -f .deps/stunnel-libwrap.Tpo .deps/stunnel-libwrap.Po /bin/sh ../libtool --tag=CC --mode=link gcc-4.2 -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -L/usr/local/ssl/lib64 -L/usr/local/ssl/lib -lssl -lcrypto -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -o stunnel stunnel-str.o stunnel-file.o stunnel-client.o stunnel-log.o stunnel-options.o stunnel-protocol.o stunnel-network.o stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o stunnel-verify.o stunnel-sthreads.o stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o -lz -L/usr/local/ssl/lib -L/usr/local/lib/libquicktime -L/usr/local/lib -L/usr/X11/lib -L/usr/lib -lpthread -lwrap libtool: link: gcc-4.2 -pthread -fstack-protector -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -Wall -Wextra -Wno-long-long -pedantic -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386 -o stunnel stunnel-str.o stunnel-file.o stunnel-client.o stunnel-log.o stunnel-options.o stunnel-protocol.o stunnel-network.o stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o stunnel-verify.o stunnel-sthreads.o stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o -L/usr/local/ssl/lib64 -L/usr/local/ssl/lib -lssl -lcrypto -lz -L/usr/local/lib/libquicktime -L/usr/local/lib -L/usr/X11/lib -L/usr/lib /usr/local/lib/libpthread.dylib -lwrap -pthread ld: warning: directory not found for option 
'-L/usr/local/ssl/lib64' make[2]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/src' make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/src' Making all in doc make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/doc' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/doc' Making all in tools make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/tools' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/tools' make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52' make[1]: Nothing to be done for `all-am'. make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52' make: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52'
$ sudo make -w install
Password:
make: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52'
Making install in src
make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/src'
make[2]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/src'
test -z "/usr/local/bin" || /usr/local/bin/mkdir -p "/usr/local/bin"
/bin/sh ../libtool --mode=install /usr/local/bin/install -c stunnel '/usr/local/bin'
libtool: install: /usr/local/bin/install -c stunnel /usr/local/bin/stunnel
test -z "/usr/local/bin" || /usr/local/bin/mkdir -p "/usr/local/bin"
/usr/local/bin/install -c stunnel3 '/usr/local/bin'
test -z "/usr/local/lib/stunnel" || /usr/local/bin/mkdir -p "/usr/local/lib/stunnel"
/bin/sh ../libtool --mode=install /usr/local/bin/install -c libstunnel.la '/usr/local/lib/stunnel'
libtool: install: /usr/local/bin/install -c .libs/libstunnel.dylib /usr/local/lib/stunnel/libstunnel.dylib
libtool: install: /usr/local/bin/install -c .libs/libstunnel.lai /usr/local/lib/stunnel/libstunnel.la
libtool: install: /usr/local/bin/install -c .libs/libstunnel.a /usr/local/lib/stunnel/libstunnel.a
libtool: install: chmod 644 /usr/local/lib/stunnel/libstunnel.a
libtool: install: ranlib /usr/local/lib/stunnel/libstunnel.a
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib/stunnel

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `DYLD_LIBRARY_PATH' environment variable
     during execution

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/src'
make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/src'
Making install in doc
make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/doc'
make[2]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/doc'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/share/doc/stunnel" || /usr/local/bin/mkdir -p "/usr/local/share/doc/stunnel"
/usr/local/bin/install -c -m 644 stunnel.html stunnel.pl.html stunnel.fr.html '/usr/local/share/doc/stunnel'
test -z "/usr/local/share/man/man8" || /usr/local/bin/mkdir -p "/usr/local/share/man/man8"
/usr/local/bin/install -c -m 644 stunnel.8 stunnel.pl.8 stunnel.fr.8 '/usr/local/share/man/man8'
make[2]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/doc'
make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/doc'
Making install in tools
make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/tools'
make[2]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52/tools'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/etc/stunnel" || /usr/local/bin/mkdir -p "/usr/local/etc/stunnel"
/usr/local/bin/install -c -m 644 stunnel.conf-sample '/usr/local/etc/stunnel'
if test ! -r /usr/local/etc/stunnel/stunnel.pem; then \
	if test -r "/dev/urandom"; then \
		dd if="/dev/urandom" of=stunnel.rnd bs=256 count=1; \
		RND="-rand stunnel.rnd"; \
	else \
		RND=""; \
	fi; \
	/usr/local/ssl/bin/openssl req -new -x509 -days 365 $RND \
		-config ./stunnel.cnf \
		-out stunnel.pem -keyout stunnel.pem; \
	/usr/local/ssl/bin/openssl gendh $RND 1024 >> stunnel.pem; \
	/usr/local/ssl/bin/openssl x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
	/usr/local/bin/install -c -m 600 stunnel.pem /usr/local/etc/stunnel/stunnel.pem; \
	rm stunnel.pem; \
fi
/usr/local/bin/install -c -d -m 1770 /usr/local/var/lib/stunnel
chgrp nogroup /usr/local/var/lib/stunnel
if uname | grep SunOS; then \
	/usr/local/bin/install -c -d -m 755 /usr/local/var/lib/stunnel/dev; \
	mknod /usr/local/var/lib/stunnel/dev/zero c 13 12; \
	chmod 666 /usr/local/var/lib/stunnel/dev/zero; \
fi
test -z "/usr/local/share/doc/stunnel/examples" || /usr/local/bin/mkdir -p "/usr/local/share/doc/stunnel/examples"
/usr/local/bin/install -c -m 644 ca.html ca.pl importCA.html importCA.sh script.sh stunnel.spec stunnel.init stunnel.service '/usr/local/share/doc/stunnel/examples'
make[2]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/tools'
make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52/tools'
make[1]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52'
make[2]: Entering directory `/Volumes/RamDisk/Safari/stunnel-4.52'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/share/doc/stunnel" || /usr/local/bin/mkdir -p "/usr/local/share/doc/stunnel"
/usr/local/bin/install -c -m 644 INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS '/usr/local/share/doc/stunnel'
make[2]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52'
make[1]: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52'
make: Leaving directory `/Volumes/RamDisk/Safari/stunnel-4.52'
$ _
---end---
If it matters, I have a local checkout of the openssl-cvs repo here, and use it instead-of Apple's.
[BTW I have a personal project to "jump off this fruity ship" ASAP. I've written about this in earlier posts (several months ago) to the Pan maillist, if anyone is interested.]
Thanks for any help at all.
SciFi wrote:
$ uname -a Darwin SciFi.homeip.net 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386 i386 iMac6,1 Darwin
I couldn't reproduce your problem. It just works for me.
$ uname -a Darwin PowerBook.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Power Macintosh
I am fine while relegated to using stunnel-4.49, but we have a further issue, in that the "verify=<number>" option seems to reject the certs & what-not coming from these servers, for any <number> higher than 0 (yes I saw the maillist discussion about what 4 means there, and tried it also).
Are you sure you've put your peer certificates in /usr/local/var/lib/stunnel/certs, and then executed c_rehash there? In most cases it's better to use CAfile instead of CApath.
I manually start stunnel on a login-root terminal window, this way: # stunnel /usr/local/etc/stunnel/stunnel.conf -sockets
You are supposed to use *either* stunnel.conf or -sockets as a parameter. See the manual for details.
key = /usr/local/etc/stunnel/stunnel.pem
There is no point in specifying your private key in client mode, unless you also specify your certificate *and* configure remote servers to perform authentication based on client certificates. In your case (connecting some public services) it just doesn't make sense.
sslVersion = all
ciphers = ALL
It doesn't look very secure.
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
For troubleshooting it's best to avoid these options.
CApath = /certs
CRLpath = /crls
Again it's better to use CAfile instead. Do you really use CRLs?
Thanks for any help at all.
My troubleshooting tip:
Start with stable OpenSSL, and a minimal configuration:
foreground = yes
pid =
debug = 7
client = yes

[nntp_gn]
accept = 12000
connect = news.giganews.com:563

[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563

[nntp_gm]
accept = 12002
connect = 80.91.229.10:563
Try to get it working. Useful Mac OS X diagnostic commands: dtruss, lastwords.
Then add other options one by one.
Mike
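An added example (my own code, not stunnel's and not from either poster) that turns the points in the reply above into a check one can run against a stunnel 4.x client configuration before trusting it: it layers the global options under each [service] the way stunnel does, then reports the verify level, CApath without CAfile, a key with no cert in client mode, sslVersion = all, ciphers = ALL, and chroot/setuid/setgid left on while troubleshooting. The weak sample is reconstructed from the option lines quoted in the reply; the hardened sample is the minimal config above with verification switched on, and its CAfile path and cipher string are assumptions for the example.

```python
"""Audit a stunnel 4.x *client* configuration for the weaknesses raised in
the thread.  Added example, not stunnel's own tooling.  Option semantics
follow the stunnel 4.x manual; sample configs are constructed."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z_]+)\s*=\s*(?P<val>.*?)$")


def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}).  As in stunnel, options before
    the first [service] header are defaults for every service.  Option names
    are matched case-insensitively; comment lines start with ';' or '#'."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            services[current] = {}
            continue
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        target = global_opts if current is None else services[current]
        target[m.group("key").lower()] = m.group("val").strip()
    return global_opts, services


def audit_service(name, opts):
    """Findings for one service's effective options: (service, severity, message)."""
    out = []
    client = opts.get("client", "no").lower() == "yes"
    verify = int(opts.get("verify") or 0)          # unset means no verification
    has_ca = "cafile" in opts or "capath" in opts
    if client and verify == 0:
        out.append((name, "HIGH", "verify is 0/unset: the server certificate is never checked, "
                                  "so anyone on the path can impersonate the server (MITM)"))
    elif client and verify == 1:
        out.append((name, "MEDIUM", "verify = 1 still accepts a peer that presents no certificate; use 2 or higher"))
    if verify >= 2 and not has_ca:
        out.append((name, "HIGH", "verify = %d with no CAfile/CApath: no trust anchors, every handshake fails" % verify))
    if "capath" in opts and "cafile" not in opts:
        out.append((name, "MEDIUM", "CApath needs c_rehash'd hash links and is looked up after chroot; one CAfile bundle is simpler"))
    if client and "key" in opts and "cert" not in opts:
        out.append((name, "LOW", "key without cert in client mode has no effect"))
    if opts.get("sslversion", "").lower() == "all":
        out.append((name, "MEDIUM", "sslVersion = all lets the peer pick SSLv2/SSLv3 unless NO_SSLv2/NO_SSLv3 options are set; pin TLSv1"))
    if opts.get("ciphers", "").upper() == "ALL":
        out.append((name, "MEDIUM", "ciphers = ALL includes anonymous (aNULL), export and LOW suites; use HIGH:!aNULL"))
    for k in ("chroot", "setuid", "setgid"):
        if k in opts:
            out.append((name, "LOW", "%s set: drop it until the tunnel works, then re-enable" % k))
    return out


def audit_conf(text):
    """Audit every service (or the global block alone if there are none)."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, svc in (services or {"(global)": {}}).items():
        effective = dict(global_opts)
        effective.update(svc)
        findings.extend(audit_service(name, effective))
    return findings


# Constructed sample: the option lines Mike quoted from the original config,
# plus one of the three services.
WEAK_CONF = """\
client = yes
key = /usr/local/etc/stunnel/stunnel.pem
sslVersion = all
ciphers = ALL
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
CApath = /certs
CRLpath = /crls

[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563
"""

# Mike's minimal config with verification switched on.  The CAfile path and
# the cipher string are assumptions made for this example.
HARDENED_CONF = """\
foreground = yes
pid =
debug = 7
client = yes
verify = 2
CAfile = /usr/local/etc/stunnel/ca-bundle.pem
sslVersion = TLSv1
ciphers = HIGH:!aNULL

[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("== %s ==" % label)
        for svc, sev, msg in audit_conf(conf) or [("-", "OK", "no findings")]:
            print("%-8s %-6s %s" % (svc, sev, msg))
```

Two caveats worth keeping in mind when reading the output. verify = 2 checks the chain against CAfile, but stunnel 4.x has no checkHost option, so it never compares the certificate's name with the connect target; pinning the server's own certificate (verify = 3 or 4 with that certificate in CAfile) is how you bind the tunnel to one specific server on this version. And CApath is only consulted at handshake time, after stunnel has chrooted, which is why /certs in the original config has to exist as /usr/local/var/lib/stunnel/certs on disk, while CAfile is read once at start-up before the chroot.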
Hi,
Thank you very much for taking time to help.
I rebuilt stunnel-4.52b2, changing my ./configure to "--with-ssl=/usr" so to use Apple's version.
Then I made a new .conf file with your minimal lines:
---start---
foreground = yes
pid =
debug = 7
client = yes

[nntp_gn]
accept = 12000
connect = news.giganews.com:563

[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563

[nntp_gm]
accept = 12002
connect = 80.91.229.10:563
---end---
That much worked. :)
But I am still highly skeptical whether we are _really_ secure along the pipe. So I added the "verify = 0" line (placed just under the "client = yes" line shown above), and now we get a Bus Error whenever we make Pan go into session with Astraweb (in this case trying to fetch a simple text post).
I did a backtrace:
# gdb stunnel
GNU gdb 6.3.50-20050815 (Apple version gdb-1705) (Tue Jul 5 07:28:08 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ...... done

(gdb) set args /usr/local/etc/stunnel/stunnel2.conf
(gdb) run
Starting program: /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel2.conf
Reading symbols for shared libraries .+++++. done
2012.01.11 20:48:52 LOG7[25326:2697274688]: Clients allowed=500
2012.01.11 20:48:52 LOG5[25326:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 20:48:52 LOG5[25326:2697274688]: Compiled with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 20:48:52 LOG5[25326:2697274688]: Running with OpenSSL 0.9.8r 8 Feb 2011
2012.01.11 20:48:52 LOG5[25326:2697274688]: Update OpenSSL shared libraries or rebuild stunnel
2012.01.11 20:48:52 LOG5[25326:2697274688]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:SELECT,IPv6
2012.01.11 20:48:52 LOG5[25326:2697274688]: Reading configuration from file /usr/local/etc/stunnel/stunnel2.conf
2012.01.11 20:48:52 LOG7[25326:2697274688]: Compression not enabled
2012.01.11 20:48:52 LOG7[25326:2697274688]: PRNG seeded successfully
2012.01.11 20:48:52 LOG6[25326:2697274688]: Initializing SSL context for service nntp_gn
2012.01.11 20:48:52 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:52 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG6[25326:2697274688]: Initializing SSL context for service nntp_aw
2012.01.11 20:48:53 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:53 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG6[25326:2697274688]: Initializing SSL context for service nntp_gm
2012.01.11 20:48:53 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:53 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG5[25326:2697274688]: Configuration successful
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_gn bound FD=11 to 0.0.0.0:12000
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_aw bound FD=12 to 0.0.0.0:12001
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_gm bound FD=13 to 0.0.0.0:12002
2012.01.11 20:48:53 LOG7[25326:2697274688]: No pid file being created
2012.01.11 20:49:06 LOG7[25326:2697274688]: Service nntp_aw accepted FD=14 from 127.0.0.1:58969
2012.01.11 20:49:06 LOG7[25326:2952859648]: Service nntp_aw started
2012.01.11 20:49:06 LOG7[25326:2952859648]: Waiting for a libwrap process
2012.01.11 20:49:06 LOG7[25326:2952859648]: Acquired libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Releasing libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Released libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Service nntp_aw permitted by libwrap from 127.0.0.1:58969
2012.01.11 20:49:06 LOG5[25326:2952859648]: Service nntp_aw accepted connection from 127.0.0.1:58969
2012.01.11 20:49:06 LOG6[25326:2952859648]: connect_blocking: connecting 216.151.153.14:563
2012.01.11 20:49:06 LOG7[25326:2952859648]: connect_blocking: s_poll_wait 216.151.153.14:563: waiting 10 seconds
2012.01.11 20:49:06 LOG5[25326:2952859648]: connect_blocking: connected 216.151.153.14:563
2012.01.11 20:49:06 LOG5[25326:2952859648]: Service nntp_aw connected remote server from 192.168.1.65:58970
2012.01.11 20:49:06 LOG7[25326:2952859648]: Remote FD=15 initialized
2012.01.11 20:49:06 LOG7[25326:2952859648]: SNI: host name: ssl.astraweb.com

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
[Switching to process 25326 thread 0x1403]
0x94b0b2d6 in X509_get_subject_name ()
(gdb) bt
#0  0x94b0b2d6 in X509_get_subject_name ()
#1  0x0000f213 in verify_callback ()
#2  0x94ac68ce in X509_verify_cert_orig ()
#3  0x94a487af in X509_verify_cert ()
#4  0x946159fb in ssl_verify_cert_chain ()
#5  0x9460624c in ssl3_get_server_certificate ()
#6  0x94608748 in ssl3_connect ()
#7  0x00002ed7 in init_ssl ()
#8  0x000040a3 in client_try ()
#9  0x00005206 in client_run ()
#10 0x00005490 in client_main ()
#11 0x000054c3 in client_thread ()
#12 0x9a193259 in _pthread_start ()
#13 0x9a1930de in thread_start ()
(gdb) quit
The program is running. Exit anyway? (y or n) y
# _
I'm sorry, that's about as deep as I know to go. ;) But I should be able to do more tests with detailed instructions if needed.
For now, I will comment-out the "verify" line, and use this build with your basic .conf file even tho it makes me remain highly paranoid. ;(
(I have further questions about your reply; I'll postpone them once I know I can use the 4.5-series properly, then go forward from there.)
Thank you(-all) again.
SciFi wrote:
2012.01.11 20:48:52 LOG5[25326:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 20:48:52 LOG5[25326:2697274688]: Compiled with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 20:48:52 LOG5[25326:2697274688]: Running with OpenSSL 0.9.8r 8 Feb 2011
2012.01.11 20:48:52 LOG5[25326:2697274688]: Update OpenSSL shared libraries or rebuild stunnel
[cut]
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
[Switching to process 25326 thread 0x1403]
0x94b0b2d6 in X509_get_subject_name ()
(gdb) bt
#0  0x94b0b2d6 in X509_get_subject_name ()
#1  0x0000f213 in verify_callback ()
[cut]
I'm sorry, that's about as deep as I know to go. ;)
The level of detail is perfectly fine. A different numeric part of the OpenSSL version number indicates major changes in code *and* data structures. This is very likely to cause crashes. The architecture details of 0.9.8 and 1.1.0 are very different.
I modified stunnel to make it independent from the layout of X509_STORE_CTX data structure: ftp://ftp.stunnel.org/stunnel/beta/stunnel-4.52b3.tar.gz It's still better to run stunnel with the version of OpenSSL it was compiled with.
But I should be able to do more tests with detailed instructions if needed.
For now, I will comment-out the "verify" line, and use this build with your basic .conf file even tho it makes me remain highly paranoid. ;(
That's good. Without certificate-based authentication, SSL is vulnerable to man-in-the-middle attacks.
Mike
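An added example (my own code, not stunnel's and not from either poster) of the check Mike describes, applied to the banner stunnel prints at start-up: it pulls the "Compiled with" and "Running with" OpenSSL versions out of the LOG5 lines and compares their numeric part, so a build that loads a different library generation than it was compiled against is caught before the first handshake reaches verify_callback. The mismatched sample is reconstructed from the 4.52 run quoted above; the matching sample is a constructed banner in the single-line "Compiled/running with" form stunnel uses when both versions agree, and the regular expressions are mine.

```python
"""Detect a compile-time / run-time OpenSSL mismatch from stunnel's startup
banner.  Added example; the comparison rule (the numeric major.minor.fix
part must match, patch letters and -dev tags are ignored) follows Mike's
explanation in the thread.  Sample log lines are constructed."""
import re

OPENSSL_RE = re.compile(r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<fix>\d+)[a-z]*")
COMPILED_RE = re.compile(r"Compiled(?P<both>/running)? with (?P<ver>OpenSSL .*)$")
RUNNING_RE = re.compile(r"Running with (?P<ver>OpenSSL .*)$")


def openssl_versions(log):
    """(compiled, running) version strings from the LOG5 banner lines.
    Handles both the single 'Compiled/running with' line stunnel prints when
    the versions agree and the separate 'Compiled with' / 'Running with' pair
    it prints when they do not.  Either may be None if the line is absent."""
    compiled = running = None
    for line in log.splitlines():
        m = COMPILED_RE.search(line)
        if m:
            compiled = m.group("ver").strip()
            if m.group("both"):
                running = compiled
            continue
        m = RUNNING_RE.search(line)
        if m:
            running = m.group("ver").strip()
    return compiled, running


def numeric_part(version):
    """(major, minor, fix) of an OpenSSL version string, e.g.
    'OpenSSL 0.9.8r 8 Feb 2011' -> (0, 9, 8).  The letter suffix and any
    -dev tag are patch level and are deliberately not compared."""
    m = OPENSSL_RE.search(version)
    if not m:
        raise ValueError("no OpenSSL version in %r" % version)
    return int(m.group("major")), int(m.group("minor")), int(m.group("fix"))


def check_openssl_match(log):
    """Return (status, compiled, running); status is 'ok', 'mismatch' or
    'unknown' (banner lines not found in the log)."""
    compiled, running = openssl_versions(log)
    if compiled is None or running is None:
        return "unknown", compiled, running
    status = "ok" if numeric_part(compiled) == numeric_part(running) else "mismatch"
    return status, compiled, running


# Constructed from the 4.52 run in the thread: built against the private
# OpenSSL 1.1.0-dev checkout, loading Apple's 0.9.8r at run time.
MISMATCH_LOG = """\
2012.01.11 20:48:52 LOG5[25326:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 20:48:52 LOG5[25326:2697274688]: Compiled with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 20:48:52 LOG5[25326:2697274688]: Running with OpenSSL 0.9.8r 8 Feb 2011
2012.01.11 20:48:52 LOG5[25326:2697274688]: Update OpenSSL shared libraries or rebuild stunnel
"""

# Constructed: what the banner looks like once the build really uses the
# same library it runs with (stunnel collapses the two lines into one).
MATCH_LOG = """\
2012.01.11 21:00:00 LOG5[25400:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 21:00:00 LOG5[25400:2697274688]: Compiled/running with OpenSSL 0.9.8r 8 Feb 2011
"""

if __name__ == "__main__":
    for label, log in (("4.52 as built in the thread", MISMATCH_LOG), ("rebuilt against /usr", MATCH_LOG)):
        status, compiled, running = check_openssl_match(log)
        print("%-28s %-8s compiled=%r running=%r" % (label, status, compiled, running))
```

The same banner is printed by `stunnel -version` without starting any service, so the check can run from a shell before the daemon is started; `otool -L /usr/local/bin/stunnel` on Mac OS X (`ldd` on Linux) then shows which libssl/libcrypto the dynamic linker will actually load. In the build log earlier in the thread the compile lines carry -I/usr/local/ssl/include and -I/usr/local/include ahead of -I/usr/include, which is the usual way a private OpenSSL's headers get picked up even after --with-ssl is pointed at /usr; the "Compiled with" line is the quickest confirmation of which headers were really used.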