help - stunnel-users

26 Jun 2023


      Hello, I am trying to configure stunnel on windows (version 5.69)
I am using the capi engine with below conf.
I am sending the logs to logstash and not sure if it is working or not.
My questions are:
1) I dont see anything in the log after initializing the service. When it
sends the logs through stunnel, should i see an entry in the logs?
2) When using capi engine, should i limit the ssl version still ? in your
website i see that the tls version supposed to be limited but is it an old
info?
3) in your website again it mentions that i should specify the security
level to zero for capi engine, is it also a valid info? if yes, do i need
to set it in global section or service level?
https://www.stunnel.org/config_windows.html
fips = yes
taskbar = yes
engine = capi
output = C:\Logs\stunnel\stunnel.log
debug = debug
[logging_service_for_filebeat]
engineId = capi
client = yes
accept = {{ stunnel_logging_port_filebeat }}
delay = yes
connect = {{ logstash_vip }}:{{ stunnel_logging_port_filebeat }}
ciphers =
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
sessionCacheSize = 5000
sessionCacheTimeout = 300
socket = l:TCP_NODELAY=1
# the only FIPS 140-2 compliant protocol
sslVersion = TLSv1.2
CApath = <ca path>
verifyChain = yes
checkHost = <ca host>
verify = 2
Log:
023.06.26 14:37:39 LOG6[service]: Initializing inetd mode configuration
2023.06.26 14:37:39 LOG7[service]: Running on Windows 6.2
2023.06.26 14:37:39 LOG7[service]: No limit detected for the number of
clients
2023.06.26 14:37:39 LOG5[service]: stunnel 5.69 on x64-pc-mingw32-gnu
platform
2023.06.26 14:37:39 LOG5[service]: Compiled/running with OpenSSL 3.0.8 7
Feb 2023
2023.06.26 14:37:39 LOG5[service]: Threading:WIN32 Sockets:SELECT,IPv6
TLS:ENGINE,FIPS,OCSP,PSK,SNI
2023.06.26 14:37:39 LOG7[service]: errno: (*_errno())
2023.06.26 14:37:39 LOG6[service]: Initializing inetd mode configuration
2023.06.26 14:37:39 LOG7[service]: Running on Windows 6.2
2023.06.26 14:37:39 LOG5[service]: Reading configuration from file
C:\Program Files (x86)\stunnel\config\stunnel.conf
2023.06.26 14:37:39 LOG5[service]: UTF-8 byte order mark not detected
2023.06.26 14:37:39 LOG7[service]: Enabling support for engine "capi"
2023.06.26 14:37:39 LOG6[service]: Logging not supported by engine #1 (capi)
2023.06.26 14:37:39 LOG6[service]: UI not supported by engine #1 (capi)
2023.06.26 14:37:39 LOG7[service]: Initializing engine #1 (capi)
2023.06.26 14:37:39 LOG6[service]: Engine #1 (capi) initialized
2023.06.26 14:37:39 LOG5[service]: FIPS provider enabled
2023.06.26 14:37:39 LOG5[service]: FIPS mode enabled
2023.06.26 14:37:39 LOG6[service]: Compression disabled
2023.06.26 14:37:39 LOG7[service]: No PRNG seeding was required
2023.06.26 14:37:39 LOG6[service]: Initializing service
[logging_service_for_filebeat]
2023.06.26 14:37:39 LOG6[service]: stunnel default security level set: 2
2023.06.26 14:37:39 LOG7[service]: Ciphers:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
2023.06.26 14:37:39 LOG7[service]: TLSv1.3 ciphersuites:
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.06.26 14:37:39 LOG7[service]: TLS options: 0x2100000 (+0x0, -0x0)
2023.06.26 14:37:39 LOG6[service]: Session resumption enabled
2023.06.26 14:37:39 LOG6[service]: Client certificate engine (capi) enabled
2023.06.26 14:37:39 LOG7[service]: No certificate or private key specified
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA:xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA:xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: DH initialization skipped: client section
2023.06.26 14:37:39 LOG7[service]: ECDH initialization
2023.06.26 14:37:39 LOG7[service]: ECDH initialized with curves
X25519:P-256:X448:P-521:P-384
2023.06.26 14:37:39 LOG6[service]: Initializing service
[logging_service_for_winlogbeat]
2023.06.26 14:37:39 LOG6[service]: stunnel default security level set: 2
2023.06.26 14:37:39 LOG7[service]: Ciphers:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
2023.06.26 14:37:39 LOG7[service]: TLSv1.3 ciphersuites:
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.06.26 14:37:39 LOG7[service]: TLS options: 0x2100000 (+0x0, -0x0)
2023.06.26 14:37:39 LOG6[service]: Session resumption enabled
2023.06.26 14:37:39 LOG6[service]: Client certificate engine (capi) enabled
2023.06.26 14:37:39 LOG7[service]: No certificate or private key specified
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: DH initialization skipped: client section
2023.06.26 14:37:39 LOG7[service]: ECDH initialization
2023.06.26 14:37:39 LOG7[service]: ECDH initialized with curves
X25519:P-256:X448:P-521:P-384
2023.06.26 14:37:39 LOG5[service]: Configuration successful
2023.06.26 14:37:39 LOG7[service]: Deallocating deployed section defaults
2023.06.26 14:37:39 LOG7[service]: Binding service
[logging_service_for_filebeat]
2023.06.26 14:37:39 LOG7[service]: Listening file descriptor created
(FD=632)
2023.06.26 14:37:39 LOG7[service]: Setting accept socket options (FD=632)
2023.06.26 14:37:39 LOG7[service]: Option SO_EXCLUSIVEADDRUSE set on accept
socket
2023.06.26 14:37:39 LOG6[service]: Service [logging_service_for_filebeat]
(FD=632) bound to 0.0.0.0:10300
2023.06.26 14:37:39 LOG7[service]: Binding service
[logging_service_for_winlogbeat]
2023.06.26 14:37:39 LOG7[service]: Listening file descriptor created
(FD=648)
2023.06.26 14:37:39 LOG7[service]: Setting accept socket options (FD=648)
2023.06.26 14:37:39 LOG7[service]: Option SO_EXCLUSIVEADDRUSE set on accept
socket
2023.06.26 14:37:39 LOG6[service]: Service [logging_service_for_winlogbeat]
(FD=648) bound to 0.0.0.0:10301
2023.06.26 14:37:39 LOG6[service]: Accepting new connections
2023.06.26 14:37:39 LOG7[per-second]: Per-second thread initialized
2023.06.26 14:37:39 LOG7[per-day]: Per-day thread initialized
2023.06.26 14:37:39 LOG6[per-day]: Executing per-day jobs
2023.06.26 14:37:39 LOG6[per-day]: Per-day jobs completed in 0 seconds
2023.06.26 14:37:39 LOG7[per-day]: Waiting 86400 seconds
-- 
Seray TOKADLI KILIÇ
+420778116052