Hello, I am trying to configure stunnel on Windows (version 5.69).
I am using the capi engine with the conf below. I am sending the logs to Logstash and am not sure whether it is working or not. My questions are:
1) I don't see anything in the log after initializing the service. When it sends the logs through stunnel, should I see an entry in the logs?
2) When using the capi engine, should I still limit the SSL version? On your website I see that the TLS version is supposed to be limited, but is that old info?
3) Your website also mentions that I should set the security level to zero for the capi engine; is that also valid info? If yes, do I need to set it in the global section or at the service level?
https://www.stunnel.org/config_windows.html
fips = yes
taskbar = yes
engine = capi
output = C:\Logs\stunnel\stunnel.log
debug = debug

[logging_service_for_filebeat]
engineId = capi
client = yes
accept = {{ stunnel_logging_port_filebeat }}
delay = yes
connect = {{ logstash_vip }}:{{ stunnel_logging_port_filebeat }}
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
sessionCacheSize = 5000
sessionCacheTimeout = 300
socket = l:TCP_NODELAY=1
# the only FIPS 140-2 compliant protocol
sslVersion = TLSv1.2
CApath = <ca path>
verifyChain = yes
checkHost = <ca host>
verify = 2
Log:
2023.06.26 14:37:39 LOG6[service]: Initializing inetd mode configuration
2023.06.26 14:37:39 LOG7[service]: Running on Windows 6.2
2023.06.26 14:37:39 LOG7[service]: No limit detected for the number of clients
2023.06.26 14:37:39 LOG5[service]: stunnel 5.69 on x64-pc-mingw32-gnu platform
2023.06.26 14:37:39 LOG5[service]: Compiled/running with OpenSSL 3.0.8 7 Feb 2023
2023.06.26 14:37:39 LOG5[service]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2023.06.26 14:37:39 LOG7[service]: errno: (*_errno())
2023.06.26 14:37:39 LOG6[service]: Initializing inetd mode configuration
2023.06.26 14:37:39 LOG7[service]: Running on Windows 6.2
2023.06.26 14:37:39 LOG5[service]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
2023.06.26 14:37:39 LOG5[service]: UTF-8 byte order mark not detected
2023.06.26 14:37:39 LOG7[service]: Enabling support for engine "capi"
2023.06.26 14:37:39 LOG6[service]: Logging not supported by engine #1 (capi)
2023.06.26 14:37:39 LOG6[service]: UI not supported by engine #1 (capi)
2023.06.26 14:37:39 LOG7[service]: Initializing engine #1 (capi)
2023.06.26 14:37:39 LOG6[service]: Engine #1 (capi) initialized
2023.06.26 14:37:39 LOG5[service]: FIPS provider enabled
2023.06.26 14:37:39 LOG5[service]: FIPS mode enabled
2023.06.26 14:37:39 LOG6[service]: Compression disabled
2023.06.26 14:37:39 LOG7[service]: No PRNG seeding was required
2023.06.26 14:37:39 LOG6[service]: Initializing service [logging_service_for_filebeat]
2023.06.26 14:37:39 LOG6[service]: stunnel default security level set: 2
2023.06.26 14:37:39 LOG7[service]: Ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
2023.06.26 14:37:39 LOG7[service]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.06.26 14:37:39 LOG7[service]: TLS options: 0x2100000 (+0x0, -0x0)
2023.06.26 14:37:39 LOG6[service]: Session resumption enabled
2023.06.26 14:37:39 LOG6[service]: Client certificate engine (capi) enabled
2023.06.26 14:37:39 LOG7[service]: No certificate or private key specified
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: DH initialization skipped: client section
2023.06.26 14:37:39 LOG7[service]: ECDH initialization
2023.06.26 14:37:39 LOG7[service]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2023.06.26 14:37:39 LOG6[service]: Initializing service [logging_service_for_winlogbeat]
2023.06.26 14:37:39 LOG6[service]: stunnel default security level set: 2
2023.06.26 14:37:39 LOG7[service]: Ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
2023.06.26 14:37:39 LOG7[service]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.06.26 14:37:39 LOG7[service]: TLS options: 0x2100000 (+0x0, -0x0)
2023.06.26 14:37:39 LOG6[service]: Session resumption enabled
2023.06.26 14:37:39 LOG6[service]: Client certificate engine (capi) enabled
2023.06.26 14:37:39 LOG7[service]: No certificate or private key specified
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: Configured trusted server CA: xxx
2023.06.26 14:37:39 LOG6[service]: DH initialization skipped: client section
2023.06.26 14:37:39 LOG7[service]: ECDH initialization
2023.06.26 14:37:39 LOG7[service]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2023.06.26 14:37:39 LOG5[service]: Configuration successful
2023.06.26 14:37:39 LOG7[service]: Deallocating deployed section defaults
2023.06.26 14:37:39 LOG7[service]: Binding service [logging_service_for_filebeat]
2023.06.26 14:37:39 LOG7[service]: Listening file descriptor created (FD=632)
2023.06.26 14:37:39 LOG7[service]: Setting accept socket options (FD=632)
2023.06.26 14:37:39 LOG7[service]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2023.06.26 14:37:39 LOG6[service]: Service [logging_service_for_filebeat] (FD=632) bound to 0.0.0.0:10300
2023.06.26 14:37:39 LOG7[service]: Binding service [logging_service_for_winlogbeat]
2023.06.26 14:37:39 LOG7[service]: Listening file descriptor created (FD=648)
2023.06.26 14:37:39 LOG7[service]: Setting accept socket options (FD=648)
2023.06.26 14:37:39 LOG7[service]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2023.06.26 14:37:39 LOG6[service]: Service [logging_service_for_winlogbeat] (FD=648) bound to 0.0.0.0:10301
2023.06.26 14:37:39 LOG6[service]: Accepting new connections
2023.06.26 14:37:39 LOG7[per-second]: Per-second thread initialized
2023.06.26 14:37:39 LOG7[per-day]: Per-day thread initialized
2023.06.26 14:37:39 LOG6[per-day]: Executing per-day jobs
2023.06.26 14:37:39 LOG6[per-day]: Per-day jobs completed in 0 seconds
2023.06.26 14:37:39 LOG7[per-day]: Waiting 86400 seconds
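As an added example (not part of the original post, and not stunnel's own code): a small Python parser for logs in the layout shown above ("YYYY.MM.DD HH:MM:SS LOGn[thread]: message"). Per service section it extracts the effective security level, the cipher list, the address the service was bound to and the certificate-related messages, and it counts per-connection events so that a startup-only log is recognisable as giving no evidence of traffic. The embedded sample is a trimmed, constructed copy of the startup log above; the two hypothetical traffic lines and the message patterns they match are assumptions about what stunnel prints for a client session, not something shown in the post.

```python
"""Summarise an stunnel log per service section and count traffic events.

Added example, not code from the original post or from the stunnel project.
The line layout is the one seen in the post; the per-connection message
texts in CONNECTION_PATTERNS are an assumption about what stunnel prints
for a client session, not something shown in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$"
)
INIT_RE = re.compile(r"Initializing service \[(.+?)\]")
BOUND_RE = re.compile(r"Service \[(.+?)\] \(FD=\d+\) bound to (\S+)")
SECLEVEL_RE = re.compile(r"security level set: (\d+)")
# Assumed per-connection messages (one client session, not startup noise).
CONNECTION_PATTERNS = (
    re.compile(r"accepted connection from"),
    re.compile(r"^Connection closed"),
)

# Constructed sample: a trimmed copy of the startup log quoted in the post.
SAMPLE_LOG = """\
2023.06.26 14:37:39 LOG5[service]: stunnel 5.69 on x64-pc-mingw32-gnu platform
2023.06.26 14:37:39 LOG6[service]: Engine #1 (capi) initialized
2023.06.26 14:37:39 LOG5[service]: FIPS mode enabled
2023.06.26 14:37:39 LOG6[service]: Initializing service [logging_service_for_filebeat]
2023.06.26 14:37:39 LOG6[service]: stunnel default security level set: 2
2023.06.26 14:37:39 LOG7[service]: Ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
2023.06.26 14:37:39 LOG6[service]: Client certificate engine (capi) enabled
2023.06.26 14:37:39 LOG7[service]: No certificate or private key specified
2023.06.26 14:37:39 LOG6[service]: Initializing service [logging_service_for_winlogbeat]
2023.06.26 14:37:39 LOG6[service]: stunnel default security level set: 2
2023.06.26 14:37:39 LOG7[service]: Ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
2023.06.26 14:37:39 LOG6[service]: Client certificate engine (capi) enabled
2023.06.26 14:37:39 LOG7[service]: No certificate or private key specified
2023.06.26 14:37:39 LOG5[service]: Configuration successful
2023.06.26 14:37:39 LOG6[service]: Service [logging_service_for_filebeat] (FD=632) bound to 0.0.0.0:10300
2023.06.26 14:37:39 LOG6[service]: Service [logging_service_for_winlogbeat] (FD=648) bound to 0.0.0.0:10301
2023.06.26 14:37:39 LOG6[service]: Accepting new connections
"""

# Constructed, hypothetical lines for one client session; their wording is an
# assumption about stunnel's per-connection messages, not taken from the post.
SAMPLE_WITH_TRAFFIC = SAMPLE_LOG + """\
2023.06.26 14:40:01 LOG5[0]: Service [logging_service_for_filebeat] accepted connection from 127.0.0.1:51234
2023.06.26 14:40:02 LOG5[0]: Connection closed: 4096 byte(s) sent to TLS, 0 byte(s) sent to socket
"""


@dataclass
class ServiceSummary:
    name: str
    security_level: Optional[int] = None
    ciphers: Optional[str] = None
    bound_to: Optional[str] = None
    cert_messages: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Tuple[str, int, str, str]]:
    """Split one log line into (timestamp, level, thread, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], int(m["level"]), m["thread"], m["msg"]


def summarise(log_text: str) -> Tuple[Dict[str, ServiceSummary], int]:
    """Per-service startup settings plus the number of per-connection events.

    Zero events means the log shows initialisation only and proves nothing
    about traffic actually having been forwarded."""
    services: Dict[str, ServiceSummary] = {}
    current: Optional[ServiceSummary] = None
    connection_events = 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _ts, _level, _thread, msg = parsed
        if any(p.search(msg) for p in CONNECTION_PATTERNS):
            connection_events += 1
            continue
        m = INIT_RE.match(msg)
        if m:
            current = services.setdefault(m[1], ServiceSummary(m[1]))
            continue
        m = BOUND_RE.match(msg)
        if m:  # bind messages come after every section has been initialised
            services.setdefault(m[1], ServiceSummary(m[1])).bound_to = m[2]
            continue
        if current is None:
            continue  # global startup messages before the first section
        m = SECLEVEL_RE.search(msg)
        if m:
            current.security_level = int(m[1])
        elif msg.startswith("Ciphers: "):
            current.ciphers = msg[len("Ciphers: "):]
        elif "certificate" in msg.lower():
            current.cert_messages.append(msg)
    return services, connection_events


def report(log_text: str) -> List[str]:
    """One line per service, then the traffic verdict."""
    services, events = summarise(log_text)
    lines = [
        f"{s.name}: level={s.security_level} bound={s.bound_to} "
        f"cert={'; '.join(s.cert_messages) or 'n/a'}"
        for s in services.values()
    ]
    lines.append(f"connection events: {events}"
                 + ("" if events else " (startup only, no forwarding evidence)"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run as a script it prints the per-service summary for the constructed startup log and reports zero connection events; point `report()` at the real stunnel.log instead (read the file and pass its text) to see whether any client-session lines have appeared since the service started.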