Hello
I'm trying to set up stunnel 4.20; yes, it is an old version, but it is the only one on HP's website for VMS.
I need a little help in the conf files.
Since I will be using telnet, do I need to put in each machine's IP address that will be connecting? So in the example below, do I create a list of connects?
[telnet]
accept = 999
connect = 192.168.0.1:993
Thanks Paul
Paul J Coviello Senior System Administrator
CCS Corporate Headquarters Two Wells Avenue, Newton, MA 02459 617.965.2000, Ext. 4004
On Wed, 2015-04-08 11:18:43 -0400, Coviello, Paul wrote:
Paul,
the configuration above makes stunnel listen on local port 999, accepting connections from all IP addresses, and forward the traffic to port 993 of the box with IP address 192.168.0.1.
Depending on the 'client = ...' statement, stunnel expects the traffic at port 999 to be encrypted (server mode, client = no, default), or at port 993 (client mode, client = yes).
Any access control may be implemented via libwrap and (in server mode) via restriction of the accepted certificates.
HTH,
Ludolf
Let me see, so I need to do the following.
connect = 192.168.0.1:993
connect = 192.168.20.140:993
connect = 192.168.xx.xxx:993
connect = 192.168.xx.xxy:993
Thanks Paul
-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Wednesday, April 08, 2015 11:35 AM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] openvms and stunnel
Paul,
What are you trying to do:
Set up an incoming encrypted link to an outgoing unencrypted link? Set up an incoming unencrypted link to an outgoing encrypted link? Something else?
Carter
On 4/8/2015 11:49 AM, Coviello, Paul wrote:
Set up an incoming encrypted link from a Windows telnet session to OpenVMS.
-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Carter Browne
Sent: Wednesday, April 08, 2015 12:00 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] openvms and stunnel
The configuration:
[telnet]
accept = 999
connect = x.x.x.x:993
client = no
will provide that.
If you want a single input port to access multiple destinations:
[telnet]
accept = 999
connect = x.x.x.x:993
connect = x.x.x.y:993
connect = x.x.x.z:993
client = no
And the destinations will be assigned on a round robin basis.
If each destination is a distinct connection then
[telnet1]
accept = 999
connect = x.x.x.x:993
client = no
[telnet2]
accept = 1999
connect = x.x.x.y:993
client = no
[telnet3]
accept = 2999
connect = x.x.x.z:993
client = no
Carter
On 4/8/2015 12:02 PM, Coviello, Paul wrote:
Ok thanks!
Now onto the server side...
$ @STUNNEL_STARTUP_SERVER.COM
Is the private key (in the PEM file) encrypted? [Y/N]: y
Enter the password to decrypt the key (please use paired double quotes with it): ""XXXXXXX""
Starting up a Stunnel
%RUN-S-PROC_ID, identification of created process is 209F0B0D
Stunnel server failed to start up-- check the configuration, etc.
And no logfile is created...
$ dir stunnel.log
%DIRECT-W-NOFILES, no files found
$
here are the settings in the conf file...
$ ty STUNNEL_server.CONF
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
;key = stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[telnet]
accept = 993
connect = 23
[ssmtp]
accept = 465
connect = 25
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
-----Original Message-----
From: Carter Browne [mailto:cbcs@comcast.net]
Sent: Wednesday, April 08, 2015 12:16 PM
To: Coviello, Paul; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] openvms and stunnel
You have two listeners on port 993; to the best of my knowledge, they need to be on two different ports. It probably did not get to the point of opening the log file.
On 4/8/2015 12:41 PM, Coviello, Paul wrote:
Nope, it didn't make a difference; then I removed all except for telnet... still fails :-(
-----Original Message-----
From: Carter Browne [mailto:cbcs@comcast.net]
Sent: Wednesday, April 08, 2015 1:59 PM
To: Coviello, Paul; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] openvms and stunnel
I think you need a "client = no" added to the telnet section. I am not familiar enough with your environment to help with the details. I have had issues with the location of the log file. If the default location stunnel writes to is not write-enabled for the program, that could be a problem. In the file you posted, a number of lines are not on the left-hand margin, e.g., cert =, ;key =, debug =, output =.
I don't know if that is an artifact of the copying or present in your configuration file, but they all should be at the left margin.
Carter
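A small checker for the two faults diagnosed in this thread (two services accepting on port 993, and the sample file's global "client = yes" left in place on the server side), plus the reduced server/client pair for the telnet case Carter described; this is an added example, not code from the thread or from stunnel itself. The three embedded configurations are constructed, and the Windows-side addresses are assumptions.

```python
"""Lint an stunnel 4.x configuration for the mistakes found in this thread
(added example, not part of the stunnel distribution): two services on the
same accept port ([imaps]/[telnet] on 993), services that inherit "client =
yes" from the global section although this side should terminate TLS, and a
server-mode service without cert =. The sample configurations are constructed."""
from collections import defaultdict

# Constructed from the server-side config posted in the thread: the global
# "client = yes" left over from the sample file, and [imaps] and [telnet]
# both accepting on 993.
BROKEN_SERVER_CONF = """\
cert = stunnel.pem
debug = 7
output = stunnel.log
client = yes
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[telnet]
accept = 993
connect = 23
"""

# The VMS side reduced to what the thread asks for: a TLS listener on 999
# that hands the decrypted session to the local telnet daemon on port 23.
FIXED_SERVER_CONF = """\
cert = stunnel.pem
debug = 7
output = stunnel.log
client = no
[telnet]
accept = 999
connect = 23
"""

# Assumed matching Windows side: the telnet client talks plaintext to
# 127.0.0.1:23 and stunnel carries it over TLS to the VMS box (address and
# port are assumptions). Add verify = and CAfile = to authenticate the
# server certificate; without them the client accepts any peer.
CLIENT_CONF = """\
client = yes
[telnet]
accept = 127.0.0.1:23
connect = 192.168.0.1:999
"""


def parse_stunnel_conf(text):
    """Return (global_opts, services); every option maps to a list of values
    because keys such as connect = may legitimately repeat."""
    global_opts = defaultdict(list)
    services = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), defaultdict(list))
            continue
        key, sep, value = line.partition("=")  # split at the first "=" only
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        current[key.strip()].append(value.strip())
    return global_opts, services


def _effective(opts, global_opts, key, default):
    """A service-level option overrides the global one; the last value wins."""
    return (opts.get(key) or global_opts.get(key) or [default])[-1]


def lint(text, expected_mode="server"):
    """Return a list of problem strings; an empty list means the config is clean."""
    global_opts, services = parse_stunnel_conf(text)
    problems = []
    owner_of_port = {}
    for name, opts in services.items():
        # Conservative: two services on the same port number are flagged
        # whatever bind address each names ('993' and 'host:993' both -> 993).
        for endpoint in opts.get("accept", []):
            port = int(endpoint.rsplit(":", 1)[-1])
            if port in owner_of_port:
                problems.append(f"duplicate accept port {port}: "
                                f"[{owner_of_port[port]}] and [{name}]")
            else:
                owner_of_port[port] = name
        client = _effective(opts, global_opts, "client", "no").lower()
        mode = "client" if client == "yes" else "server"
        if mode != expected_mode:
            problems.append(f"[{name}] runs in {mode} mode (client = {client}), "
                            f"expected {expected_mode}")
        if mode == "server" and not _effective(opts, global_opts, "cert", ""):
            problems.append(f"[{name}] is a TLS server but no cert = is set")
    return problems


if __name__ == "__main__":
    for label, conf, mode in (("broken", BROKEN_SERVER_CONF, "server"),
                              ("fixed", FIXED_SERVER_CONF, "server"),
                              ("client", CLIENT_CONF, "client")):
        print(label, lint(conf, mode) or "clean")
```

Run it against a real stunnel.conf by reading the file into `lint()` with the mode that side is supposed to run in; the broken sample reports the 993 clash and three services in client mode, the fixed pair reports nothing.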
On 4/8/2015 2:04 PM, Coviello, Paul wrote:
Thanks. I changed client to no, and it didn't make a difference, unless you meant to add one in the telnet section?
Also, it must be the copy; there are no spaces in the file.
-----Original Message-----
From: Carter Browne [mailto:cbcs@comcast.net]
Sent: Wednesday, April 08, 2015 2:51 PM
To: Coviello, Paul; cbrowne@cbcs-usa.com; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] openvms and stunnel
I think you need a "client = no" added to the telnet section. I am not familiar with your environment to help with the details. I have had issues with the location of the log file. If the default location of where stunnel is not write enabled for the program that could be a problem. In the file below, a number of lines are not on the left hand margin; e.g,; cert = ;key = debug = output =
I don't know if that is an artifact of the copying or present in your configuration file, but they all should be at the left margin.
Carter
On 4/8/2015 2:04 PM, Coviello, Paul wrote:
Nope didn’t make a difference, then removed all except for telnet... still fails :-(
-----Original Message----- From: Carter Browne [mailto:cbcs@comcast.net] Sent: Wednesday, April 08, 2015 1:59 PM To: Coviello, Paul; stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
You have two listeners on port 993, to the best of my knowledge, they need to be on two different ports. It probably did not get to the point of opening the log file.
On 4/8/2015 12:41 PM, Coviello, Paul wrote:
Ok thanks!
Now onto the server side...
$ @STUNNEL_STARTUP_SERVER.COM Is the private key (in the PEM file) encrypted? [Y/N]: y Enter the password to decrypt the key (please use paired double quotes with it): ""XXXXXXX"" Starting up a Stunnel %RUN-S-PROC_ID, identification of created process is 209F0B0D Stunnel server failed to start up-- check the configuration, etc.
And no logfile is created... $ dir stunnel.log %DIRECT-W-NOFILES, no files found $
here are the settings in the conf file...
$ ty STUNNEL_server.CONF ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment cert = stunnel.pem ;key = stunnel.pem
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log
; Use it for client mode client = yes
; Service-level configuration
[pop3s] accept = 995 connect = 110
[imaps] accept = 993 connect = 143
[telnet] accept = 993 connect = 23
[ssmtp] accept = 465 connect = 25
;[https] ;accept = 443 ;connect = 80 ;TIMEOUTclose = 0
; vim:ft=dosini
-----Original Message----- From: Carter Browne [mailto:cbcs@comcast.net] Sent: Wednesday, April 08, 2015 12:16 PM To: Coviello, Paul; stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
The configuration:
[telnet] accept = 999 connect = x.x.x.x:993 client = no
will provide that.
If you want a single input port to access multiple destinations:
[telnet] accept = 999 connect = x.x.x.x:993 connect = x.x.x.y:993 connect = x.x.x.z:993 client = no And the destinations will be assigned on a round robin basis.
If each destination is a distinct connection then
[telnet1] accept = 999 connect = x.x.x.x:993 client = no
[telnet2] accept = 1999 connect = x.x.x.y:993 client = no
[telnet3] accept = 2999 connect = x.x.x.z:993 client = no
Carter
On 4/8/2015 12:02 PM, Coviello, Paul wrote:
Setup an incoming encrypted link from a windows telnet session to openvms.
-----Original Message----- From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Carter Browne Sent: Wednesday, April 08, 2015 12:00 PM To: stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
Paul,
What are you trying to do:
Set up an incoming encrypted link to an outgoing unencrypted link? Set up an incoming unencrypted link to an outgoing encrypted link? Something else?
Carter
On 4/8/2015 11:49 AM, Coviello, Paul wrote:
Let me see so I need to do the following.
connect = 192.168.0.1:993
connect = 192.168.20.140:993
connect = 192.168.xx.xxx:993
connect = 192.168.xx.xxy:993
Thanks Paul
-----Original Message----- From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Ludolf Holzheid Sent: Wednesday, April 08, 2015 11:35 AM To: stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
On Wed, 2015-04-08 11:18:43 -0400, Coviello, Paul wrote:
Hello
I'm trying to setup stunnel 4.20 yes it is an old version but the only one on HP's website for VMS.
I need a little help in the conf files.
Since I will be using telnet, do I need to put in each machines ip address that will be connecting? So in the example below do I create a listing of connects?
[telnet]
accept = 999
connect = 192.168.0.1:993
Paul,
the configuration above makes stunnel listen on local port 999, accepting connections from all IP addresses and forwards the traffic to port 993 of the box with IP address 192.168.0.1.
Depending on the 'client = ...' statement, stunnel expects the traffic at port 999 to be encrypted (server mode, client = no, default), or at port 993 (client mode, client = yes).
Any access control may be implemented via libwrap and (in server mode) via restriction of the accepted certificates.
HTH,
Ludolf
-- Carter Browne cbrowne@cbcs-usa.com
I meant add client = no to the telnet section.
I marked the bad sections below, if they actually are as they appear in your log file.
Carter
On 4/8/2015 3:00 PM, Coviello, Paul wrote:
Thanks. I changed client to no, and it didn't make a difference, unless you meant to add one in the telnet section?
Also, it must be the copy; there are no spaces in the file.
-----Original Message----- From: Carter Browne [mailto:cbcs@comcast.net] Sent: Wednesday, April 08, 2015 2:51 PM To: Coviello, Paul; cbrowne@cbcs-usa.com; stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
I think you need a "client = no" added to the telnet section. I am not familiar with your environment to help with the details. I have had issues with the location of the log file. If the default location of stunnel is not write enabled for the program, that could be a problem. In the file below, a number of lines are not on the left hand margin; e.g., cert =, ;key =, debug =, output =.
I don't know if that is an artifact of the copying or present in your configuration file, but they all should be at the left margin.
Carter
On 4/8/2015 2:04 PM, Coviello, Paul wrote:
Nope, didn't make a difference; then removed all except for telnet... still fails :-(
-----Original Message----- From: Carter Browne [mailto:cbcs@comcast.net] Sent: Wednesday, April 08, 2015 1:59 PM To: Coviello, Paul; stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
You have two listeners on port 993; to the best of my knowledge, they need to be on two different ports. It probably did not get to the point of opening the log file.
On 4/8/2015 12:41 PM, Coviello, Paul wrote:
Ok thanks!
Now onto the server side...
$ @STUNNEL_STARTUP_SERVER.COM
Is the private key (in the PEM file) encrypted? [Y/N]: y
Enter the password to decrypt the key (please use paired double quotes with it): ""XXXXXXX""
Starting up a Stunnel
%RUN-S-PROC_ID, identification of created process is 209F0B0D
Stunnel server failed to start up-- check the configuration, etc.

And no logfile is created...
$ dir stunnel.log
%DIRECT-W-NOFILES, no files found
$

Here are the settings in the conf file...
The lines in this section do not line up properly; the ";" should be the first character:

$ ty STUNNEL_server.CONF
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

The lines in this section do not line up properly; ";" or "cert" should start the line:

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

The lines in this section do not line up properly. The lines should start with ";", "debug" and "output":

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[telnet]
accept = 993
connect = 23

[ssmtp]
accept = 465
connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
No luck...
-----Original Message----- From: Carter Browne [mailto:cbcs@comcast.net] Sent: Wednesday, April 08, 2015 3:13 PM To: Coviello, Paul; stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
I meant add client = no to the telnet section.
I marked the bad sections below, if they actually are as they appear in your log file.
Carter
At this point, my only suggestion is to post your stunnel.conf file (preferably without any modifications to the lines) so that maybe someone else can see if there are any obvious issues.
On 4/8/2015 3:46 PM, Coviello, Paul wrote:
No luck...
Ok thanks here is the 1st version of the file...
All I want to do is create a telnet session from a windows terminal emulator to my VMS server.
Also, someone thinks that this version may not play well with SSL 1.4, which I have on VMS; as mentioned, this is 4.20.
Can anyone confirm this?
Thanks Paul
STUNNEL_SERVER.CONF;1

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[telnet]
accept = 993
connect = 23

[ssmtp]
accept = 465
connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
-----Original Message----- From: Carter Browne [mailto:cbcs@comcast.net] Sent: Wednesday, April 08, 2015 3:58 PM To: Coviello, Paul; stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
At this point, my only suggestion is to post your stunnel.conf file (preferably without any modifications to the lines) so that maybe someone else can see if there are any obvious issues.
On Wed, Apr 8, 2015 at 4:10 PM, Coviello, Paul pcoviello@ccsusa.com wrote:
Ok thanks here is the 1st version of the file...
All I want to do is create a telnet session from a windows terminal emulator to my VMS server.
also someone thinks that this version may not play well with SSL 1.4 that I have on VMS as mentioned this is 4.20
Can anyone confirm this ?
Thanks Paul
STUNNEL_SERVER.CONF;1
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
It's been more than 20 years since I used HP VMS (VAX), but can you do something like this:

stunnel /version

or if that doesn't work:

stunnel version

or

stunnel -version

See the output and verify what you have. For my Cygwin x64 environment, it says this (stock configuration):

$ stunnel -version
stunnel 5.09 on x86_64-unknown-cygwin platform
Compiled/running with OpenSSL 1.0.1k 8 Jan 2015
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP

Global options:
debug = daemon.notice
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2
curve = prime256v1
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
What I would do is to dumb this down and first see if you can get a stunnel client/server communication on the same box (using localhost or 127.0.0.1). I would use iperf to just send dummy data (iperf client and iperf server). Once that works, then move it up to using your network. If you need some example config files, I can provide that. What I did is to use iperf client connect to port 5000, then stunnel client listening on port 5000 and connect to port 6000, then stunnel server listening on port 6000 and connect to port 7000, and iperf server listening on port 7000. Since they're non-privileged ports, you don't need admin access.
Are you using certificates? I think you need to generate the stunnel.pem file, and I did it (using cygwin/MinGW/Linux) using these commands below. Information stolen/modified from here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel...
Create a self-signed key as follows: In MinGW: cd /c/STUNNEL5 openssl genrsa -out key.pem 2048 openssl req -new -x509 -key key.pem -out cert.pem -days 1095
now put in the info pertinent to your organization.
then run this command: cat key.pem cert.pem >> stunnel.pem
I don't know if you can do that with VMS, some parameters may have to be tweaked and changed to forward-slashes (as typical in VMS). I also saw the logging statement commented out, have you tried uncommenting those two lines (logging verbosity and log file)?
Regards, -Rob
No stunnel command is available...
This is the doc I followed/following and currently on step 3
http://h71000.www7.hp.com/opensource/stunnel_readme_axp_i64.txt
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Rob Lockhart Sent: Wednesday, April 08, 2015 4:28 PM To: stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
On Wed, Apr 8, 2015 at 4:36 PM, Coviello, Paul pcoviello@ccsusa.com wrote:
No stunnel command is available...
This is the doc I followed/following and currently on step 3
http://h71000.www7.hp.com/opensource/stunnel_readme_axp_i64.txt
That looks to be for Stunnel 3, which is no longer maintained. Please see this message on the main website:
The obsolete 3.x branch is no longer maintained. Use stunnel3 https://www.stunnel.org/downloads/stunnel3 perl script as a drop-in replacement for backward compatibility.
https://www.stunnel.org/downloads/stunnel3
If you have perl installed in VMS, you should be able to use that perl script to emulate stunnel 4. I don't know if Stunnel 3 and Stunnel 4 are interoperable, perhaps not?
here is the hp webpage...
http://h71000.www7.hp.com/opensource/opensource.html#stunnel
Stunnel
Stunnel allows you to encrypt arbitrary TCP/IP connections inside an SSL (Secure Sockets Layer) connection from your OpenVMS system to another machine. Stunnel allows you to secure non-SSL aware applications (such as Telnet, IMAP, RCP, and FTP authentication) by having Stunnel provide the encryption, so you do not have to change the original application. Both images and source code are provided. For more information about Stunnel, see http://www.stunnel.org/.
The Stunnel kit is a compressed, self-extracting EXE file. To expand the Stunnel source kit, enter one of the following commands:
$ RUN STUNNEL-4_20_AXP.EXE ! for Alpha (Updated September 2007)
$ RUN STUNNEL-4_20_I64.EXE ! for Integrity servers (Updated September 2007)
$ RUN STUNNEL-3_26_VAX.EXE ! for VAX
At the Decompress into (file specification): prompt, press return. The system expands the file and names the decompressed file STUNNEL-4_20.BCK or STUNNEL-3_26.BCK.
See STUNNEL_README_AXP_I64.TXT (http://h71000.www7.hp.com/opensource/STUNNEL_README_AXP_I64.TXT) for Alpha and Integrity servers, or STUNNEL_README_VAX.TXT (http://h71000.www7.hp.com/opensource/STUNNEL_README_VAX.TXT) for VAX, for information about Stunnel on OpenVMS.
Download Stunnel for Alpha: ftp://ftp.hp.com/pub/openvms/opensource/STUNNEL-4_20_AXP.EXE (September 2007)
Download Stunnel for Integrity servers: ftp://ftp.hp.com/pub/openvms/opensource/STUNNEL-4_20_I64.EXE (September 2007)
Download Stunnel for VAX: ftp://ftp.hp.com/pub/openvms/opensource/STUNNEL-3_26_VAX.EXE (November 2002)
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Rob Lockhart Sent: Wednesday, April 08, 2015 4:44 PM To: stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
On Wed, Apr 8, 2015 at 4:47 PM, Coviello, Paul pcoviello@ccsusa.com wrote:
here is the hp webpage...
http://h71000.www7.hp.com/opensource/opensource.html#stunnel
Ok so it appears the HP webpage shows a different version of stunnel than the page you linked before http://h71000.www7.hp.com/opensource/stunnel_readme_axp_i64.txt (stunnel 3). Nevertheless, if you keep having problems, I suggest starting simple and add to it one at a time, specifically try to get a stunnel client/server session on your local machine. If you can't get that working, it's going to be very difficult to debug. Speaking of debug, have you enabled the debugging options and tried running the stunnel server? You may also want to use ports above 1023 per this link http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html. Try killing the server and restarting again with logging enabled and set to 7, and have the log file point to a path for which you have write-access. The latest server log you had commented out the debug and output as well as client, but you should keep that uncommented as follows below:
debug = 7
output = stunnel.log
client = no
If you can use high ports for testing (>1023) using iperf (IPERF.EXE) and that works, then you know it's something perhaps in your VAX firewall that prohibits connecting on port 23 (telnet) from another application.
Do this as follows:
1) Create a s4client.conf file with the following contents:
sslVersion=TLSv1
FIPS = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
[iperf]
accept = 127.0.0.1:5000
connect = 127.0.0.1:6000
delay = no
2) Create a s4server.conf file with the following contents (modify as appropriate for the stunnel.pem file location):
sslVersion=TLSv1
cert=C:\TEST\stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = no
[iperf]
accept = 127.0.0.1:6000
connect = 127.0.0.1:7000
delay = no
3) Open up four command prompts in VMS (if you can), one for each of the four corners (quadrants) of the screen. The data flow will be from Q2 (upper-left) to Q1 (upper-right), then to Q4 (lower-right), then finally to Q3 (lower-left).
4)
. In Q1 run: s4client.exe s4client.conf
. In Q4 run: s4server.exe s4server.conf
. In Q3 run: iperfs -p 7000 -s
. In Q2 run: iperfc -c localhost -p 5000 -t 1
. If it worked, you should see something like the message below:
------------------------------------------------------------
Client connecting to localhost, TCP port 5000
TCP window size: 63.0 KByte (default)
------------------------------------------------------------
[  3] local 127.0.0.1 port 50097 connected with 127.0.0.1 port 5000
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec  38.9 MBytes   321 Mbits/sec
5) If that works, change the ports around and use something like 999 for connect (client) and accept (server). Restart the client and server and see if iperf still works.
6) If that works, now try to change connect (server) to port 23, restart client and server, and then telnet to port 5000.
Hi, ok after reading this a little bit better on the big screen vs. my phone...
I do have debug on and I can't run iperf on vms. (the file I posted last, was one without any modifications.)
It won't start...
Here is the file I'm currently using.
$ ty STUNNEL_SERVER.CONF;
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
;key = stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
;[pop3s]
;accept = 995
;connect = 110
[telnet]
accept = 992
connect = 23
client = no
;[ssmtp]
;accept = 465
;connect = 25
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
From: Rob Lockhart [mailto:rlockhar@gmail.com] Sent: Wednesday, April 08, 2015 6:38 PM To: Coviello, Paul Cc: stunnel-users@stunnel.org Subject: Re: [stunnel-users] openvms and stunnel
Morning,
Finally got stunnel to start... evidently the package on HP's webpage didn't work on vms 8.3-1h1... even though the document said it would. So I got a new executable and stunnel is now started.
If someone could explain how this is supposed to be setup it would be greatly appreciated.
Thanks Paul
Stunnel_Server.conf on VMS
Is this enough info? Do I need to run the client piece on here too?
; Service-level configuration
[telnet]
accept = 993
connect = 23
stunnel.conf on windows 7
what do I want to put in here and where?
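The thread ends without a worked answer for the Windows side, but the pitfalls raised along the way can all be checked before stunnel is ever started: Paul's global client = yes being overridden by client = no inside [telnet], a server-mode service with no cert (the comment in his own config file says one is needed), an accept on a privileged port when Rob asked for ports above 1023 while testing, debug output left off, and a client whose connect does not land on the server's accept (Rob's steps 5 and 6). The Python script below is an added example, not code from this thread or from the stunnel project. It parses the stunnel.conf format as it appears in the messages above and applies those checks, first to Paul's posted STUNNEL_SERVER.CONF, then to Rob's loopback iperf pair, and finally to a constructed Windows-client / VMS-server pair for the telnet service. The VMS address 192.0.2.10 and the function names parse_stunnel_conf, effective, parse_endpoint, lint and check_chain are the example's own; treating client and cert as inherited from the global section into each service is the checker's rule, not a statement about how stunnel 4.20 itself resolves them.

```python
"""Lint stunnel.conf files and check that a client/server pair chain together.
Added example, not code from the thread or the stunnel project. Parses the INI-style
format shown in the messages (';' comments, globals before the first [section], repeated
keys such as 'socket'); inheriting 'client'/'cert' from globals is this checker's own rule.
"""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class StunnelConfig:
    globals: dict[str, list[str]]              # options before any [section]
    services: dict[str, dict[str, list[str]]]  # [section] name -> options

def parse_stunnel_conf(text: str) -> StunnelConfig:
    """Split each line on its first '=' only: values like l:TCP_NODELAY=1 contain '='."""
    cfg = StunnelConfig({}, {})
    current = cfg.globals
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = cfg.services.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = line.split("=", 1)
        current.setdefault(key.strip(), []).append(value.strip())
    return cfg

def effective(cfg: StunnelConfig, service: str, key: str, default=None):
    """Service-level value beats the global one; for repeated keys the last one wins."""
    values = cfg.services[service].get(key) or cfg.globals.get(key)
    return values[-1] if values else default

def parse_endpoint(value: str) -> tuple[str | None, int]:
    """'127.0.0.1:5000' -> ('127.0.0.1', 5000); a bare '993' -> (None, 993)."""
    host, sep, port = value.rpartition(":")
    return (host if sep else None), int(port)

def lint(cfg: StunnelConfig) -> list[str]:
    """Findings for the pitfalls raised in the thread, prefixed error:/warn:/note:."""
    out: list[str] = []
    if "debug" not in cfg.globals:
        out.append("note: no 'debug' level; use debug = 7 and output = <logfile> while troubleshooting")
    for name, svc in cfg.services.items():
        mode = effective(cfg, name, "client", "no")
        global_client = cfg.globals.get("client", [None])[-1]
        if "client" in svc and global_client not in (None, svc["client"][-1]):
            out.append(f"note: [{name}] client = {svc['client'][-1]} overrides global client = "
                       f"{global_client}; effective mode is {'client' if mode == 'yes' else 'server'}")
        for key in ("accept", "connect"):
            if effective(cfg, name, key) is None:
                out.append(f"error: [{name}] has no '{key}' option")
        if mode != "yes" and effective(cfg, name, "cert") is None:
            out.append(f"error: [{name}] runs in server mode but no 'cert' is set")
        accept = effective(cfg, name, "accept")
        if accept is not None:
            host, port = parse_endpoint(accept)
            if port < 1024:
                out.append(f"warn: [{name}] accept port {port} is privileged (<1024); test above 1023 first")
            if host is None:
                out.append(f"note: [{name}] accept = {port} listens on all interfaces; use 127.0.0.1:{port} for loopback tests")
    return out

def check_chain(client: StunnelConfig, client_svc: str,
                server: StunnelConfig, server_svc: str) -> list[str]:
    """Does the client's 'connect' land on the server's 'accept', with the modes right?"""
    problems: list[str] = []
    if effective(client, client_svc, "client", "no") != "yes":
        problems.append(f"[{client_svc}] on the client side must set client = yes")
    if effective(server, server_svc, "client", "no") == "yes":
        problems.append(f"[{server_svc}] on the server side must set client = no")
    c_connect = effective(client, client_svc, "connect")
    s_accept = effective(server, server_svc, "accept")
    if c_connect is None or s_accept is None:
        return problems + ["client 'connect' or server 'accept' is missing"]
    c_host, c_port = parse_endpoint(c_connect)
    s_host, s_port = parse_endpoint(s_accept)
    c_host = c_host or "127.0.0.1"  # a bare 'connect = <port>' means localhost
    if c_port != s_port:
        problems.append(f"client connects to port {c_port} but server accepts on port {s_port}")
    if s_host is not None and c_host != s_host:
        problems.append(f"server accepts only on {s_host} but client connects to {c_host}")
    return problems

# Samples: PAUL_CONF is Paul's posted file reduced to its active lines, ROB_* is Rob's loopback
# pair, WIN_CLIENT/VMS_SERVER are constructed for the telnet setup (192.0.2.10 is a placeholder).
PAUL_CONF = ("cert = stunnel.pem\nsocket = l:TCP_NODELAY=1\nsocket = r:TCP_NODELAY=1\ndebug = 7\n"
             "output = stunnel.log\nclient = yes\n[telnet]\naccept = 992\nconnect = 23\nclient = no\n")
ROB_CLIENT = "sslVersion=TLSv1\nclient = yes\n[iperf]\naccept = 127.0.0.1:5000\nconnect = 127.0.0.1:6000\n"
ROB_SERVER = "sslVersion=TLSv1\ncert=C:\\TEST\\stunnel.pem\nclient = no\n[iperf]\naccept = 127.0.0.1:6000\nconnect = 127.0.0.1:7000\n"
WIN_CLIENT = "client = yes\n[telnet]\naccept = 127.0.0.1:5000\nconnect = 192.0.2.10:993\n"
VMS_SERVER = "cert = stunnel.pem\ndebug = 7\noutput = stunnel.log\nclient = no\n[telnet]\naccept = 993\nconnect = 23\n"

if __name__ == "__main__":
    print("\n".join(lint(parse_stunnel_conf(PAUL_CONF))))
    print(check_chain(parse_stunnel_conf(WIN_CLIENT), "telnet", parse_stunnel_conf(VMS_SERVER), "telnet") or "chain ok")
```

Run as a script it prints the findings for Paul's config (the client override note, the privileged-port warning and the all-interfaces note, but no error, because the global cert covers the server-mode telnet service) and "chain ok" for the constructed Windows-to-VMS pair. The checks are static: they say whether the two sides can line up, not whether the tunnel works, which is still what the stunnel.log with debug = 7 is for.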