Hi Guys,
Thanks for your replies.
I tried the following commands on the VeriSign certificate; both of them do not work. There is an error 'unable to load certificate'.
openssl x509 -inform DER -in stunnel.pem -noout -text
or
openssl x509 -inform PEM -in stunnel.pem -noout -text
However, if I run the same command (openssl x509 -inform PEM -in stunnel.pem -noout -text) on the VeriSign root & intermediate certificates it works. It shows the format should be 'pem'. But somehow the certificate is not valid.
I am using the following commands to create the CSR and private key. Are these correct?
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
Thanks,
Zubair
-----Original Message-----
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of stunnel-users-request@stunnel.org
Sent: Wednesday, December 21, 2011 9:27 PM
To: stunnel-users@stunnel.org
Subject: stunnel-users Digest, Vol 89, Issue 21
Send stunnel-users mailing list submissions to stunnel-users@stunnel.org
To subscribe or unsubscribe via the World Wide Web, visit http://stunnel.mirt.net/mailman/listinfo/stunnel-users or, via email, send a message with subject or body 'help' to stunnel-users-request@stunnel.org
You can reach the person managing the list at stunnel-users-owner@stunnel.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of stunnel-users digest..."
Today's Topics:
1. Re: Configuring VeriSign certificate with STunnel (Michal Trojnara)
2. stunnel segfault, please advise (Mehdi Bennani)
3. Re: Configuring VeriSign certificate with STunnel (Ludovic LEVET)
4. Segfault with stunnel (yassine ayachi)
5. Re: Segfault with stunnel (Scott Damron)
6. unsubscribe (Brian McGinity)
7. Re: Missing bytes? (Arthur Murray)
8. Re: Segfault with stunnel (yassine ayachi)
----------------------------------------------------------------------
Message: 1
Date: Wed, 21 Dec 2011 13:30:45 +0100
From: Michal Trojnara Michal.Trojnara@mirt.net
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Configuring VeriSign certificate with STunnel
Message-ID: f039775ca5efe5be73a2858b88f0ebc2@mirt.net
Content-Type: text/plain; charset=UTF-8; format=flowed
Zubair Ali Mansoor wrote:
2011.12.21 13:31:30 LOG3[5144:2256]: SSL_CTX_use_certificate_chain_file: D0680A8: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
I don't think this problem is specific to stunnel: https://encrypted.google.com/search?q=%22ASN1_CHECK_TLEN%3Awrong+tag%22+verisign
Mike
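Both the "unable to load certificate" from the openssl x509 probes in Zubair's message and the ASN1 "wrong tag" from SSL_CTX_use_certificate_chain_file come down to one question: what encoding is actually in stunnel.pem? The script below is an added example for this digest (it is neither code from the thread nor stunnel's own code). It runs the two x509 probes from the message plus the PKCS#7 equivalents, checks that the private key belongs to the certificate, and assembles the single PEM file stunnel's cert option reads. The file names, the PASSIN variable, and the idea that a CA-issued file might be a PKCS#7 bundle rather than a bare certificate are assumptions of mine; the thread does not say which format VeriSign delivered.

```shell
#!/bin/sh
# Added example, not from the stunnel-users thread.
# Assumes: openssl on PATH; PASSIN holds an OpenSSL -passin source
# ("pass:secret", "file:/path", ...) when the key is encrypted, as it is
# after the thread's "genrsa -des3"; an unencrypted key ignores it.
: "${PASSIN:=pass:}"

# Classify a certificate file. Prints one of:
#   pem-x509 der-x509 pem-pkcs7 der-pkcs7 pem-other unknown
# The first two probes are the ones tried in the thread; the PKCS#7 probes
# cover the bundle format some CAs ship, which "openssl x509" rejects.
cert_format() {
    f="$1"
    if openssl x509 -inform PEM -in "$f" -noout 2>/dev/null; then echo pem-x509
    elif openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then echo der-x509
    elif openssl pkcs7 -inform PEM -in "$f" -noout 2>/dev/null; then echo pem-pkcs7
    elif openssl pkcs7 -inform DER -in "$f" -noout 2>/dev/null; then echo der-pkcs7
    elif grep -q -- '-----BEGIN ' "$f" 2>/dev/null; then echo pem-other
    else echo unknown
    fi
}

# Print the certificate(s) in $1 as PEM X.509, whatever the input encoding.
# A PKCS#7 bundle is unpacked; the "subject=/issuer=" lines that
# -print_certs emits are ignored by OpenSSL's PEM reader.
to_pem_certs() {
    f="$1"
    case "$(cert_format "$f")" in
        pem-x509)  openssl x509 -inform PEM -in "$f" ;;
        der-x509)  openssl x509 -inform DER -in "$f" ;;
        pem-pkcs7) openssl pkcs7 -inform PEM -in "$f" -print_certs ;;
        der-pkcs7) openssl pkcs7 -inform DER -in "$f" -print_certs ;;
        *) echo "cannot read certificates from $f" >&2; return 1 ;;
    esac
}

# Return 0 if the private key in $2 belongs to the certificate in $1,
# by comparing the SubjectPublicKeyInfo derived from each side.
key_matches_cert() {
    c="$1"; k="$2"
    a=$(to_pem_certs "$c" | openssl x509 -noout -pubkey) || return 1
    b=$(openssl pkey -in "$k" -passin "$PASSIN" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# build_stunnel_pem OUT KEY CERT [INTERMEDIATE...]
# Writes OUT = private key, server certificate, then the rest of the chain
# in the order given. OpenSSL reads the first CERTIFICATE block as the
# server certificate and the following ones as its chain; the key block
# may sit anywhere. The key is written unencrypted, hence mode 0600.
build_stunnel_pem() {
    out="$1"; key="$2"; cert="$3"; shift 3
    key_matches_cert "$cert" "$key" || { echo "key $key does not match $cert" >&2; return 1; }
    (
        umask 077
        {
            openssl pkey -in "$key" -passin "$PASSIN" &&
            to_pem_certs "$cert" &&
            for i in "$@"; do to_pem_certs "$i" || exit 1; done
        } > "$out"
    ) || return 1
    chmod 600 "$out"
}
```

Run cert_format on the file the CA sent: pem-other means it is PEM but carries no CERTIFICATE block (a key, a CSR, or a mislabelled blob), unknown means it is neither PEM nor a DER certificate or PKCS#7 bundle, and either result explains an "unable to load certificate" without stunnel being involved. With the thread's -des3 key, export PASSIN=pass:... before calling build_stunnel_pem; the resulting file contains the key in the clear, so keep it at 0600 and owned by the user stunnel runs as.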
------------------------------
Message: 2
Date: Wed, 21 Dec 2011 07:34:19 -0500
From: Mehdi Bennani mehdibennani@hotmail.com
To: stunnel-users@stunnel.org
Subject: [stunnel-users] stunnel segfault, please advise
Message-ID: SNT134-W33BCBEA69CFD9694C37B7EC3A50@phx.gbl
Content-Type: text/plain; charset="iso-8859-1"
Hi you guys,
I proposed stunnel as a potential solution to our product about 4-5 months ago and I am in the process of testing a prototype I have built around that proposition. I am using stunnel v. 4.41. I am relatively new to stunnel myself.
The environment is as follows: we are trying to secure an RDP connection from a Java applet running in a web browser to a Windows 2008 Server machine behind our firewall. Presently, the Java applet opens an RDP connection to a machine (I will call it the SSL machine) where stunnel is installed. Stunnel then properly forwards the incoming traffic (from port A) to its final destination (i.e. the Windows Server 2008 machine) on port B. Further, I have configured stunnel to use an SSL certificate. (Although I have not been able to test that yet to make sure it works.)
Anyhow, it is all working as expected and I am pretty happy about the proof of concept. However, while testing it a bit, I noticed that it was relatively easy to bring stunnel down. The way I went about it was to simply run "telnet IP_of_MySSLMachine portA" from a DOS command window on any machine with internet access. From the stunnel logs, I can tell that I get a response from stunnel, and on the DOS window side I have a cursor waiting for input... Writing any gibberish into that DOS window and waiting a little bit makes stunnel stop and die on the SSL machine. I found nothing in the stunnel log, but grepping in /var/log/, I found the segfault:
sslmahine:/var/log/# grep stunnel messages
kernel: [1996904.624042] stunnel [19696]: segfault at 8 ip b768d361 sp b7601210 error 4 in libc-2.7.so[b7621000+138000]
After another telnet execution, a few days later:
sslmahine:/var/log/# grep stunnel messages
kernel: [4930384.164316] stunnel [14540]: segfault at 8 ip b7629b61 error 6 in libc-2.7.so[b75bd000+138000]
Basically, if I don't issue that telnet command, stunnel works properly. As soon as I issue that command and start typing a few things in that DOS console, stunnel dies. I have to manually restart it.
Question: I was wondering if you guys could shed some light on this behavior. Is it a known behavior/bug? Is there a way to solve it, maybe by upgrading to a later version of stunnel? Also, I was thinking of blocking telnet altogether at the firewall level, but then I am not sure what other protocols people could use to hack into the system... so should I block all of them? And, finally, is there a more secure way to set up stunnel?
Thank you in advance
Mehdi/
Hi,
I think you did not choose the right destination for the certificate when you made your VeriSign request. On the VeriSign site, when you post your req, it asks you what usage it is for (destination usage). Choose 'apache webserver' as the destination. It will be OK after that.
Ludovic.
On 22/12/2011 06:57, Zubair Ali Mansoor wrote: