Dear Users,
I have released version 5.00 of stunnel.
The ChangeLog entry:
stunnel 5.00 disables some features previously enabled by default. Users should review whether the new defaults are appropriate for their particular deployments. Package maintainers may consider prepending the old defaults for "fips" (if supported by their OpenSSL library), "pid" and "libwrap" to stunnel.conf during automated updates.
Version 5.00, 2014.03.06, urgency: HIGH:
* Security bugfixes
  - Added PRNG state update in fork threading (CVE-2014-0016).
* New global configuration file defaults
  - Default "fips" option value is now "no", as FIPS mode is only helpful for compliance, and never for actual security.
  - Default "pid" is now "", i.e. not to create a pid file at startup.
* New service-level configuration file defaults
  - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to AlFBPPS attack and bad performance of DH ciphersuites.
  - Default "libwrap" setting is now "no" to improve performance.
* New features
  - OpenSSL DLLs updated to version 1.0.1f.
  - zlib DLL updated to version 1.2.8.
  - autoconf scripts upgraded to version 2.69.
  - TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
  - New service-level option "redirect" to redirect SSL client connections on authentication failures instead of rejecting them.
  - New global "engineDefault" configuration file option to control which OpenSSL tasks are delegated to the current engine. Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
  - New service-level configuration file option "engineId" to select the engine by identifier, e.g. "engineId = capi".
  - New global configuration file option "log" to control whether to append (the default), or to overwrite log file while (re)opening.
  - Different taskbar icon colors to indicate the service state.
  - New global configuration file options "iconIdle", "iconActive", and "iconError" to select status icon on GUI taskbar.
  - Removed the limit of 63 stunnel.conf sections on Win32 platform.
  - Installation of a sample certificate was moved to a separate "cert" target in order to allow unattended (e.g. scripted) installations.
  - Reduced length of the logged thread identifier. It is still based on the OS thread ID, and thus not unique over long periods of time.
  - Improved readability of error messages printed when stunnel refuses to start due to a critical error.
* Bugfixes
  - LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
  - CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
  - Corrected round-robin failover behavior under heavy load.
  - Numerous fixes in the engine support code.
  - On Win32 platform .rnd file moved from c:\ to the stunnel folder.
Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html
SHA-256 hash for stunnel-5.00.tar.gz: 88986d52a7ef1aff0cc26fc0a9830361c991baba7ee591d5cf1cc8baef75bc13
Best regards, Mike
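The advice to package maintainers in the announcement above, as an added example that is not part of the original message or of the stunnel project: an upgrade helper that prepends the old defaults for "fips", "pid" and "libwrap" only where the global section of stunnel.conf does not already set them. With "libwrap" now off by default, services that relied on /etc/hosts.allow and /etc/hosts.deny filtering lose it unless the option is set explicitly. The function names, the old values ("yes" for fips and libwrap) and the placeholder pid path are assumptions of this example.

```python
import re

# Pre-5.00 defaults. These values are assumptions of this example: take them
# from the documentation of the stunnel build that is being upgraded.
OLD_DEFAULTS = {
    "fips": "yes",                          # only if OpenSSL supports FIPS
    "pid": "/PLACEHOLDER/run/stunnel.pid",  # build-specific path, placeholder
    "libwrap": "yes",
}
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=")

def global_options(conf_text):
    """Return the option names set before the first [service] section."""
    seen = set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):        # first service section ends globals
            break
        if not stripped or stripped[0] in ";#":
            continue                        # blank line or comment
        match = OPTION_RE.match(line)
        if match:
            seen.add(match.group(1).lower())
    return seen

def prepend_old_defaults(conf_text, fips_supported=True):
    """Prepend the old defaults that the global section does not set itself."""
    present = global_options(conf_text)
    added = [f"{name} = {value}" for name, value in OLD_DEFAULTS.items()
             if name not in present and (name != "fips" or fips_supported)]
    if not added:
        return conf_text                    # nothing to add; safe to re-run
    header = "; pre-5.00 defaults kept by the upgrade script\n"
    return header + "\n".join(added) + "\n\n" + conf_text

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
; sample stunnel.conf
pid = /var/run/custom-stunnel.pid

[https]
accept = 443
connect = 8080
libwrap = no
"""

if __name__ == "__main__":
    print(prepend_old_defaults(SAMPLE))
```

Settings made explicitly by the administrator are left alone: the sample's own "pid" line and the per-service "libwrap = no" survive unchanged.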
Thanks for the new Stunnel version!
I have installed Stunnel 5.00 on a W32 system (Vista 64bit).
The GUI option "Edit configuration" finds the configuration file now, too, when the file is not in the installation folder.
But there is the following error message: "INTERNAL ERROR: BAD magic at ..\src\ui_win_gui.c, line 1093".
And then stunnel crashes: "Runtime Error!..."
Best regards Sebastian
On 2014-03-09 21:47, Sebastian Rose-Indorf wrote:
But there is the following error message: "INTERNAL ERROR: BAD magic at ..\src\ui_win_gui.c, line 1093".
Thank you very much for reporting it. Please try: https://www.stunnel.org/downloads/beta/stunnel-5.01b1-installer.exe
This version also includes a compilation fix for Mac OS X.
Mike
Very well, it seems to work now (W32). Many thanks!
Best regards Sebastian
-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Michal Trojnara
Sent: Sunday, 9 March 2014 23:24
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Runtime Error
On 2014-03-09 21:47, Sebastian Rose-Indorf wrote:
But there is the following error message: "INTERNAL ERROR: BAD magic at ..\src\ui_win_gui.c, line 1093".
Thank you very much for reporting it. Please try: https://www.stunnel.org/downloads/beta/stunnel-5.01b1-installer.exe
This version also includes a compilation fix for Mac OS X.
Mike
On Thu, 06 Mar 2014 01:09:31 +0100 Michal Trojnara Michal.Trojnara@mirt.net wrote:
- On Win32 platform .rnd file moved from c:\ to the stunnel folder.
Hi,
System Windows 2000.
Referring to the above, I still can see this in the log, and the file that already exists in c:\ from a year back is being used and modified after each stunnel usage:

    Snagged 64 random bytes from C:/.rnd
    Wrote 1024 new random bytes to C:/.rnd

What I found happens is that, if a .rnd file is in C:, it is used; if not, it is not being generated anywhere. There doesn't even appear an entry in the log file.

Also, I found that, after each service connection, these four lines are appended to the log (with debug=7). Should they be there from now on?

    str_stats: 3 block(s), 60 data byte(s), 150 control byte(s)
    str_stats: 20 byte(s) at ..\src\network.c:413
    str_stats: 20 byte(s) at ..\src\network.c:412
    str_stats: 20 byte(s) at ..\src\network.c:411
Regards.
Hi,
I missed another entry in log. The last line looks like an error.
    No limit detected for the number of clients
    stunnel 5.00 on x86-pc-msvc-1500 platform
    Compiled/running with OpenSSL 1.0.1f-fips 6 Jan 2014
    Threading:WIN32 Sockets:SELECT,IPv4 SSL:ENGINE,OCSP,FIPS
    errno: (*_errno())