-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Dear Users,
I have released version 5.20 of stunnel.
The ChangeLog entry:
Version 5.20, 2015.07.09, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.2d.
    https://www.openssl.org/news/secadv_20150709.txt
* New features
  - poll(2) re-enabled on MacOS X 10.5 and later.
  - Xcode SDK is automatically used on MacOS X if no other locally
    installed OpenSSL directory is found.
  - The SSL library detection algorithm was made a bit smarter.
  - Warnings about insecure authentication were modified to include
    the name of the affected service section.
  - A warning was added to stunnel.init if no pid file was specified
    in the configuration file (thx to Peter Pentchev).
  - Optional debugging symbols are included in the Win32 installer.
  - Documentation updates (closes Debian bug #781669).
* Bugfixes
  - Signal pipe reinitialization added to prevent turning the main
    accepting thread into a busy wait loop when an external condition
    breaks the signal pipe. This bug was found to surface on Win32,
    but other platforms may also be affected.
  - Fixed removing the disabled taskbar icon.
  - Generated temporary DH parameters are used for configuration
    reload instead of the static defaults.
  - LSB compatibility fixes added to the stunnel.init script
    (thx to Peter Pentchev).
  - Fixed the manual page headers (thx to Gleydson Soares).
Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html
SHA-256 hashes:
4a36a3729a7287d9d82c4b38bf72c4d3496346cb969b86129c5deac22b20292b  stunnel-5.20.tar.gz
9d9d38241e972713cd0937e2cf66fdacf3adcb357fbea82d8e46648de4e26fa4  stunnel-5.20-installer.exe
cfc1e94cb7c7bf14c832ac8799db4a3438ae7542aa04ec5e9c6695a1a3c3843d  stunnel-5.20-android.zip
Best regards, Mike
Thank you Mike for sharing the update! Actually I was trying to install 5.20 on Mac OS using the executable provided by you on the website, but I am getting the below error while installing. It is giving me an error for a missing configuration file, and when I investigated the path (/etc/stunnel/stunnel.conf), there was no stunnel folder at all.
Also please let me know if I need to install OpenSSL before installing this executable. Thank you.
Installation logs:
MobileLab:Downloads sahnilsurana$ ./stunnel-5.20b8-osx
[ ] Cron started
[ ] Clients allowed=500
[.] stunnel 5.20 on x86_64-apple-darwin14.3.0 platform
[.] Compiled with OpenSSL 0.9.8zd 8 Jan 2015
[.] Running with OpenSSL 0.9.8za 5 Jun 2014
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:SELECT,IPv6 TLS:ENGINE,OCSP
[ ] errno: (*__error())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[!] Cannot open configuration file
[.]
[.] Syntax:
[.] stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
[.] <filename> - use specified config file
[.] -fd <n> - read the config file from a file descriptor
[.] -help - get config file help
[.] -version - display version and defaults
[.] -sockets - display default socket options
Regards, Saurabh Beriwal
On Thu, Jul 9, 2015 at 7:31 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
On 12.07.2015 07:20, Saurabh Beriwal wrote:
Yes, stunnel needs a configuration file to work. It is probably a good time for you to read the fine manual at https://www.stunnel.org/static/stunnel.html
> Also please let me know if I need to install OpenSSL before installing this executable. Thank you.
No, you don't need to install an additional OpenSSL library on your OSX.
This is where it tells you how to specify the configuration file name.
Mike
Thank you Michal for the explanation. Now I am able to load the configuration file successfully, but I am getting an error when creating the connection, so I just wanted to know the path where I can see the log file. Also, is it possible to change the .pem file with this executable?
On Jul 13, 2015 1:17 PM, "Michal Trojnara" Michal.Trojnara@mirt.net wrote:
Hi Michal,
Thank you for your help! I was able to create a connection through stunnel. However, I am not sure how to start and stop services using the stunnel-5.20b8-osx https://www.stunnel.org/downloads/stunnel-5.20b8-osx executable. I am new to Mac OS, so I am not aware if there is any standard process for files with this extension. Also, this executable works fine on my Mac machine, but I still wanted to know if there is any requirement for this to work.
Regards, Saurabh Beriwal
On Mon, Jul 13, 2015 at 12:47 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Hi Michal,
I know I am asking too many questions, but I am stuck again. Actually, now everything is working fine if I provide an absolute path for stunnel.pem in the configuration file, but as per my requirement I don't want to be dependent on an absolute file path and want to generate it dynamically. But I am not able to understand how to do this. Please help.
On Mon, Jul 13, 2015 at 12:47 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
On 15.07.2015 19:07, Saurabh Beriwal wrote:
The following example illustrates using dynamic configuration files:
#!/bin/bash
REMOTE_HOST="www.stunnel.org:443"
echo "client script connecting $REMOTE_HOST"
# Save the original stdin on fd 11, attach the here-document to fd 10 for
# "-fd 10", then restore stdin from fd 11 and close fd 11.  With no [service]
# section and no "accept" option, stunnel runs in inetd mode and relays this
# script's stdin/stdout to the remote host over TLS.
stunnel -fd 10 11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
EOT
echo "client script finished"
Mike
Hi,
I am unable to compile stunnel 5.20 against openssl 1.0.2d (or even 1.0.2c). There is a compilation error at some point.
cron.c:151: warning: conflicting types for 'cron_dh_param'
cron.c:151: error: static declaration of 'cron_dh_param' follows non-static declaration
cron.c:131: error: previous implicit declaration of 'cron_dh_param' was here
cron.c: In function 'cron_dh_param':
I'm on RHEL 5.10. No issues with stunnel 5.19 with either openssl version.
Thanks.
2015-07-09 10:31 GMT-04:00 Michal Trojnara Michal.Trojnara@mirt.net:
On 14.07.2015 16:24, Philippe Anctil wrote:
Did you configure stunnel with "--with-threads=fork"? It is broken in stunnel 5.20. It is also a bad idea in general.
Otherwise, please send me your config.log.
Mike
Yes, I compile with fork.
We have been using that for a very long time. In the 7-8 years range if not a few years more. In the past we decided to use fork to sidestep leaks. We process astronomical numbers of transactions each year on a 24/7 basis and never had any problems.
Can you expand a bit on why it is a bad idea?
Thanks.
2015-07-15 10:27 GMT-04:00 Michal Trojnara Michal.Trojnara@mirt.net:
On 15.07.2015 16:35, Philippe Anctil wrote:
A few reasons off the top of my head:
1. Posix/windows threads are required for the session cache, which is a major performance improvement. With fork, stunnel needs to negotiate a new TLS session on each TCP connection with the same peer.
2. Posix/windows threads are required for DH parameter regeneration.
3. Fork is not the default compilation option and it doesn't get nearly as much testing as posix/windows threads.
Mike