tstunnel.exe fails to start after updating from 5.67 to 5.68 - stunnel-users

20 Feb 2023


      Hello,
I install stunnel to my 64bit Windows 10 22H2 PC with official Windows
installer and use tstunnel.exe to create TLS connection to IMAP server
with configuration file as following ("debug=debug" line is added for
debugging purpose).
----------------------------------------------------------------------
client=yes
verify=2
checkHost=imap.example.org
CApath=C:/Users/yasu/.certs
debug=debug
[13579]
accept=localhost:13579
connect=imap.example.org:143
protocol=imap
----------------------------------------------------------------------
With version 5.67, tstunnel.exe successfully starts as following.
----------------------------------------------------------------------
C:\Users\yasu>tstunnel C:\Users\yasu\Temp\tstunnel.conf
2023.02.19 04:29:11 LOG6[ui]: Initializing inetd mode configuration
2023.02.19 04:29:11 LOG7[ui]: Running on Windows 6.2
2023.02.19 04:29:11 LOG7[ui]: No limit detected for the number of clients
2023.02.19 04:29:11 LOG5[ui]: stunnel 5.67 on x64-pc-mingw32-gnu platform
2023.02.19 04:29:11 LOG5[ui]: Compiled/running with OpenSSL 3.0.7 1 Nov 2022
2023.02.19 04:29:11 LOG5[ui]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2023.02.19 04:29:11 LOG7[ui]: errno: (*_errno())
2023.02.19 04:29:11 LOG6[ui]: Initializing inetd mode configuration
2023.02.19 04:29:11 LOG7[ui]: Running on Windows 6.2
2023.02.19 04:29:11 LOG5[ui]: Reading configuration from file C:\Users\yasu\Temp\tstunnel.conf
2023.02.19 04:29:11 LOG5[ui]: UTF-8 byte order mark not detected
2023.02.19 04:29:11 LOG5[ui]: FIPS mode disabled
2023.02.19 04:29:11 LOG6[ui]: Compression disabled
2023.02.19 04:29:11 LOG7[ui]: No PRNG seeding was required
2023.02.19 04:29:11 LOG6[ui]: Initializing service [13579]
2023.02.19 04:29:11 LOG6[ui]: stunnel default security level set: 2
2023.02.19 04:29:11 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2023.02.19 04:29:11 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.02.19 04:29:11 LOG7[ui]: TLS options: 0x2100000 (+0x0, -0x0)
2023.02.19 04:29:11 LOG6[ui]: Session resumption enabled
2023.02.19 04:29:11 LOG7[ui]: No certificate or private key specified
2023.02.19 04:29:11 LOG6[ui]: DH initialization skipped: client section
2023.02.19 04:29:11 LOG7[ui]: ECDH initialization
2023.02.19 04:29:11 LOG7[ui]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2023.02.19 04:29:11 LOG5[ui]: Configuration successful
2023.02.19 04:29:11 LOG7[ui]: Deallocating deployed section defaults
2023.02.19 04:29:11 LOG7[ui]: Binding service [13579]
2023.02.19 04:29:11 LOG7[ui]: Listening file descriptor created (FD=524)
2023.02.19 04:29:11 LOG7[ui]: Setting accept socket options (FD=524)
2023.02.19 04:29:11 LOG7[ui]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2023.02.19 04:29:11 LOG6[ui]: Service [13579] (FD=524) bound to ::1:13579
2023.02.19 04:29:11 LOG7[ui]: Listening file descriptor created (FD=528)
2023.02.19 04:29:11 LOG7[ui]: Setting accept socket options (FD=528)
2023.02.19 04:29:11 LOG7[ui]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2023.02.19 04:29:11 LOG6[ui]: Service [13579] (FD=528) bound to 127.0.0.1:13579
2023.02.19 04:29:11 LOG7[cron]: Cron thread initialized
2023.02.19 04:29:11 LOG6[cron]: Executing cron jobs
2023.02.19 04:29:11 LOG6[cron]: Cron jobs completed in 0 seconds
2023.02.19 04:29:11 LOG7[cron]: Waiting 86400 seconds
----------------------------------------------------------------------
And if I try `telnet localhost 13579`, then I can successfully connect
to IMAP server.
But after updating from 5.67 to 5.68, it fails to start as following.
----------------------------------------------------------------------
C:\Users\yasu>tstunnel C:\Users\yasu\Temp\tstunnel.conf
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[ ] No limit detected for the number of clients
[.] stunnel 5.68 on x64-pc-mingw32-gnu platform
[.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_errno())
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[.] Reading configuration from file C:\Users\yasu\Temp\tstunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [13579]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x2100000 (+0x0, -0x0)
[ ] Session resumption enabled
[ ] No certificate or private key specified
[!] No trusted certificates found
[!] Service [13579]: Failed to initialize TLS context
[!] Configuration failed
[ ] Deallocating temporary section defaults
[ ] Deallocating section [13579]
----------------------------------------------------------------------
Why these different results happen? Is it bug of 5.68? Or it there any
incompatible change between 5.67 and 5.68?
---
Yasuhiro Kimura