Hello,
I installed stunnel on my 64-bit Windows 10 22H2 PC with the official Windows installer and use tstunnel.exe to create a TLS connection to an IMAP server with the following configuration file (the "debug=debug" line is added for debugging purposes).
----------------------------------------------------------------------
client=yes
verify=2
checkHost=imap.example.org
CApath=C:/Users/yasu/.certs
debug=debug
[13579]
accept=localhost:13579
connect=imap.example.org:143
protocol=imap
----------------------------------------------------------------------
With version 5.67, tstunnel.exe starts successfully, as follows.
----------------------------------------------------------------------
C:\Users\yasu>tstunnel C:\Users\yasu\Temp\tstunnel.conf
2023.02.19 04:29:11 LOG6[ui]: Initializing inetd mode configuration
2023.02.19 04:29:11 LOG7[ui]: Running on Windows 6.2
2023.02.19 04:29:11 LOG7[ui]: No limit detected for the number of clients
2023.02.19 04:29:11 LOG5[ui]: stunnel 5.67 on x64-pc-mingw32-gnu platform
2023.02.19 04:29:11 LOG5[ui]: Compiled/running with OpenSSL 3.0.7 1 Nov 2022
2023.02.19 04:29:11 LOG5[ui]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2023.02.19 04:29:11 LOG7[ui]: errno: (*_errno())
2023.02.19 04:29:11 LOG6[ui]: Initializing inetd mode configuration
2023.02.19 04:29:11 LOG7[ui]: Running on Windows 6.2
2023.02.19 04:29:11 LOG5[ui]: Reading configuration from file C:\Users\yasu\Temp\tstunnel.conf
2023.02.19 04:29:11 LOG5[ui]: UTF-8 byte order mark not detected
2023.02.19 04:29:11 LOG5[ui]: FIPS mode disabled
2023.02.19 04:29:11 LOG6[ui]: Compression disabled
2023.02.19 04:29:11 LOG7[ui]: No PRNG seeding was required
2023.02.19 04:29:11 LOG6[ui]: Initializing service [13579]
2023.02.19 04:29:11 LOG6[ui]: stunnel default security level set: 2
2023.02.19 04:29:11 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2023.02.19 04:29:11 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.02.19 04:29:11 LOG7[ui]: TLS options: 0x2100000 (+0x0, -0x0)
2023.02.19 04:29:11 LOG6[ui]: Session resumption enabled
2023.02.19 04:29:11 LOG7[ui]: No certificate or private key specified
2023.02.19 04:29:11 LOG6[ui]: DH initialization skipped: client section
2023.02.19 04:29:11 LOG7[ui]: ECDH initialization
2023.02.19 04:29:11 LOG7[ui]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2023.02.19 04:29:11 LOG5[ui]: Configuration successful
2023.02.19 04:29:11 LOG7[ui]: Deallocating deployed section defaults
2023.02.19 04:29:11 LOG7[ui]: Binding service [13579]
2023.02.19 04:29:11 LOG7[ui]: Listening file descriptor created (FD=524)
2023.02.19 04:29:11 LOG7[ui]: Setting accept socket options (FD=524)
2023.02.19 04:29:11 LOG7[ui]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2023.02.19 04:29:11 LOG6[ui]: Service [13579] (FD=524) bound to ::1:13579
2023.02.19 04:29:11 LOG7[ui]: Listening file descriptor created (FD=528)
2023.02.19 04:29:11 LOG7[ui]: Setting accept socket options (FD=528)
2023.02.19 04:29:11 LOG7[ui]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2023.02.19 04:29:11 LOG6[ui]: Service [13579] (FD=528) bound to 127.0.0.1:13579
2023.02.19 04:29:11 LOG7[cron]: Cron thread initialized
2023.02.19 04:29:11 LOG6[cron]: Executing cron jobs
2023.02.19 04:29:11 LOG6[cron]: Cron jobs completed in 0 seconds
2023.02.19 04:29:11 LOG7[cron]: Waiting 86400 seconds
----------------------------------------------------------------------
And if I try `telnet localhost 13579`, then I can successfully connect to the IMAP server.
But after updating from 5.67 to 5.68, it fails to start, as follows.
----------------------------------------------------------------------
C:\Users\yasu>tstunnel C:\Users\yasu\Temp\tstunnel.conf
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[ ] No limit detected for the number of clients
[.] stunnel 5.68 on x64-pc-mingw32-gnu platform
[.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_errno())
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[.] Reading configuration from file C:\Users\yasu\Temp\tstunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [13579]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x2100000 (+0x0, -0x0)
[ ] Session resumption enabled
[ ] No certificate or private key specified
[!] No trusted certificates found
[!] Service [13579]: Failed to initialize TLS context
[!] Configuration failed
[ ] Deallocating temporary section defaults
[ ] Deallocating section [13579]
----------------------------------------------------------------------
Why do these different results happen? Is it a bug in 5.68? Or is there any incompatible change between 5.67 and 5.68?
--- Yasuhiro Kimura
Hi Kimura-san,
On 20/02/2023 10:58, Yasuhiro Kimura wrote:
[!] No trusted certificates found
The latest release of stunnel started using an OpenSSL function that doesn't work on Windows.
We submitted a pull request to the OpenSSL project and published a beta installer that includes a patched OpenSSL.
Please give it a try: https://www.stunnel.org/downloads/beta/stunnel-5.69b1-win64-installer.exe
Our pull request: https://github.com/openssl/openssl/pull/20312
Best regards, Mike
From: Michał Trojnara via stunnel-users stunnel-users@stunnel.org
Subject: [stunnel-users] Re: tstunnel.exe fails to start after updating from 5.67 to 5.68
Date: Mon, 20 Feb 2023 18:00:52 +0100
Hi Kimura-san,
On 20/02/2023 10:58, Yasuhiro Kimura wrote:
[!] No trusted certificates found
The latest release of stunnel started using an OpenSSL function that doesn't work on Windows.
We submitted a pull request to the OpenSSL project and published a beta installer that includes a patched OpenSSL.
Please give it a try: https://www.stunnel.org/downloads/beta/stunnel-5.69b1-win64-installer.exe
Our pull request: https://github.com/openssl/openssl/pull/20312
Best regards, Mike
I tried 5.69b1 and confirmed that tstunnel.exe works fine.
Thanks for the quick fix!
--- Yasuhiro Kimura