Dear Users,
I have released version 4.50 of stunnel.
The ChangeLog entry:
Version 4.50, 2011.12.03, urgency: MEDIUM:
* New features
- Added Android port.
- Updated INSTALL.FIPS.
* Bugfixes
- Fixed internal memory allocation problem in inetd mode.
- Fixed FIPS mode on Microsoft Vista, Server 2008, and Windows 7. This fix required compiling the OpenSSL FIPS-compliant DLLs with MSVC 9.0 instead of MSVC 10.0. msvcr100.dll was replaced with msvcr90.dll. GPL compatibility issues are explained in the GPL FAQ: http://www.gnu.org/licenses/gpl-faq.html#WindowsRuntimeAndGPL
- POP3 server-side protocol negotiation updated to report STLS capability (thx to Anthony Morgan).
Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/
SHA-256 hash for stunnel-4.50.tar.gz: 933467009529bae4f338bb20e758e0ea20b0759130e7695ea2193c4f270e5eaf
Best regards, Mike
Hi,
Since version 4.49, I'm unable to start stunnel with compression = zlib. I'm on Windows 7 64-bit.
No limit detected for the number of clients
stunnel 4.50 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8r-fips 8 Feb 2011
Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6
Reading configuration from file stunnel.conf
FIPS mode enabled
Failed to initialize zlib compression method
Server is down
Ludovic LEVET.
On 03/12/2011 14:07, Michal Trojnara wrote:
Ludovic LEVET llevet@ludosoft.org wrote:
Since version 4.49, I'm unable to start stunnel with compression = zlib. I'm on Windows 7 64-bit.
Hi Ludovic,
You are right. With the new FIPS-compliant OpenSSL DLLs I stopped building them against the ZLIB library. Not because it is technically impossible or very hard to do, but because it adds some additional complexity and it is not very useful (at least compared to FIPS). Please prove me wrong, and I will update the DLLs.
Mike
Hi,
Personally, we use stunnel for remote connections to our office NNTP server, which is used as a repository for our developments and exchanges. Our database is very big, so we use compression to exchange data between us to save bandwidth.
I think that a lot of users take advantage of this feature (data compression) for protocols like http, nntp, imap ... based on highly compressible text. So I hope to see the compression feature come back one day.
Thanks for your work.
Ludovic.
On 03/12/2011 18:58, Michal Trojnara wrote:
Ludovic LEVET wrote:
Personally, we use stunnel for remote connections to our office NNTP server, which is used as a repository for our developments and exchanges. Our database is very big, so we use compression to exchange data between us to save bandwidth.
I think that a lot of users take advantage of this feature (data compression) for protocols like http, nntp, imap ... based on highly compressible text. So I hope to see the compression feature come back one day.
I'm convinced. I'll try to find a few hours next week to build Zlib and to update OpenSSL.
Mike
Hi Mike,
Thanks for your quick work!
So, I have good news and bad news.
First: the good news. It is working!
Second: the bad news. Even if I remove 'compression = zlib' from my conf file (on server and client), compression is enabled. I have seen that from the CPU used by my server for the stunnel process. With version 4.50 (on the client), transferring a 500MB file (at 3.5MB to my home), the server CPU is at 15% for the stunnel process. With version 4.51b (on the client), the same file at the same speed takes 85% of CPU for the stunnel process.
Now, to disable compression on my client with 4.51b, I renamed zlib1.dll to zlib1.dll.bak and restarted stunnel; after that, the same transfer takes 15% - 18% of CPU on my server for the stunnel process.
I think that OpenSSL enables compression by default if the remote OpenSSL server supports it.
My config:
client: Windows 7 64-bit with stunnel 4.50 or 4.51b
server: Fedora i386 with openssl-1.0.0b and stunnel 4.50 (compiled by me)
Thanks.
Ludovic.
On 07/12/2011 16:22, Michal Trojnara wrote:
I wrote:
I'm convinced. I'll try to find a few hours next week to build Zlib and to update OpenSSL.
Please try: ftp://ftp.stunnel.org/stunnel/beta/stunnel-4.51b1-installer.exe
Mike
Hi mike,
It seems that since OpenSSL version 0.9.8b, zlib compression is enabled by default. This is the cause of stunnel's CPU usage. Is it possible to force it disabled with 'compression = none' in a next version of stunnel?
reference: http://www.mail-archive.com/openssl-users@openssl.org/msg49919.html
Thanks.
Ludovic.
On 07/12/2011 23:51, Ludovic LEVET wrote:
Ludovic LEVET wrote:
It seems that since OpenSSL version 0.9.8b, zlib compression is enabled by default. This is the cause of stunnel's CPU usage. Is it possible to force it disabled with 'compression = none' in a next version of stunnel?
I did some research and the facts are:
1. Stunnel code for the "compression" option is obsolete since OpenSSL 0.9.8 (released 05 Jul 2005). The new implementation is compatible with: http://tools.ietf.org/html/rfc1951
2. Starting with OpenSSL 1.0.0 compression can be disabled with the "options = NO_COMPRESSION" service-level option.
3. In OpenSSL version >= 0.9.8 and < 1.0.0 there is currently no way to disable compression with an stunnel.conf option.
My conclusion: I will add a "compression = none" global option implemented as:
#ifndef OPENSSL_NO_COMP
    sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif
Mike
I wrote:
My conclusion: I will add a "compression = none" global option implemented as:
#ifndef OPENSSL_NO_COMP
    sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif
On second thought: it might be even better to switch compression off by default. The memory and CPU requirements of compression probably make it a bad choice for ~90% of users.
The available parameters will be:
- deflate - RFC 3749 https://www.ietf.org/rfc/rfc3749.txt
- zlib - OpenSSL 0.9.7 compatibility
- rle - OpenSSL 0.9.7 compatibility
The default will be to disable compression entirely.
What do you think?
Mike
Hi Mike,
Yes, it is better to disable it by default. But do you plan to return to OpenSSL 1.0.0x for the next release to control compression?
And why did you move from OpenSSL 1.0.0 to 0.9.8 between versions 4.48 and 4.49? (for FIPS, I suppose)
Thanks.
Ludovic.
On 09/12/2011 18:46, Michal Trojnara wrote:
Ludovic LEVET llevet@ludosoft.org wrote:
Hi Mike,
Yes, it is better to disable it by default. But do you plan to return to OpenSSL 1.0.0x for the next release to control compression?
And why did you move from OpenSSL 1.0.0 to 0.9.8 between versions 4.48 and 4.49? (for FIPS, I suppose)
Thanks.
Ludovic.
No. Yes.
Mike
So,
For your next version (> 4.51) with updated code for compression, I will replace OpenSSL 0.9.8 with OpenSSL 1.0.0e taken from package 4.47 (for Windows of course); then I will be able to control compression (but I lose FIPS, which is not very important for me). Is this possible? (I think so...)
Ludovic.
On 09/12/2011 19:31, Michal Trojnara wrote:
Ludovic LEVET wrote:
For your next version (> 4.51) with updated code for compression, I will replace OpenSSL 0.9.8 with OpenSSL 1.0.0e taken from package 4.47 (for Windows of course); then I will be able to control compression (but I lose FIPS, which is not very important for me). Is this possible? (I think so...)
1. This is not possible, as the OpenSSL 0.9.8 shared library (DLLs) is not binary-compatible with the OpenSSL 1.0.0 shared library.
2. This won't be needed, as compression control in stunnel 4.51 will also work with OpenSSL 0.9.8.
Mike
Ok,
So, I understand that the method sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); will work for OpenSSL 0.9.8 and 1.0.0.
So, on my server, I can compile version 4.51 on my Linux box, which has OpenSSL 1.0.0 by default, and it will work (for global connections); I just don't have the possibility to disable compression per connection (lack of SSL_CTX_set_options), but it is perfect for me.
Ludo.
On 10/12/2011 07:52, Michal Trojnara wrote:
Ludovic LEVET wrote:
It seems that since OpenSSL version 0.9.8b, zlib compression is enabled by default. This is the cause of stunnel's CPU usage. Is it possible to force it disabled with 'compression = none' in a next version of stunnel?
Please try: ftp://ftp.stunnel.org/stunnel/beta/stunnel-4.51b3-installer.exe
In this version compression is disabled by default.
To enable standard (RFC 1951) compression use the new stunnel.conf option:
compression = deflate
Mike
Hi Mike,
A quick question. I am trying to create an SSL connection using stunnel and the following configuration:
debug = 7
output = stunnel.log
;cert = FCAXV_HamfbaaStkhlm1.pem
key = FCAXV_HamfbaaStkhlm1_key.pem
[SSLHOST]
;Use it for client mode
client = yes
accept = 127.0.0.1:2525
connect = <server-ip>:10170
And I am getting the following log after starting stunnel. Does the following "Configuration successful" message in the log mean that I have established an SSL connection? I am wondering about this because I have not provided any password for the certificate's private key; in fact I do not know how to do that either. Can you please explain?
2011.12.12 16:10:01 LOG7[5984:8456]: No limit detected for the number of clients
2011.12.12 16:10:01 LOG7[5984:8456]: make_sockets: s_socket#1: FD=648 allocated (blocking mode)
2011.12.12 16:10:01 LOG7[5984:8456]: make_sockets: s_socket#2: FD=604 allocated (blocking mode)
2011.12.12 16:10:01 LOG7[5984:8456]: make_sockets: s_accept: FD=472 allocated (non-blocking mode)
2011.12.12 16:10:01 LOG5[5984:8456]: stunnel 4.47 on x86-pc-mingw32-gnu platform
2011.12.12 16:10:01 LOG5[5984:8456]: Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
2011.12.12 16:10:01 LOG5[5984:8456]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT,IPv6
2011.12.12 16:10:01 LOG5[5984:8456]: Reading configuration from file stunnel.conf
2011.12.12 16:10:01 LOG7[5984:8456]: Snagged 64 random bytes from C:/.rnd
2011.12.12 16:10:02 LOG7[5984:8456]: Wrote 1024 new random bytes to C:/.rnd
2011.12.12 16:10:02 LOG7[5984:8456]: PRNG seeded successfully
2011.12.12 16:10:02 LOG6[5984:8456]: Initializing SSL context for service SSLHOST
2011.12.12 16:10:02 LOG7[5984:8456]: SSL options set: 0x01180004
2011.12.12 16:10:02 LOG6[5984:8456]: SSL context initialized
2011.12.12 16:10:02 LOG5[5984:8456]: Configuration successful
2011.12.12 16:10:02 LOG7[5984:8456]: accept socket: FD=648 allocated (non-blocking mode)
2011.12.12 16:10:02 LOG7[5984:8456]: Option SO_REUSEADDR set on accept socket
2011.12.12 16:10:02 LOG7[5984:8456]: Service SSLHOST bound to 127.0.0.1:2525
2011.12.12 16:10:02 LOG7[5984:8456]: Service SSLHOST opened FD=648
Thank you.
Regards, Hamid Shahid.
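An added check, not code from this thread or from stunnel itself: Mike notes above that with OpenSSL 1.0.0 compression is governed by the NO_COMPRESSION option bit, and stunnel's debug-level log prints the option word ("SSL options set: 0x01180004"). The script below parses stunnel log lines, decodes that word against SSL_OP_* bit values taken from OpenSSL 1.0.0's ssl.h (assumed to match the OpenSSL 1.0.0e build in the log; other OpenSSL releases number these bits differently), and reports whether compression is disabled and whether zlib initialisation failed; the sample lines are copied from the log above.

```python
import re

# SSL_OP_* bit values as defined in OpenSSL 1.0.0's ssl.h (the release the
# log above was produced with); assumed valid only for the 1.0.x series.
SSL_OP_NO_COMPRESSION = 0x00020000
SSL_OPTIONS_1_0_0 = {
    0x00000004: "LEGACY_SERVER_CONNECT",
    0x00004000: "NO_TICKET",
    SSL_OP_NO_COMPRESSION: "NO_COMPRESSION",
    0x00080000: "SINGLE_ECDH_USE",
    0x00100000: "SINGLE_DH_USE",
    0x00400000: "CIPHER_SERVER_PREFERENCE",
    0x01000000: "NO_SSLv2",
    0x02000000: "NO_SSLv3",
    0x04000000: "NO_TLSv1",
}

# stunnel log line format: "YYYY.MM.DD HH:MM:SS LOG<level>[pid:tid]: message"
LOG_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
OPTIONS_RE = re.compile(r"SSL options set: 0x([0-9a-fA-F]+)")


def decode_options(value):
    """Return the sorted names of the known SSL_OP_* bits set in `value`."""
    return sorted(name for bit, name in SSL_OPTIONS_1_0_0.items() if value & bit)


def audit_log(lines):
    """Scan one stunnel start-up log and report what it says about compression."""
    findings = {"options": None, "flags": [],
                "compression_disabled": False, "zlib_init_failed": False}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a stunnel log line; ignore
        message = m.group(5)
        o = OPTIONS_RE.search(message)
        if o:
            value = int(o.group(1), 16)
            findings["options"] = value
            findings["flags"] = decode_options(value)
            findings["compression_disabled"] = bool(value & SSL_OP_NO_COMPRESSION)
        if "Failed to initialize zlib compression method" in message:
            findings["zlib_init_failed"] = True
    return findings


# Sample input copied from the stunnel 4.47 log quoted above.
SAMPLE_LOG = """\
2011.12.12 16:10:02 LOG6[5984:8456]: Initializing SSL context for service SSLHOST
2011.12.12 16:10:02 LOG7[5984:8456]: SSL options set: 0x01180004
2011.12.12 16:10:02 LOG6[5984:8456]: SSL context initialized
2011.12.12 16:10:02 LOG5[5984:8456]: Configuration successful""".splitlines()

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```

For the log above the decoder reports NO_SSLv2, SINGLE_DH_USE, SINGLE_ECDH_USE and LEGACY_SERVER_CONNECT, with NO_COMPRESSION clear, which matches Mike's point that stunnel 4.47 left compression to OpenSSL's default.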
Perfect, it works without problem on my Windows 7 64-bit.
I will test it on my Linux client with OpenSSL 1.0.0 when you publish the new release tar.gz.
Thanks for your work!
Ludovic.
On 12/12/2011 16:00, Michal Trojnara wrote:
Wow - android binary! What does that mean? I ask that because my droid-foo is fairly low. I know just slapping an android Linux binary on a SDcard isn't quite all it takes ;-)