Hi,
We're using stunnel to provide a secure interface to an old server that doesn't support HTTPS natively. I'd like to implement some access control so that connections are only accepted from specific IP addresses. I am using v4.27 of stunnel, which I downloaded from HP's website, and am running it from inittab to ensure it is always running. Unfortunately I don't think it's compiled with libwrap. Should I see libwrap listed when I run ldd against the binary (see below for output)?
I think it's possible to run stunnel from inetd. Could I wrap it with tcpd there? Is the following inetd.conf entry correct?

stunnel stream tcp nowait root /usr/lbin/tcpd /opt/iexpress/stunnel/bin/stunnel stunnel
I think this would work, but I'm concerned that if stunnel were to crash or be killed there would be nothing restarting it if we ran it from inetd.

Any advice much appreciated.

Craig
-------------------------------------
# ./stunnel -version
stunnel 4.27 on ia64-hp-hpux11.23 with OpenSSL 0.9.7m 23 Feb 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6

Global options
debug = 5
pid = /opt/iexpress/stunnel/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /opt/iexpress/stunnel/etc/stunnel/stunnel.pem
ciphers = ALL:!aNULL:!eNULL+RC4:@STRENGTH
key = /opt/iexpress/stunnel/etc/stunnel/stunnel.pem
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

# ldd ./stunnel
    libdl.so.1 => /usr/lib/hpux32/libdl.so.1
    libnsl.so.1 => /usr/lib/hpux32/libnsl.so.1
    libpthread.so.1 => /usr/lib/hpux32/libpthread.so.1
    libunwind.so.1 => /usr/lib/hpux32/libunwind.so.1
    libc.so.1 => /usr/lib/hpux32/libc.so.1
    libxti.so.1 => /usr/lib/hpux32/libxti.so.1
    libuca.so.1 => /usr/lib/hpux32/libuca.so.1
    libdl.so.1 => /usr/lib/hpux32/libdl.so.1
Craig Watkinson wrote:
> # ./stunnel -version
> stunnel 4.27 on ia64-hp-hpux11.23 with OpenSSL 0.9.7m 23 Feb 2007
> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
It should look like this:
$ stunnel -version
stunnel 4.30 on i686-pc-linux-gnu with OpenSSL 1.0.0-beta3 15 Jul 2009
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
BTW: I don't think OpenSSL 0.9.7m is still supported. It might be a good idea to upgrade. 8-)
Mike
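The two questions in this thread (does this binary honour libwrap at all, and what would the tcpd rules in front of an inetd-spawned stunnel actually let through) can both be answered before touching the HP-UX box. The script below is an added example written for this page; it is not code from the thread's authors or from the stunnel project. It does two things: has_libwrap looks for the Auth:LIBWRAP feature token that the -version output above contains only when stunnel was linked against libwrap, and evaluate_policy runs a hosts.allow/hosts.deny pair through the same first-match logic tcpd uses, so a proposed policy can be checked offline. Assumptions, all labelled in the code: classic tcp_wrappers syntax (daemon_list : client_list [: ALLOW|DENY]), clients written as ALL, a single IPv4 address, or net/netmask, and that the daemon name tcpd matches against is "stunnel", the basename of the program it execs. The version strings and the hosts.allow/hosts.deny contents are constructed samples.

```shell
#!/bin/sh
# Added example (editor's), not from the stunnel project or the thread authors.
# Assumes classic tcp_wrappers syntax and that tcpd checks the daemon name
# "stunnel" (basename of the program it execs from inetd).

has_libwrap() {                      # $1: captured `stunnel -version 2>&1`
    case "$1" in
        *Auth:LIBWRAP*) return 0 ;;  # built with libwrap: stunnel reads hosts.allow itself
        *)              return 1 ;;  # no libwrap: only tcpd in front of it can filter
    esac
}

ip_to_int() {                        # dotted quad -> 32-bit integer
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

client_matches() {                   # $1: client pattern, $2: client address
    case "$1" in
        ALL) return 0 ;;
        */*) _m=$(ip_to_int "${1#*/}")   # net/netmask form
             [ $(( $(ip_to_int "$2") & _m )) -eq $(( $(ip_to_int "${1%/*}") & _m )) ] ;;
        *)   [ "$1" = "$2" ] ;;          # single address
    esac
}

daemon_matches() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

list_matches() {                     # $1: comma/space separated list, $2: item, $3: matcher
    for _p in $(printf '%s' "$1" | tr ',' ' '); do
        "$3" "$_p" "$2" && return 0
    done
    return 1
}

check_file() {                       # $1: daemon, $2: address, $3: default verdict; rules on stdin
    _d=$1; _a=$2; _def=$3
    while IFS= read -r _line; do
        case "$_line" in ''|'#'*) continue ;; esac
        _ifs=$IFS; IFS=:; set -- $_line; IFS=$_ifs     # split "daemons : clients [: option]"
        _opt=$(printf '%s' "${3:-}" | tr -d ' ')
        if list_matches "$1" "$_d" daemon_matches && list_matches "$2" "$_a" client_matches; then
            case "$_opt" in          # an explicit option overrides the file's default verdict
                DENY)  echo deny ;;
                ALLOW) echo allow ;;
                *)     echo "$_def" ;;
            esac
            return 0                 # first matching rule wins, as in tcpd
        fi
    done
    return 1
}

evaluate_policy() {                  # $1: hosts.allow text, $2: hosts.deny text, $3: daemon, $4: address
    _v=$(printf '%s\n' "$1" | check_file "$3" "$4" allow) && { echo "$_v"; return; }
    _v=$(printf '%s\n' "$2" | check_file "$3" "$4" deny)  && { echo "$_v"; return; }
    echo allow                       # tcpd's default when neither file matches
}

# Constructed samples in the shape of the two -version outputs quoted in the thread.
VERSION_HPUX='stunnel 4.27 on ia64-hp-hpux11.23 with OpenSSL 0.9.7m 23 Feb 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6'
VERSION_LINUX='stunnel 4.30 on i686-pc-linux-gnu with OpenSSL 1.0.0-beta3 15 Jul 2009
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP'

# Constructed policy: one management host and one LAN are permitted, one host
# inside that LAN is explicitly blacklisted, everything else is denied.
HOSTS_ALLOW='stunnel : 192.168.10.99 : DENY
stunnel : 10.1.2.3 192.168.10.0/255.255.255.0'
HOSTS_DENY='stunnel : ALL'

for v in "$VERSION_HPUX" "$VERSION_LINUX"; do
    if has_libwrap "$v"; then echo "libwrap: yes"; else echo "libwrap: no (filter with tcpd from inetd)"; fi
done
for a in 10.1.2.3 192.168.10.7 192.168.10.99 172.16.0.1; do
    echo "stunnel from $a: $(evaluate_policy "$HOSTS_ALLOW" "$HOSTS_DENY" stunnel "$a")"
done
```

Feed the real output to has_libwrap with something like has_libwrap "$(/opt/iexpress/stunnel/bin/stunnel -version 2>&1)" (stunnel prints its banner to stderr). On the restart worry: in inetd mode there is no long-running stunnel process to restart at all, because inetd stays listening and spawns one tcpd-then-stunnel pair per accepted connection, so only inetd itself needs to be kept alive; the inetd.conf argument after the binary path is what stunnel will open as its configuration file, so it should be the config file's path rather than the word "stunnel" (this is a reading of stunnel's usual command line, not something the thread confirms for the HP-UX build).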
Hi Michal,
Thanks for the response. Unfortunately upgrading is not an option for us at this time due to the additional testing that would be involved. It is in our plan for the next major release though. Do you have any thoughts on running stunnel from inetd instead?

Cheers
Craig
To: stunnel-users@mirt.net
Date: Fri, 19 Feb 2010 18:14:15 +0100
From: Michal.Trojnara@mirt.net
Subject: Re: [stunnel-users] Access control/TCP wrappers