From j.francisco.oliveira at gmail.com  Mon May  3 15:52:09 2010
From: j.francisco.oliveira at gmail.com (J F)
Date: Mon, 3 May 2010 10:52:09 -0300
Subject: [stunnel-users] zlib error in build for W32
Message-ID: <0C23B26A-9E9A-474B-A2FB-88EEA32229CF@gmail.com>

Hi,

I'm trying to build stunnel-4.33 from source for W32 on a machine with Debian lenny, following the guidelines provided in INSTALL.W32.

First I received complaints from the compiler about zlib.h not being found. Then I copied the zlib headers from /usr/include into the include directory under the openssl tree. Now openssl 1.0 compiles smoothly, but when I try to compile stunnel I receive the following error:

i586-mingw32msvc-gcc -s -o stunnel.exe file.obj client.obj log.obj options.obj protocol.obj network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj stunnel.obj gui.obj resources.obj -L/usr/src/openssl-1.0.0 -lzdll -lcrypto.dll -lssl.dll -lws2_32 -lgdi32 -mwindows
/usr/lib/gcc/i586-mingw32msvc/4.2.1-sjlj/../../../../i586-mingw32msvc/bin/ld: cannot find -lzdll
collect2: ld returned 1 exit status
make: *** [stunnel.exe] Error 1

Am I making some basic mistake?

JF

From Michal.Trojnara at mirt.net  Tue May  4 11:46:55 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Tue, 04 May 2010 11:46:55 +0200
Subject: [stunnel-users] zlib error in build for W32
In-Reply-To: <0C23B26A-9E9A-474B-A2FB-88EEA32229CF@gmail.com>
References: <0C23B26A-9E9A-474B-A2FB-88EEA32229CF@gmail.com>
Message-ID: <8bbe659cf856350cae8acf237f5c68fc@mirt.net>

JF wrote:
> I'm trying to build from source stunnel-4.33 for W32 in a machine with
> Debian lenny following the guidelines provided in INSTALL.W32.
I forgot to update INSTALL.W32 with the details required to build zlib:

| Download the recent zlib source from http://www.zlib.net/
| Update the PREFIX definition in the win32/Makefile.gcc file to:
|   PREFIX = i586-mingw32msvc-
| then build zlib with:
|   make -f win32/Makefile.gcc
| and install it in the mingw32 tree:
|   sudo BINARY_PATH=~/ \
|     INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
|     LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
|     make -f win32/Makefile.gcc install

Mike

From rene.plattner at uibk.ac.at  Wed May  5 10:27:16 2010
From: rene.plattner at uibk.ac.at (Rene Plattner)
Date: Wed, 05 May 2010 10:27:16 +0200
Subject: [stunnel-users] Safari SSL Problems
Message-ID: <4BE12BE4.3040203@uibk.ac.at>

Hi,

has anyone had problems with Safari? I have problems with Safari 3 + 4 on Windows with stunnel versions 4.27 + 4.33.

Every time I want to connect to an SSL-terminated (stunnel) web service, Safari asks for a client certificate, although I set the option verify to default (=none).

Kind regards,
René Plattner

--
--------------------------------------------------------------
Dipl.-Ing. René Plattner
Zentraler Informatikdienst (Central IT-Services)
Universität Innsbruck
Technikerstrasse 23          Tel: ++43512/507-2360
6020 Innsbruck               Fax: ++43512/507-2944
Austria                      E-Mail: rene.plattner at uibk.ac.at
Homepage: http://www.uibk.ac.at/zid
--------------------------------------------------------------
D92E 1AE3 A8AA 9A57 8E5B 9204 F5D0 95DB 4030 742D
http://homepage.uibk.ac.at/~c1021058/keys/0x4030742D.pub
--------------------------------------------------------------

From compkarori at gmail.com  Sat May  8 05:14:16 2010
From: compkarori at gmail.com (Graham Chiu)
Date: Sat, 8 May 2010 15:14:16 +1200
Subject: [stunnel-users] running as a windows service
Message-ID:

I downloaded and ran the windows binary 4.33.
When I use the stunnel.pem it runs fine as a service.

I created my own pem (using OpenSSL on OpenSolaris) and it won't run now as a service. I get a timeout message.
If I then uninstall it as a service and run it as an application, it works.

Ideas on getting it to run as a service with my pem?
The log says nothing of note.

--
Graham Chiu

From andrex at alumni.utexas.net  Mon May 10 15:29:13 2010
From: andrex at alumni.utexas.net (Andrew Schulman)
Date: Mon, 10 May 2010 09:29:13 -0400
Subject: [stunnel-users] running as a windows service
References:
Message-ID: <582gu5hjc88q8bcaos5fa0dufcb878afi9@4ax.com>

> I downloaded and ran the windows binary 4.33.
> When I use the stunnel.pem it runs fine as a service.
>
> I created my own pem ( using Openssl on OpenSolaris ) and it won't run
> now as a service. I get a timeout message.
>
> If I then uninstall it as a service, and run it as an application, it works.
>
> Ideas on getting to run as a service with my pem?
> The log says nothing of note.

Is SYSTEM the owner of your pem file? I don't know for sure with stunnel, but I've set up autossh as a system service in Cygwin, and for that to work SYSTEM has to be the owner of any ssh keys, or the service fails with obscure error messages.

Good luck,
Andrew.

From daren.krive at gmail.com  Tue May 11 04:39:34 2010
From: daren.krive at gmail.com (Daren Krive)
Date: Mon, 10 May 2010 22:39:34 -0400
Subject: [stunnel-users] Using stunnel to RDP into a SSL-enabled Windows box
Message-ID:

Hi everyone,

First of all I apologize if this has been asked before or if I am totally misunderstanding the purpose of stunnel altogether. If so please bear with my ignorance.

I am an IT consultant and I manage about 20+ Windows-based servers. Some of these servers are accessible via VPN while others are accessible directly via RDP over the Internet. For those that are exposed to the net I am using the SSL certificate feature of Remote Desktop by going into “Terminal Services Configuration” and configuring the connection to use an SSL (most of the time a self-signed cert).
I can connect to these machines no problem from Windows and I get a “lock” icon in my RDP client. However I cannot connect to these machines using rdesktop under Ubuntu. I have determined that if I turn off the requirement to use SSL on the server side (and instead allow the connection to use the built-in encryption of RDP) then I am able to connect with rdesktop.

I would very much like to avoid rebooting just to connect to these servers. I am also not willing to remove the requirement for the SSL connection.

Is there a way I can use stunnel on my Ubuntu box to first establish a secure SSL connection and then use rdesktop over that connection?

I have searched high and low for info on this and found nothing. I have found instructions on how to use the Windows version of stunnel to secure RDP but that isn’t what I am trying to do. The server is already using an SSL cert to encrypt the connection (not sure how many people know Windows 2003 and up can do this). I am looking to get around the apparent lack of SSL support in rdesktop.

Best regards,
Daren.

From gromovd at gmail.com  Tue May 11 08:59:16 2010
From: gromovd at gmail.com (Dmitry Gromov)
Date: Tue, 11 May 2010 02:59:16 -0400
Subject: [stunnel-users] Using stunnel to RDP into a SSL-enabled Windows box
In-Reply-To:
References:
Message-ID:

Hello.

On Mon, May 10, 2010 at 22:39, Daren Krive wrote:
> Hi everyone,
>
> First of all I apologize if this has been asked before or if I am totally
> misunderstanding the purpose of stunnel altogether.  If so please bear with
> my ignorance.
>
> I am an IT consultant and I manage about 20+ Windows-based servers.  Some of
> these servers are accessible via VPN while others are accessible directly
> via RDP over the Internet.
> For those that are exposed to the net I am using
> the SSL certificate feature of Remote Desktop by going into “Terminal
> Services Configuration” and configuring the connection to use an SSL (most
> of the time a self-signed cert).
>

Selecting SSL for the security layer is actually for authentication. Even though Microsoft states that encryption is better, if you read their article you will see that the same encryption strength can be configured without SSL (TLS) authentication.

> I can connect to these machines no problem from Windows and I get a “lock”
> icon in my RDP client.  However I cannot connect to these machines using
> rdesktop under Ubuntu.  I have determined that if I turn off the requirement
> to use SSL on the server side (and instead allow the connection to use the
> built-in encryption of RDP) then I am able to connect with rdesktop.
>

rdesktop did not support TLS authentication last time I checked. The developer mentioned on their mailing list that this feature is not used often, so no time is spent on implementing it.

> I would very much like to avoid rebooting just to connect to these servers.
> I am also not willing to remove the requirement for the SSL connection.
>
> Is there a way I can use stunnel on my Ubuntu box to first establish a
> secure SSL connection and then use rdesktop over that connection?
>
> I have searched high and low for info on this and found nothing.  I have
> found instructions on how to use the Windows version of stunnel to secure
> RDP but that isn’t what I am trying to do.  The server is already using an
> SSL cert to encrypt the connection (not sure how many people know Windows
> 2003 and up can do this).  I am looking to get around the apparent lack of
> SSL support in rdesktop.
>

I do not know if it is possible to use stunnel with RDP in this configuration - it seems like Microsoft is not using SSL but RC4 56 or 128 bit or FIPS-compliant encryption...
I'd suggest you set the Security layer to Negotiate - this way you will have the most flexible configuration.

> Best regards,
> Daren.
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>

--
DG
NJ

From Michal.Trojnara at mirt.net  Tue May 11 09:26:12 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Tue, 11 May 2010 09:26:12 +0200
Subject: [stunnel-users] Using stunnel to RDP into a SSL-enabled Windows box
In-Reply-To:
References:
Message-ID:

Guys,

Please find the M$ way to enable TLS for RDP:
http://technet.microsoft.com/en-us/library/cc782610%28WS.10%29.aspx

It could still be easier to use stunnel. 8-)

Mike

From daren.krive at gmail.com  Tue May 11 18:26:29 2010
From: daren.krive at gmail.com (Daren Krive)
Date: Tue, 11 May 2010 12:26:29 -0400
Subject: [stunnel-users] Using stunnel to RDP into a SSL-enabled Windows box
In-Reply-To:
References:
Message-ID:

Hi Michal,

I have already enabled TLS for RDP as suggested by the article you linked. That is in fact why I asked my question. With TLS enabled (as per that article) I am no longer able to connect via rdesktop under Ubuntu.

I am not trying to use stunnel on the Windows side to add SSL support to RDP (RDP already has SSL/TLS configured). I am wondering if stunnel on the Linux side might somehow be used in conjunction with rdesktop to allow rdesktop to connect to a Windows-based server configured with SSL.

Or am I misunderstanding the purpose of stunnel?

Best regards,
Daren

On Tue, May 11, 2010 at 3:26 AM, Michal Trojnara wrote:
>
> Guys,
>
> Please find the M$ way to enable TLS for RDP:
> http://technet.microsoft.com/en-us/library/cc782610%28WS.10%29.aspx
>
> It could still be easier to use stunnel.
> 8-)
>
> Mike

From maqingshan.bj at gmail.com  Wed May 12 07:02:25 2010
From: maqingshan.bj at gmail.com (马青山)
Date: Wed, 12 May 2010 13:02:25 +0800
Subject: [stunnel-users] stunnel Reading configuration ERR
Message-ID:

hi~
sorry my english is bad~~please go read it

first install: ./configure --prefix=/home/stunnelsmtp4.3;make;make install
but the directory is wrong
rm -rf =/home/stunnelsmtp4.3

second install: ./configure --prefix=/home/stunnelpop4.3;make;make install

but stunnel doesn't run:
/home/stunnelpop4.3/bin/stunnel
Reading configuration from file /home/stunnelsmtp4.3/etc/stunnel/stunnel.conf
/home/stunnelsmtp4.3/etc/stunnel/stunnel.conf: No such file or directory (2)
Cannot read configuration

Syntax:
stunnel [] ] -fd | -help | -version | -sockets
     - use specified config file
    -fd  - read the config file from a file descriptor
    -help  - get config file help
    -version  - display version and defaults
    -sockets  - display default socket options

HELP me!!
i can use "/home/stunnelpop4.3/bin/stunnel /home/stunnelpop4.3/etc/stunnel/stunnel.conf" to start it,
but i feel so bad ~~ I want to know why the default configuration is "home/stunnelsmtp4.3/etc/stunnel/stunnel.conf"?
From lholzheid at bihl-wiedemann.de  Wed May 12 18:53:28 2010
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Wed, 12 May 2010 18:53:28 +0200
Subject: [stunnel-users] stunnel Reading configuration ERR
In-Reply-To:
References:
Message-ID: <20100512165328.GC8754@svr5.bihl-wiedemann.de>

On Wed, 2010-05-12 13:02:25 +0800, 马青山 wrote:
> hi~
> sorry my english is bad~~please go read it
>
> first install :./configure --prefix=/home/stunnelsmtp4.3;make;make install
> but directory is error
> rm -rf =/home/stunnelsmtp4.3
>
> second install:./configure --prefix=/home/stunnelpop4.3;make;make install
>
> but stunnel don't run:
> /home/stunnelpop4.3/bin/stunnel
> Reading configuration from file /home/stunnelsmtp4.3/etc/stunnel/stunnel.conf
> /home/stunnelsmtp4.3/etc/stunnel/stunnel.conf: No such file or directory (2)
> Cannot read configuration

马青山,

The configure script caches some results (and maybe the prefix directory too) between runs. The safe way to change configure options is to do a 'make distclean' before running ./configure the second time. Maybe removing config.status would work too.

HTH,

Ludolf

--
---------------------------------------------------------------
Ludolf Holzheid                  Tel:    +49 621 339960
Bihl+Wiedemann GmbH              Fax:    +49 621 3392239
Floßwörthstraße 41               e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From bender.thomas at web.de  Wed May 19 14:30:14 2010
From: bender.thomas at web.de (KumpelJ)
Date: Wed, 19 May 2010 05:30:14 -0700 (PDT)
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
Message-ID: <28607531.post@talk.nabble.com>

Hello

I have browsed the archives but have not found the answer to this question...

I have stunnel set up to handle https connections. It sits on a Debian server alongside HAProxy and works fine with every browser except for Internet Explorer.
When I connect with Internet Explorer, I get a blank "Please choose a digital certificate" pop-up.

How do we turn off the request for the client certificate in IE?

Here are my details....thanks in advance.

#vi /etc/stunnel/stunnel.conf
verify=0
CAfile=/etc/ssl/certs/chain.pem
cert=/etc/ssl/certs/multidomain.pem
CApath=/etc/ssl/certs/

pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

client=no

[https]
accept=192.168.11.32:443
connect=localhost:444
TIMEOUTclose=0
xforwardedfor=yes

#usr/local/bin/stunnel -version
stunnel 4.32 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6

Global options
debug           = daemon.notice
pid             = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /usr/local/etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

--
View this message in context: http://old.nabble.com/%22choose-a-digital-certificate%22-pop-up-in-IE-tp28607531p28607531.html
Sent from the Stunnel - Users mailing list archive at Nabble.com.

From lb at mpexnet.de  Wed May 19 15:16:35 2010
From: lb at mpexnet.de (Lars Braeuer)
Date: Wed, 19 May 2010 15:16:35 +0200
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
In-Reply-To: <28607531.post@talk.nabble.com>
References: <28607531.post@talk.nabble.com>
Message-ID: <4BF3E4B3.7060405@mpexnet.de>

Hi Thomas,

try the following settings in the global section of your config:

sslVersion = all
options = NO_SSLv2

The default config seems to have just SSLv3 enabled. Some Internet Explorer versions only work if TLSv1 is enabled, at least as long as SSLv2 is disabled.
Best regards,

Lars Bräuer
--
MPeX.net GmbH / Werner-Voß-Damm 62 / D-12101 Berlin / Germany
MPeXnetworks / www.mpexnetworks.de
Tel: ++49-30-78097 180 / Fax: ++49-30-78097 181

Sitz, Registergericht: Berlin, Amtsgericht Charlottenburg, HRB 76688
Managing directors: Lars Bräuer, Gregor Lawatscheck, Dr. Robert Lawatscheck

On 19.05.2010 14:30, KumpelJ wrote:
>
> Hello
>
> I have browsed the archives but have not found the answer to this
> question...
>
> I have stunnel set up to handle https connections. It sits on a Debian
> server alongside HAProxy and works fine with every browser except for
> Internet Explorer.
>
> When I connect with Internet Explorer, I get a blank "Please choose a
> digital certificate" pop-up.
>
> How do we turn off the request for the client certificate in IE?
>
> Here are my details....thanks in advance.
>
> #vi /etc/stunnel/stunnel.conf
> verify=0
> CAfile=/etc/ssl/certs/chain.pem
> cert=/etc/ssl/certs/multidomain.pem
> CApath=/etc/ssl/certs/
>
> pid = /etc/stunnel/stunnel.pid
> debug = 3
> output = /etc/stunnel/stunnel.log
>
> socket=l:TCP_NODELAY=1
> socket=r:TCP_NODELAY=1
>
> client=no
>
> [https]
> accept=192.168.11.32:443
> connect=localhost:444
> TIMEOUTclose=0
> xforwardedfor=yes
>
> #usr/local/bin/stunnel -version
> stunnel 4.32 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
>
> Global options
> debug           = daemon.notice
> pid             = /usr/local/var/run/stunnel/stunnel.pid
> RNDbytes        = 64
> RNDfile         = /dev/urandom
> RNDoverwrite    = yes
>
> Service-level options
> cert            = /usr/local/etc/stunnel/stunnel.pem
> ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
> session         = 300 seconds
> stack           = 65536 bytes
> sslVersion      = SSLv3 for client, all for server
> TIMEOUTbusy     = 300 seconds
> TIMEOUTclose    = 60 seconds
> TIMEOUTconnect  = 10 seconds
> TIMEOUTidle     = 43200 seconds
> verify          = none
>

From bender.thomas at web.de  Wed May 19 15:56:14 2010
From: bender.thomas at web.de (KumpelJ)
Date: Wed, 19 May 2010 06:56:14 -0700 (PDT)
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
In-Reply-To: <4BF3E4B3.7060405@mpexnet.de>
References: <28607531.post@talk.nabble.com> <4BF3E4B3.7060405@mpexnet.de>
Message-ID: <28608649.post@talk.nabble.com>

Hello Lars,

thanks for your reply.

Unfortunately this is not working..:(

popup still says: http://img266.imageshack.us/img266/7016/ie1we9.gif
..so the problem seems to be that the server asks the client/browser to identify itself (but only with Internet Explorer 6?)...but I find no configuration to turn this off.

Lars Braeuer-2 wrote:
>
> Hi Thomas,
>
> try the following settings in the global section of your config:
>
> sslVersion = all
> options = NO_SSLv2
>
> The default config seems to have just SSLv3 enabled. Some Internet
> Explorer versions only work if
> TLSv1 is enabled, at least as long as SSLv2 is disabled.
>
> Best regards,
>
> Lars Bräuer

From lb at mpexnet.de  Wed May 19 16:03:25 2010
From: lb at mpexnet.de (Lars Braeuer)
Date: Wed, 19 May 2010 16:03:25 +0200
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
In-Reply-To: <28608649.post@talk.nabble.com>
References: <28607531.post@talk.nabble.com> <4BF3E4B3.7060405@mpexnet.de> <28608649.post@talk.nabble.com>
Message-ID: <4BF3EFAD.6080402@mpexnet.de>

Hello Thomas,

did you empty the cache of MSIE6 or did you restart the browser before trying again?
Another stupid question: Did you restart stunnel properly? Check if the pid is really different after the restart in order to make sure stunnel is not hanging around just pretending it did a restart.

Best regards,

Lars Bräuer

On 19.05.2010 15:56, KumpelJ wrote:
>
> Hello Lars,
>
> thansk for your reply.
>
> Unfortunately this is not working..:(
>
> popup still says: http://img266.imageshack.us/img266/7016/ie1we9.gif
> ..so the problem seems to be that the server asks the client/browser to
> identify himself (but only with Internet Explorer 6?)...but I find no
> configuration to turn this off.

From rene.plattner at uibk.ac.at  Wed May 19 17:13:24 2010
From: rene.plattner at uibk.ac.at (Rene Plattner)
Date: Wed, 19 May 2010 17:13:24 +0200
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
In-Reply-To: <4BF3E4B3.7060405@mpexnet.de>
References: <28607531.post@talk.nabble.com> <4BF3E4B3.7060405@mpexnet.de>
Message-ID: <4BF40014.3080407@uibk.ac.at>

Hi,

I have the same problem with the Safari browser under Windows!
kind regards,
Rene Plattner

On 19.05.2010 15:16, Lars Braeuer wrote:
> Hi Thomas,
>
> try the following settings in the global section of your config:
>
> sslVersion = all
> options = NO_SSLv2
>
> The default config seems to have just SSLv3 enabled. Some Internet Explorer versions only work if
> TLSv1 is enabled, at least as long as SSLv2 is disabled.
>
> Best regards,
>
> Lars Bräuer

From bender.thomas at web.de  Wed May 19 17:42:01 2010
From: bender.thomas at web.de (KumpelJ)
Date: Wed, 19 May 2010 08:42:01 -0700 (PDT)
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
In-Reply-To: <4BF3EFAD.6080402@mpexnet.de>
References: <28607531.post@talk.nabble.com> <4BF3E4B3.7060405@mpexnet.de> <28608649.post@talk.nabble.com> <4BF3EFAD.6080402@mpexnet.de>
Message-ID: <28610117.post@talk.nabble.com>

of course I've considered these points but it does not work :/

Lars Braeuer-2 wrote:
>
> Hello Thomas,
>
> did you empty the cache of MSIE6 or did you restart the browser before
> trying again?
>
> Another stupid question: Did you restart stunnel properly? Check if the
> pid is really different
> after the restart in order to make sure stunnel is not hanging around just
> pretending it did a restart.
>
> Best regards,
>
> Lars Bräuer
From bender.thomas at web.de  Thu May 20 16:13:20 2010
From: bender.thomas at web.de (KumpelJ)
Date: Thu, 20 May 2010 07:13:20 -0700 (PDT)
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
In-Reply-To: <28610117.post@talk.nabble.com>
References: <28607531.post@talk.nabble.com> <4BF3E4B3.7060405@mpexnet.de> <28608649.post@talk.nabble.com> <4BF3EFAD.6080402@mpexnet.de> <28610117.post@talk.nabble.com>
Message-ID: <28621762.post@talk.nabble.com>

the log says:

2010.05.20 14:05:47 LOG7[24166:1086048592]: SSL state (accept): SSLv3 flush data
2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 items in the session cache
2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects (SSL_connect())
2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects that finished
2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client renegotiations requested
2010.05.20 14:05:47 LOG7[24166:1086048592]: 3 server connects (SSL_accept())
2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 server connects that finished

why "server connects"? shouldn't it be "client connects", because stunnel is used for https?
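The certificate prompt in this thread and in the "Safari SSL Problems" post above comes from the server sending a TLS CertificateRequest, and in stunnel 4.x that is controlled by whether the `verify` option is present at all: `verify` is a level (0 = request and ignore the peer certificate, 1 = verify if present, 2 = verify, 3 = verify against a locally installed certificate), so the `verify=0` line in the posted stunnel.conf still makes stunnel ask the browser for a certificate, while the default shown as `verify = none` by `stunnel -version` sends no request. The following scanner, added here as an example (it is not stunnel code and not any poster's code), reads a stunnel.conf text and reports whether a given service will request a client certificate. Its parser is a simplification and an assumption on my part: `key = value` lines, `#`/`;` comments, and options before the first `[section]` inherited by every service. The sample configs are constructed; `POSTED_CONF` follows the configuration from the thread and `FIXED_CONF` is the same file with the `verify=0` line removed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp(): stunnel matches option names case-insensitively */
#include <ctype.h>

#define MAX_LINE 256   /* same limit as stunnel's STRLEN; longer lines are truncated */

/* Strip leading and trailing whitespace in place; returns the trimmed start. */
static char *trim(char *s)
{
    char *end;
    while (isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Return 1 if SERVICE will send a CertificateRequest (a "verify" option at
 * any level, 0 included, set globally or in its own section), 0 if it will
 * not, and -1 if CONF has no [SERVICE] section at all. */
int requests_client_cert(const char *conf, const char *service)
{
    int global_verify = 0, service_verify = 0;
    int in_global = 1, in_service = 0, seen_service = 0;
    const char *p = conf;

    while (*p != '\0') {
        char line[MAX_LINE];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char *s, *eq;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        s = trim(line);
        if (*s == '\0' || *s == '#' || *s == ';')
            continue;                       /* blank line or comment */
        if (*s == '[') {                    /* [service] header */
            char *close = strchr(s, ']');
            if (close)
                *close = '\0';
            in_global = 0;
            in_service = (strcmp(trim(s + 1), service) == 0);
            if (in_service)
                seen_service = 1;
            continue;
        }
        eq = strchr(s, '=');
        if (eq == NULL)
            continue;                       /* not an option line */
        *eq = '\0';
        if (strcasecmp(trim(s), "verify") == 0) {
            if (in_global)
                global_verify = 1;          /* inherited by every service */
            else if (in_service)
                service_verify = 1;
        }
    }
    if (!seen_service)
        return -1;
    return (global_verify || service_verify) ? 1 : 0;
}

/* Constructed sample configs (not the live files): POSTED_CONF follows the
 * thread's stunnel.conf, FIXED_CONF is the same with "verify=0" removed. */
const char *const POSTED_CONF =
    "verify=0\n"
    "CAfile=/etc/ssl/certs/chain.pem\n"
    "cert=/etc/ssl/certs/multidomain.pem\n"
    "CApath=/etc/ssl/certs/\n"
    "client=no\n"
    "\n"
    "[https]\n"
    "accept=192.168.11.32:443\n"
    "connect=localhost:444\n";

const char *const FIXED_CONF =
    "cert=/etc/ssl/certs/multidomain.pem\n"
    "client=no\n"
    "\n"
    "[https]\n"
    "accept=192.168.11.32:443\n"
    "connect=localhost:444\n";

int main(void)
{
    printf("posted config requests a client certificate: %d\n",
           requests_client_cert(POSTED_CONF, "https"));   /* 1 */
    printf("fixed config requests a client certificate:  %d\n",
           requests_client_cert(FIXED_CONF, "https"));    /* 0 */
    return 0;
}
```

To confirm what a running server actually does, `openssl s_client -connect host:443 -msg` prints each handshake message it receives; a `CertificateRequest` line there means the browser will be prompted regardless of what the configuration looks like, and the dialog is blank when the client has no certificate matching the CA names sent with the request. Dropping `verify` (rather than setting it to 0) is the change that removes the request; `sslVersion` and `options` only affect which protocol versions are offered.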
From Michal.Trojnara at mirt.net Sun May 23 15:44:38 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Sun, 23 May 2010 15:44:38 +0200
Subject: [stunnel-users] "choose a digital certificate" pop-up in IE
In-Reply-To: <28621762.post@talk.nabble.com>
References: <28607531.post@talk.nabble.com> <4BF3E4B3.7060405@mpexnet.de> <28608649.post@talk.nabble.com> <4BF3EFAD.6080402@mpexnet.de> <28610117.post@talk.nabble.com> <28621762.post@talk.nabble.com>
Message-ID: <4CFB4FDE-3C45-4CCA-B65D-4BF15ECE9362@mirt.net>

KumpelJ wrote:
> 2010.05.20 14:05:47 LOG7[24166:1086048592]: 3 server connects (SSL_accept())
> 2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 server connects that finished
>
> why "server connects"? shouldn't it be "client connects", because stunnel
> is used for https?

These are "server connects", i.e. connects performed to stunnel operating as an SSL server, and *not* "servers connected", i.e. stunnel connections performed to a remote server.

Best regards,
Mike

From strube at physik3.gwdg.de Tue May 25 17:19:14 2010
From: strube at physik3.gwdg.de (Hans Werner Strube)
Date: Tue, 25 May 2010 17:19:14 +0200 (MEST)
Subject: [stunnel-users] STRLEN in common.h may be too small
Message-ID: <201005251519.o4PFJExQ023811@nolde.physik3.gwdg.de>

In common.h of stunnel-4.x, the parameter STRLEN (used for many buffers) is set to 256. This is insufficient in some cases, e.g., the CAPABILITY response of an IMAP server or the pathname of a file may be too long, resulting in errors. If you encounter such cases (e.g., messages "Input line too long"), increase STRLEN, e.g., to 512.
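Hans Werner Strube's alternative env.c in the next message captures REMOTE_HOST and REMOTE_PORT in _init(), so that a program which scrubs its environment on start-up still gets the right peer from the preloaded getpeername(). The block below is an added, stand-alone example from the editor; it is neither stunnel's env.c nor the posted one. It keeps the two variable names and the capture-at-load idea (using a GCC/Clang constructor attribute instead of _init()), renames the override to fake_getpeername so that the example links against the real libc, and adds the two checks the posted code leaves out: a failed address parse (inet_addr()'s error value INADDR_NONE is indistinguishable from 255.255.255.255, so inet_pton() is used) and an out-of-range port. demo_survives_env_scrub() plays through the scenario with constructed values.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>      /* inet_pton(), inet_ntop(), htons(), ntohs() */
#include <netinet/in.h>     /* struct sockaddr_in, INET_ADDRSTRLEN */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>         /* getenv(), setenv(), unsetenv(), strtol() */
#include <string.h>
#include <sys/socket.h>     /* struct sockaddr, socklen_t */

/* Captured once at load time, so a later clearenv() in the wrapped program
 * cannot take the values away. Both are kept in network byte order. */
static struct in_addr rem_host;
static uint16_t rem_port;
static int rem_valid;

/* Parse a dotted-quad host and a decimal port. Returns 0 on success, -1 if
 * either is missing or malformed. inet_pton() is used instead of inet_addr()
 * because inet_addr() reports failure as INADDR_NONE, which is also the
 * legitimate address 255.255.255.255; a garbage REMOTE_HOST would otherwise
 * be handed to the program as a real peer. */
int env_capture_from(const char *host, const char *port)
{
    struct in_addr a;
    char *end;
    long p;

    rem_valid = 0;
    if (host == NULL || *host == '\0' || inet_pton(AF_INET, host, &a) != 1)
        return -1;
    if (port == NULL || *port == '\0')
        return -1;
    p = strtol(port, &end, 10);
    if (*end != '\0' || p < 1 || p > 65535)
        return -1;
    rem_host = a;
    rem_port = htons((uint16_t)p);
    rem_valid = 1;
    return 0;
}

/* REMOTE_HOST / REMOTE_PORT are the variable names used by the posted env.c. */
int env_capture(void)
{
    return env_capture_from(getenv("REMOTE_HOST"), getenv("REMOTE_PORT"));
}

/* Runs when the shared object is loaded, before the program's main(): the
 * same moment _init() runs in the posted code. GCC/Clang specific. */
__attribute__((constructor)) static void env_init(void)
{
    (void)env_capture();
}

/* The replacement getpeername(). In a real LD_PRELOAD library this would be
 * named getpeername and the libc declaration hidden with the #define trick
 * from the posted env.c; it is renamed here so the example links normally.
 * Returns -1, like the libc call, when there is no valid answer. */
int fake_getpeername(int s, struct sockaddr *name, socklen_t *len)
{
    struct sockaddr_in sin;

    (void)s;                                  /* the socket is never consulted */
    if (!rem_valid || name == NULL || len == NULL || *len < sizeof sin)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr = rem_host;
    sin.sin_port = rem_port;
    memcpy(name, &sin, sizeof sin);
    *len = sizeof sin;
    return 0;
}

/* The scenario from the post: capture, then the program scrubs its
 * environment, then it asks for the peer. Returns 1 if the captured peer is
 * still answered correctly, 0 otherwise. Address and port are constructed. */
int demo_survives_env_scrub(void)
{
    struct sockaddr_in out;
    socklen_t len = sizeof out;
    char text[INET_ADDRSTRLEN];

    setenv("REMOTE_HOST", "192.168.11.32", 1);
    setenv("REMOTE_PORT", "443", 1);
    if (env_capture() != 0)
        return 0;
    unsetenv("REMOTE_HOST");                  /* what an environment-cleaning program does */
    unsetenv("REMOTE_PORT");
    if (getenv("REMOTE_HOST") != NULL)        /* a plain getenv() would now fail */
        return 0;
    if (fake_getpeername(0, (struct sockaddr *)&out, &len) != 0)
        return 0;                             /* ...but the captured copy still answers */
    if (inet_ntop(AF_INET, &out.sin_addr, text, sizeof text) == NULL)
        return 0;
    return out.sin_family == AF_INET && ntohs(out.sin_port) == 443
        && strcmp(text, "192.168.11.32") == 0;
}

int main(void)
{
    printf("peer survives environment scrub: %s\n",
           demo_survives_env_scrub() ? "yes" : "no");
    return 0;
}
```

To use this shape in a preload library, compile with -shared -fPIC, rename fake_getpeername to getpeername behind the #define/#undef pair shown in the posted env.c, and keep the constructor: unlike _init(), it does not require bypassing crt1/crti with a raw ld link.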
From strube at physik3.gwdg.de Tue May 25 17:21:31 2010
From: strube at physik3.gwdg.de (Hans Werner Strube)
Date: Tue, 25 May 2010 17:21:31 +0200 (MEST)
Subject: [stunnel-users] Transparent mode, alternative env.c
Message-ID: <201005251521.o4PFLVtl023819@nolde.physik3.gwdg.de>

The method for passing the remote address and port to an exec'ed program through getenv() calls in the preloaded libstunnel.so fails for programs that clean the environment initially. This can be circumvented by placing getenv() in an _init() function and storing the results in static variables. Here is my alternative env.c (without the copyright and license), which I have been using for more than a year:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

/* getpeername() can't be declared in the following includes */
#define getpeername no_getpeername
/* header names below restored from the comments; the archive stripped the <...> */
#include <sys/types.h>
#include <sys/socket.h>           /* for AF_INET */
#include <netinet/in.h>           /* for struct sockaddr_in, htons() */
#include <arpa/inet.h>            /* for inet_addr() */
#include <stdlib.h>               /* for getenv(), atoi() */
#include <stdint.h>               /* for uint32_t, uint16_t */
#ifdef __BEOS__
#include <be/bone/bsd_mem.h>      /* for AF_INET */
#include <be/bone/sys/socket.h>   /* for AF_INET */
#else
#include <sys/socket.h>           /* for AF_INET */
#endif
#undef getpeername

static uint32_t rem_host=0;   /* network byte order, as returned by inet_addr() */
static uint16_t rem_port=0;   /* network byte order */

/* Requires shared-library linking by ld, not cc (except with gcc -nostdlib) */
void _init() {
    char *value;

    /* read the environment once, at load time, before the program can clear it */
    if((value=getenv("REMOTE_HOST")) && *value != '\0')
        rem_host = inet_addr(value);
    if((value=getenv("REMOTE_PORT")) && *value != '\0')
        rem_port = htons(atoi(value));
}

int getpeername(int s, struct sockaddr_in *name, int *len) {
    (void)s;    /* unused: the answer comes from the values captured in _init() */
    (void)len;
    name->sin_family = AF_INET;
    name->sin_addr.s_addr = rem_host;
    name->sin_port = rem_port;
    return 0;
}
/* End of env.c */

From M.Borst at hrz.tu-darmstadt.de Wed May 26 15:47:23 2010
From: M.Borst at hrz.tu-darmstadt.de (Markus Borst)
Date: Wed, 26 May 2010 15:47:23 +0200
Subject: [stunnel-users] stunnel 4.33 stops (crashes?) after undetermined running time
Message-ID: <4BFD266B.6090500@hrz.tu-darmstadt.de>

Hi,

I have a strange problem with current stunnel (4.33): It just crashes after some time.
The time is variable, I suspect it stops after a number of connections.

System:
- Windows Server 2003 SP2 (also happens on Windows Server 2008R2)
- stunnel runs as service
- stunnel is configured to run as ssl server for imap and pop3 with our certificate (including key-chain)

stunnel was running fine for years on the Windows Server 2003. After upgrade to stunnel 4.33, the stunnel service process first worked fine, then just stopped working after some time:
- The windows service "stunnel" was stopped
- the stunnel.log (standard debug level) showed no error or other entry at the time of the stop.
- The windows eventlog shows:
======
Event 7034, Service Control Manager
The stunnel service terminated unexpectedly. It has done this 1 time(s).
======
(I'm not 100% sure whether this event log message corresponds to the stunnel crash I described or to another crash.)

I have downgraded to version 4.32, the stunnel service now runs uninterrupted as before.

Since the time of crash varies somewhat, seemingly with the current load of the server, I suspect that stunnel crashes after a certain amount of ssl connections, but I'm not sure. This has happened on two different servers (Windows Server 2003 SP2 and Windows Server 2008 R2).

Is this a known problem? I'd love to do some further tests, but since this is a production system, I cannot test it in our normal environment. A program to generate random ssl connections would come in handy to further analyze the problem.

Greetings
Markus Borst

--
TU Darmstadt
Hochschulrechenzentrum (HRZ)
Markus Borst
Adresse: Petersentrasse 30, 64287 Darmstadt, Germany
Tel.: 06151/16-2056
Email: M.Borst at hrz.tu-darmstadt.de

From M.Borst at hrz.tu-darmstadt.de Thu May 27 18:25:12 2010
From: M.Borst at hrz.tu-darmstadt.de (Markus Borst)
Date: Thu, 27 May 2010 18:25:12 +0200
Subject: [stunnel-users] Default for TIMEOUTidle?
Message-ID: <4BFE9CE8.3050009@hrz.tu-darmstadt.de>

I want to modify TIMEOUTidle in our configuration.
To be sure to set it to sensible values, I need to know the default value, but I can't find it in the docs.

Greetings
Markus Borst

--
TU Darmstadt
Hochschulrechenzentrum (HRZ)
Markus Borst
Adresse: Petersentrasse 30, 64287 Darmstadt, Germany
Tel.: 06151/16-2056
Email: M.Borst at hrz.tu-darmstadt.de

From tristan_schmelcher at alumni.uwaterloo.ca Mon May 31 23:50:29 2010
From: tristan_schmelcher at alumni.uwaterloo.ca (Tristan Schmelcher)
Date: Mon, 31 May 2010 14:50:29 -0700
Subject: [stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs
Message-ID:

Hello,

Recently I started using stunnel in an embedded Linux product and I had need to add several features that I think other users would benefit from. I have attached them as separate patches against 4.33. I hereby release them into the public domain. Here is a description of each:

stunnel-4.33-handle-minimal-ssl-libs.patch:
Add support for building against a libssl/libcrypto that has had various non-essential features removed via the "no-" Configure options for openssl. This requires disabling non-essential Stunnel features at compile-time if they have dependencies on disabled libssl/libcrypto features. For memory-constrained embedded systems, this is a big win. With this patch I was able to cut the memory footprint of stunnel+openssl by about a third simply by disabling openssl features that I didn't need.

stunnel-4.33-separate-stderr-option.patch:
This splits the stderr logging effect of the "foreground" option into a separate option named "stderr", so that users have the freedom to enable foreground without stderr logging, or vice versa. For backwards compatibility though, specifying foreground = yes implies stderr = yes unless followed in the config by stderr = no.
This is useful on embedded Linux systems that lack an implementation of fork() (due to the processor not having an MMU), because on such systems every daemon has to be launched in a foreground mode and pre-daemonized with the simpler vfork() function, e.g. using "&" from a shell. In this mode, logging to stderr does not make sense, because in reality the process is still a daemon, so the logging clutters the terminal.

stunnel-4.33-dns-commonname-verify-support.patch:
I saved the best for last. ;) This adds a "verify_dns" option to check the CommonName in peer certificates against their DNS name when verifying, much as web browsers do. I have seen posts from users asking for this feature in the past, so I think its value is self-evident.

I'd also like to take this opportunity to say that I'm a long-time user of Stunnel on my personal Linux desktop machine and it is a really excellent piece of software. Thank you for making it free and open source.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.33-handle-minimal-ssl-libs.patch
Type: text/x-patch
Size: 6031 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.33-separate-stderr-option.patch
Type: text/x-patch
Size: 4746 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.33-dns-commonname-verify-support.patch
Type: text/x-patch
Size: 6009 bytes
Desc: not available
URL:
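The third patch above is described as checking the certificate CommonName against the DNS name "much as web browsers do"; the patch itself was scrubbed from the archive, so its code is not on this page. The function below is an added example from the editor, not the patch and not stunnel code, of the matching rules such a check has to implement to be safe: the CN is treated as a length-delimited byte string, so a CN with an embedded NUL (valid in DER, and the classic way to make "www.example.com\0.evil.com" look like "www.example.com" to C-string code) is rejected; comparison is case-insensitive; the only wildcard accepted is a leading "*." that matches exactly one host label and must be followed by at least two labels ("*.com" never matches); a '*' anywhere else is rejected. It assumes the CN arrives as raw bytes plus an explicit length, as an X.509 ASN1_STRING provides. Two caveats the patch description does not mention: when a certificate carries subjectAltName dNSName entries, browsers compare those and ignore the CN, so a complete check consults the SAN first; and the OpenSSL verify-callback plumbing is left out here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two byte ranges (DNS names are ASCII). */
static int ci_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Number of '.' characters in a byte range. */
static size_t count_dots(const char *s, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        if (s[i] == '.')
            n++;
    return n;
}

/* Does the CommonName (cn, cn_len bytes, NOT assumed NUL-terminated) identify
 * host? Returns 1 on match, 0 otherwise. cn_len must be the ASN.1 length of
 * the CN, never strlen() of a copy, or the embedded-NUL check is defeated. */
int cn_matches_host(const unsigned char *cn, size_t cn_len, const char *host)
{
    const char *name = (const char *)cn;
    const char *suffix;
    const char *dot;
    size_t slen, hlen;

    if (cn == NULL || host == NULL || cn_len == 0)
        return 0;
    hlen = strlen(host);
    if (hlen == 0 || memchr(cn, '\0', cn_len) != NULL)   /* embedded NUL: reject */
        return 0;

    if (name[0] == '*') {
        /* Only the form "*.label.tld" is accepted; the '*' stands for exactly
         * one leftmost host label and never spans a dot. */
        if (cn_len < 2 || name[1] != '.')
            return 0;
        suffix = name + 2;
        slen = cn_len - 2;
        if (slen == 0 || suffix[0] == '.' || count_dots(suffix, slen) < 1
            || memchr(suffix, '*', slen) != NULL)
            return 0;                       /* "*.com", "*..x", "*.*.com": reject */
        dot = memchr(host, '.', hlen);
        if (dot == NULL || dot == host)
            return 0;                       /* host needs a non-empty first label */
        return ci_equal(dot + 1, hlen - (size_t)(dot + 1 - host), suffix, slen);
    }
    if (memchr(cn, '*', cn_len) != NULL)    /* "w*.example.com" etc.: reject */
        return 0;
    return ci_equal(name, cn_len, host, hlen);
}

/* Convenience wrapper for CNs that are already trusted C strings (e.g. from
 * a config file). Do NOT feed it bytes taken out of a certificate: strlen()
 * stops at an embedded NUL and the check then passes exactly the name it
 * should reject. */
int cn_matches_host_str(const char *cn, const char *host)
{
    if (cn == NULL)
        return 0;
    return cn_matches_host((const unsigned char *)cn, strlen(cn), host);
}

int main(void)
{
    /* constructed inputs */
    printf("*.example.com  vs www.example.com   -> %d\n",
           cn_matches_host_str("*.example.com", "www.example.com"));
    printf("*.example.com  vs a.b.example.com   -> %d\n",
           cn_matches_host_str("*.example.com", "a.b.example.com"));
    printf("NUL-embedded CN (DER length 25)      -> %d\n",
           cn_matches_host((const unsigned char *)"www.example.com\0.evil.com",
                           25, "www.example.com"));
    return 0;
}
```

The last two tests in the harness below show the point of the length argument: the same 25-byte CN is rejected when its real length is passed and accepted when it goes through strlen().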