[stunnel-users] Problem using stunnel on Windows 7
Uffe Vedenbrant
sqm at mynta.org
Sat Nov 17 12:01:20 CET 2012
A small tip..
Use netstat to see if stunnel actually listens on the port that you have
set up. You can also see if you have a working TCP connection between
the machines, i.e. an established stunnel session.
You will then see both a line with the LISTEN flag and a line with the
ESTABLISHED flag.
On Windows you can also use the flag "-B" to see which process (in most
cases) is using a port. This requires admin rights
(right-click CMD and select "Run as administrator").
Example
CMD> netstat -B -an
You will see a list of UDP/TCP listening ports as well as established
sessions etc. Look for the ports here..
C:\>netstat -B -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  Can not obtain ownership information
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  Can not obtain ownership information
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  Can not obtain ownership information
  TCP    0.0.0.0:8800           0.0.0.0:0              LISTENING
  Can not obtain ownership information
  TCP    0.0.0.0:17500          0.0.0.0:0              LISTENING
  [Dropbox.exe]
On 2012-11-17 11:13, Hal Hovland wrote:
> Hi Brian, thanks for taking a look. The client .conf uses 7999 and 8001. On
> the accept side I've tried 7999 and 192.168.1.158:7999 and 0.0.0.0:7999.
>
> I should also say I tried all this with Ncat (same result) and that the
> machines have the latest .NET Framework installed, viz., 4.5 - could that be
> the problem?
>
> Regards, Hal
>
> From: Brian Wilkins [mailto:bwilkins at gmail.com]
> Sent: 16 November 2012 23:25
> To: Hal Hovland
> Cc: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] Problem using stunnel on Windows 7
>
> I didn't see a port setting in the client's stunnel.conf
>
> On Nov 16, 2012 6:18 PM, "Hal Hovland" <hhovland at btconnect.com> wrote:
>
> I've spent days googling this and read everything relevant in the archives.
>
> I'm developing a Windows 7 program that connects to a financial trading
> exchange that expects all communication to be SSL'd. Everything I read said
> that stunnel is the answer because of ease of installation and use. After a
> day of abortive attempts to link to the exchange, I decided to create a much
> simpler test environment involving two Windows 7 computers next to each
> other here.
>
> One, let's call it Riven-II (192.168.1.9), is set up with a simple Listener
> program that listens on port 8000. From stunnel's viewpoint this will be a
> server. The second machine, Lightning (192.168.1.158), has a simple Sender
> program that sends a text message via port 7999 to Riven-II
> (192.168.1.9:8000) - this will be the Client. In the absence of stunnel, all
> messages sent from Lightning/Sender appear on the window of Listener. So
> far so good.
>
> I've downloaded and installed the very latest version (4.54) of stunnel on
> both machines. On installation I entered the same responses to the
> certificate generating process.
>
> On the Server machine, hard wired to a Broadband Router, I configured
> stunnel.conf as (removing comments for simplicity)
>
> debug = 7
> output = stunnel.log
>
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> cert = stunnel.pem
> key = stunnel.pem
>
> options = NO_SSLv2
>
> taskbar=yes
>
> [Listener]
> connect=8000
> accept=8001
>
> On the Client machine, connected to the router via wi-fi, we have in
> stunnel.conf
>
> debug = 7
> output = stunnel.log
>
> cert = stunnel.pem
>
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> fips=no
>
> options = NO_SSLv2
>
> delay=yes
> taskbar=yes
>
> client=yes
>
> [sender]
> accept = 0.0.0.0:7999 (I've tried just 7999 and 192.168.1.158:7999,
> here. Makes no difference)
> connect = 192.168.1.9:8001
>
> I've tried many variations with the same result, but the above is where they
> have ended up.
>
> My understanding of this is that stunnel both ends will be intercepting port
> 8000 on the Server and port 7999 on the Client and presenting/receiving SSL
> encoded messages across the wire on port 8001.
>
> Starting stunnel in the Server (not as a Windows service, although I did
> try that as well) the following log appears:
>
> 2012.11.16 22:34:08 LOG7[3484:6184]: No limit detected for the number of clients
> 2012.11.16 22:34:08 LOG5[3484:6184]: stunnel 4.54 on x86-pc-msvc-1500 platform
> 2012.11.16 22:34:08 LOG5[3484:6184]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
> 2012.11.16 22:34:08 LOG5[3484:6184]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
> 2012.11.16 22:34:08 LOG5[3484:6184]: Reading configuration from file stunnel.conf
> 2012.11.16 22:34:08 LOG5[3484:6184]: FIPS mode is enabled
> 2012.11.16 22:34:08 LOG7[3484:6184]: Compression not enabled
> 2012.11.16 22:34:08 LOG7[3484:6184]: Snagged 64 random bytes from C:/.rnd
> 2012.11.16 22:34:08 LOG7[3484:6184]: Wrote 1024 new random bytes to C:/.rnd
> 2012.11.16 22:34:08 LOG7[3484:6184]: PRNG seeded successfully
> 2012.11.16 22:34:08 LOG6[3484:6184]: Initializing service [Listener]
> 2012.11.16 22:34:08 LOG7[3484:6184]: Certificate: stunnel.pem
> 2012.11.16 22:34:08 LOG7[3484:6184]: Certificate loaded
> 2012.11.16 22:34:08 LOG7[3484:6184]: Key file: stunnel.pem
> 2012.11.16 22:34:08 LOG7[3484:6184]: Private key loaded
> 2012.11.16 22:34:08 LOG7[3484:6184]: Could not load DH parameters from stunnel.pem
> 2012.11.16 22:34:08 LOG7[3484:6184]: Using hardcoded DH parameters
> 2012.11.16 22:34:08 LOG7[3484:6184]: DH initialized with 2048-bit key
> 2012.11.16 22:34:08 LOG7[3484:6184]: ECDH initialized with curve prime256v1
> 2012.11.16 22:34:08 LOG7[3484:6184]: SSL options set: 0x01000004
> 2012.11.16 22:34:08 LOG5[3484:6184]: Configuration successful
> 2012.11.16 22:34:08 LOG7[3484:6184]: Service [Listener] (FD=272) bound to 0.0.0.0:8001
>
> On the Client, the log shows:
>
> 2012.11.16 22:25:53 LOG7[4184:4948]: No limit detected for the number of clients
> 2012.11.16 22:25:53 LOG5[4184:4948]: stunnel 4.54 on x86-pc-msvc-1500 platform
> 2012.11.16 22:25:53 LOG5[4184:4948]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
> 2012.11.16 22:25:53 LOG5[4184:4948]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
> 2012.11.16 22:25:53 LOG5[4184:4948]: Reading configuration from file stunnel.conf
> 2012.11.16 22:25:53 LOG5[4184:4948]: FIPS mode is disabled
> 2012.11.16 22:25:53 LOG7[4184:4948]: Compression not enabled
> 2012.11.16 22:25:53 LOG7[4184:4948]: Snagged 64 random bytes from C:/.rnd
> 2012.11.16 22:25:53 LOG7[4184:4948]: Wrote 1024 new random bytes to C:/.rnd
> 2012.11.16 22:25:53 LOG7[4184:4948]: PRNG seeded successfully
> 2012.11.16 22:25:53 LOG6[4184:4948]: Initializing service [sender]
> 2012.11.16 22:25:53 LOG7[4184:4948]: Certificate: stunnel.pem
> 2012.11.16 22:25:53 LOG7[4184:4948]: Certificate loaded
> 2012.11.16 22:25:53 LOG7[4184:4948]: Key file: stunnel.pem
> 2012.11.16 22:25:53 LOG7[4184:4948]: Private key loaded
> 2012.11.16 22:25:53 LOG7[4184:4948]: SSL options set: 0x01000004
> 2012.11.16 22:25:53 LOG5[4184:4948]: Configuration successful
> 2012.11.16 22:25:53 LOG7[4184:4948]: Service [sender] (FD=224) bound to 0.0.0.0:7999
>
> Running the Listener on the Server and Sender on the Client adds nothing to
> the log, and port sniffers on both machines show traffic between 7999 and
> 8000 (exactly the same as when stunnel is not running). No sign of the use
> of port 8001.
>
> I'd appreciate any input on this. I'm sure I must be doing something stupid,
> but I've watched hours of YouTube videos, read many hundreds of web pages,
> and been through the documentation quite a few times, to no avail.
>
> I have a Java based version, running in a JVM in the same Windows machines,
> that talks perfectly to the exchange using some inbuilt SSL capabilities of
> an included library, so that should probably eliminate any hardware/router
> issues?
>
> Regards, Hal
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
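The two checks this thread turns on, written out as an added example that is not part of the thread, of stunnel, or of any poster's code: first, from a client and a server stunnel.conf, derive which port the plain-text application has to talk to, which port crosses the wire, and whether the server side actually has a service accepting that port; second, parse `netstat -an` output (the tip at the top of this message) to confirm the expected ports are LISTENING and that a tunnel session is ESTABLISHED. The configuration text and the netstat lines are constructed for this example from the values in the thread (Riven-II 192.168.1.9 as server, Lightning 192.168.1.158 as client); the ephemeral ports 49731/49732 and the file name `server.pem` are assumptions. The `verify = 2` / `CAfile` lines are added here as well, because neither posted configuration makes the client check the server's certificate, so as posted the client would accept any certificate presented on port 8001.

```python
"""Sanity-check the wiring of a stunnel client/server pair (added example,
not from the thread or from stunnel; all inputs below are constructed)."""
import re

# Constructed server-side stunnel.conf for Riven-II (192.168.1.9):
# TLS arrives on 8001, plain text goes to the local Listener program on 8000.
SERVER_CONF = """
cert = stunnel.pem
key = stunnel.pem
options = NO_SSLv2
[Listener]
accept = 0.0.0.0:8001
connect = 127.0.0.1:8000
"""

# Constructed client-side stunnel.conf for Lightning (192.168.1.158).
# The plain-text Sender must connect to 127.0.0.1:7999, not to 192.168.1.9:8000.
# verify/CAfile are added here (assumed server.pem holds the server certificate).
CLIENT_CONF = """
client = yes
cert = stunnel.pem
verify = 2
CAfile = server.pem
[sender]
accept = 127.0.0.1:7999
connect = 192.168.1.9:8001
"""

# Constructed `netstat -an` output on the server while one tunnel is up.
SERVER_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8001           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING
  TCP    192.168.1.9:8001       192.168.1.158:49731    ESTABLISHED
  TCP    127.0.0.1:8000         127.0.0.1:49732        ESTABLISHED
  TCP    127.0.0.1:49732        127.0.0.1:8000         ESTABLISHED
  UDP    0.0.0.0:5355           *:*
"""


def parse_stunnel_conf(text):
    """Minimal stunnel.conf parser: {"global": {...}, "<service>": {...}}.
    Options before the first [section] are global; ';' starts a comment."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key] = value
    return conf


def split_endpoint(value, default_host):
    """'8001' -> (default_host, 8001); '192.168.1.9:8001' -> ('192.168.1.9', 8001)."""
    host, _, port = value.rpartition(":")
    return (host or default_host), int(port)


def tunnel_plan(client_conf_text, server_conf_text):
    """For each client service: where the plain-text app must connect, what
    crosses the wire, and which server service (if any) accepts that port."""
    client = parse_stunnel_conf(client_conf_text)
    server = parse_stunnel_conf(server_conf_text)
    server_accepts = {  # stunnel binds every interface when accept has no host
        split_endpoint(opts["accept"], "0.0.0.0")[1]: name
        for name, opts in server.items() if name != "global" and "accept" in opts
    }
    plan = []
    for name, opts in client.items():
        if name == "global" or "accept" not in opts:
            continue
        app_host, app_port = split_endpoint(opts["accept"], "127.0.0.1")
        if app_host in ("0.0.0.0", "::", "[::]"):  # wildcard bind: app uses loopback
            app_host = "127.0.0.1"
        tls_host, tls_port = split_endpoint(opts["connect"], "127.0.0.1")
        plan.append({
            "service": name,
            "app_target": (app_host, app_port),              # Sender connects here
            "tls_target": (tls_host, tls_port),              # what a sniffer should see
            "server_service": server_accepts.get(tls_port),  # None: nothing accepts it
        })
    return plan


NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)")


def check_port(netstat_text, port):
    """Summarise `netstat -an` for one local TCP port: is anything LISTENING
    on it, and which peers currently have an ESTABLISHED session to it?"""
    result = {"listening": False, "established": []}
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP.match(line)
        if not m:
            continue
        local, foreign, state = m.groups()
        if split_endpoint(local, "")[1] != port:
            continue
        if state == "LISTENING":
            result["listening"] = True
        elif state == "ESTABLISHED":
            result["established"].append(foreign)
    return result


if __name__ == "__main__":
    for hop in tunnel_plan(CLIENT_CONF, SERVER_CONF):
        print(hop)
    for port in (8001, 8000):
        print(port, check_port(SERVER_NETSTAT, port))
```

Run against the thread's own setup, `tunnel_plan` shows the point the sniffer traces were making: a Sender that opens 192.168.1.9:8000 directly never touches the client's stunnel on 7999, so nothing ever reaches 8001; with the client accept bound to loopback and the Sender pointed at 127.0.0.1:7999, `check_port` on the server should then show 8001 both LISTENING and ESTABLISHED from the client's address.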