From Michal.Trojnara at stunnel.org Tue May 3 19:31:12 2016
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Tue, 3 May 2016 19:31:12 +0200
Subject: [stunnel-users] Stunnel & Gmail security
Message-ID: <5728E060.7090208@stunnel.org>

On 28.04.2016 16:27, BOXI31 TEST wrote:
> To make "Stunnel 5.31" work with Gmail, I have to go in security
> settings of Gmail and "allow less secure apps to access my account".
>
> Is it mandatory ?

As far as I understand:
https://support.google.com/accounts/answer/6010255?hl=en
this confusing error message is Google's FUD to discourage using third
party email clients that employ password authentication over TLS.
I don't think it has anything to do with the negotiated TLS ciphersuite.
It is hard to be sure, because Google's error description contains no
technical details.

Best regards,
Mike

From Michal.Trojnara at stunnel.org Tue May 3 20:43:39 2016
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Tue, 3 May 2016 20:43:39 +0200
Subject: [stunnel-users] stunnel 5.32 released
Message-ID: <5728F15B.8070406@stunnel.org>

Dear Users,

I have released version 5.32 of stunnel.

The ChangeLog entry:

Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.2h.
    https://www.openssl.org/news/secadv_20160503.txt
* New features
  - New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
  - Memory leak detection.
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  - Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
* Bugfixes
  - Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
  - Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
0ee64774d7a720f3ffd129b08557ee0882704c7f65b859c40e315a175b68a6fd  stunnel-5.32.tar.gz
6e79f3e6f811f4efdbac65c2ce475db93aa4033e71e93a8bbc5c5a08036f932a  stunnel-5.32-installer.exe
bdb15e548c7985b01cadb21939d71f450aa044dcd955b97648821298ac1eeea1  stunnel-5.32-android.zip

Best regards,
Mike

From dodfr at yahoo.com Wed May 4 17:27:54 2016
From: dodfr at yahoo.com (Dod)
Date: Wed, 4 May 2016 17:27:54 +0200
Subject: [stunnel-users] how to pass servername openssl parameter
Message-ID: <107262957.20160504172754@yahoo.com>

Hello,

Little question: I use openssl s_client mode to call an HTTPS service with a private PKI (so a private CAfile, cert and also key), but I also need to use the "servername" parameter. stunnel seems not to support it, or maybe it has another syntax?

Regards.

From francois.pires at dalenys.com Fri May 6 11:16:39 2016
From: francois.pires at dalenys.com (Francois Pires)
Date: Fri, 6 May 2016 11:16:39 +0200
Subject: [stunnel-users] SSLv3 not working with version 5.06
Message-ID: <572C60F7.905@dalenys.com>

Hi all,

We need to use SSLv3, but with the Debian Jessie package (version 5.06) it is not working.

I have added "options = -NO_SSLv3", still the same.

Can you check if my configuration is good, and if you have any idea how to get SSLv3 working with this version?
# stunnel.conf

syslog = no

cert = /etc/ssl/certs/test.crt.pem
key = /etc/ssl/private/test.key.pem
CAfile = /etc/ssl/certs/test.ca-bundle

# Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = -NO_SSLv3
ciphers = AES256-SHA
#ciphers = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL

# Some debugging stuff useful for troubleshooting
debug = 7
output = /stunnel.log

# Debian and Ubuntu chroot config
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

# Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

[test]
accept = 11443
connect = 127.0.0.1:11444

# stunnel log with openssl test
SSL_accept: 14076102: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol

openssl s_client -connect 127.0.0.1:11443 -ssl3
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1462525363
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

--
Best regards,

François PIRES
SysAdmin
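The error in Francois's log above, decoded, as an added example that is not from the list or from the stunnel project: it splits the OpenSSL error code into its packed fields (assuming the OpenSSL 1.0.x ERR_PACK layout), classifies the line, and asks the libssl that Python itself links against whether SSLv3 is compiled in (ssl.HAS_SSLv3, Python 3.7+); the second sample log line is constructed.

```python
"""Added example (not from the stunnel list or the stunnel project).

Decomposes the OpenSSL error reported in the stunnel log above and checks
whether the libssl that this Python links against was built with SSLv3.
Assumption: the OpenSSL 1.0.x ERR_PACK layout (lib:8 | func:12 | reason:12).
"""
import re
import ssl

# Numeric values from OpenSSL 1.0.x headers (err.h / ssl.h).
ERR_LIB_SSL = 20                      # 0x14
SSL_R_UNSUPPORTED_PROTOCOL = 258      # 0x102

# Constructed sample input: the line Francois posted from /stunnel.log,
# plus one unrelated (constructed) line to show the parser ignoring it.
SAMPLE_LOG = [
    "SSL_accept: 14076102: error:14076102:SSL routines:"
    "SSL23_GET_CLIENT_HELLO:unsupported protocol",
    "2016.05.06 11:02:43 LOG5[1]: Service [test] accepted connection "
    "from 127.0.0.1:41234",
]

_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def parse_openssl_error(line):
    """Split an 'error:XXXXXXXX:lib:func:reason' string into its packed
    numeric fields and the textual names OpenSSL printed beside them.
    Returns None when the line carries no OpenSSL error."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "code": code,
        "lib": (code >> 24) & 0xFF,       # ERR_LIB_*: 0x14 = libssl
        "func": (code >> 12) & 0xFFF,     # SSL_F_*: 0x076 = SSL23_GET_CLIENT_HELLO
        "reason": code & 0xFFF,           # SSL_R_*: 0x102 = UNSUPPORTED_PROTOCOL
        "lib_name": m.group(2).strip(),
        "func_name": m.group(3).strip(),
        "reason_text": m.group(4).strip(),
    }


def diagnose(err):
    """Classify a parsed error. Returns (category, explanation)."""
    if err is None or err["lib"] != ERR_LIB_SSL:
        return ("not_ssl", "no libssl error in this line")
    if err["reason"] == SSL_R_UNSUPPORTED_PROTOCOL:
        return (
            "unsupported_protocol",
            "the server's OpenSSL rejected the protocol version offered in the "
            "ClientHello (here SSLv3, from 's_client -ssl3'): either "
            "SSL_OP_NO_SSLv3 is still set or the library was built without "
            "SSLv3; a library built with no-ssl3 cannot be re-enabled from "
            "stunnel.conf, so moving the peer to TLS is the fix to prefer",
        )
    return ("other_ssl", "libssl reason 0x%03x: %s" % (err["reason"], err["reason_text"]))


def local_openssl_sslv3():
    """Report whether the libssl Python links against has SSLv3 compiled in.
    ssl.HAS_SSLv3 exists from Python 3.7; older Pythons return None (unknown).
    On Debian, stunnel4 and python share the system libssl, so this is a
    reasonable proxy for what stunnel sees on the same host."""
    return getattr(ssl, "HAS_SSLv3", None)


def triage(lines):
    """Run the parser over log lines and return the category of each."""
    return [diagnose(parse_openssl_error(line))[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        cat, why = diagnose(parse_openssl_error(line))
        print("%-20s %s" % (cat, why))
    print("local %s has SSLv3: %s" % (ssl.OPENSSL_VERSION, local_openssl_sslv3()))
```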
From josealf at rocketmail.com Fri May 6 12:30:50 2016
From: josealf at rocketmail.com (Josealf.rm)
Date: Fri, 6 May 2016 05:30:50 -0500
Subject: [stunnel-users] SSLv3 not working with version 5.06
In-Reply-To: <572C60F7.905@dalenys.com>
References: <572C60F7.905@dalenys.com>
Message-ID: <3F69C5BA-E9BA-4838-84AB-8B3782242E63@rocketmail.com>

Maybe Debian removed support for SSLv3 in its OpenSSL libraries. This protocol is now obsolete and should not be used. If that is the case, you will need to compile your own OpenSSL with SSLv3 enabled.

Anyway, you should ask in a Debian forum.

Regards,
Jose

> On 6 May 2016, at 4:16, Francois Pires wrote:
>
> Hi all,
>
> We need to use SSLv3, but with the Debian Jessie package (version 5.06)
> it is not working.
>
> I have added "options = -NO_SSLv3", still the same.
>
> Can you check if my configuration is good, and if you have any idea how
> to get SSLv3 working with this version?
From guille.rodriguez at gmail.com Sun May 8 13:54:49 2016
From: guille.rodriguez at gmail.com (Guillermo Rodriguez Garcia)
Date: Sun, 8 May 2016 13:54:49 +0200
Subject: [stunnel-users] SNI support in OpenSSL

Hello all,

The stunnel documentation says that SNI requires stunnel to be linked with OpenSSL >= 1.0.0. However, SNI is supported in OpenSSL since 0.9.8f (and actually enabled by default since 0.9.8k). For 0.9.8f and later, OPENSSL_NO_TLSEXT will be defined if TLS extension support (including SNI support) is not compiled into OpenSSL.

Taking the above into account, the OpenSSL version check in stunnel (src/common.h) could be relaxed a bit. Instead of:

#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_TLSEXT
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */

this could be:

#if OPENSSL_VERSION_NUMBER<0x00908060L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL older than 0.9.8f */
#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */

This would enable SNI on systems using 0.9.8 (Mac OS X for example).

Best regards,

Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com

From guille.rodriguez at gmail.com Mon May 9 11:16:09 2016
From: guille.rodriguez at gmail.com (Guillermo Rodriguez Garcia)
Date: Mon, 9 May 2016 11:16:09 +0200
Subject: [stunnel-users] 'Integer constant too large' warnings in str.c

Hello,

Current stunnel (5.32) gives a bunch of warnings in str.c when the CANARY_XXX and MAGIC_XXX constants are used, for example:

str.c:101: warning: integer constant is too large for 'long' type

Shouldn't these constants be declared with the 'LL' suffix instead of 'L'?
#define CANARY_INITIALIZED 0x0000c0ded0000000LL
#define CANARY_UNINTIALIZED 0x0000abadbabe0000LL
#define MAGIC_ALLOCATED 0x0000a110c8ed0000LL
#define MAGIC_DEALLOCATED 0x0000defec8ed0000LL

Best regards,

Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com

From Michal.Trojnara at stunnel.org Tue May 10 12:24:02 2016
From: Michal.Trojnara at stunnel.org (Michal Trojnara)
Date: Tue, 10 May 2016 12:24:02 +0200
Subject: [stunnel-users] 'Integer constant too large' warnings in str.c
Message-ID: <5731B6C2.8030205@stunnel.org>

On 09.05.2016 11:16, Guillermo Rodriguez Garcia wrote:
> Current stunnel (5.32) gives a bunch of warnings in str.c when the
> CANARY_XXX and MAGIC_XXX constants are used, for example:
>
> str.c:101: warning: integer constant is too large for 'long' type
>
> Shouldn't these constants be declared with the 'LL' suffix instead of 'L'?
>
> #define CANARY_INITIALIZED 0x0000c0ded0000000LL
> #define CANARY_UNINTIALIZED 0x0000abadbabe0000LL
> #define MAGIC_ALLOCATED 0x0000a110c8ed0000LL
> #define MAGIC_DEALLOCATED 0x0000defec8ed0000LL

Indeed. Thank you.

Best regards,
Mike

From guille.rodriguez at gmail.com Tue May 10 16:52:49 2016
From: guille.rodriguez at gmail.com (Guillermo Rodriguez Garcia)
Date: Tue, 10 May 2016 16:52:49 +0200
Subject: [stunnel-users] Temporary DH params in stunnel

Hi all,

The stunnel docs say that starting with stunnel 5.18, DH params are auto-generated every 24 hours and that this "may take several minutes". I see that for this purpose, stunnel uses OpenSSL's DH_generate_parameters[_ex] function. According to the OpenSSL API docs [1], these functions "may run for several hours before finding a suitable prime."
[1]: https://www.openssl.org/docs/manmaster/crypto/DH_generate_parameters.html

Wouldn't it make sense to use "DSA-like" DH params for this purpose? These are much faster to generate and apparently equally safe. DSA-like DH params are generated using DSA_generate_parameters[_ex]. It is the equivalent of passing the -dsaparam option to the openssl dhparam command.

Some useful info:
- http://security.stackexchange.com/a/95184/109144
- http://dovecot.org/pipermail/dovecot/2015-November/102447.html

Best regards,

Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com

From mohammedkhan at tycoint.com Tue May 10 18:06:32 2016
From: mohammedkhan at tycoint.com (Khan, Mohammed)
Date: Tue, 10 May 2016 16:06:32 +0000
Subject: [stunnel-users] Timeout when connecting to

Hi,

I have installed stunnel v5.32 on my Windows server which is hosted on AWS. I am trying to connect from there using an emailer app which uses POP3 to connect to the server Outlook.Office365.com on port 995, but I keep getting this error logged in the stunnel logs:

[image002.png: screenshot of the stunnel log; the attachment is not preserved in the archive]

Does anyone have any ideas as to why this connection is timing out, please? Any help would be much appreciated, thanks in advance!
Rgds

Mo Khan / Software Engineer / FootFall
Tel: +44 121 712 1428 / Mobile: +44 776 692 7120
Yorke House, Arleston Way / Solihull, B90 4LH / United Kingdom
mohammedkhan at tycoint.com / www.footfall.com
From bojack1437 at gmail.com Thu May 12 02:59:26 2016
From: bojack1437 at gmail.com (Brandon Jackson)
Date: Wed, 11 May 2016 20:59:26 -0400
Subject: [stunnel-users] Multiple accept parameter, or Ipv4 and v6 in one statement.

Hi,

I'm looking to expand my usage of stunnel. One thing I'm wondering: is there a way to use multiple accepts for the same service? Like:

[httpsmain]
accept = 443
accept = :::443
connect = 10.0.1.1:9443

or even something like:

[httpsmain]
accept = 443,:::443
connect = 10.0.1.1:8443

The reason is I'm about to set up some services with SNI with a few domains and certs, but if I have to have them on v4 and v6 it looks like I'll have to double everything up. Is there a better way?

----------------------------------
Brandon Jackson
bojack1437 at gmail.com

From matt.brugman at pdqinc.com Thu May 12 15:57:29 2016
From: matt.brugman at pdqinc.com (Brugman, Matt)
Date: Thu, 12 May 2016 13:57:29 +0000
Subject: [stunnel-users] stunnel and MSIE

I've compiled stunnel for Windows CE 5.0 and 6.0, and am running it on an ARM device. It is being used in client mode to secure communications to various external servers with no problems. It is also being used to secure Windows CE's webserver. All of the client mode connections are working flawlessly (thanks for the awesome work, by the way!).
The webserver is working properly for all browsers except MSIE 11. Everything I've seen tells me that the problem is not really with stunnel or OpenSSL, but with Internet Explorer. I've spent some time searching the mailing list archives and on Google, but haven't really found a solution to this, besides the obvious "well, don't use IE." I'd love to go with that answer, but some of our users are locked into IE, so let's take it as a given that the choice of browser can't be changed.

The browser connects, negotiates a connection, and then exchanges keys and certificates. Using the debug console in IE I see that it sends the initial "GET /". Then the browser sees the response header, but no "body" data.

Again, I realize this isn't a specific stunnel issue, but I'm hoping someone on the list has seen a similar issue and found a resolution.

I've stripped stunnel.conf down to the very basics (some paths removed for clarity):

; Stunnel config for device
debug = 7
output = stunnel.log
options = -NO_SSLv3
log = overwrite

;********* SERVICES ***********
[https-server]
client = no
accept = 443
connect = 127.0.0.1:9975
cert = stunnel.pem
delay = yes
TIMEOUTbusy = 5
TIMEOUTclose = 0
TIMEOUTidle = 30

Stunnel log output. I do see the "Peer suddenly disconnected" messages, but again, I'm not sure why.
The last two lines of the log are the "transfer() loop executes not transferring any data":

3916.06.12 08:21:19 LOG7[ui]: Service [https-server] accepted (FD=9) from 192.168.55.77:12377
3916.06.12 08:21:19 LOG7[ui]: Creating a new thread
3916.06.12 08:21:19 LOG7[ui]: New thread created
3916.06.12 08:21:19 LOG7[0]: Service [https-server] started
3916.06.12 08:21:19 LOG5[0]: Service [https-server] accepted connection from 192.168.55.77:12377
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): before/accept initialization
3916.06.12 08:21:19 LOG7[0]: SNI: no virtual services defined
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): SSLv3 read client hello A
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): SSLv3 write server hello A
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): SSLv3 write certificate A
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): SSLv3 write key exchange A
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): SSLv3 write server done A
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): SSLv3 flush data
3916.06.12 08:21:19 LOG7[0]: SSL state (accept): SSLv3 read client certificate A
3916.06.12 08:21:20 LOG7[0]: SSL state (accept): SSLv3 read client key exchange A
3916.06.12 08:21:20 LOG7[0]: SSL state (accept): SSLv3 read certificate verify A
3916.06.12 08:21:20 LOG7[0]: SSL state (accept): SSLv3 read finished A
3916.06.12 08:21:20 LOG7[0]: SSL state (accept): SSLv3 write change cipher spec A
3916.06.12 08:21:20 LOG7[0]: SSL state (accept): SSLv3 write finished A
3916.06.12 08:21:20 LOG7[0]: SSL state (accept): SSLv3 flush data
3916.06.12 08:21:20 LOG7[0]: New session callback
3916.06.12 08:21:20 LOG7[0]: 1 server accept(s) requested
3916.06.12 08:21:20 LOG7[0]: 1 server accept(s) succeeded
3916.06.12 08:21:20 LOG7[0]: 0 server renegotiation(s) requested
3916.06.12 08:21:20 LOG7[0]: 0 session reuse(s)
3916.06.12 08:21:20 LOG7[0]: 0 internal session cache item(s)
3916.06.12 08:21:20 LOG7[0]: 0 internal session cache fill-up(s)
3916.06.12 08:21:20 LOG7[0]: 0 internal session cache miss(es)
3916.06.12 08:21:20 LOG7[0]: 0 external session cache hit(s)
3916.06.12 08:21:20 LOG7[0]: 0 expired session(s) retrieved
3916.06.12 08:21:20 LOG6[0]: SSL accepted: new session negotiated
3916.06.12 08:21:20 LOG6[0]: No peer certificate received
3916.06.12 08:21:20 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-SHA384 (256-bit encryption)
3916.06.12 08:21:20 LOG7[0]: Compression: null, expansion: null
3916.06.12 08:21:20 LOG6[0]: s_connect: connecting 127.0.0.1:9775
3916.06.12 08:21:20 LOG6[0]: s_connect: connected 127.0.0.1:9775
3916.06.12 08:21:20 LOG6[0]: persistence: 127.0.0.1:9775 cached
3916.06.12 08:21:20 LOG5[0]: Service [https-server] connected remote server from 127.0.0.1:49277
3916.06.12 08:21:20 LOG7[0]: Remote descriptor (FD=11) initialized
3916.06.12 08:21:20 LOG6[0]: SSL socket closed (SSL_read)
3916.06.12 08:21:20 LOG7[0]: Sent socket write shutdown
3916.06.12 08:21:20 LOG5[0]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
3916.06.12 08:21:20 LOG7[0]: Remote descriptor (FD=11) closed
3916.06.12 08:21:20 LOG7[0]: Local descriptor (FD=9) closed
3916.06.12 08:21:20 LOG7[0]: Service [https-server] finished (0 left)
3916.06.12 08:21:22 LOG7[ui]: Found 1 ready file descriptor(s)
3916.06.12 08:21:22 LOG7[ui]: FD=5 ifds=r-x ofds=---
3916.06.12 08:21:22 LOG7[ui]: Service [https-server] accepted (FD=13) from 192.168.55.77:30351
3916.06.12 08:21:22 LOG7[ui]: Creating a new thread
3916.06.12 08:21:22 LOG7[ui]: New thread created
3916.06.12 08:21:22 LOG7[1]: Service [https-server] started
3916.06.12 08:21:22 LOG5[1]: Service [https-server] accepted connection from 192.168.55.77:30351
3916.06.12 08:21:22 LOG7[1]: SSL state (accept): before/accept initialization
3916.06.12 08:21:22 LOG7[1]: SNI: no virtual services defined
3916.06.12 08:21:22 LOG7[1]: SSL state (accept): SSLv3 read client hello A
3916.06.12 08:21:22 LOG7[1]: SSL state (accept): SSLv3 write server hello A
3916.06.12 08:21:22 LOG7[1]: SSL state (accept): SSLv3 write change cipher spec A
3916.06.12 08:21:22 LOG7[1]: SSL state (accept): SSLv3 write finished A
3916.06.12 08:21:22 LOG7[1]: SSL state (accept): SSLv3 flush data
3916.06.12 08:21:22 LOG7[1]: SSL state (accept): SSLv3 read finished A
3916.06.12 08:21:22 LOG7[1]: 2 server accept(s) requested
3916.06.12 08:21:22 LOG7[1]: 2 server accept(s) succeeded
3916.06.12 08:21:22 LOG7[1]: 0 server renegotiation(s) requested
3916.06.12 08:21:22 LOG7[1]: 1 session reuse(s)
3916.06.12 08:21:22 LOG7[1]: 1 internal session cache item(s)
3916.06.12 08:21:22 LOG7[1]: 0 internal session cache fill-up(s)
3916.06.12 08:21:22 LOG7[1]: 0 internal session cache miss(es)
3916.06.12 08:21:22 LOG7[1]: 0 external session cache hit(s)
3916.06.12 08:21:22 LOG7[1]: 0 expired session(s) retrieved
3916.06.12 08:21:22 LOG6[1]: SSL accepted: previous session reused
3916.06.12 08:21:22 LOG6[1]: s_connect: connecting 127.0.0.1:9775
3916.06.12 08:21:22 LOG6[1]: s_connect: connected 127.0.0.1:9775
3916.06.12 08:21:22 LOG6[1]: persistence: 127.0.0.1:9775 cached
3916.06.12 08:21:22 LOG5[1]: Service [https-server] connected remote server from 127.0.0.1:49278
3916.06.12 08:21:22 LOG7[1]: Remote descriptor (FD=15) initialized
3916.06.12 08:21:22 LOG6[1]: SSL socket closed (SSL_read)
3916.06.12 08:21:22 LOG7[1]: Sent socket write shutdown
3916.06.12 08:21:22 LOG5[1]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
3916.06.12 08:21:22 LOG7[1]: Remote descriptor (FD=15) closed
3916.06.12 08:21:22 LOG7[1]: Local descriptor (FD=13) closed
3916.06.12 08:21:22 LOG7[1]: Service [https-server] finished (0 left)
3916.06.12 08:21:22 LOG7[ui]: Found 1 ready file descriptor(s)
3916.06.12 08:21:22 LOG7[ui]: FD=5 ifds=r-x ofds=---
3916.06.12 08:21:22 LOG7[ui]: Service [https-server] accepted (FD=17) from 192.168.55.77:30352
3916.06.12 08:21:22 LOG7[ui]: Creating a new thread
3916.06.12 08:21:22 LOG7[ui]: New thread created
3916.06.12 08:21:22 LOG7[2]: Service [https-server] started
3916.06.12 08:21:22 LOG5[2]: Service [https-server] accepted connection from 192.168.55.77:30352
3916.06.12 08:21:22 LOG7[2]: SSL state (accept): before/accept initialization
3916.06.12 08:21:22 LOG7[2]: SNI: no virtual services defined
3916.06.12 08:21:22 LOG7[2]: SSL state (accept): SSLv3 read client hello A
3916.06.12 08:21:22 LOG7[2]: SSL state (accept): SSLv3 write server hello A
3916.06.12 08:21:22 LOG7[2]: SSL state (accept): SSLv3 write change cipher spec A
3916.06.12 08:21:22 LOG7[2]: SSL state (accept): SSLv3 write finished A
3916.06.12 08:21:22 LOG7[2]: SSL state (accept): SSLv3 flush data
3916.06.12 08:21:22 LOG7[2]: SSL state (accept): SSLv3 read finished A
3916.06.12 08:21:22 LOG7[2]: 3 server accept(s) requested
3916.06.12 08:21:22 LOG7[2]: 3 server accept(s) succeeded
3916.06.12 08:21:22 LOG7[2]: 0 server renegotiation(s) requested
3916.06.12 08:21:22 LOG7[2]: 2 session reuse(s)
3916.06.12 08:21:22 LOG7[2]: 1 internal session cache item(s)
3916.06.12 08:21:22 LOG7[2]: 0 internal session cache fill-up(s)
3916.06.12 08:21:22 LOG7[2]: 0 internal session cache miss(es)
3916.06.12 08:21:22 LOG7[2]: 0 external session cache hit(s)
3916.06.12 08:21:22 LOG7[2]: 0 expired session(s) retrieved
3916.06.12 08:21:22 LOG6[2]: SSL accepted: previous session reused
3916.06.12 08:21:22 LOG6[2]: s_connect: connecting 127.0.0.1:9775
3916.06.12 08:21:22 LOG6[2]: s_connect: connected 127.0.0.1:9775
3916.06.12 08:21:22 LOG6[2]: persistence: 127.0.0.1:9775 cached
3916.06.12 08:21:22 LOG5[2]: Service [https-server] connected remote server from 127.0.0.1:49279
3916.06.12 08:21:22 LOG7[2]: Remote descriptor (FD=19) initialized
3916.06.12 08:21:22 LOG3[2]: SSL socket closed (SSL_read) with 10137 unsent byte(s)
3916.06.12 08:21:22 LOG5[2]: Connection reset: 239 byte(s) sent to SSL, 553 byte(s) sent to socket
3916.06.12 08:21:22 LOG7[2]: Remote descriptor (FD=19) closed
3916.06.12 08:21:22 LOG7[2]: Local descriptor (FD=17) closed
3916.06.12 08:21:22 LOG7[2]: Service [https-server] finished (0 left)
3916.06.12 08:21:23 LOG7[ui]: Found 1 ready file descriptor(s)
3916.06.12 08:21:23 LOG7[ui]: FD=5 ifds=r-x ofds=---
3916.06.12 08:21:23 LOG7[ui]: Service [https-server] accepted (FD=21) from 192.168.55.77:30353
3916.06.12 08:21:23 LOG7[ui]: Creating a new thread
3916.06.12 08:21:23 LOG7[ui]: New thread created
3916.06.12 08:21:23 LOG7[3]: Service [https-server] started
3916.06.12 08:21:23 LOG5[3]: Service [https-server] accepted connection from 192.168.55.77:30353
3916.06.12 08:21:23 LOG7[3]: SSL state (accept): before/accept initialization
3916.06.12 08:21:23 LOG7[3]: SNI: no virtual services defined
3916.06.12 08:21:23 LOG7[3]: SSL state (accept): SSLv3 read client hello A
3916.06.12 08:21:23 LOG7[3]: SSL state (accept): SSLv3 write server hello A
3916.06.12 08:21:23 LOG7[3]: SSL state (accept): SSLv3 write change cipher spec A
3916.06.12 08:21:23 LOG7[3]: SSL state (accept): SSLv3 write finished A
3916.06.12 08:21:23 LOG7[3]: SSL state (accept): SSLv3 flush data
3916.06.12 08:21:23 LOG7[3]: SSL state (accept): SSLv3 read finished A
3916.06.12 08:21:23 LOG7[3]: 4 server accept(s) requested
3916.06.12 08:21:23 LOG7[3]: 4 server accept(s) succeeded
3916.06.12 08:21:23 LOG7[3]: 0 server renegotiation(s) requested
3916.06.12 08:21:23 LOG7[3]: 3 session reuse(s)
3916.06.12 08:21:23 LOG7[3]: 1 internal session cache item(s)
3916.06.12 08:21:23 LOG7[3]: 0 internal session cache fill-up(s)
3916.06.12 08:21:23 LOG7[3]: 0 internal session cache miss(es)
3916.06.12 08:21:23 LOG7[3]: 0 external session cache hit(s)
3916.06.12 08:21:23 LOG7[3]: 0 expired session(s) retrieved
3916.06.12 08:21:23 LOG6[3]: SSL accepted: previous session reused
3916.06.12 08:21:23 LOG6[3]: s_connect: connecting 127.0.0.1:9775
3916.06.12 08:21:23 LOG6[3]: s_connect: connected 127.0.0.1:9775
3916.06.12 08:21:23 LOG6[3]: persistence: 127.0.0.1:9775 cached
3916.06.12 08:21:23 LOG5[3]: Service [https-server] connected remote server from 127.0.0.1:49280
3916.06.12 08:21:23 LOG7[3]: Remote descriptor (FD=23) initialized
3916.06.12 08:21:23 LOG6[3]: Read socket closed (readsocket)
3916.06.12 08:21:23 LOG7[3]: Sending close_notify alert
3916.06.12 08:21:23 LOG7[3]: SSL alert (write): warning: close notify
3916.06.12 08:21:23 LOG6[3]: SSL_shutdown successfully sent close_notify alert
3916.06.12 08:21:23 LOG3[3]: transfer() loop executes not transferring any data
3916.06.12 08:21:23 LOG3[3]: please report the problem to Michal.Trojnara at mirt.net

From Michal.Trojnara at stunnel.org Thu May 12 22:07:16 2016
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Thu, 12 May 2016 22:07:16 +0200
Subject: [stunnel-users] Multiple accept parameter, or Ipv4 and v6 in one statement.
Message-ID: <5734E274.8000900@stunnel.org>

On 12.05.2016 02:59, Brandon Jackson wrote:
> [httpsmain]
> accept = 443
> accept = :::443
> connect = 10.0.1.1:9443

IPv6 also accepts IPv4 connections by default. Your solution is:

[httpsmain]
accept = :::443
connect = 10.0.1.1:9443

Best regards,
Mike

From Michal.Trojnara at stunnel.org Thu May 12 22:16:03 2016
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Thu, 12 May 2016 22:16:03 +0200
Subject: [stunnel-users] stunnel and MSIE
Message-ID: <5734E483.4030903@stunnel.org>

On 12.05.2016 15:57, Brugman, Matt wrote:
> I've compiled stunnel for Windows CE 5.0 and 6.0, and am running it on
> an ARM device.

Which version of stunnel have you compiled? Make sure to use stunnel 5.32, as it contains an important WCE fix.

Best regards,
Mike
Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From matt.brugman at pdqinc.com Thu May 12 22:20:29 2016 From: matt.brugman at pdqinc.com (Brugman, Matt) Date: Thu, 12 May 2016 20:20:29 +0000 Subject: [stunnel-users] stunnel and MSIE In-Reply-To: <5734E483.4030903@stunnel.org> References: <5734E483.4030903@stunnel.org> Message-ID: I am running 5.31. I apologize; I missed the release of 5.32. I'll build and let you know what I find. Thanks very much! Matt -----Original Message----- From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Michal Trojnara Sent: Thursday, May 12, 2016 15:16 To: stunnel-users at stunnel.org Subject: Re: [stunnel-users] stunnel and MSIE On 12.05.2016 15:57, Brugman, Matt wrote: > I’ve compiled stunnel for Windows CE 5.0 and 6.0, and am running it on > an ARM device. Which version of stunnel have you compiled? Make sure to use stunnel 5.32, as it contains an important WCE fix. Best regards, Mike From matt.brugman at pdqinc.com Fri May 13 17:12:54 2016 From: matt.brugman at pdqinc.com (Brugman, Matt) Date: Fri, 13 May 2016 15:12:54 +0000 Subject: [stunnel-users] stunnel and MSIE In-Reply-To: <5734E483.4030903@stunnel.org> References: <5734E483.4030903@stunnel.org> Message-ID: This is a perfect example of "do not post until you've tried the latest version"... I apologize again, I missed the update. Stunnel is working correctly on my WCE device with all browsers now. Thanks again for the help and the awesome product! Matt -----Original Message----- From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Michal Trojnara Sent: Thursday, May 12, 2016 15:16 To: stunnel-users at stunnel.org Subject: Re: [stunnel-users] stunnel and MSIE On 12.05.2016 15:57, Brugman, Matt wrote: > I’ve compiled stunnel for Windows CE 5.0 and 6.0, and am running it on > an ARM device. Which version of stunnel have you compiled? 
Make sure to use stunnel 5.32, as it contains an important WCE fix.

Best regards,
Mike

From adrian.irimescu.iri at gmail.com Mon May 16 09:42:22 2016
From: adrian.irimescu.iri at gmail.com (Adrian Irimescu)
Date: Mon, 16 May 2016 10:42:22 +0300
Subject: [stunnel-users] stunnel v5.32 (and older) strange session cache behavior on memory (de)allocation
Message-ID:

I am using stunnel v5.32 compiled on a RHEL 6.7 with openssl-1.0.1e-42.el6.x86_64.

The stunnel.conf cache settings are (for testing cache behaviour):

    sessionCacheSize = 3
    sessionCacheTimeout = 60

What I expect is that after the session cache size is reached, the memory (RSS) allocated to the stunnel process does not grow with new sessions which are not in the cache. Instead of this, stunnel allocates about 28K for any new session which does not have a stored session in the cache and does not free this anymore. For new connections with a session stored in the cache, the memory does not grow. This led me to a problem in memory deallocation for expired sessions in the internal session cache. (I know that OpenSSL frees expired session cache entries every 255 sessions.)

See example below:

--> stunnel start (see RSS)

    USER    PID   %CPU %MEM VSZ    RSS  TTY STAT START TIME COMMAND
    stunnel 20655 0.0  0.0  117760 1440 ?   Ss   15:49 0:00 /usr/local/bin/stunnel5

--> after 3 sessions with no cache hits

    stunnel 20655 0.0  0.0  117828 2976 ?   Ss   15:49 0:00 /usr/local/bin/stunnel5

- stunnel log

    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: New session callback
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 4 server accept(s) requested
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 4 server accept(s) succeeded
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 0 server renegotiation(s) requested
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 0 session reuse(s)
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 3 internal session cache item(s)
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 0 internal session cache fill-up(s)
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 0 internal session cache miss(es)
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 0 external session cache hit(s)
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 0 expired session(s) retrieved
    2016.05.11 15:50:57 LOG6[kngHAM6DLUpVRXEqHcUMIt]: SSL accepted: new session negotiated
    2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: Remove session callback

-----------------------------------------------------

--> after another 1 request with cache hit: as you can see no RSS memory was added

    stunnel 20655 0.0  0.0  117828 2976 ?   Ss   15:49 0:00 /usr/local/bin/stunnel5

- stunnel log

    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: SSL state (accept): SSLv3 read finished A
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 5 server accept(s) requested
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 5 server accept(s) succeeded
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 0 server renegotiation(s) requested
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 1 session reuse(s)
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 3 internal session cache item(s)
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 1 internal session cache fill-up(s)
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 0 internal session cache miss(es)
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 0 external session cache hit(s)
    2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 0 expired session(s) retrieved
    2016.05.11 15:51:57 LOG6[Slq6WdqS97Ox4G8eOKfGg0]: SSL accepted: previous session reused

----------------------------------------------------

--> after another 1 request with no cache hit (now we have the first cache fill-up)

    stunnel 20655 0.0  0.0  117828 3000 ?   Ss   15:49 0:00 /usr/local/bin/stunnel5

- stunnel log

    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: New session callback
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 6 server accept(s) requested
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 6 server accept(s) succeeded
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 0 server renegotiation(s) requested
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 1 session reuse(s)
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 3 internal session cache item(s)
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 1 internal session cache fill-up(s)
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 0 internal session cache miss(es)
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 0 external session cache hit(s)
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 0 expired session(s) retrieved
    2016.05.11 15:53:31 LOG6[P8n33mFxzHVAZEeRwnFccK]: SSL accepted: new session negotiated
    2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: Remove session callback

----------------------------------------------------

--> after another 300 new sessions with no cache hits and after waiting 1 minute for entries in the session cache to expire (as said in the documentation, OpenSSL must free expired entries every 255 sessions)

    stunnel 20655 0.0  0.2  117828 11632 ?  Ss   15:49 0:03 /usr/local/bin/stunnel5

- stunnel log

    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: New session callback
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 306 server accept(s) requested
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 306 server accept(s) succeeded
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 0 server renegotiation(s) requested
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 1 session reuse(s)
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 3 internal session cache item(s)
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 301 internal session cache fill-up(s)
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 0 internal session cache miss(es)
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 0 external session cache hit(s)
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 0 expired session(s) retrieved
    2016.05.11 16:13:26 LOG6[vWvoFT1DXuJ9x0eEfFnQBf]: SSL accepted: new session negotiated
    2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: Remove session callback

----------------------------------------------------

What I can see is that memory grows with ~28K for every new session after the session cache was filled and never deallocates this memory. In my production env. this really creates problems, because after 2 weeks stunnel fills all 32GB of server RAM.

Has anyone encountered a similar problem?

Of course a stunnel service restart clears the memory, but I lose all cache entries, and that is not acceptable.

After some code analysis between different versions of stunnel I can see that between v5.26 and v5.27 the ctx callback functions were changed. In my tests with versions prior to 5.27 I can see that this memory problem does not appear. See logs below:

---- stunnel v5.26 --------

    2016.05.12 13:08:14 LOG5[ui]: stunnel 5.26 on x86_64-unknown-linux-gnu platform
    2016.05.12 13:08:14 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013

    stunnel 27402 0.0  0.0  117604 1316 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5
    stunnel 27402 0.0  0.0  117672 2756 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5
    stunnel 27402 0.0  0.0  117672 2804 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5
    stunnel 27402 0.0  0.0  117672 2828 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5
    stunnel 27402 0.0  0.0  117672 2868 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5

cache fill-up

    2016.05.12 13:11:01 LOG7[FdNYw7uGlV9xNElZSPBfyh]: 0 session reuse(s)
    2016.05.12 13:11:01 LOG7[FdNYw7uGlV9xNElZSPBfyh]: 3 internal session cache item(s)
    2016.05.12 13:11:01 LOG7[FdNYw7uGlV9xNElZSPBfyh]: 1 internal session cache fill-up(s)

    stunnel 27402 0.0  0.0  117672 2868 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5
    stunnel 27402 0.0  0.0  117672 2868 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5

after 100 fill-ups

    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: SSL state (accept): SSLv3 flush data
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 107 server accept(s) requested
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 107 server accept(s) succeeded
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 0 server renegotiation(s) requested
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 1 session reuse(s)
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 3 internal session cache item(s)
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 102 internal session cache fill-up(s)
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 0 internal session cache miss(es)
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 0 external session cache hit(s)
    2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 0 expired session(s) retrieved
    2016.05.12 13:13:55 LOG6[TWO1OFFPYvsW4qdjyJ0IZK]: SSL accepted: new session negotiated

    stunnel 27402 0.1  0.0  117672 2872 ?   Ss   13:08 0:00 /usr/local/bin/stunnel5

after another 100 fill-ups

    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: SSL state (accept): SSLv3 flush data
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 207 server accept(s) requested
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 207 server accept(s) succeeded
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 0 server renegotiation(s) requested
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 1 session reuse(s)
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 3 internal session cache item(s)
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 202 internal session cache fill-up(s)
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 0 internal session cache miss(es)
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 0 external session cache hit(s)
    2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 0 expired session(s) retrieved
    2016.05.12 13:19:03 LOG6[InwkBBOxJrfptxYx6wXTxU]: SSL accepted: new session negotiated

    stunnel 27402 0.0  0.0  117672 2872 ?   Ss   13:08 0:01 /usr/local/bin/stunnel5

Code:

--->>> callbacks in v5.26 L605

    NOEXPORT int sess_new_cb(SSL *ssl, SSL_SESSION *sess) {
        unsigned char *val, *val_tmp;
        ssize_t val_len;
        const unsigned char *session_id;
        unsigned int session_id_length;

        /* serialize the session and hand it to the external cache (sessiond) */
        val_len=i2d_SSL_SESSION(sess, NULL);
        val_tmp=val=str_alloc((size_t)val_len);
        i2d_SSL_SESSION(sess, &val_tmp);
    #if OPENSSL_VERSION_NUMBER>=0x0090800fL
        session_id=SSL_SESSION_get_id(sess, &session_id_length);
    #else
        session_id=(const unsigned char *)sess->session_id;
        session_id_length=sess->session_id_length;
    #endif
        cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_NEW,
            SSL_SESSION_get_timeout(sess),
            session_id, session_id_length, val, (size_t)val_len, NULL, NULL);
        str_free(val);
        return 1; /* leave the session in local cache for reuse */
    }

    NOEXPORT SSL_SESSION *sess_get_cb(SSL *ssl,
            unsigned char *key, int key_len, int *do_copy) {
        unsigned char *val, *val_tmp=NULL;
        ssize_t val_len=0;
        SSL_SESSION *sess;

        *do_copy = 0; /* allow the session to be freed automatically */
        /* ask the external cache for a serialized session under this id */
        cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_GET, 0,
            key, (size_t)key_len, NULL, 0, &val, (size_t *)&val_len);
        if(!val)
            return NULL;
        val_tmp=val;
        sess=d2i_SSL_SESSION(NULL,
    #if OPENSSL_VERSION_NUMBER>=0x0090800fL
            (const unsigned char **)
    #endif /* OpenSSL version >= 0.8.0 */
            &val_tmp, val_len);
        str_free(val);

--->>> callbacks in v5.32

    /**************************************** session callbacks */

    NOEXPORT int sess_new_cb(SSL *ssl, SSL_SESSION *sess) {
        CLI *c;

        s_log(LOG_DEBUG, "New session callback");
        c=SSL_get_ex_data(ssl, index_cli);
        if(c->opt->option.sessiond)
            cache_new(ssl, sess);
        return 1; /* leave the session in local cache for reuse */
    }

    NOEXPORT SSL_SESSION *sess_get_cb(SSL *ssl,
    #if OPENSSL_VERSION_NUMBER>=0x10100000L
            const
    #endif
            unsigned char *key, int key_len, int *do_copy) {
        CLI *c;

        s_log(LOG_DEBUG, "Get session callback");
        *do_copy=0; /* allow the session to be freed automatically */
        c=SSL_get_ex_data(ssl, index_cli);
        if(c->opt->option.sessiond)
            return cache_get(ssl, key, key_len);
        return NULL; /* no session to resume */
    }

    NOEXPORT void sess_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess) {
        SERVICE_OPTIONS *opt;

        s_log(LOG_DEBUG, "Remove session callback");
        opt=SSL_CTX_get_ex_data(ctx, index_opt);
        if(opt->option.sessiond)
            cache_remove(ctx, sess);
    }

In production env. I have downgraded today to stunnel v5.26 and memory seems to be OK (until now).

Regards,
Adrian Irimescu

From David.Faizulaev at nextnine.com Mon May 16 18:25:04 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Mon, 16 May 2016 16:25:04 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
Message-ID:

Hello,

I've found Stunnel as a potential answer to securely moving traffic between two machines. But I'm having some difficulties configuring the software.

I've installed it on the client machine and configured the client to connect to 127.0.0.1:8449, while the server to which the client needs to connect is 192.168.220.72:8447.
In the stunnel.conf I've set the following:

    [custom]
    accept = 127.0.0.1:8449
    connect = 192.168.220.72:8447
    cert = 220.72.cer
    TIMEOUTclose = 0

Upon initializing Stunnel I get the following error:

    2016.05.16 19:14:04 LOG3[main]: error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
    2016.05.16 19:14:04 LOG3[main]: SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
    2016.05.16 19:14:04 LOG3[main]: Service [custom]: Failed to initialize SSL context
    2016.05.16 19:14:04 LOG3[main]: Failed to reload the configuration file

What can be the cause?

Thanks in advance.

Best Regards,
David.
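Referring back to Adrian Irimescu's session cache report earlier in this thread: the following is an added example, not code from the thread or from the stunnel project. It turns the ps rows and LOG7 counters he quotes into a growth figure per freshly negotiated session, so a leak of this kind shows up as a number at the first few hundred connections rather than as a full 32GB of RAM two weeks later. The snapshot texts are constructed from the values in his message; the function names and the thresholds are this example's own.

```python
import re

# ps(1) row as in the report: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(r"^\S+\s+(\d+)\s+[\d.]+\s+[\d.]+\s+(\d+)\s+(\d+)\s")
# stunnel LOG7 counters logged at the end of each connection
ACCEPT_RE = re.compile(r"(\d+) server accept\(s\) succeeded")
REUSE_RE = re.compile(r"(\d+) session reuse\(s\)")

# Constructed snapshots: one ps row plus the two counters, taken from the
# v5.32 run in Adrian's message (only the lines the analysis needs are kept).
V532_SNAPSHOTS = [
    ("after 3 new sessions",
     "stunnel 20655 0.0 0.0 117828 2976 ? Ss 15:49 0:00 /usr/local/bin/stunnel5\n"
     "2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 4 server accept(s) succeeded\n"
     "2016.05.11 15:50:57 LOG7[kngHAM6DLUpVRXEqHcUMIt]: 0 session reuse(s)\n"),
    ("after 1 resumed session",
     "stunnel 20655 0.0 0.0 117828 2976 ? Ss 15:49 0:00 /usr/local/bin/stunnel5\n"
     "2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 5 server accept(s) succeeded\n"
     "2016.05.11 15:51:57 LOG7[Slq6WdqS97Ox4G8eOKfGg0]: 1 session reuse(s)\n"),
    ("after first cache fill-up",
     "stunnel 20655 0.0 0.0 117828 3000 ? Ss 15:49 0:00 /usr/local/bin/stunnel5\n"
     "2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 6 server accept(s) succeeded\n"
     "2016.05.11 15:53:31 LOG7[P8n33mFxzHVAZEeRwnFccK]: 1 session reuse(s)\n"),
    ("after 300 more new sessions",
     "stunnel 20655 0.0 0.2 117828 11632 ? Ss 15:49 0:03 /usr/local/bin/stunnel5\n"
     "2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 306 server accept(s) succeeded\n"
     "2016.05.11 16:13:26 LOG7[vWvoFT1DXuJ9x0eEfFnQBf]: 1 session reuse(s)\n"),
]

# Constructed from the v5.26 run in the same message, for comparison.
V526_SNAPSHOTS = [
    ("after 100 fill-ups",
     "stunnel 27402 0.1 0.0 117672 2872 ? Ss 13:08 0:00 /usr/local/bin/stunnel5\n"
     "2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 107 server accept(s) succeeded\n"
     "2016.05.12 13:13:55 LOG7[TWO1OFFPYvsW4qdjyJ0IZK]: 1 session reuse(s)\n"),
    ("after another 100 fill-ups",
     "stunnel 27402 0.0 0.0 117672 2872 ? Ss 13:08 0:01 /usr/local/bin/stunnel5\n"
     "2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 207 server accept(s) succeeded\n"
     "2016.05.12 13:19:03 LOG7[InwkBBOxJrfptxYx6wXTxU]: 1 session reuse(s)\n"),
]


def parse_snapshot(text):
    """Return (rss_kb, accepts_succeeded, session_reuses) from one ps row plus
    the LOG7 counter lines logged at the same point."""
    rss = accepts = reuses = None
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            rss = int(m.group(3))
        m = ACCEPT_RE.search(line)
        if m:
            accepts = int(m.group(1))
        m = REUSE_RE.search(line)
        if m:
            reuses = int(m.group(1))
    if None in (rss, accepts, reuses):
        raise ValueError("snapshot lacks a ps row, accept counter or reuse counter")
    return rss, accepts, reuses


def growth_per_new_session(snapshots, min_new_sessions=10):
    """KB of RSS growth per freshly negotiated (non-resumed) session between
    consecutive snapshots. Resumed sessions are subtracted because the report
    shows they cost nothing. Intervals with fewer than min_new_sessions new
    sessions are skipped: a few KB of jitter there is not a leak signal."""
    parsed = [(label, parse_snapshot(text)) for label, text in snapshots]
    rates = []
    for (_, (rss_a, acc_a, reuse_a)), (label, (rss_b, acc_b, reuse_b)) in zip(parsed, parsed[1:]):
        new_sessions = (acc_b - reuse_b) - (acc_a - reuse_a)
        if new_sessions < min_new_sessions:
            continue
        rates.append((label, round((rss_b - rss_a) / new_sessions, 1)))
    return rates


def looks_like_leak(rates, threshold_kb=4.0):
    """Once the cache is full (sessionCacheSize reached) the cache itself can no
    longer grow, so a steady per-session cost above a few KB is the pattern to
    alert on; the 4 KB threshold is an assumption for this example."""
    return any(rate > threshold_kb for _, rate in rates)
```

Run over the v5.32 snapshots this reports about 28.8 KB per new session once the cache is full, which matches the ~28K in the report; the v5.26 snapshots give 0.0 KB. For a production check the same two counters come from the LOG7 output and RSS from /proc/PID/status, sampled at fixed accept counts, so the alert is on growth per session rather than on absolute memory.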
From Michal.Trojnara at stunnel.org Mon May 16 21:45:03 2016
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Mon, 16 May 2016 21:45:03 +0200
Subject: [stunnel-users] stunnel v5.32 (and older) strange session cache behavior on memory (de)allocation
In-Reply-To:
References:
Message-ID: <573A233F.6040602@stunnel.org>

On 16.05.2016 09:42, Adrian Irimescu wrote:
> Instead of this the stunnel allocates about 28K for any new session
> which does not have a stored session in cache and does not free this
> anymore.

Please try:
https://www.stunnel.org/downloads/beta/stunnel-5.33b2.tar.gz

In my tests this fixes the memory leak you reported.

Best regards,
Mike

From halcyon1234 at hotmail.com Mon May 16 22:23:21 2016
From: halcyon1234 at hotmail.com (Lorne Kates)
Date: Mon, 16 May 2016 16:23:21 -0400
Subject: [stunnel-users] Stunnel to an Akamai (for Authorize.net)
Message-ID:

Trying to figure out why this is failing. This works well for UPS, but is failing for authorize.net, who recently switched to an "Akamai" endpoint to be annoying.
On Windows Loopback installed

    [TLS_AUTH]
    client = yes
    accept = 10.1.1.2:8888
    connect = test.authorize.net:443
    TIMEOUTbusy = 10

Opening "https://test.authorize.net/gateway/transact.dll" is successful, gets the page (says "The follow errors have occured" because page expects a POST, that's ok)

Opening "http://10.1.1.2:8888/gateway/transact.dll" gets a 400 error from the server with:

    Invalid URL
    The requested URL "[no URL]", is invalid.
    Reference #9.2fc094d1.1463421241.5752b4e2

--

From jlbrown at bordo.com.au Tue May 17 09:02:38 2016
From: jlbrown at bordo.com.au (James Brown)
Date: Tue, 17 May 2016 17:02:38 +1000
Subject: [stunnel-users] TIMEOUTBusy exceeded
Message-ID: <0FBF2AE0-8CE0-42D5-B15A-24F6D885875A@bordo.com.au>

Running OpenSSL 1.0.2h, and stunnel 5.32 I often get:

    ssl_start: s_poll_wait: TIMEOUTbusy exceeded: sending reset
    2016.05.17 16:51:46 LOG5[21]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
    2016.05.17 16:51:46 LOG7[21]: Local descriptor (FD=15) closed
    2016.05.17 16:51:46 LOG7[21]: Service [ssmtp2] finished (3 left)
    2016.05.17 16:51:46 LOG6[22]: ssl_start: s_poll_wait: TIMEOUTbusy exceeded: sending reset
    2016.05.17 16:51:46 LOG5[22]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
    2016.05.17 16:51:46 LOG7[22]: Local descriptor (FD=16) closed
    2016.05.17 16:51:46 LOG7[22]: Service [ssmtp2] finished (2 left)

when a user is sending an email. The email actually makes it to our mail server and gets sent, but the sender's mail app says that it could not be sent.

Upgraded to 5.33b2, no change.

It is not all the time - I suspect it is with emails with large attachments.

Any suggestions?

Mac OS X 10.7.5.

Thanks,
James.
From lholzheid at bihl-wiedemann.de Tue May 17 10:01:01 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 17 May 2016 10:01:01 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References:
Message-ID: <20160517080100.GA6739@shadow.bihl-wiedemann.de>

On Mon, 2016-05-16 16:25:04 +0000, David Faizulaev wrote:
> Hello,
>
> I've found Stunnel as a potential answer to securely moving traffic between two machines.
> But I'm having some difficulties configuring the software.
>
> I've installed it on to the client machine and configured the client to connect to 127.0.0.1:8449 while the Server to which the client needs to connect is 192.168.220.72:8447
> In the stunnel.conf I've set the following:
>
> [custom]
> accept = 127.0.0.1:8449
> connect = 192.168.220.72:8447
> cert = 220.72.cer
> TIMEOUTclose = 0
>
> Upon initializing Stunnel I get the following error:
>
> 2016.05.16 19:14:04 LOG3[main]: error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> 2016.05.16 19:14:04 LOG3[main]: SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

David,

Stunnel doesn't like your key file. Maybe it's not in PEM format, or it does not contain a private key.

Try to open it with a text editor. There should be lines reading "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" with some base64 coded stuff in between.

(There also should be a certificate enclosed in "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", but for now, stunnel is missing the private key.)
HTH,

Ludolf

--
Ludolf Holzheid

Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany

Tel: +49 621 33996-0
Fax: +49 621 3392239

mailto:lholzheid at bihl-wiedemann.de
http://www.bihl-wiedemann.de

Registered office: Mannheim
Managing directors: Jochen Bihl, Bernhard Wiedemann
Amtsgericht (district court) Mannheim, HRB 5796

From lholzheid at bihl-wiedemann.de Tue May 17 13:02:34 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 17 May 2016 13:02:34 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de>
Message-ID: <20160517110233.GB6739@shadow.bihl-wiedemann.de>

On Tue, 2016-05-17 08:29:17 +0000, David Faizulaev wrote:
> Hello Ludolf,
>
> I've printed the content of the certificate file and the lines "-----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----" exist.
> In addition, I've compared the default certificate provided by Stunnel with the one I wish to use; their structure is identical.

Hello David,

Please reply to the list, so others are able to comment too.

I don't know the 'default certificate provided by Stunnel'. I expect it to be depending on the distribution.

However, if there are "BEGIN/END CERTIFICATE" lines in your file, but no "BEGIN/END RSA PRIVATE KEY", then the file is in PEM format, but the key is missing. Maybe you have separate files for private key and certificate.

If this is the case, you may either concatenate key and certificate to a single file or specify both files in the stunnel configuration:

    key = my-private-key.pem
    cert = my-certificate.pem

Ludolf

From David.Faizulaev at nextnine.com Tue May 17 13:13:26 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Tue, 17 May 2016 11:13:26 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To: <20160517110233.GB6739@shadow.bihl-wiedemann.de>
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de>
Message-ID:

I see. I have a keystore file for the server; can it be set as KEY? Can I convert the keystore to PEM?

Additionally, I've thought about configuring Stunnel in client mode. Here is the configuration:

    [custom]
    client = yes
    accept = 127.0.0.1:8449
    connect = 192.168.220.72:444
    verify = 2
    CAfile = server.pem

In this case, my application appears to successfully connect to Stunnel & send messages. But when it tries to access it in order to collect messages, it fails:

    (App in C++) Error: socketReceive data failed (Requested: 4 bytes, Cur chunk size: 4 bytes. Progress: Got: 0 bytes, Left: 4 bytes): System Err: An unknown error occurred while accessing an unnamed file.

Thank you for your assistance.

Best Regards,
David.
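The check Ludolf describes above (open the file and look for the BEGIN/END lines), as an added example that is not code from the thread or from stunnel: a Python script that inventories the PEM blocks in a file, reports whether a certificate, a private key, both or neither is present, and concatenates a separate key file and certificate file into the single cert= file he suggests. The sample file contents are constructed placeholders, not real keys or certificates, and the function names are this example's own.

```python
import re

# One PEM block: "-----BEGIN <LABEL>-----", a base64 body, "-----END <LABEL>-----".
# The backreference makes a BEGIN/END label mismatch fail to match at all.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/=\r\n]+$")


def pem_labels(text):
    """Labels of the PEM blocks in text, in order; a block whose body is not
    base64 raises, since PEM_read_bio would choke on it as well."""
    labels = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if not BASE64_BODY.match(body):
            raise ValueError("block %r has a non-base64 body" % label)
        labels.append(label)
    return labels


def diagnose_cert_file(text):
    """Classify a file meant for stunnel's cert= option the way the reply above
    does by hand: certificate only, key only, both, or no PEM armour at all."""
    labels = pem_labels(text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if not labels:
        return "not-pem", labels      # nothing for PEM_read_bio to start on
    if has_cert and not has_key:
        return "missing-key", labels  # David's case: certificate, no private key
    if has_key and not has_cert:
        return "missing-cert", labels
    return "ok", labels


def combine_key_and_cert(key_text, cert_text):
    """Concatenate a separate key file and certificate file into one cert= file
    (the first of the two fixes suggested above); the other is key= plus cert=."""
    parts = [key_text.rstrip("\r\n"), cert_text.rstrip("\r\n")]
    return "\n".join(parts) + "\n"


# Constructed sample files; the base64 bodies are placeholders, not real data.
CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBc29tZSBwbGFjZWhvbGRlciBjZXJ0aWZpY2F0ZSBib2R5\n"
    "-----END CERTIFICATE-----\n")
KEY_ONLY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEcGxhY2Vob2xkZXIga2V5IGJvZHk=\n"
    "-----END RSA PRIVATE KEY-----\n")
NOT_PEM = "0\x82\x03 binary DER or a keystore blob, no PEM armour\n"
```

A file that reports "missing-key" is exactly the situation behind the SSL_CTX_use_PrivateKey_file error in the thread: stunnel reads the certificate fine and then finds no key block in the file it was told to use.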
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

From David.Faizulaev at nextnine.com Tue May 17 13:15:41 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Tue, 17 May 2016 11:15:41 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de>
Message-ID:

Sorry, but I was incorrect. The application cannot send or receive messages; I thought I was able to send messages, but I was wrong.

Best Regards,
David.
From lholzheid at bihl-wiedemann.de Tue May 17 13:38:13 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 17 May 2016 13:38:13 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de>
Message-ID: <20160517113813.GC6739@shadow.bihl-wiedemann.de>

On Tue, 2016-05-17 11:13:26 +0000, David Faizulaev wrote:
> I see, I have a keystore file for the server, can it be set as KEY ? can I convert keystore to PEM?

I don't know. Some key/certificate repositories don't allow to export private keys. Maybe there is a PKCS11 plug-in for OpenSSL to access the keystore. If this is the case, you don't have to export your private key. But again, I don't know.

> Additionally, I've thought about configuring Stunnel in client mode.
> Here is the configuration:
> [..]

Running stunnel in client or server mode makes no difference w.r.t. certificate and key files. As long as stunnel is not able to access your private key, the client mode won't work either.
HTH,

Ludolf

From David.Faizulaev at nextnine.com Tue May 17 15:08:33 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Tue, 17 May 2016 13:08:33 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To: <20160517113813.GC6739@shadow.bihl-wiedemann.de>
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de>
Message-ID:

Latest update:

After further investigation, it became evident that Stunnel should run as client. Therefore, I've converted my existing certs file (from my application) into a PEM file. The file includes -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----.

But I still get an error:

    2016.05.17 15:57:24 LOG4[281]: CERT: Pre-verification error: self signed certificate in certificate chain
    2016.05.17 15:57:24 LOG4[281]: Rejected by CERT at depth=1: CN=NextnineCA
    2016.05.17 15:57:24 LOG3[281]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Here is the current configuration:

    [custom]
    client = yes
    accept = 127.0.0.1:8449
    connect = 192.168.220.62:443
    verify = 2
    CAfile = myapp.pem

Best Regards,
David.
From lholzheid at bihl-wiedemann.de Tue May 17 15:21:34 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 17 May 2016 15:21:34 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de>
Message-ID: <20160517132133.GD6739@shadow.bihl-wiedemann.de>

On Tue, 2016-05-17 13:08:33 +0000, David Faizulaev wrote:
> Latest update:
> After further investigation, it became evident that Stunnel should run as client.
> Therefore, I've converted my existing certs file (from my application) into a PEM file.
> The file includes -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----.
>
> But I still get an error:
>
> 2016.05.17 15:57:24 LOG4[281]: CERT: Pre-verification error: self signed certificate in certificate chain
> 2016.05.17 15:57:24 LOG4[281]: Rejected by CERT at depth=1: CN=NextnineCA
> 2016.05.17 15:57:24 LOG3[281]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
>
> Here is the current configuration:
>
> [custom]
> client = yes
> accept = 127.0.0.1:8449
> connect = 192.168.220.62:443
> verify = 2
> CAfile = myapp.pem

David,

CAfile should point to a list of trusted certificates. The file(s) for your pair of certificate and key should be specified with cert=...
(and key=..., if certificate and key are stored in separate files).

Are the log messages generated at stunnel startup or at connection establishment?

Ludolf

From David.Faizulaev at nextnine.com Tue May 17 15:24:38 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Tue, 17 May 2016 13:24:38 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To: <20160517132133.GD6739@shadow.bihl-wiedemann.de>
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de>
Message-ID:

Log messages are generated upon connection attempt.

Best Regards,
David.
From lholzheid at bihl-wiedemann.de Tue May 17 15:30:39 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 17 May 2016 15:30:39 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de>
Message-ID: <20160517133039.GI6739@shadow.bihl-wiedemann.de>

On Tue, 2016-05-17 13:24:38 +0000, David Faizulaev wrote:
> Log messages are generated upon connection attempt.
Then the server presents a certificate that can't be validated against the trusted certificates stored in the file you specified with CAfile=...

Ludolf

From David.Faizulaev at nextnine.com Tue May 17 15:33:31 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Tue, 17 May 2016 13:33:31 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To: <20160517133039.GI6739@shadow.bihl-wiedemann.de>
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de> <20160517133039.GI6739@shadow.bihl-wiedemann.de>
Message-ID:

Between each certificate block I have the following block:

Bag Attributes
    friendlyName: trustcenterclass2caii
    2.16.840.1.113894.746875.1.1:
subject=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
issuer=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II

possible cause?

Best Regards,
David.
From lholzheid at bihl-wiedemann.de Tue May 17 15:44:55 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 17 May 2016 15:44:55 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de> <20160517133039.GI6739@shadow.bihl-wiedemann.de>
Message-ID: <20160517134455.GJ6739@shadow.bihl-wiedemann.de>

On Tue, 2016-05-17 13:33:31 +0000, David Faizulaev wrote:
> Between each certificate block I have the following block:
>
> Bag Attributes
> friendlyName: trustcenterclass2caii
> 2.16.840.1.113894.746875.1.1:
> subject=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
> issuer=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
>
> possible cause?

No, this should be ignored as a comment. But you instructed stunnel to check the peer's certificate against the trusted ones (verify = 2), and the certificate chain the peer presents ends with a certificate not found in the CA file.

Ludolf

From David.Faizulaev at nextnine.com Tue May 17 15:50:04 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Tue, 17 May 2016 13:50:04 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To: <20160517134455.GJ6739@shadow.bihl-wiedemann.de>
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de> <20160517133039.GI6739@shadow.bihl-wiedemann.de> <20160517134455.GJ6739@shadow.bihl-wiedemann.de>
Message-ID:

Hello,

I've tried changing the value of 'verify' to 0 & 1; in both cases I get the following:

2016.05.17 16:40:25 LOG3[285]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.05.17 16:40:25 LOG5[285]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 11859 allocations
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408:
11241 allocations

Best Regards,
David.
From David.Faizulaev at nextnine.com Tue May 17 16:01:49 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Tue, 17 May 2016 14:01:49 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
References: <20160517080100.GA6739@shadow.bihl-wiedemann.de> <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de> <20160517133039.GI6739@shadow.bihl-wiedemann.de> <20160517134455.GJ6739@shadow.bihl-wiedemann.de>
Message-ID:

I've tried with setting the values to 3 & 4 and I get:

2016.05.17 16:52:51 LOG4[332]: CERT: Pre-verification error: self signed certificate in certificate chain
2016.05.17 16:52:51 LOG4[332]: Rejected by CERT at depth=1: CN=MyCA
2016.05.17 16:52:51 LOG3[332]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.05.17 16:52:51 LOG5[332]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 23328 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 22022 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\a_object.c:346: 18299 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\a_object.c:315: 18299 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at
.\crypto\asn1\asn1_lib.c:372: 17132 allocations

Best Regards,
David.
From lholzheid at bihl-wiedemann.de Tue May 17 18:01:22 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 17 May 2016 18:01:22 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de> <20160517133039.GI6739@shadow.bihl-wiedemann.de> <20160517134455.GJ6739@shadow.bihl-wiedemann.de>
Message-ID: <20160517160122.GK6739@shadow.bihl-wiedemann.de>

On Tue, 2016-05-17 13:50:04 +0000, David Faizulaev wrote:
> Hello,
>
> I've tried changing the value of 'verify' to 0 & 1; in both cases I get the following:
>
> 2016.05.17 16:40:25 LOG3[285]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> 2016.05.17 16:40:25 LOG5[285]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 11859 allocations
> 2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 11241 allocations

Strange. I never used verify = 0, but I had the understanding that stunnel should accept a connection even if the peer's certificate can't be verified.

Anyhow, what happens if you add the self-signed certificate presented by the peer to the CA file?
Ludolf

From bojack1437 at gmail.com Tue May 17 22:01:57 2016
From: bojack1437 at gmail.com (Brandon Jackson)
Date: Tue, 17 May 2016 16:01:57 -0400
Subject: [stunnel-users] SSL Labs: Session resumption IDs assigned but not accepted
Message-ID:

Trying to find out why SSL Labs is giving this message:

Session resumption (caching): No (IDs assigned but not accepted)

I have this in the config.

sessionCacheSize = 1000
sessionCacheTimeout = 86400

----------------------------------
Brandon Jackson
bojack1437 at gmail.com

From halcyon1234 at hotmail.com Tue May 17 22:03:28 2016
From: halcyon1234 at hotmail.com (Lorne Kates)
Date: Tue, 17 May 2016 16:03:28 -0400
Subject: [stunnel-users] Requests to cloud server that requires host header
Message-ID:

(related to Akamai message from before-- but I have better troubleshooting information).

I'm trying to route traffic through stunnel to a "cloud" based endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net).

But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud".

Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net.

I've tried adding "delay = yes" and "sni = test.authorize.net", but neither works.

To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode.
This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll

This is what you'll get if you try to use stunnel (400 invalid url): https://23.195.204.150/gateway/transact.dll

So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?

From josealf at rocketmail.com Wed May 18 05:19:31 2016
From: josealf at rocketmail.com (Jose Alf.)
Date: Wed, 18 May 2016 03:19:31 +0000 (UTC)
Subject: [stunnel-users] Requests to cloud server that requires host header
In-Reply-To:
References:
Message-ID: <903304443.4827711.1463541571581.JavaMail.yahoo@mail.yahoo.com>

Lorne,

> So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?

Sorry. You can't. AFAIK stunnel has no support for user-defined headers. However, if you're not using a conventional web browser, you can modify the requests and insert any needed headers. You can do that with a library like libcurl.

regards,
Jose
From David.Faizulaev at nextnine.com Wed May 18 09:24:52 2016
From: David.Faizulaev at nextnine.com (David Faizulaev)
Date: Wed, 18 May 2016 07:24:52 +0000
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To: <20160517160122.GK6739@shadow.bihl-wiedemann.de>
References: <20160517110233.GB6739@shadow.bihl-wiedemann.de> <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de> <20160517133039.GI6739@shadow.bihl-wiedemann.de> <20160517134455.GJ6739@shadow.bihl-wiedemann.de> <20160517160122.GK6739@shadow.bihl-wiedemann.de>
Message-ID:

Do you concatenate the self-signed certificate to the current CA?

Best Regards,
David.
From guille.rodriguez at gmail.com Wed May 18 10:51:01 2016
From: guille.rodriguez at gmail.com (Guillermo Rodriguez Garcia)
Date: Wed, 18 May 2016 10:51:01 +0200
Subject: [stunnel-users] Requests to cloud server that requires host header
In-Reply-To:
References:
Message-ID:

Hello,

2016-05-17 22:03 GMT+02:00 Lorne Kates :
> So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?
Stunnel won't do this for you (it will not inject any HTTP headers at all). You must tell your HTTP client software to do it.

Example: 'nslookup test.authorize.net' says that the IP address is 104.83.163.210

Try the following (no stunnel involved here):

curl -k https://104.83.163.210/gateway/transact.dll
-> 400 invalid url error

curl -k -H 'Host: test.authorize.net' https://104.83.163.210/gateway/transact.dll
-> Works

With stunnel it is the same. You must tell whatever HTTP client you are using to send the correct Host: header. In your case you can try:

curl -k -H 'Host: test.authorize.net' https://23.195.204.150/gateway/transact.dll

Best regards,

Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com

From lholzheid at bihl-wiedemann.de Wed May 18 12:56:34 2016
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Wed, 18 May 2016 12:56:34 +0200
Subject: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
In-Reply-To:
References: <20160517113813.GC6739@shadow.bihl-wiedemann.de> <20160517132133.GD6739@shadow.bihl-wiedemann.de> <20160517133039.GI6739@shadow.bihl-wiedemann.de> <20160517134455.GJ6739@shadow.bihl-wiedemann.de> <20160517160122.GK6739@shadow.bihl-wiedemann.de>
Message-ID: <20160518105634.GA23547@shadow.bihl-wiedemann.de>

On Wed, 2016-05-18 07:24:52 +0000, David Faizulaev wrote:
> Do you concatenate the self-signed certificate to the current CA?

This self-signed certificate /is/ the current CA certificate, as it is the root of the peer's certificate chain and you trust it.
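The rejection in David's log, reproduced on a throwaway PKI and then cleared, as an added example; this is not code from the thread or from the stunnel project. It assumes only the openssl command-line tool, and the names MyCA, server, client, myapp.pem and trusted.pem are made up for the demonstration. verify_chain stands in for a stunnel client with verify = 2: the file handed to it plays the role of CAfile, and the root is offered only as an untrusted chain member, which is how the server sends it on the wire. With CAfile pointing at the application's own certificate, the chain ends in a self-signed root that is in no trust store and openssl reports it in the same words as the stunnel log; with CAfile pointing at that root, the chain verifies. with_bag_attributes puts the text that openssl pkcs12 leaves between certificates in front of a bundle, to show that the PEM reader skips it as Ludolf says, and bundle_has_issuer_of answers the question that actually matters here: does CAfile contain a certificate whose subject is the issuer of the server certificate?

```shell
#!/bin/sh
# Added example (not from the thread or from stunnel): reproduce the
# "self signed certificate in certificate chain" rejection on a throwaway
# PKI, then show it clearing once CAfile really holds the root.  Needs only
# the openssl CLI; MyCA, server, client, myapp.pem, trusted.pem are made up.
set -e

WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT

# Toy PKI: a self-signed root, a server certificate it signs, and an
# unrelated self-signed client certificate standing in for the application
# certificate that the thread's configuration pointed CAfile at.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=MyCA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client" \
        -keyout "$WORK/client.key" -out "$WORK/client.pem" 2>/dev/null
}

# Write certificate $2 to bundle $1 behind the kind of text "openssl pkcs12"
# puts in front of each certificate; the PEM reader skips it.
with_bag_attributes() {
    {
        echo "Bag Attributes"
        echo "    friendlyName: $3"
        cat "$2"
    } > "$1"
}

# Verify the server certificate the way a stunnel client with verify = 2
# does: $1 plays the role of CAfile, and the root is offered only as an
# untrusted chain member, which is how the server sends it on the wire.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1
}

# True only if the chain verified.  Old openssl builds exit 0 from "verify"
# even on failure, so judge by the printed verdict rather than the status.
chain_ok() {
    verify_chain "$1" | grep -q ': OK$'
}

# The reason openssl gives for a rejected chain (empty when it verified).
verify_reason() {
    verify_chain "$1" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Subject and issuer of every certificate in a PEM bundle, Bag Attributes
# and all.
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Subject hash of every certificate in a PEM bundle, one per line.
bundle_subject_hashes() {
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/split." n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    for c in "$WORK"/split.*.pem; do
        [ -e "$c" ] || continue
        openssl x509 -in "$c" -noout -subject_hash
    done
    rm -f "$WORK"/split.*.pem
}

# Does bundle $1 hold a certificate whose subject is the issuer of $2?
# This is the property CAfile must have for verify = 2 to succeed.
bundle_has_issuer_of() {
    bundle_subject_hashes "$1" | grep -qx "$(openssl x509 -in "$2" -noout -issuer_hash)"
}

# The thread's configuration (CAfile = the application's own certificate)
# beside the corrected one (CAfile = the root that signed the server).
demo() {
    make_pki
    with_bag_attributes "$WORK/myapp.pem" "$WORK/client.pem" myapp
    with_bag_attributes "$WORK/trusted.pem" "$WORK/ca.pem" myca
    for f in myapp.pem trusted.pem; do
        echo "== CAfile = $f"
        list_bundle "$WORK/$f"
        if chain_ok "$WORK/$f"; then
            echo "server chain: OK"
        else
            echo "server chain: $(verify_reason "$WORK/$f")"
        fi
    done
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as sh chain-check.sh demo. One caveat once the right root is in CAfile: verify = 2 then accepts every certificate that CA has ever issued, so a client meant to talk to one specific server should pin it instead with verify = 3 (the peer's own certificate placed in CAfile) or, on stunnel 5.x, add a checkHost = ... line so the name in the certificate is checked as well.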
From dab1818 at gmail.com Wed May 18 18:26:35 2016
From: dab1818 at gmail.com (Dmitry Bakshaev)
Date: Wed, 18 May 2016 20:26:35 +0400
Subject: [stunnel-users] PKCS12 support patch
Message-ID:

Googling the internet about using certificates and keys from a PKCS12 file leads to converting it to PEM. That requires some additional utilities (openssl is not a default Windows application) and manual steps to convert.

This patch allows using PKCS12 directly from stunnel.

Example configuration:

cert = /home/dab/.certs/my.p12

PKCS12 files are detected by file extension (.p12 or .pfx, not case sensitive) and loaded specially. The password is prompted for if needed; an empty password is also supported.

Code based on examples from:
https://groups.google.com/forum/#!topic/mailing.openssl.users/iuBmSqwsIG4
http://openssl-users.openssl.narkive.com/J0bR3cMA/ssl-ctx-use-privatekey-file

Patch tested on stunnel working on Linux (Gentoo: from our overlay http://bbgentoo.ilb.ru/repos/bbgentoo/bbgentoo_overlay/branches/drafts/net-misc/stunnel/ ) and Windows.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-5.32-load_pkcs12_file.patch
Type: text/x-patch
Size: 3467 bytes

From dab1818 at gmail.com Thu May 19 17:31:30 2016
From: dab1818 at gmail.com (Dmitry Bakshaev)
Date: Thu, 19 May 2016 19:31:30 +0400
Subject: [stunnel-users] Fwd: PKCS12 support patch
In-Reply-To:
References:
Message-ID:

I hereby release my patches to stunnel for support of PKCS12 files into the public domain.
---------- Forwarded message ----------
From: Dmitry Bakshaev
Date: 2016-05-18 20:26 GMT+04:00
Subject: PKCS12 support patch
To: stunnel-users at stunnel.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-5.32-load_pkcs12_file.patch
Type: text/x-patch
Size: 3467 bytes

From Randall.LeJeune at LA.GOV Thu May 19 23:14:06 2016
From: Randall.LeJeune at LA.GOV (Randall LeJeune)
Date: Thu, 19 May 2016 21:14:06 +0000
Subject: [stunnel-users] stunnel on AIX 7
Message-ID: <195A829159FDE14C98D0E2325885737AA4E892@mailmb04>

Does anyone here have any experience in installing and/or running stunnel on AIX? I have version 4.56 installed on my AIX v.7 box, but I checked when this was released and it was over three years ago. I found a version 5.17-2 binary available on Perzl.org but nothing more recent (this version is slightly over a year old). I did try a compile of the newest version but got some errors when I tried to run make (1254-004 error on collect2). Does anyone have any ideas on what would be the best way to proceed here?
Thanks in advance.

From lists at nerdbynature.de Fri May 20 00:19:22 2016
From: lists at nerdbynature.de (Christian Kujau)
Date: Thu, 19 May 2016 15:19:22 -0700 (PDT)
Subject: [stunnel-users] stunnel on AIX 7
In-Reply-To: <195A829159FDE14C98D0E2325885737AA4E892@mailmb04>
References: <195A829159FDE14C98D0E2325885737AA4E892@mailmb04>
Message-ID:

On Thu, 19 May 2016, Randall LeJeune wrote:
> (this version is slightly over a year old). I did try a compile of the
> newest version but got some errors when I tried to run make (1254-004
> error on collect2).

What did you do exactly and what's the error message?

C.
--
BOFH excuse #164:

root rot

From adrian.irimescu.iri at gmail.com Fri May 20 10:24:12 2016
From: adrian.irimescu.iri at gmail.com (Adrian Irimescu)
Date: Fri, 20 May 2016 11:24:12 +0300
Subject: [stunnel-users] stunnel v5.32 (and older) strange session cache behavior on memory (de)allocation
In-Reply-To: <573A233F.6040602@stunnel.org>
References: <573A233F.6040602@stunnel.org>
Message-ID:

Hi,

I've done some tests with stunnel v5.33b2 and I can confirm that this version fixes the memory leak I reported (and after the session cache is filled with entries, stunnel does not allocate more memory for next sessions).

One more question: do you have any recommendation for session cache size? On my systems I have set this to 30000. I have 32 GB of RAM so the memory is not the problem. My concerns are about time spent to search for entries in cache if I grow session cache size over 100000 entries.

Thank you for your response.

Best Regards,
Adrian Irimescu

On Mon, May 16, 2016 at 10:45 PM, Michał Trojnara <Michal.Trojnara at stunnel.org> wrote:
> On 16.05.2016 09:42, Adrian Irimescu wrote:
> > Instead of this the stunnel allocates about 28K for any new session
> > which does not have a stored session in cache and does not free this
> > anymore.
>
> Please try:
> https://www.stunnel.org/downloads/beta/stunnel-5.33b2.tar.gz
> In my tests this fixes the memory leak you reported.
>
> Best regards,
> Mike
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

From dab1818 at gmail.com Mon May 23 14:24:17 2016
From: dab1818 at gmail.com (Dmitry Bakshaev)
Date: Mon, 23 May 2016 16:24:17 +0400
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
Message-ID:

The problem frequently occurs on the client side: an admin needs to configure stunnel for multiple users. Every user has their own key, certificate, and own permissions on the file system (for log files, etc).

This patch allows writing a flexible config. Some examples:

    cert = %USERPROFILE%\.config\my.pem    (windows)
    cert = ${HOME}/.config/my.pem          (other)

    output = %APPDATA%\stunnel.log         (windows)
    output = ${HOME}/stunnel.log           (other)

    CAfile = %ALLUSERSPROFILE%\ourCAbundle.crt    (windows)
    CAfile = /etc/ssl/certs/ourCAbundle.crt       (other, not using variables)

"Secure" :) random port example:

    ...
    [srv1]
    accept = 127.0.0.1:%SRV1_PORT%    (windows)
    accept = 127.0.0.1:${SRV1_PORT}   (other)
    ...

Start stunnel (batch file or shell script):

    set SRV1_PORT=%RANDOM%    (windows)

Limitations:
1. No Unicode support on Windows (localized usernames, files, etc).
2. Only the ${NAME} syntax is supported on *nix (not $NAME).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-5.32-env_expanded_config.patch
Type: text/x-diff
Size: 2582 bytes
Desc: not available
URL:

From mark at loadbalancer.org Tue May 24 13:28:17 2016
From: mark at loadbalancer.org (Mark Brookes)
Date: Tue, 24 May 2016 12:28:17 +0100
Subject: [stunnel-users] Potential performance degradation moving from Stunnel 5.06 to 5.32
Message-ID:

There might be a throughput degradation in the more recent versions of stunnel. I have recently been testing the 5.32 version of stunnel and have noticed that the tps drop quite significantly when moving from 5.06 to 5.32. I'm willing to admit it could be something to do with my config or testing, but if anyone could offer some suggestions it would be much appreciated.

The config is set up as follows: Stunnel VIP -> HAProxy. (I have configured HAProxy to return a simple page.) I am using a self-signed 1024-bit certificate and the cipher I am using is ECDHE-RSA-AES256-GCM-SHA384 (I also tested with aNull:eNULL:MD5:LOW:HIGH and noticed a similar drop in performance).

My stunnel config is:

    setuid = stunnel
    pid = /var/run/stunnel/stunnel.pid
    debug = local1.0
    socket = a:IP_FREEBIND=yes
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1

    [VIP_Name-1]
    cert = /root/server1024.pem
    ciphers = ECDHE-RSA-AES256-GCM-SHA384
    accept = 192.168.80.131:443
    connect = 127.0.0.1:80
    connect = 127.0.0.2:80
    delay = no
    options = CIPHER_SERVER_PREFERENCE
    options = DONT_INSERT_EMPTY_FRAGMENTS
    renegotiation = no
    TIMEOUTclose = 0

My HAProxy config is:

    global
        daemon
        stats socket /var/run/haproxy.stat mode 600 level admin
        pidfile /var/run/haproxy.pid
        maxconn 100000
        tune.maxrewrite 1024
        nbproc 3

    defaults
        #mode http
        #balance roundrobin
        timeout connect 4000
        timeout client 42000
        timeout server 43000

    peers loadbalancer_replication
        peer lbmaster localhost:7778
        peer lbslave localhost:7778

    listen VIP_Name
        bind 127.0.0.1:80 transparent
        #bind 192.168.80.121:80 transparent
        monitor-uri /
        mode http
        errorfile 200 /etc/haproxy/200.http

    listen VIP_Name_2
        monitor-uri /
        mode http
        bind 127.0.0.2:80 transparent
        errorfile 200 /etc/haproxy/200.http

All the versions of stunnel mentioned here have been built against OpenSSL 1.0.1s.

I am using siege to generate the load and issuing the following command:

    siege https://192.168.80.131 -t1M -c 15 -b

The test is: stop the stunnel service, replace the stunnel binary with a different version, restart the service, run the test.

The results I'm seeing are as follows (all results are quoted in transactions per second as reported by siege):

    v5.06 - 2233
    v5.07 - 2229
    v5.25 - 2171
    v5.30 - 2092
    v5.32 - 302

In my results you can see roughly a 200 tps drop from version 5.06 to v5.30, then when we get to v5.32 it drops further. To reiterate, the only thing I am changing in my configuration is the stunnel binary. Everything else remains the same.

Does anyone have any ideas what could be happening?

Thank you
Mark

From Brian.Lin at mitrastar.com.tw Fri May 27 09:46:14 2016
From: Brian.Lin at mitrastar.com.tw (Brian Lin)
Date: Fri, 27 May 2016 07:46:14 +0000
Subject: [stunnel-users] Compiling error when OPENSSL_NO_DH is defined and openssl version is < 1.1.0
Message-ID:

Hi All,

Just reporting an issue on v5.32.

If OPENSSL_NO_DH is defined and the OpenSSL version is < 1.1.0, DH_set0_pqg() is not defined in src/common.h, but it will be compiled in src/ssl.c, due to no compile flag checking for OPENSSL_NO_DH.
Here is the diff:

    +#ifndef OPENSSL_NO_DH
    #if OPENSSL_VERSION_NUMBER<0x10100000L
    /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
     * to be linked against the older versions */
    int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
        if(!p || !g) /* q is optional */
            return 0;
        BN_free(dh->p);
        BN_free(dh->q);
        BN_free(dh->g);
        dh->p = p;
        dh->q = q;
        dh->g = g;
        if(q)
            dh->length = BN_num_bits(q);
        return 1;
    }
    #endif
    +#endif

Cheers,
Brian

From rose-indorf at gmx.de Sat May 28 23:23:57 2016
From: rose-indorf at gmx.de (Sebastian Rose-Indorf)
Date: Sat, 28 May 2016 23:23:57 +0200
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To:
References:
Message-ID: <000901d1b927$466fcc10$d34f6430$@de>

Hello Michal,

I think it would be a good idea to integrate this patch into the next version.

Best regards
Sebastian

From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On behalf of Dmitry Bakshaev
Sent: Monday, 23 May 2016 14:24
To: stunnel-users at stunnel.org
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file

The problem frequently occurs on the client side: an admin needs to configure stunnel for multiple users. Every user has their own key, certificate, and own permissions on the file system (for log files, etc).

This patch allows writing a flexible config.
Some examples:

    cert = %USERPROFILE%\.config\my.pem    (windows)
    cert = ${HOME}/.config/my.pem          (other)

    output = %APPDATA%\stunnel.log         (windows)
    output = ${HOME}/stunnel.log           (other)

    CAfile = %ALLUSERSPROFILE%\ourCAbundle.crt    (windows)
    CAfile = /etc/ssl/certs/ourCAbundle.crt       (other, not using variables)

"Secure" :) random port example:

    ...
    [srv1]
    accept = 127.0.0.1:%SRV1_PORT%    (windows)
    accept = 127.0.0.1:${SRV1_PORT}   (other)
    ...

Start stunnel (batch file or shell script):

    set SRV1_PORT=%RANDOM%    (windows)

Limitations:
1. No Unicode support on Windows (localized usernames, files, etc).
2. Only the ${NAME} syntax is supported on *nix (not $NAME).
From kostikbel at ukr.net Tue May 31 00:42:59 2016
From: kostikbel at ukr.net (Konstantin Belousov)
Date: Tue, 31 May 2016 01:42:59 +0300
Subject: [stunnel-users] IPv4 and IPv6
Message-ID: <20160530224259.GD38613@kib.kiev.ua>

Hi.

I have the following configuration for the outgoing connection:

    [XXX-1]
    client = yes
    accept = 127.0.0.1:1564
    connect = some-server:9999
    local = some-other-address

Sometimes, or rather, quite regularly, the connection to localhost port 1564 results in an immediate connection close and the following being logged:

    May 30 23:06:58 tom stunnel: LOG5[4]: Service [XXX-1] accepted connection from 127.0.0.1:12848
    May 30 23:06:58 tom stunnel: LOG3[4]: local_bind (ephemeral port): Invalid argument (22)

I traced the syscalls and see the following:

    28196 stunnel CALL socket(PF_INET6,SOCK_STREAM,IPPROTO_IP)
    28196 stunnel RET socket 10/0xa
    28196 stunnel CALL fcntl(0xa,F_GETFL,0)
    28196 stunnel RET fcntl 2
    28196 stunnel CALL fcntl(0xa,F_SETFL,0x6)
    28196 stunnel RET fcntl 0
    28196 stunnel CALL fcntl(0xa,F_SETFD,FD_CLOEXEC)
    28196 stunnel RET fcntl 0
    28196 stunnel CALL bind(0xa,0x802808a6c,0x10)
    28196 stunnel STRU struct sockaddr { AF_INET, 176.36.249.139:0 }
    28196 stunnel RET bind -1 errno 22 Invalid argument

The socket was created with the INET6 address family, but bind was done for the INET AF. Indeed, both some-server and some-other-address have both A and AAAA records, and the corresponding addresses are configured and functional. The OS is FreeBSD; I was assured that this combination (INET6 socket and INET bind) is not correct. It probably works sometimes when the first resolved addresses for the names happen to come from the same address family, but when the resolvers return a different order, the situation above occurs.

Disabling IPv6 support makes the connection work reliably, which confirms my observations.

I am using stunnel 5.31.
Would be nice to have this fixed.

Thanks.

From Michal.Trojnara at stunnel.org Tue May 31 08:04:24 2016
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Tue, 31 May 2016 08:04:24 +0200
Subject: [stunnel-users] IPv4 and IPv6
In-Reply-To: <20160530224259.GD38613@kib.kiev.ua>
References: <20160530224259.GD38613@kib.kiev.ua>
Message-ID: <574D2968.6050201@stunnel.org>

On 31.05.2016 00:42, Konstantin Belousov wrote:
> I have the following configuration for the outgoing connection:
> [XXX-1]
> client = yes
> accept = 127.0.0.1:1564
> connect = some-server:9999
> local = some-other-address
[cut]
> The socket was created with the INET6 address family, but bind was done for
> the INET AF.

This is pretty much expected if "some-server:9999" is an IPv6 address and "some-other-address" is an IPv4 address. The "local" option indeed cannot handle a mix of IPv4 and IPv6 "connect" addresses.

What do you think might be a proper solution?

Best regards,
Mike

From Michal.Trojnara at stunnel.org Tue May 31 08:05:55 2016
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Tue, 31 May 2016 08:05:55 +0200
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To:
References:
Message-ID: <574D29C3.10001@stunnel.org>

I'm pretty sure the use of ExpandEnvironmentStringsA() will break WCE builds. Please correct me if I'm wrong.

Best regards,
Mike

On 23.05.2016 14:24, Dmitry Bakshaev wrote:
> The problem frequently occurs on the client side: an admin needs to
> configure stunnel for multiple users.
> Every user has their own key, certificate, and own permissions on the file
> system (for log files, etc).
>
> This patch allows writing a flexible config.
>
> Some examples:
>     cert = %USERPROFILE%\.config\my.pem    (windows)
>     cert = ${HOME}/.config/my.pem          (other)
>
>     output = %APPDATA%\stunnel.log         (windows)
>     output = ${HOME}/stunnel.log           (other)
>
>     CAfile = %ALLUSERSPROFILE%\ourCAbundle.crt    (windows)
>     CAfile = /etc/ssl/certs/ourCAbundle.crt       (other, not using variables)
>
> "Secure" :) random port example:
>     ...
>     [srv1]
>     accept = 127.0.0.1:%SRV1_PORT%    (windows)
>     accept = 127.0.0.1:${SRV1_PORT}   (other)
>     ...
> Start stunnel (batch file or shell script):
>     set SRV1_PORT=%RANDOM%    (windows)
>
> Limitations:
> 1. No Unicode support on Windows (localized usernames, files, etc).
> 2. Only the ${NAME} syntax is supported on *nix (not $NAME).

From dab1818 at gmail.com Tue May 31 08:58:37 2016
From: dab1818 at gmail.com (Dmitry Bakshaev)
Date: Tue, 31 May 2016 10:58:37 +0400
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To: <574D29C3.10001@stunnel.org>
References: <574D29C3.10001@stunnel.org>
Message-ID:

Yes, the patch is not applicable to WCE. WCE doesn't support environment variables; other projects try to emulate it:
https://bugzilla.mozilla.org/show_bug.cgi?id=465874 (through the command line)
http://pocoproject.org/docs-1.5.1/99200-WinCEPlatformNotes.html#3 (hardcoded)

Attached is a new version of the patch with the feature disabled on the WCE platform.

2016-05-31 10:05 GMT+04:00 Michał Trojnara:
> I'm pretty sure the use of ExpandEnvironmentStringsA() will break WCE
> builds. Please correct me if I'm wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-5.32-env_expanded_config.patch
Type: text/x-diff
Size: 2773 bytes
Desc: not available
URL:

From delaage.pierre at free.fr Tue May 31 10:02:25 2016
From: delaage.pierre at free.fr (Pierre Delaage)
Date: Tue, 31 May 2016 10:02:25 +0200
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To: <574D29C3.10001@stunnel.org>
References: <574D29C3.10001@stunnel.org>
Message-ID: <574D4511.7040003@free.fr>

Hi Michal,

I did not have a look at the code yet, but should it be possible to replace envvar usage by some keys in the registry on the Windows platform and/or %userprofile%/config-file?

Anyway, my opinion on the patch is that there is no real interest in a "generic/self-expanding" config file, and it is even dangerous: I would not trust stunnel if, at run time, its config could be modified by USER envvars...

I would rather prefer the "usual config file" BUT stored (and then read by the software) in USERPROFILE (on WCE there is only ONE profile, so that we can easily create fake stubs for w32 functions), and then use the stunnel command line to load the proper config, or whatever admin system script invokes the stunnel program.

Moreover, if one needs a specific admin mechanism to CREATE a "personalized" config file based on a common template, this can be done easily by some system scripting, either in Linux or Windows. Personally I am making wide usage of sed (even with gnuwin32: remember, sed is able to access system variables). This is NOT directly a stunnel issue, but a pure admin issue.

NB: if stunnel is running as a service, there is no reason that ordinary users modify the config with "customized options": so if one cert is needed, its name can be hardcoded in the config file. If the cert needs to be changed, one can play with the cert file (by admin scripting if necessary).
Yours sincerely,
Pierre

On 31/05/2016 08:05, Michał Trojnara wrote:
> I'm pretty sure the use of ExpandEnvironmentStringsA() will break WCE
> builds. Please correct me if I'm wrong.
>
> Best regards,
> Mike
>
> On 23.05.2016 14:24, Dmitry Bakshaev wrote:
>> The problem frequently occurs on the client side: an admin needs to
>> configure stunnel for multiple users.
>> Every user has their own key, certificate, and own permissions on the file
>> system (for log files, etc).
>>
>> This patch allows writing a flexible config.
>>
>> Some examples:
>>     cert = %USERPROFILE%\.config\my.pem    (windows)
>>     cert = ${HOME}/.config/my.pem          (other)
>>
>>     output = %APPDATA%\stunnel.log         (windows)
>>     output = ${HOME}/stunnel.log           (other)
>>
>>     CAfile = %ALLUSERSPROFILE%\ourCAbundle.crt    (windows)
>>     CAfile = /etc/ssl/certs/ourCAbundle.crt       (other, not using variables)
>>
>> "Secure" :) random port example:
>>     ...
>>     [srv1]
>>     accept = 127.0.0.1:%SRV1_PORT%    (windows)
>>     accept = 127.0.0.1:${SRV1_PORT}   (other)
>>     ...
>> Start stunnel (batch file or shell script):
>>     set SRV1_PORT=%RANDOM%    (windows)
>>
>> Limitations:
>> 1. No Unicode support on Windows (localized usernames, files, etc).
>> 2. Only the ${NAME} syntax is supported on *nix (not $NAME).
From kostikbel at ukr.net Tue May 31 12:50:54 2016
From: kostikbel at ukr.net (Konstantin Belousov)
Date: Tue, 31 May 2016 13:50:54 +0300
Subject: [stunnel-users] IPv4 and IPv6
In-Reply-To: <574D2968.6050201@stunnel.org>
References: <20160530224259.GD38613@kib.kiev.ua> <574D2968.6050201@stunnel.org>
Message-ID: <20160531105054.GE38613@kib.kiev.ua>

On Tue, May 31, 2016 at 08:04:24AM +0200, Michał Trojnara wrote:
> On 31.05.2016 00:42, Konstantin Belousov wrote:
> > I have the following configuration for the outgoing connection:
> > [XXX-1]
> > client = yes
> > accept = 127.0.0.1:1564
> > connect = some-server:9999
> > local = some-other-address
> [cut]
> > The socket was created with the INET6 address family, but bind was done for
> > the INET AF.
>
> This is pretty much expected if "some-server:9999" is an IPv6 address
> and "some-other-address" is an IPv4 address. The "local" option indeed
> cannot handle a mix of IPv4 and IPv6 "connect" addresses.

Usually some-server is a list of addresses, one of them IPv4 and another IPv6. This is the only reasonable way to name a dual-stack host.

> What do you think might be a proper solution?

I would expect that the code which binds the socket for connect(2) matched the address types before binding. A good implementation needs to iterate over the results of getaddrinfo(3) for the remote host to try to connect to each returned address. In the same manner, when a connection to one outgoing address is attempted, the getaddrinfo(3) list for the local address would be iterated over, and the first matching compatible address selected for binding. It seems that it is enough to match addrinfo pairs by ai_family/ai_socktype/ai_protocol, but you might also need to e.g. pay some attention to filter out IPv4-mapped-to-IPv6 entries.

I am not sure how much additional plumbing is required to have the local getaddrinfo(3) result in local_bind().
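The matching rule proposed above, as an added example in C that is not stunnel's code: it builds dual-stack address lists with getaddrinfo(3) from numeric documentation-range addresses (192.0.2.x and 2001:db8::, constructed so the example runs offline), picks the local entry whose ai_family/ai_socktype/ai_protocol match the remote entry while skipping IPv4-mapped IPv6 entries, and performs the bind that local_bind() would. The names match_local, bind_local and choose_local_family are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define MAX_ADDRS 8

/* Heads of the per-address getaddrinfo() results that make up one chain, kept
 * so that every node is released by the freeaddrinfo() call it came from. */
struct addr_list {
    struct addrinfo *head[MAX_ADDRS];
    size_t n;
};

/* Resolve one numeric TCP address. AI_NUMERICHOST|AI_NUMERICSERV keep this
 * offline, and SOCK_STREAM limits the result to a single node per address. */
static struct addrinfo *resolve_numeric(const char *host) {
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    return getaddrinfo(host, "0", &hints, &res) == 0 ? res : NULL;
}

/* Chain several numeric addresses into one list, which is what getaddrinfo()
 * returns for a dual-stack name such as "some-server" (A and AAAA records). */
static struct addrinfo *build_list(struct addr_list *l, const char *const *hosts, size_t n) {
    l->n = 0;
    for (size_t i = 0; i < n && l->n < MAX_ADDRS; i++) {
        struct addrinfo *ai = resolve_numeric(hosts[i]);
        if (!ai) continue;
        if (l->n) l->head[l->n - 1]->ai_next = ai;
        l->head[l->n++] = ai;
    }
    return l->n ? l->head[0] : NULL;
}

static void free_list(struct addr_list *l) {
    for (size_t i = 0; i < l->n; i++) {
        l->head[i]->ai_next = NULL;        /* unchain, then free each result */
        freeaddrinfo(l->head[i]);
    }
}

/* An AF_INET6 entry carrying ::ffff:a.b.c.d is really an IPv4 address and must
 * not be chosen as the local side of a genuine IPv6 connection. */
static int is_v4mapped(const struct addrinfo *ai) {
    const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ai->ai_addr;
    return ai->ai_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr);
}

/* The rule from the message above: for the remote address about to be tried,
 * take the first "local" entry with the same family, socket type and protocol. */
const struct addrinfo *match_local(const struct addrinfo *remote,
                                   const struct addrinfo *local_list) {
    for (const struct addrinfo *l = local_list; l; l = l->ai_next) {
        if (is_v4mapped(l)) continue;
        if (l->ai_family == remote->ai_family && l->ai_socktype == remote->ai_socktype &&
            l->ai_protocol == remote->ai_protocol)
            return l;
    }
    return NULL;
}

/* Create the socket for 'remote' and bind it to 'local' on an ephemeral port,
 * as local_bind() does. Returns 0, or errno (EINVAL on a family mismatch, which
 * is the "Invalid argument (22)" in the log above). */
int bind_local(const struct addrinfo *remote, const struct addrinfo *local) {
    int fd = socket(remote->ai_family, remote->ai_socktype, remote->ai_protocol);
    if (fd < 0) return errno;
    int rc = bind(fd, local->ai_addr, local->ai_addrlen) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Family of the local address that would be bound for 'remote_ip', or 0 when no
 * compatible local address exists (the mismatch stunnel currently runs into). */
int choose_local_family(const char *remote_ip, const char *const *locals, size_t n) {
    struct addr_list ll;
    struct addrinfo *remote = resolve_numeric(remote_ip);
    struct addrinfo *local_list = build_list(&ll, locals, n);
    int family = 0;
    if (remote) {
        const struct addrinfo *l = match_local(remote, local_list);
        if (l) family = l->ai_family;
        freeaddrinfo(remote);
    }
    free_list(&ll);
    return family;
}

/* Constructed stand-ins (documentation ranges) for "some-other-address". */
static const char *const DEMO_LOCAL[] = { "192.0.2.10", "2001:db8::10" };
static const char *const DEMO_LOCAL_MAPPED[] = { "::ffff:192.0.2.10" };
```

With DEMO_LOCAL, an IPv6 remote selects the 2001:db8::10 entry and an IPv4 remote selects 192.0.2.10; a list holding only the v4-mapped entry yields no match for either, instead of the mismatched bind.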
From dab1818 at gmail.com Tue May 31 14:24:35 2016
From: dab1818 at gmail.com (Dmitry Bakshaev)
Date: Tue, 31 May 2016 16:24:35 +0400
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To: <574D4511.7040003@free.fr>
References: <574D29C3.10001@stunnel.org> <574D4511.7040003@free.fr>
Message-ID:

2016-05-31 12:02 GMT+04:00 Pierre Delaage:
> I did not have a look at the code yet, but should it be possible to replace
> envvar usage by some keys in the registry on the Windows platform and/or
> %userprofile%/config-file?
>
> Anyway, my opinion on the patch is that there is no real interest in a
> "generic/self-expanding" config file, and it is even dangerous:
> I would not trust stunnel if, at run time, its config could be modified by
> USER envvars...

What is the difference between %userprofile%/config-file and USER envvars? Both are USER owned and USER controlled. Certificates and keys are also USER private data, and stunnel started by a USER is owned by the USER. If stunnel is started by SYSTEM/ADMIN, it uses SYSTEM/ADMIN envvars (if needed), certs, keys, etc.

The global "generic/self-expanding" config file is ADMIN owned. The USER has permission to substitute some values, restricted by the ADMIN.

From dab1818 at gmail.com Tue May 31 14:30:17 2016
From: dab1818 at gmail.com (Dmitry Bakshaev)
Date: Tue, 31 May 2016 16:30:17 +0400
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To: <574D4511.7040003@free.fr>
References: <574D29C3.10001@stunnel.org> <574D4511.7040003@free.fr>
Message-ID:

2016-05-31 12:02 GMT+04:00 Pierre Delaage:
> Hi Michal,
> I did not have a look at the code yet, but should it be possible to replace
> envvar usage by some keys in the registry on the Windows platform and/or
> %userprofile%/config-file?

Why not just start stunnel with the config parameter on the command line?
    stunnel %USERPROFILE%/stunnel-config-file    (windows)
    stunnel ${HOME}/stunnel-config-file          (*nix)

From delaage.pierre at free.fr Tue May 31 15:07:42 2016
From: delaage.pierre at free.fr (Pierre Delaage)
Date: Tue, 31 May 2016 15:07:42 +0200
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To:
References: <574D29C3.10001@stunnel.org> <574D4511.7040003@free.fr>
Message-ID: <574D8C9E.2070208@free.fr>

Hi,

The difference is that, on WCE, for stunnel code, it is straightforward to access the "unique profile" stunnel.conf, WITHOUT in fact dealing with envvars, rather than 1/ decode %VARNAME% tokens in the conf file and then ask the env for a replacement... well... ok... we can create stubs as well for getenv etc., but it is much more complicated.

For W32 platforms, communicating with a server with env vars can open issues. BUT working in a "local user sandbox", folders etc. is more secure than modifying system files by everyone through envvars.

More generally, I agree that a per-user conf can be useful ONLY IF each user is able, and "directed to", start HIS/HER STUNNEL by HAND, in a user space process. But to achieve this... stunnel is ALREADY ready to go by using the command line like this: "stunnel myownconfig.conf", of course having "my" own copy of the stunnel executable.

So there is no real need to have an embedded feature in stunnel for conf file customization per user.

And, once again, as conf files are just "text files", it is quite easy to create a bunch of them from a template, by text editing tools: sed on win32 is really powerful, or the win32 perl engine, or whatever scripting language you prefer.
Yours sincerely,
Pierre

On 31/05/2016 14:24, Dmitry Bakshaev wrote:
>
> 2016-05-31 12:02 GMT+04:00 Pierre Delaage:
>
>     I did not have a look at the code yet, but should it be possible to
>     replace envvar usage by some keys in the registry on the Windows
>     platform and/or %userprofile%/config-file?
>
>     Anyway, my opinion on the patch is that there is no real interest
>     in a "generic/self-expanding" config file, and it is even dangerous:
>     I would not trust stunnel if, at run time, its config could be
>     modified by USER envvars...
>
> What is the difference between %userprofile%/config-file and USER envvars?
> Both are USER owned and USER controlled.
> Certificates and keys are also USER private data,
> and stunnel started by a USER is owned by the USER.
> If stunnel is started by SYSTEM/ADMIN, it uses SYSTEM/ADMIN envvars (if
> needed), certs, keys, etc.
>
> The global "generic/self-expanding" config file is ADMIN owned.
> The USER has permission to substitute some values, restricted by the ADMIN.

From delaage.pierre at free.fr Tue May 31 15:08:45 2016
From: delaage.pierre at free.fr (Pierre Delaage)
Date: Tue, 31 May 2016 15:08:45 +0200
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To:
References: <574D29C3.10001@stunnel.org> <574D4511.7040003@free.fr>
Message-ID: <574D8CDD.7080104@free.fr>

Yes! Sure! Simple and efficient.

On 31/05/2016 14:30, Dmitry Bakshaev wrote:
>
> 2016-05-31 12:02 GMT+04:00 Pierre Delaage:
>
>     Hi Michal,
>     I did not have a look at the code yet, but should it be possible to
>     replace envvar usage by some keys in the registry on the Windows
>     platform and/or %userprofile%/config-file?
>
> Why not just start stunnel with the config parameter on the command line?
>     stunnel %USERPROFILE%/stunnel-config-file    (windows)
>     stunnel ${HOME}/stunnel-config-file          (*nix)
From dab1818 at gmail.com Tue May 31 18:59:09 2016
From: dab1818 at gmail.com (Dmitry Bakshaev)
Date: Tue, 31 May 2016 20:59:09 +0400
Subject: [stunnel-users] Public domain [PATCH] support environment variables in config file
In-Reply-To: <574D8C9E.2070208@free.fr>
References: <574D29C3.10001@stunnel.org> <574D4511.7040003@free.fr> <574D8C9E.2070208@free.fr>
Message-ID:

2016-05-31 17:07 GMT+04:00 Pierre Delaage:
> Hi,
> The difference is that, on WCE, for stunnel code, it is straightforward to
> access the "unique profile" stunnel.conf, WITHOUT in fact dealing with
> envvars,
> rather than 1/ decode %VARNAME% tokens in the conf file and then ask the env
> for a replacement...
> well... ok... we can create stubs as well for getenv etc., but it is much
> more complicated.

The "environment expanded config" feature is designed for the platforms that support it. On WCE it is not available: the config is a static text file. And using static values in config files on other platforms is not prohibited: the ADMIN chooses which parameters the USER can expand to the USER's own values, or none.

> For W32 platforms, communicating with a server with env vars can open
> issues.

Example, please. Every account that starts stunnel has its own environment, cert, key, etc.

> BUT working in a "local user sandbox", folders etc. is more secure than
> modifying system files by everyone through envvars.

Files are not modified globally, only for the current USER by USER values at runtime, and only for the specified parameters.

> More generally, I agree that a per-user conf can be useful ONLY IF each
> user is able, and "directed to", start HIS/HER STUNNEL by HAND, in a user
> space process.

Yes. One of our scenarios.

> But to achieve this... stunnel is ALREADY ready to go by using the command
> line like this: "stunnel myownconfig.conf", of course having "my" own copy
> of the stunnel executable.
>
> So there is no real need to have an embedded feature in stunnel for conf
> file customization per user.
>
> And, once again, as conf files are just "text files", it is quite easy to
> create a bunch of them from a template, by text editing tools: sed on
> win32 is really powerful, or the win32 perl engine, or whatever scripting
> language you prefer.

This feature makes it unnecessary to copy the config to every user and edit files manually or using sed/perl. No ADMIN intervention is needed after adding a new USER. Adding/replacing a service/port does not require regenerating all users' configs: one centralized config. This is the primary purpose: the ADMIN makes one config as a template for all users.

For example, a server scenario: we have multiple stunnel instances on Gentoo Linux and I can configure in the template:

    output = /var/log/stunnel/stunnel_${SVCNAME}.log

Each instance has its own log. (The SVCNAME variable contains the instance name from the init.d startup scripts.)
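The template expansion discussed in this thread, as an added example in C that is not the posted patch: a ${NAME} expander for one config line (the *nix form only, per limitation 2; the Windows %NAME% form is handled by ExpandEnvironmentStringsA in the patch, according to Michał's note), combined with an ADMIN allowlist of substitutable names, which the thread describes but this example constructs. The allowlist, the demo environment, the fail-closed handling of unset variables and the expand_* function names are this example's assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Variables the administrator allows users to substitute in the shared
 * template. Constructed for this example: the thread describes the idea
 * ("restricted by ADMIN") but the patch itself is not shown on the list. */
static const char *const ALLOWED[] = { "HOME", "SVCNAME", "SRV1_PORT" };

static int is_allowed(const char *name) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(ALLOWED[i], name) == 0) return 1;
    return 0;
}

/* Constructed demo environment, so the example never reads the real one. */
static const char *demo_lookup(const char *name) {
    static const char *const env[][2] = {
        { "HOME", "/home/dab" }, { "SVCNAME", "smtp-relay" },
        { "SRV1_PORT", "42731" }, { "PATH", "/usr/bin" },
    };
    for (size_t i = 0; i < sizeof env / sizeof env[0]; i++)
        if (strcmp(env[i][0], name) == 0) return env[i][1];
    return NULL;
}

/* Lookup against the real process environment, for actual use. */
static const char *env_lookup(const char *name) {
    return getenv(name);
}

/* Expand ${NAME} tokens in one config line into 'out' (size 'outlen').
 * Only the ${NAME} form is recognised, matching limitation 2 of the patch;
 * a bare $NAME is copied through untouched. Returns 0 on success and -1 for
 * an unterminated "${", an empty or over-long name, a variable that is not
 * allowed or not set, or an output that would not fit. Failing closed on an
 * unset variable is this example's choice; the patch's behaviour is not stated. */
int expand_env_line(const char *line, const char *(*lookup)(const char *),
                    char *out, size_t outlen) {
    size_t o = 0;
    if (outlen == 0) return -1;
    while (*line) {
        if (line[0] == '$' && line[1] == '{') {
            const char *end = strchr(line + 2, '}');
            size_t nlen = end ? (size_t)(end - (line + 2)) : 0;
            char name[64];
            if (!end || nlen == 0 || nlen >= sizeof name) return -1;
            memcpy(name, line + 2, nlen);
            name[nlen] = '\0';
            const char *val = is_allowed(name) ? lookup(name) : NULL;
            if (!val) return -1;
            size_t vlen = strlen(val);
            if (o + vlen >= outlen) return -1;   /* keep room for the NUL */
            memcpy(out + o, val, vlen);
            o += vlen;
            line = end + 1;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *line++;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Convenience wrapper over the real environment. */
int expand_from_environment(const char *line, char *out, size_t outlen) {
    return expand_env_line(line, env_lookup, out, outlen);
}

/* Check helpers: expand one line against the demo environment and compare. */
int expand_equals(const char *line, const char *expected) {
    char buf[256];
    return expand_env_line(line, demo_lookup, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int expand_fails(const char *line) {
    char buf[256];
    return expand_env_line(line, demo_lookup, buf, sizeof buf) != 0;
}
```

With the demo environment, `output = /var/log/stunnel/stunnel_${SVCNAME}.log` expands to `stunnel_smtp-relay.log`, while `${PATH}` (not on the allowlist) and an unterminated `${HOME` are rejected rather than silently expanded.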