[stunnel-users] Segfault with stunnel

yassine ayachi ayachi.yassine at gmail.com
Thu Dec 22 11:45:18 CET 2011


Hi Scott,

Thank you for your reply, however I am still consistently 'killing' stunnel
with a segfault.
It is very simple to reproduce and it is consistent. I am using stunnel
v.4.41 (and I am trying to secure an RDP connection, not an HTTP one).
With or without the client mode, I get the segfault. I tried both cases.

To 'kill' stunnel, all I do is run the following from any machine:
telnet stunnel_machine 1957

---> stunnel_machine [listens on 1957] ---> remote_machine [listens on 3389]

stunnel is configured to listen on port 1957 and forward into 3389
[rdps]
accept = 1957
connect = machine2:3389

In production, my deployment environment will be:
Java Applet (an rdp client, not http) ---> stunnel_machine [listens on
1957] ---> machine2 [listens on 3389]

The Java applet is an RDP client (not HTTP) which issues RDP calls that I
want encrypted (hence stunnel).

Please advise,
Thank you

Yassine

2011/12/21 Scott Damron <sdamron at gmail.com>

> Right...so, here is a sample config, I will add emphasis on the parts you
> need to make sure you have.
>
> ; Sample stunnel configuration file by Michal Trojnara 2002-2006
> ; Some options used here may not be adequate for your particular configuration
> ; Please make sure you understand them (especially the effect of chroot jail)
>
> ; Certificate/key is needed in server mode and optional in client mode
> cert = /newcert.pem
> key = /newkey.pem
>
> ; Protocol version (all, SSLv2, SSLv3, TLSv1)
> sslVersion = SSLv3, TLSv1
>
> ; Some security enhancements for UNIX systems - comment them out on Win32
> chroot = /var/lib/stunnel4/
> setuid = stunnel4
> setgid = stunnel4
> ; PID is created inside chroot jail
> pid = /stunnel4.pid
>
> ; Some performance tunings
> ;socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ;compression = rle
>
> ; Workaround for Eudora bug
> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>
> ; Authentication stuff
> ;verify = 2
> ; Don't forget to c_rehash CApath
> ; CApath is located inside chroot jail
> ;CApath = /certs
> ; It's often easier to use CAfile
> ;CAfile = /etc/stunnel/certs.pem
> ; Don't forget to c_rehash CRLpath
> ; CRLpath is located inside chroot jail
> ;CRLpath = /crls
> ; Alternatively you can use CRLfile
> ;CRLfile = /etc/stunnel/crls.pem
>
> ; Some debugging stuff useful for troubleshooting
> debug = 7
> output = /var/log/stunnel4/stunnel.log
>
> ; Use it for client mode
> client = yes
>
> ; Service-level configuration
>
> ;[pop3s]
> ;accept  = 995
> ;connect = 110
>
> ;[imaps]
> ;accept  = 993
> ;connect = 143
>
> ;[ssmtp]
> ;accept  = 465
> ;connect = 25
>
> [https]
> accept  = 10.x.x.x:443
> connect = 11.x.x.x:443
> ; here you need to have an IP address for each accept and connect, as well
> ; as a port.  If you are connecting to localhost, put 127.0.0.1.
> ;TIMEOUTclose = 0
>
> ; vim:ft=dosini
>
>
> On Wed, Dec 21, 2011 at 12:26 PM, yassine ayachi <ayachi.yassine at gmail.com>
> wrote:
> > Hi Scott,
> >
> > I am not quite sure I understand your answer. Let me add some more info
> > to make it clear how I get the segfault:
> >
> > A Java applet (from a web browser) is invoking the stunnel machine on the
> > port 1957; stunnel then redirects the traffic into the remote_machine, so I
> > only have the server stunnel portion installed (in the stunnel machine).
> >
> > When I run a telnet on any machine connected to the internet this way:
> > telnet stunnel_machine 1957
> > the stunnel on the stunnel machine dies...with the error posted
> > previously.
> >
> > Greetings,
> > --
> > Yassine
> >
> > 2011/12/21 Scott Damron <sdamron at gmail.com>
> >>
> >> You need to have an IP address for the local connection and you need
> >> the client portion enabled as well.
> >>
> >> Scott
> >>
> >> On Wed, Dec 21, 2011 at 10:51 AM, yassine ayachi
> >> <ayachi.yassine at gmail.com> wrote:
> >> > Hi all,
> >> >
> >> > I am trying to encrypt a connection between two hosts using stunnel.
> >> > ----- here is my config file ----
> >> > cert = /usr/local/etc/stunnel/stunnel.pem
> >> > chroot = /usr/local/var/lib/stunnel/
> >> > setuid = nobody
> >> > setgid = nogroup
> >> > pid = /stunnel.pid
> >> > socket = l:TCP_NODELAY=1
> >> > socket = r:TCP_NODELAY=1
> >> >
> >> > debug = debug
> >> > output = stunnel.log
> >> > ---
> >> > [rdps]
> >> > accept = 1957
> >> > connect = remote_machine:3389
> >> >
> >> > Everything was working fine until I tried to telnet to the port 1957 on
> >> > the machine running stunnel; the stunnel process was killed on its own,
> >> > leaving this in /var/log/messages:
> >> >
> >> > Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault
> >> > at 8 ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]
> >> >
> >> > Does anybody have an idea about this problem?
> >> >
> >> > thanks in advance,
> >> >
> >> > Yassine
> >> >
> >> >
> >> > _______________________________________________
> >> > stunnel-users mailing list
> >> > stunnel-users at stunnel.org
> >> > http://stunnel.mirt.net/mailman/listinfo/stunnel-users
> >> >
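As a triage aid for the kernel message quoted in this thread, here is an added Python example (not part of the thread, not stunnel's own code) that parses a `segfault at ... ip ... sp ... error ... in ...` line as written by the Linux kernel on x86, decodes the page-fault error code bits, and computes the offset of the faulting instruction inside the reported library mapping. The sample line embedded below is a constructed copy of the one from the thread; the `NULL_PAGE_LIMIT` threshold and all function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the kernel message quoted earlier in this thread.
SAMPLE_LINE = (
    "Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault "
    "at 8 ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]"
)

# Bits of the x86 page-fault error code that the kernel prints as "error N".
PF_PROT = 1 << 0   # set: protection violation; clear: page not present
PF_WRITE = 1 << 1  # set: write access; clear: read access
PF_USER = 1 << 2   # set: fault raised in user mode
PF_RSVD = 1 << 3   # set: reserved bit set in a page-table entry
PF_INSTR = 1 << 4  # set: instruction fetch

SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.\-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# Faults below this address are treated as NULL-pointer dereferences (a struct
# field read or written through a NULL pointer). The threshold is a triage
# heuristic chosen for this example, not a kernel rule.
NULL_PAGE_LIMIT = 0x1000


@dataclass
class Segfault:
    comm: str
    pid: int
    addr: int
    ip: int
    sp: int
    error: int
    obj: Optional[str]
    base: Optional[int]
    size: Optional[int]

    @property
    def is_write(self) -> bool:
        return bool(self.error & PF_WRITE)

    @property
    def from_user(self) -> bool:
        return bool(self.error & PF_USER)

    @property
    def protection_violation(self) -> bool:
        return bool(self.error & PF_PROT)

    @property
    def ip_offset(self) -> Optional[int]:
        """Offset of the faulting instruction inside the named mapping."""
        if self.base is None:
            return None
        return self.ip - self.base

    def ip_in_mapping(self) -> bool:
        return (self.base is not None and self.size is not None
                and self.base <= self.ip < self.base + self.size)

    def likely_null_deref(self) -> bool:
        return self.addr < NULL_PAGE_LIMIT


def parse_segfault(line: str) -> Optional[Segfault]:
    """Return a Segfault record for a kernel segfault line, or None."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Segfault(
        comm=g["comm"], pid=int(g["pid"]),
        addr=int(g["addr"], 16), ip=int(g["ip"], 16), sp=int(g["sp"], 16),
        error=int(g["err"]),
        obj=g["obj"],
        base=int(g["base"], 16) if g["base"] else None,
        size=int(g["size"], 16) if g["size"] else None,
    )


def describe(sf: Segfault) -> str:
    """One-line triage summary of a parsed segfault record."""
    kind = "protection violation" if sf.protection_violation else "non-present page"
    access = "write" if sf.is_write else "read"
    mode = "user" if sf.from_user else "kernel"
    parts = [f"{sf.comm}[{sf.pid}]: {mode}-mode {access} to {kind} at 0x{sf.addr:x}"]
    if sf.likely_null_deref():
        parts.append(f"(looks like a NULL-pointer dereference, field offset {sf.addr})")
    if sf.obj and sf.ip_in_mapping():
        parts.append(f"ip at {sf.obj}+0x{sf.ip_offset:x}")
    elif sf.obj:
        parts.append(f"ip 0x{sf.ip:x} lies outside the reported {sf.obj} mapping")
    return " ".join(parts)


if __name__ == "__main__":
    print(describe(parse_segfault(SAMPLE_LINE)))
```

For the line from the thread this reports a user-mode write to a non-present page at address 8 (a NULL pointer plus an 8-byte field offset) with the instruction pointer at libc-2.7.so+0x6cb61. That offset is only meaningful against the exact libc build on the crashing host (for example with `addr2line` or `objdump -d` on that file), and stunnel's own log at `debug = 7` shows which connection phase was in progress when the process died.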