[stunnel-users] Problem using stunnel on Windows 7

Pierre DELAAGE delaage.pierre at free.fr
Sun Nov 18 17:21:38 CET 2012


Well, about doc, stunnel is not so bad, Mike is updating the doc regularly,
but stunnel requires some pre-requisites about networking, SSL, 
certificates and so on...

Presently, about doc, there is an open, passionated, discussion about 
the friendly project openssl...
You may have a look at it...

Anyway, in the documentation pages of the stunnel website, one maybe of 
interest for you
to have a good overview of stunnel and how to configure it quickly.

http://linuxgazette.net/107/odonovan.html

See you, good luck,
Pierre


Le 18/11/2012 12:25, Hal Hovland a écrit :
> Pierre,
>
> Many, many thanks.
>
> I was labouring under the misapprehension that stunnel did indeed to by what
> you called 'transparent proxying' and that a sender did not need modifying.
> In the end it was easy, but, as you said, I had to change my sender (and my
> thinking) to send to the port that stunnel was expecting local input on.
> That was all!
>
> A piece of ultimately useful software like stunnel deserves a first class
> 'User Guide' :)
>
> Glass of wine on me.
>
> Regards, Hal
>
> -----Original Message-----
> From: Pierre DELAAGE [mailto:delaage.pierre at free.fr]
> Sent: 17 November 2012 16:05
> To: Hal Hovland
> Cc: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] Problem using stunnel on Windows 7
>
> Hmm, my post about ip adresses was to mention that in YOUR CLIENT
> APPLICATION (forget stunnel config, this was not my purpose), you have to
> specify :  [SENDER STUNNEL] MACHINE ADDRESS as "remote address" (of course
> it is a fake, because you need to put stunnel in the middle of your
> traditional communication scheme).
> INSTEAD of 192.168.1.9...
> well...that does mean your sender apps TrIES to connect to LOCAL stunnel on
> address 127.0.0.1
>
> This is the app that you have to modify also ! not only stunnel.
>
> Stunnel is not acting as transparent if you do not modify your apps !
> and even though, "transparent" proxying is something else in stunnel that
> does not fit your needs.
>
> AND in your SERVER APPLICATION (on machine 192.168.1.9), you have to LISTEN
> on calls coming from ....the local stunnel, on the server machine. (machine
> 127.0.0.1).
>
> and check your firewall...
>
> Pierre
>
>
> Le 17/11/2012 13:28, Hal Hovland a écrit :
>> Pierre, thanks for response. I did try 127.0.0.1 with all the local
>> ports during my testing. I will, though, re-examine my logic as per your
> comments.
>> Its more than possible too, that I've mixed up the definition of 'accept'
>> and 'connect' as used with a server and client - I'm assuming that on
>> the client, the 'accept' defines the port used by the underlying
>> program (here, the Sender), and on the server, the 'connect' defines
>> the port used by the underlying program (here, the Listener)
>>
>> Drawing a little picture - before the use of stunnel
>>
>> 192.168.1.9|                       |192.168.1.158
>>              |                       |
>> Listener   |        Network        |   Sender
>>          Port|8000               7999|Port
>>
>>
>> After the introduction of stunnel on both machines
>>
>> Listener   |        Network        |   Sender
>>       ^      |                       |     V
>> Port 8000  |                       |  Port 7999 (accept=)
>>      stunnel |                       | stunnel
>>          Port|8001  <         <  8001|Port
>>              |accept=        connect=|
>>
>> [Listener]                          client=yes
>>                                       [sender]
>> connect=8000                        accept  = 7999
>> accept=8001                         connect = 192.168.1.9:8001
>>
>> My biggest worry was that no matter what, hovering over either stunnel
>> icon both shows '0 session(s) active'. Do they only show as active
>> when encrypted communication occurs or when a program is started that
>> uses the relevant port?
>>
>> Regards, Hal
>>
>> -----Original Message-----
>> From: Pierre DELAAGE [mailto:delaage.pierre at free.fr]
>> Sent: 17 November 2012 11:31
>> To: stunnel-users at stunnel.org; hhovland at btconnect.com
>> Subject: Re: [stunnel-users] Problem using stunnel on Windows 7
>>
>> Hmm, are you sure you are respecting the simple following scheme where
>> the encrypted STUNNEL is acting between TWO UNECRYPTED channels ?
>>
>>
>> unencrypted client application ---- unencrypted channel ----> client
>> stunnel accepting on PORT-1, connnecting to REMOTE STUNNEL on PORT-2,
>>
>> ---ENCRYPTED CHANNEL -------> REMOTE STUNNEL listening on PORT-2,
>> connecting to a local UNENCRYPTED server on PORT-3 ---> unencrypted
>> LOCAL application listening on port 3...
>>
>> according to your conf files :
>> port-1 seems to be 7999,
>> port-2 ..8001,
>> port-3 : 8000
>>
>> To my mind the problem may come from the IP ADDRESSES you are using :
>>
>> your client unencrypted application should connect to CLIENT STUNNEL
>> IP (if on the same machine : 127.0.0.1).
>> AND NOT ANY MORE to the IP of your original unencrypted server.
>>
>> On the server side : connect to the IP of the NEW unencrypted
>> application location, should be...I think...127.0.0.1.
>>
>> Failing to adapt IP in APPLICATIONS it is NORMAL that the traffic does
>> not pass through stunnel.
>>
>>
>> Something else: check firewall on both sides...but I really think you
>> just have bad ip configured in your client/server original UNencrypted
>> applications...
>>
>> Regards
>> Pierre
>>
>>
>>
>>
>>
>>
>> Le 17/11/2012 12:01, Uffe Vedenbrant a écrit :
>>> A small tip..
>>>
>>> Use netstat to see if stunnel actually listens to the port that you
>>> have set up. You can also see if you have a working TCP connection
>>> between the machines.. I.e. established a stunnel session..
>>> You will then both see line with LISTEN flag as well as a line with a
>>> ESTABLISHED flag.
>>>
>>> On windows you also can use the flag "-B" to see which process ( in
>>> most cases ) that is using a port.. This requires admin rights..
>>> ( right click CMD and select run ad admin )
>>>
>>> Example
>>>
>>> CMD> netstat -B -an
>>>
>>> You will see a list of UDP/TCP listening port as well as established
>>> sessions etc.. Look for the ports here..
>>>
>>> C:\>netstat -B -an
>>>
>>> Active Connections
>>>
>>>      Proto  Local Address          Foreign Address        State
>>>      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>>>      RpcSs
>>>     [svchost.exe]
>>>      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>>>     Can not obtain ownership information
>>>      TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
>>>     Can not obtain ownership information
>>>      TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
>>>     Can not obtain ownership information
>>>      TCP    0.0.0.0:8800           0.0.0.0:0              LISTENING
>>>     Can not obtain ownership information
>>>      TCP    0.0.0.0:17500          0.0.0.0:0              LISTENING
>>>     [Dropbox.exe]
>>>
>>>
>>>
>>>
>>> On 2012-11-17 11:13, Hal Hovland wrote:
>>>> Hi Brian, thanks for taking a look. The client .conf uses 7999 and 8001.
>> On
>>>> the accept side I've tried 7999 and 192.168.1.158:7999 and 0.0.0.0:7999.
>>>>
>>>>     
>>>>
>>>> I should also say I tried all this with Ncat (same result) and that
>>>> the machines have the latest .NET Framework installed, viz., 4.5 -
>>>> could that
>> be
>>>> the problem?
>>>>
>>>>     
>>>>
>>>> Regards, Hal
>>>>
>>>>     
>>>>
>>>> From: Brian Wilkins [mailto:bwilkins at gmail.com]
>>>> Sent: 16 November 2012 23:25
>>>> To: Hal Hovland
>>>> Cc: stunnel-users at stunnel.org
>>>> Subject: Re: [stunnel-users] Problem using stunnel on Windows 7
>>>>
>>>>     
>>>>
>>>> I didn't see a port setting in the clients stunnel.conf
>>>>
>>>> On Nov 16, 2012 6:18 PM, "Hal Hovland" <hhovland at btconnect.com> wrote:
>>>>
>>>> I've spent days googling this and read everything relevant in the
>> archives.
>>>>     
>>>>
>>>> I'm developing a Windows 7 program that connects to a financial
>>>> trading exchange that expects all communication to be SSL'd.
>>>> Everything I read
>> said
>>>> that stunnel is the answer because of ease of installation and use.
>>>> After
>> a
>>>> day of abortive attempts to link to the exchange, I decided to
>>>> create a
>> much
>>>> simpler test environment involving two Windows 7 computers next to
>>>> each other here.
>>>>
>>>>     
>>>>
>>>> One, let's call it Riven-II (192.168.1.9), is set up with a simple
>> Listener
>>>> program that listens on port 8000. From stunnel's viewpoint this
>>>> will be
>> a
>>>> server. The second machine, Lightning (192.168.1.158), has a simple
>> Sender
>>>> program that sends a text message via port 7999 to Riven-II
>>>> (192.168.1.9:8000) - this will be the Client. In the absence of
>>>> stunnel,
>> all
>>>> messages sent from Lightning/Sender appears on the window of
>>>> Listener. So far so good.
>>>>
>>>>     
>>>>
>>>> I've downloaded and installed the very latest version (4.54) of
>>>> stunnel
>> on
>>>> both machines. On installation I entered the same responses to the
>>>> certificate generating process.
>>>>
>>>>     
>>>>
>>>> On the Server machine, hard wired to a Broadband Router, I
>>>> configured stunnel.conf as (removing comments for simplicity)
>>>>
>>>>     
>>>>
>>>> debug = 7
>>>>
>>>> output = stunnel.log
>>>>
>>>>     
>>>>
>>>> socket = l:TCP_NODELAY=1
>>>>
>>>> socket = r:TCP_NODELAY=1
>>>>
>>>>     
>>>>
>>>> cert = stunnel.pem
>>>>
>>>> key = stunnel.pem
>>>>
>>>>     
>>>>
>>>> options = NO_SSLv2
>>>>
>>>>     
>>>>
>>>> taskbar=yes
>>>>
>>>>     
>>>>
>>>> [Listener]
>>>>
>>>> connect=8000
>>>>
>>>> accept=8001
>>>>
>>>>     
>>>>
>>>> On the Client machine, connected to the router via wi-fi, we have in
>>>> stunnel.conf
>>>>
>>>>     
>>>>
>>>> debug = 7
>>>>
>>>> output = stunnel.log
>>>>
>>>>     
>>>>
>>>> cert = stunnel.pem
>>>>
>>>>     
>>>>
>>>> socket = l:TCP_NODELAY=1
>>>>
>>>> socket = r:TCP_NODELAY=1
>>>>
>>>>     
>>>>
>>>> fips=no
>>>>
>>>>     
>>>>
>>>> options = NO_SSLv2
>>>>
>>>>     
>>>>
>>>> delay=yes
>>>>
>>>> taskbar=yes
>>>>
>>>>     
>>>>
>>>> client=yes
>>>>
>>>>     
>>>>
>>>> [sender]
>>>>
>>>> accept  = 0.0.0.0:7999       (I've tried just 7999 and
>> 192.168.1.158:7999,
>>>> here. Makes no difference)
>>>>
>>>> connect = 192.168.1.9:8001
>>>>
>>>>     
>>>>
>>>> I've tried many variations with the same result, but the above is
>>>> where
>> they
>>>> have ended up.
>>>>
>>>>     
>>>>
>>>> My understanding of this is that stunnel both ends will be
>>>> intercepting
>> port
>>>> 8000 on the Server and port 7999 on the Client and
>>>> presenting/receiving
>> SSL
>>>> encoded messages across the wire on port 8001.
>>>>
>>>>     
>>>>
>>>> Starting stunnel in the Server  (not as a Windows service, although
>>>> I did try that as well) the following log appears:
>>>>
>>>>     
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG7[3484:6184]: No limit
>>>> detected for the number of clients
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG5[3484:6184]: stunnel
>>>> 4.54
>> on
>>>> x86-pc-msvc-1500 platform
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG5[3484:6184]:
>> Compiled/running
>>>> with OpenSSL 1.0.1c-fips 10 May 2012
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG5[3484:6184]:
>> Threading:WIN32
>>>> SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG5[3484:6184]: Reading
>>>> configuration from file stunnel.conf
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG5[3484:6184]: FIPS
>>>> mode is enabled
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG7[3484:6184]:
>>>> Compression
>> not
>>>> enabled
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG7[3484:6184]: Snagged
>>>> 64 random bytes from C:/.rnd
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG7[3484:6184]: Wrote
>>>> 1024
>> new
>>>> random bytes to C:/.rnd
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG7[3484:6184]: PRNG
>>>> seeded successfully
>>>>
>>>> 2012.11.16 22 <tel:2012.11.16%2022> :34:08 LOG6[3484:6184]:
>>>> Initializing service [Listener]
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: Certificate: stunnel.pem
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: Certificate loaded
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: Key file: stunnel.pem
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: Private key loaded
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: Could not load DH parameters
>>>> from stunnel.pem
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: Using hardcoded DH parameters
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: DH initialized with 2048-bit
>>>> key
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: ECDH initialized with curve
>> prime256v1
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: SSL options set: 0x01000004
>>>>
>>>> 2012.11.16 22:34:08 LOG5[3484:6184]: Configuration successful
>>>>
>>>> 2012.11.16 22:34:08 LOG7[3484:6184]: Service [Listener] (FD=272)
>>>> bound to
>>>> 0.0.0.0:8001
>>>>
>>>>     
>>>>
>>>> On the Client, the log shows:
>>>>
>>>>     
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: No limit detected for the
>>>> number of clients
>>>>
>>>> 2012.11.16 22:25:53 LOG5[4184:4948]: stunnel 4.54 on
>>>> x86-pc-msvc-1500 platform
>>>>
>>>> 2012.11.16 22:25:53 LOG5[4184:4948]: Compiled/running with OpenSSL
>>>> 1.0.1c-fips 10 May 2012
>>>>
>>>> 2012.11.16 22:25:53 LOG5[4184:4948]: Threading:WIN32
>> SSL:+ENGINE+OCSP+FIPS
>>>> Auth:none Sockets:SELECT+IPv6
>>>>
>>>> 2012.11.16 22:25:53 LOG5[4184:4948]: Reading configuration from file
>>>> stunnel.conf
>>>>
>>>> 2012.11.16 22:25:53 LOG5[4184:4948]: FIPS mode is disabled
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Compression not enabled
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Snagged 64 random bytes from
>>>> C:/.rnd
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Wrote 1024 new random bytes to
>> C:/.rnd
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: PRNG seeded successfully
>>>>
>>>> 2012.11.16 22:25:53 LOG6[4184:4948]: Initializing service [sender]
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Certificate: stunnel.pem
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Certificate loaded
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Key file: stunnel.pem
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Private key loaded
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: SSL options set: 0x01000004
>>>>
>>>> 2012.11.16 22:25:53 LOG5[4184:4948]: Configuration successful
>>>>
>>>> 2012.11.16 22:25:53 LOG7[4184:4948]: Service [sender] (FD=224) bound
>>>> to
>>>> 0.0.0.0:7999
>>>>
>>>>     
>>>>
>>>> Running the Listener on the Server and Sender on the Client adds
>>>> nothing
>> to
>>>> the log, and port sniffers on both machines show traffic between
>>>> 7999 and
>>>> 8000 (exactly the same as when stunnel is not running). No sign of
>>>> the
>> use
>>>> of port 8001.
>>>>
>>>>     
>>>>
>>>> I'd appreciate any input on this. I'm sure I must be doing something
>> stupid,
>>>> but I've watched hours of YouTube videos, read many hundreds of web
>> pages,
>>>> and been through the documentation quite a few times, to no avail.
>>>>
>>>>     
>>>>
>>>> I have a Java based version, running in a JVM in the same Windows
>> machines,
>>>> that talks perfectly to the exchange using some inbuilt SSL
>>>> capabilities
>> of
>>>> an included library, so that should probably eliminate any
>> hardware/router
>>>> issues?
>>>>
>>>>     
>>>>
>>>> Regards, Hal
>>>>
>>>>     
>>>>
>>>>     
>>>>
>>>>
>>>> _______________________________________________
>>>> stunnel-users mailing list
>>>> stunnel-users at stunnel.org
>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>
>>>>      _____
>>>>
>>>> No virus found in this message.
>>>> Checked by AVG - www.avg.com
>>>> Version: 2012.0.2221 / Virus Database: 2629/5400 - Release Date:
>>>> 11/16/12
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> stunnel-users mailing list
>>>> stunnel-users at stunnel.org
>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>> -----
>> No virus found in this message.
>> Checked by AVG - www.avg.com
>> Version: 2012.0.2221 / Virus Database: 2629/5400 - Release Date:
>> 11/16/12
>>
>>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 2012.0.2221 / Virus Database: 2629/5400 - Release Date: 11/16/12
>
>





More information about the stunnel-users mailing list