stunnel-users July 2023

12 participants
14 discussions

older browsers, stunnel and privoxy
by kovacs janos 04 Mar '24

04 Mar '24

sorry to bother, im trying to make older browsers be able to display TLS 1.1 and TLS 1.2 sites. i heard stunnel cant be configured to always forward to the current site address dynamically, thats why i would use privoxy. the browser is configured to send to: 127.0.0.1 443 stunnel config has this at the end: [Tunnel_in] client = yes accept = 127.0.0.1:443 connect = 127.0.0.1:8118 verifyChain = yes CAfile = ca-certs.pem checkHost = localhost 127.0.0.1:8118 is the privoxy address. this is what stunnel writes: LOG5[main]: Configuration successful LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261 LOG5[0]: s_connect: connected 127.0.0.1:8118 LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262 and the browser infinitely loads, and never loads anything or leaves the page. if i remove the last 3 lines, its the same just with this line added: LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks but it doesnt give an error or anything. with a configuration like: [Tunnel_out] client = no accept = 127.0.0.1:443 connect = 127.0.0.1:8118 cert = stunnel.pem this is what it gives: LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294 LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket and browser gives a server not found error immediately. im not even sure if i should use client or server configuration in a case like this, but none of them works anyway. all i would need is for my browser to get the pages decrypted, or at least in less than TLS1.1. like how on newipnow.com i can access sites with any encryption, since they are sent to the browser without encryption. the browser just gives an "unencrypted tunnel" warning, which is how i found stunnel, and which is exactly what i need, just locally.

8 41

TPM based mutual tls authentication
by Nyiri, Gabor (Nokia - HU/Budapest) 07 Nov '23

07 Nov '23

Hi, Can you help me how to configure stunnel client to use TPM for mutual TLS authentication? I want to connect with mTLS to a remote server then make this connection available for localhost without mTLS. Thanks for your help in advance! Here is my configuration so far without TPM: debug = debug output = /tmp/stunnel.log foreground = yes [mtls_client] client = yes accept = 127.0.0.1:12019 sni = server-with-mtls.example.com checkHost = server-with-mtls.example.com connect = 1.2.3.4:443 verifyChain = yes CApath = /etc/ssl/certs/ cert = client.crt key = client.key Thanks & br, Gábor Nyíri,

2 1

Fail to build stunnel 5.70 for windows using xmingw64
by roierachamim＠gmail.com 30 Aug '23

30 Aug '23

Hi, Trying to build stunnel the following warning showed up: network.c: In function 's_read': network.c:737:44: warning: unknown conversion type character 'l' in format [-Wformat=] s_log(LOG_ERR, "s_read: Received %llu out of requested %llu byte(s)", ^ network.c:737:66: warning: unknown conversion type character 'l' in format [-Wformat=] s_log(LOG_ERR, "s_read: Received %llu out of requested %llu byte(s)", ^ network.c:737:24: warning: too many arguments for format [-Wformat-extra-args] s_log(LOG_ERR, "s_read: Received %llu out of requested %llu byte(s)", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ And one more of the same kind. I wonder how it didn't happen in the official binaries. Are they being built using the instructions in INSTALL.W32 ? Using xmingw-64 ? Roie

2 1

Config stunnel for outgoing mails to Ionos
by a.franken＠management-kommunikation.de 22 Aug '23

22 Aug '23

In these days, our provider Ionos/1&1 starts to accept only encrypted access to its mail server and at least TLS 1.2. There are no problems with incoming mails. In order to be on the safe side with our Win SBS Server 2008 (no comments please!) with outgoing mails, I now have interposed stunnel as recommended many times on the web. This works in principle. Unfortunate exception: In some cases - expecially if the mail recipient has a Microsoft address like @hotmail.de, @live.de, @outlook.com -, sending aborts with error 503 5.5.2 ("Need mail command"). Unfortunately, I'm quite innocent with SMTP, SSL and certificates, but worked hard to create the following stunnel configuration file: socket = l:TCP_NODELAY=0 socket = r:TCP_NODELAY=0 client = yes output = C:\Program Files (x86)\stunnel\stunnel.log [smtpionos] accept = localhost:465 connect = smtp.ionos.de:465 verifyChain = yes verifyPeer = yes CAfile = C:\Program Files (x86)\stunnel\config\amakor2022.pem checkHost = remote.management-kommunikation.de protocolHost = smtp.ionos.de protocolAuthentication = login protocolUsername = OUR_USERNAME protocolPassword = OUR_PASSWORD sslVersionMin = TLSv1.2 sslVersionMax = TLSv1.2 delay = yes protocol = smtp amakor2022.pem is the "PositiveSSL" certificate that we acquired for our subdomain remote.management-kommunikation.de. "Our_Username" and "Our_Password" are of course our correct access data. After spending hours searching the web for a solution, does anyone have a tip what's wrong and what to do?

1 2

can not send
by wizardm＠gmx.de 21 Jul '23

21 Jul '23

hello, I have accounts with gmx, aol and 1&1 (ionos). with gmx and aol I can receive and send. but with 1&1 I can only receive. the stunnel log says "SSL_connect: ssl/record/ssl3_record.c:354: error:0A00010B:SSL routines::wrong version number". in the log of the mail program there is an "error - Unexpected connection termination. Connection lost." what can I do? here is my configuration. [gmx-pop3] client = yes accept = 127.0.0.1:110 connect = pop.gmx.net:995 verifyChain = yes CAfile = ca-certs.pem checkHost = pop.gmx.net OCSPaia = yes [gmx-smtp] client = yes accept = 127.0.0.1:25 connect = mail.gmx.net:465 verifyChain = yes CAfile = ca-certs.pem checkHost = mail.gmx.net OCSPaia = yes [aol-pop3] client = yes accept = 127.0.0.1:10110 ; protocol = pop3 connect = pop.aol.com:995 verifyChain = yes CAfile = ca-certs.pem checkHost = pop.aol.com OCSPaia = yes [aol-smtp] client = yes accept = 127.0.0.1:10025 ; protocol = smtp connect = smtp.aol.com:465 verifyChain = yes CAfile = ca-certs.pem checkHost = smtp.aol.com OCSPaia = yes [1und1-pop3] client = yes accept = 127.0.0.1:1110 connect = pop.ionos.de:995 verifyChain = yes CAfile = ca-certs.pem checkHost = pop.ionos.de OCSPaia = yes [1und1-smtp] client = yes accept = 127.0.0.1:1111 connect = smtp.ionos.de:587 verifyChain = yes CAfile = ca-certs.pem checkHost = smtp.ionos.de OCSPaia = yes thank you very much

1 0

“latest” alias
by David Richard (CajunD) 16 Jul '23

16 Jul '23

Hi Folks, I have found some older discussions about keeping archives and such, but wanted to ask if you could create an alias that always pointed to the latest version. We were hard-linking to a version in /downloads/ and when version 5.69 was removed a few days ago, some automation on our end broke and (as a result of circumstance) caused an outage while we were trying to fix another problem with a remote dependency. We have altered our script to point to the archive version and added checking to ensure any future problems are handled properly. That being said, we will always want the latest version of your software when we build our machine images. And while you do send an announcement, we have to take additional action on our end to get that new version. A “latest” link would allow us to get the latest version automatically when we perform security updates. Thanks for considering this request. David. --- David Richard cajund(a)gmail.com

4 3

securityLevel doesn't work with OpenSSL 3.0
by Yasuhiro Kimura 14 Jul '23

14 Jul '23

Hello, I'd like to use stunnel to acccess SMTP server that has following configuration parameters. Host: smtp.example.org Port number: smtps (465) Encryption method: SMTP over TLS At first I created following configuration file and run stunnel 5.70 with it on FreeBSD 13.2-RELEASE. ---------------------------------------------------------------------- CApath=/home/yasu/.certs client=yes foreground=yes syslog=no verify=2 [12345] accept=localhost:12345 checkHost=smtp.examle.org connect=smtp.examle.org:465 ---------------------------------------------------------------------- But unfortunately stunnel emits following messages and local-side connection.is closed when I connect to 12345 port of localhost. ---------------------------------------------------------------------- 2023.07.14 12:29:12 LOG5[0]: Service [12345] accepted connection from ::1:14632 2023.07.14 12:29:12 LOG5[0]: s_connect: connected 10.0.0.1:465 2023.07.14 12:29:12 LOG5[0]: Service [12345] connected remote server from 192.168.0.1:14633 2023.07.14 12:29:12 LOG5[0]: Certificate accepted at depth=0: C=JP, ST=Tokyo, L=Ohta-Ku, O=EXAMLE.INC, CN=smtp.examle.org 2023.07.14 12:29:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/t1_lib.c:1146: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type 2023.07.14 12:29:12 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket ---------------------------------------------------------------------- So I added setting of securityLevel as following. ---------------------------------------------------------------------- CApath=/home/yasu/.certs client=yes foreground=yes securityLevel=1 syslog=no verify=2 [12345] accept=localhost:12345 checkHost=smtp.examle.org connect=smtp.examle.org:465 ---------------------------------------------------------------------- And now I can successfully access to STMP server through stunnel. Next, I also tried it on FreeBSD 14-CURRENT and surprisingly stunnel 5.70 emits following messages even if 'securityLevel=1' is specified in configuration file. ---------------------------------------------------------------------- 2023.07.14 12:31:12 LOG5[0]: Service [12345] accepted connection from ::1:10838 2023.07.14 12:31:12 LOG5[0]: s_connect: connected 10.0.0.1:465 2023.07.14 12:31:12 LOG5[0]: Service [12345] connected remote server from 192.168.0.11:41449 2023.07.14 12:31:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/statem/extensions.c:894: error:0A000152:SSL routines::unsafe legacy renegotiation disabled 2023.07.14 12:31:12 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket ---------------------------------------------------------------------- So I also tried on 2 other platforms. a. Cygwin's stunnel.exe (version 5.69) b. tstunnel.exe installed by useing stunnel-5.69-win64-installer.exe And result is that the former works fine and the latter emits same message as FreeBSD 14-CURRENT. According to these result it seems the failure is related to the version of OpenSSL. That is, while FreeBSD 13.2-RELEASE and Cygwin use OpenSSL 1.1.1, FreeBSD 14-CURRENT and stunnel-5.69-win64-installer.exe use OpenSSL 3.0. So does this mean securityLevel option doesn't work with OpenSSL 3.0? Regards. --- Yasuhiro Kimura

2 1

Stunnel is not accepting TLS1.1 anymore?
by Bohnig＠gmx.de 13 Jul '23

13 Jul '23

Hi there, i have a problem (maybe with understanding) with stunnel. I'm using the newest version 5.70 but had this also with 5.66 and 5.69. My goal was to access an Exchange server IIS (on port 443, which understands only TLS1.1 and below) with TLS1.2 and upper. I was able to achieve this with the following config --------------------------- debug = 7 output = stunnel.log [Exserver] accept = 441 connect = 442 cert = stunneldd.pem TIMEOUTclose = 0 [Exclient] client = yes accept = 442 connect = 443 --------------------------- stunneldd.pem i made with openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunneldd.pem -keyout stunneldd.pem This is working so far. My problem is, stunnel is no longer accepting TLS1.0 and TLS1.1. I need this for some clients which couldn't talk TLS1.2. But why? All infos i could find (and this was days, not hours) are showing that it should work. Even with the added line sllVerison = all or sslVersionMin = TLSv1 sslVersionMax = TLSv1.3 it ws not accepting TLS1 queries. My steps to confirm this: ------------------------- - install stunnel 5.70 - take the config shown above - make a cert with openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunneldd.pem -keyout stunneldd.pem - start stunnel - test it with openssl s_client -connect localhost:441 -tls1_1 -debug stunnel log: ------------ 2023.07.13 09:53:04 LOG7[25]: TLS alert (write): fatal: internal error 2023.07.13 09:53:04 LOG3[25]: SSL_accept: ssl/t1_lib.c:3342: error:0A000076:SSL routines::no suitable signature algorithm I'm thinking, that the bind OpenSSL doesn't support TLS1.1 anymore but the [Exclient] which is talking to Port 443 uses TLS1.1. Or has the cert anything to do with it. I think no, because the andshake failed and that is befor the cert is used? What I'm missing? I want stunnel to accept TLs1.0, TLS1.1. TLS1.2 and upwards on the same port. Would be nice if anybody could help me with this? Many thanks.

1 0

Default destination folder of stunnel-*-win64-installer.exe
by Yasuhiro Kimura 13 Jul '23

13 Jul '23

Hello, If you install stunnel on Windows with stunnel-*-win64-installer.exe, it installs everything under "C:\Program Files (x86)\stunnel" by default. But since it installs 64bit binaries, should default destination folder be "C:\Program Files\stunnel"? Regards.

1 0

`tstunnel -(help|options|version)` outputs garbase with 5.70
by Yasuhiro Kimura 13 Jul '23

13 Jul '23

Hello, With tstunnel.exe installed with stunnel-5.70-win64-installer.exe, `tstunnel -help', `tstunnel -options` and `tstunnel -version` output gabases. The issue doesn't happen with either stunnel 5.70 on Unix or tstunnel.exe installed with stunnel-5.69-win64-installer.exe. Regards. --- Yasuhiro Kimura

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users July 2023