- stunnel-users - stunnel.org

stunnel with FIPS and SIGHUP
by Eric Lambert 15 Jan '11

15 Jan '11

Hello, I am having difficulting when running stunnel in FIPS mode and using a SIGHUP to get stunnel to re-read it's configuration file (for instance if I've changed a port # or IP address for one of the connections). This causes stunnel to call the SSL routine FIPS_mode_set() a second time after receiving the SIGHUP, which in turn attempts to reinitialize SSL. Unfortunately, OpenSSL does not support calling FIPS_mode_set(1) more than once. The initialization of SSL becomes incomplete as a result of the 2nd call and subsequent attempts to use stunnel to establish encrypted connections fail. Does anyone have any suggestions on how I can make this work (besides killing and restarting stunnel)? If not, I have a proposed fix (and there are multiple ways that this could be addressed). Anyway, my suggestion is to add the following two lines to the ssl_configure() function (found in the file "ssl.c"), right before the current FIPS_mode_set() routine is called: FIPS_mode_set(0); RAND_set_rand_method(NULL); The function currently looks like: int ssl_configure(void) { /* configure global SSL settings */ #ifdef USE_FIPS if(!FIPS_mode_set(global_options.option.fips)) { ERR_load_crypto_strings(); sslerror("FIPS_mode_set"); return 0; } s_log(LOG_NOTICE, "FIPS mode %s", global_options.option.fips ? "enabled" : "disabled"); #endif /* USE_FIPS */ : : } With the suggested fix, it would look as follows: int ssl_configure(void) { /* configure global SSL settings */ #ifdef USE_FIPS FIPS_mode_set(0); RAND_set_rand_method(NULL); if(!FIPS_mode_set(global_options.option.fips)) { ERR_load_crypto_strings(); sslerror("FIPS_mode_set"); return 0; } s_log(LOG_NOTICE, "FIPS mode %s", global_options.option.fips ? "enabled" : "disabled"); #endif /* USE_FIPS */ : : } Does the above seem reasonable. Could this change, or some other modification which would support using SIGHUP with FIPS, be considered for a future stunnel update? Thanks for your help.

2 1

Multi Tunnel Support in STunnel
by Narendra Prasad Madanapalli 15 Jan '11

15 Jan '11

Hi, Current stunnel implementation is based on peer-to-peer communication and it cannot be used in the environment where a management server wants to talk to multi-site server (i.e. an instance of server running in different sites). Multi Tunnel support for Stunnel enables a Management Server to communicate with Multisite Server. But it requires extending Stunnel with a new protocol whereby Management Server & Client Stunnel Process communicates. 1. The new stunnel conf for multi tunnel (keeping backward compatibility) look like [singleTunnelServiceName] accept = aport connect = ip:cport [serviceName] multitunnel = yes accept = 1234 connect = ip1:5678,ip2:5678,ip3:5678,...ipn:5678 Anyone can please let me know the steps to configure the stunnel if the support is already in place or provide your thoughts on the new support? Thanks, Narendra.

2 1

Re: [stunnel-users] Problem with a signed certificate by CA andcurl/wget
by Gabriel Sosa 13 Jan '11

13 Jan '11

perfect! that made the trick!!! thank you for your time Saludos On Thu, Jan 13, 2011 at 3:00 PM, <josealf(a)rocketmail.com> wrote: > Maybe your curl client is trying to negotiate SSLv2... Did you try addding --sslv3 to the command line? Openssl fips disables sslv2.. > > > -----Original Message----- > From: Gabriel Sosa <sosagabriel(a)gmail.com> > Sender: stunnel-users-bounces(a)mirt.net > Date: Thu, 13 Jan 2011 01:39:15 > To: <stunnel-users(a)mirt.net> > Subject: [stunnel-users] Problem with a signed certificate by CA and > curl/wget > > hello, > > I bought an ssl certificate on thawte and installed to stunnel. > > When I go to the site with any browser the ssl is established without > any issue, however when I try to call an url using curl or wget I'm > not able to download the content > > here are the output of curl/wget > > [root@www ~]$ curl https://secure.example.com/test.php > curl: (35) Unknown SSL protocol error in connection to secure.example.com:443 > [root@www1 ~]$ wget https://secure.example.com/test.php > --23:27:15-- https://secure.example.com/test.php > Resolving secure.example.com... xxx.xxx.xxx.xxx > Connecting to secure.example.com|xxx.xxx.xxx.xxx|:443... connected. > Unable to establish SSL connection. > [root@www ~]$ > > > my stunnel config file looks like > > ;setuid=nobody > ;setgid=nobody > fips=no > > pid=/var/run/stunnel.pid > debug=3 > output=/var/log/stunnel.log > cert=/etc/ssl/certs/stunnel.pem > CAfile=/etc/ssl/certs/ssl123.crt > > socket=l:TCP_NODELAY=1 > socket=r:TCP_NODELAY=1 > > > [secure.example.com] > accept=xxx.xxx.xxx.xxx:443 > connect=zzz.zzz.zzz.zzz:8443 > TIMEOUTclose=0 > xforwardedfor=yes > > I'm using the version 4.34 + xforwardedfor patch > > the file ssl123.crt contains the root CA of thawte > > uname -a output > > Linux secure.example.com 2.6.18-164.6.1.el5 #1 SMP Tue Nov 3 16:12:36 > EST 2009 x86_64 x86_64 x86_64 GNU/Linux > > gcc -v output > > Using built-in specs. > Target: x86_64-redhat-linux > Configured with: ../configure --prefix=/usr --mandir=/usr/share/man > --infodir=/usr/share/info --enable-shared --enable-threads=posix > --enable-checking=release --with-system-zlib --enable-__cxa_atexit > --disable-libunwind-exceptions --enable-libgcj-multifile > --enable-languages=c,c++,objc,obj-c++,java,fortran,ada > --enable-java-awt=gtk --disable-dssi --enable-plugin > --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre > --with-cpu=generic --host=x86_64-redhat-linux > Thread model: posix > gcc version 4.1.2 20080704 (Red Hat 4.1.2-46) > > openssl version > > OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 > > > Does anyone have some clue about what could be causing the problem. > Any help will be really appreciated. > > Thank you > > -- > Gabriel Sosa > Si buscas resultados distintos, no hagas siempre lo mismo. - Einstein > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)mirt.net > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > -- Gabriel Sosa Si buscas resultados distintos, no hagas siempre lo mismo. - Einstein

1 0

Re: [stunnel-users] Problem with a signed certificate by CA andcurl/wget
by Gabriel Sosa 13 Jan '11

13 Jan '11

Jose, thanks for your reply here is the output of curl --verbose [root@www ~]$ curl --verbose https://secure.example.com/test.php * About to connect() to secure.example.com port 443 * Trying xxx.xxx.xxx.xxx... connected * Connected to secure.example.com (xxx.xxx.xxx.xxx) port 443 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv2, Client hello (1): Unknown SSL protocol error in connection to secure.example.com:443 * Closing connection #0 curl: (35) Unknown SSL protocol error in connection to secure.example.com:443 if is there any other info you need please just let me know. Thank you On Thu, Jan 13, 2011 at 8:42 AM, <josealf(a)rocketmail.com> wrote: > Gabriel, > > Can you add the --verbose flag to your curl command and post the result? > > > Jose > -----Original Message----- > From: Gabriel Sosa <sosagabriel(a)gmail.com> > Sender: stunnel-users-bounces(a)mirt.net > Date: Thu, 13 Jan 2011 01:39:15 > To: <stunnel-users(a)mirt.net> > Subject: [stunnel-users] Problem with a signed certificate by CA and > curl/wget > > hello, > > I bought an ssl certificate on thawte and installed to stunnel. > > When I go to the site with any browser the ssl is established without > any issue, however when I try to call an url using curl or wget I'm > not able to download the content > > here are the output of curl/wget > > [root@www ~]$ curl https://secure.example.com/test.php > curl: (35) Unknown SSL protocol error in connection to secure.example.com:443 > [root@www1 ~]$ wget https://secure.example.com/test.php > --23:27:15-- https://secure.example.com/test.php > Resolving secure.example.com... xxx.xxx.xxx.xxx > Connecting to secure.example.com|xxx.xxx.xxx.xxx|:443... connected. > Unable to establish SSL connection. > [root@www ~]$ > > > my stunnel config file looks like > > ;setuid=nobody > ;setgid=nobody > fips=no > > pid=/var/run/stunnel.pid > debug=3 > output=/var/log/stunnel.log > cert=/etc/ssl/certs/stunnel.pem > CAfile=/etc/ssl/certs/ssl123.crt > > socket=l:TCP_NODELAY=1 > socket=r:TCP_NODELAY=1 > > > [secure.example.com] > accept=xxx.xxx.xxx.xxx:443 > connect=zzz.zzz.zzz.zzz:8443 > TIMEOUTclose=0 > xforwardedfor=yes > > I'm using the version 4.34 + xforwardedfor patch > > the file ssl123.crt contains the root CA of thawte > > uname -a output > > Linux secure.example.com 2.6.18-164.6.1.el5 #1 SMP Tue Nov 3 16:12:36 > EST 2009 x86_64 x86_64 x86_64 GNU/Linux > > gcc -v output > > Using built-in specs. > Target: x86_64-redhat-linux > Configured with: ../configure --prefix=/usr --mandir=/usr/share/man > --infodir=/usr/share/info --enable-shared --enable-threads=posix > --enable-checking=release --with-system-zlib --enable-__cxa_atexit > --disable-libunwind-exceptions --enable-libgcj-multifile > --enable-languages=c,c++,objc,obj-c++,java,fortran,ada > --enable-java-awt=gtk --disable-dssi --enable-plugin > --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre > --with-cpu=generic --host=x86_64-redhat-linux > Thread model: posix > gcc version 4.1.2 20080704 (Red Hat 4.1.2-46) > > openssl version > > OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 > > > Does anyone have some clue about what could be causing the problem. > Any help will be really appreciated. > > Thank you > > -- > Gabriel Sosa > Si buscas resultados distintos, no hagas siempre lo mismo. - Einstein > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)mirt.net > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > -- Gabriel Sosa Si buscas resultados distintos, no hagas siempre lo mismo. - Einstein

1 0

Problem with a signed certificate by CA and curl/wget
by Gabriel Sosa 13 Jan '11

13 Jan '11

hello, I bought an ssl certificate on thawte and installed to stunnel. When I go to the site with any browser the ssl is established without any issue, however when I try to call an url using curl or wget I'm not able to download the content here are the output of curl/wget [root@www ~]$ curl https://secure.example.com/test.php curl: (35) Unknown SSL protocol error in connection to secure.example.com:443 [root@www1 ~]$ wget https://secure.example.com/test.php --23:27:15-- https://secure.example.com/test.php Resolving secure.example.com... xxx.xxx.xxx.xxx Connecting to secure.example.com|xxx.xxx.xxx.xxx|:443... connected. Unable to establish SSL connection. [root@www ~]$ my stunnel config file looks like ;setuid=nobody ;setgid=nobody fips=no pid=/var/run/stunnel.pid debug=3 output=/var/log/stunnel.log cert=/etc/ssl/certs/stunnel.pem CAfile=/etc/ssl/certs/ssl123.crt socket=l:TCP_NODELAY=1 socket=r:TCP_NODELAY=1 [secure.example.com] accept=xxx.xxx.xxx.xxx:443 connect=zzz.zzz.zzz.zzz:8443 TIMEOUTclose=0 xforwardedfor=yes I'm using the version 4.34 + xforwardedfor patch the file ssl123.crt contains the root CA of thawte uname -a output Linux secure.example.com 2.6.18-164.6.1.el5 #1 SMP Tue Nov 3 16:12:36 EST 2009 x86_64 x86_64 x86_64 GNU/Linux gcc -v output Using built-in specs. Target: x86_64-redhat-linux Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=x86_64-redhat-linux Thread model: posix gcc version 4.1.2 20080704 (Red Hat 4.1.2-46) openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 Does anyone have some clue about what could be causing the problem. Any help will be really appreciated. Thank you -- Gabriel Sosa Si buscas resultados distintos, no hagas siempre lo mismo. - Einstein

1 0

Win32 FIPS Question
by pk＠cliffhanger.com 12 Jan '11

12 Jan '11

Hello, Greetings. I am new to STUNNEL and working on a proof of concept to compile the latest FIPS Compliant 1.2.2 OpenSSL with STUNNEL 4.34. in Windows 32 Bit environment. In the install.FIPS file it is mentioned that Win32 is not supported with FIPS. Is it still the case or it is fixed now? Have anybody done this? I greatly appreciate your time and help. Thank you. PK

1 0

Re: [stunnel-users] Question of stunnel/openssl for X86 processor -- Pierre's patch
by Pierre DELAAGE 11 Jan '11

11 Jan '11

Hi Jiehua, Please review the instructions on my webpage : in particular use my compilation scripts, and look inside them to know the syntax. It is quite simple : makece X86 for stunnel. For openssl, run the command "mywcebuild X86". It works. Pierre Le 10/01/2011 17:40, Li, Jiehua a écrit : > Dear Pierre and Dear Stunnel Users, > > We are trying to build stunnel for WinCE on X86 processor. After reviewing messages on the board, I found your article published in late November. I've downloaded packages from your personal website athttp://delaage.pierre.free.fr/ > > These packages include: > 1. Precompiled wcecompat library > 2. Source code foropenssl v100a for WCE <http://delaage.pierre.free.fr/contrib/openssl/wce/openssl100a_WCEpatched3.z…>. > 3. Source code forstunnel v434 for WCE <http://delaage.pierre.free.fr/contrib/stunnel/wce/stunnel434_WCEpatched2X86…>. > > I was hoping to the get the precompiled openssl library files, but it seems there are only library files for ARM processor under the folder of "out32dll_ARMV4" and there's no precompiled version for X86. So I tried to compile the openssl downloaded from your website for the X86 processor after customizing a few parameters (OSVERSION, PLATFORM, WCEROOT, SDKROOT, WCECOMPAT) as you suggested. But the compilation failed, I got error messages as below. I'm also including all options for cl.exe in the email as well. I wonder if you have seen similar issues before. Any suggestion is appreciated. Thanks for the help. > > Regards, > > Jiehua > > cl.exe /Fotmp32dll_x86\cryptlib.obj -Iinc32 -Itmp32dll_x86 /MC /O1 /Oi > /W3 /WX /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LE > AN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT -D_WIN32 > _WCE=420 -DUNDER_CE=420 -DWCE_PLATFORM_STANDARDSDK_420 -Dx86 -D_ -IC:\STunnel\wc > ecompat12_patched2X86\patchedX86/include -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPE > NSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll_x86/l > ib -D_WINDLL -D_DLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\cryptlib.c > Command line warning D4002 : ignoring unknown option '/MC' > cryptlib.c > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winnt.h(301 > 9) : error C2061: syntax error : identifier 'PCONTEXT' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winnt.h(302 > 0) : error C2059: syntax error : '}' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(1 > 481) : error C2061: syntax error : identifier 'LPCONTEXT' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(1 > 481) : error C2059: syntax error : ';' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2146: syntax error : missing ')' before identifier 'lpContext' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2081: 'LPCONTEXT' : name in formal parameter list illegal > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2061: syntax error : identifier 'lpContext' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2059: syntax error : ';' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 223) : error C2059: syntax error : ')' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 230) : error C2143: syntax error : missing ')' before '*' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 230) : error C2143: syntax error : missing '{' before '*' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 231) : error C2059: syntax error : ')' > NMAKE : fatal error U1077: 'cl.exe' : return code '0x2' > Stop. > > ---------------------------------------------------------------------------------------- > Dear Michal, Dear all, > I have continued to work on my WCE version of stunnel 4.34, after having > received some request for help to compile for other TARGET CPU than ARM, > typically WCE/X86. > > That led me to a few more compilation bug fixes and some improvments in > makefiles, proper usage of winsock2 library, automatisation and > management of "make/build" process > for multiple targets WCE (ARM|X86...) and Win32 (with MS VC and > Gnu-mingw32 !). > I added also, as a practical feature, the inclusion of > "version/copyright" properties in the exe files, properties that are > displayable in the Windows Explorer or by right-clicking on the exefile. > This is not only a "beautifying" feature: this allows automatic version > checking by external tools without having to run the stunnel program, > particularly useful when the targetcpu does not match the host cpu... > > I also worked to have "as close as possible" evc.mak, vc.mak, and > mingw.mak files. > A lot of work and test-fail-adapt cycles have been performed to have a > common code working with the various flavors of C-PREPROCESSORS ! > because there are subtle differences between MS EVC, MS VC, Borland BCC > and GNU-GCC preprocessors. > > THE ATTACHMENT has been sent in zip format, because it contains a few > scripts and other files that exceed the 100KB limit of the mailing list. > it contains the files : > version.h : contains the #define version numbers, major and minor > version.rc : version displayable by Windows Explorer property sheet > makew32.bat : an helper for build wih MS VC > > Michal: > patched2X86.txt : a FULL diff -cr between your last 4.34 official > version and my last patched > patched2X86_incr.txt : an INCREMENTAL diff -cr between my previous > patched version sent on 27/09/2010 and the present one. > > > For the impatient, my patched version of stunnel 4.34 is available here : > http://delaage.pierre.free.fr/contrib/stunnel/wce/stunnel434_WCEpatched2X86… > > IT COVERS both WCE and Win32 versions of stunnel. > > NEW FILES have been added to the sources: see attachments: > - version.h is NOW the CENTRAL point to define major and minor versions > of stunnel (NO MORE definition is makefile, which is logical : you > modify the version of the product, without necessarily modifying the > production process). > - version.rc is the resource file required by windows as the repository > of the stunnel.exe properties displayed in Windows Explorer. > Compiled with evc for wce or with VC for win32, this works perfectly. > But compiled and linked with gcc, those properties are unfortunately not > displayed by Windows Explorer, although embedded in the exe file. I have > established that it is a bug in "gnu-link" stage. > - makew32 : the equivalent of makece for Win32, which avoid repetitive > and error prone pollution of env vars when repetitively compiling for > w32. It is very useful in frequent recompilation at dev/test time. > > *** SOME PRACTICAL INFO : > - now to compile, or clean up things, for a particular WCE TARGET CPU : > just type things like : > makece ARMV4, eg for ARMV4 CPU > makece ARMV4 clean > makece X86, eg for ARMV4 CPU > makece X86clean > ===> this create ../bin/ARMV4/stunnel.exe and ../obj/ARMV4/all objs > files, or the like with X86 cpu and so on. > See list of all supported target cpu in evc.mak. ARMV4 and X86 go well; > more cpu may be checked by experts vs compilation flags... > This is very practical to compile for various targets without modifying, > deleting, renaming, anything and with no side effects between targets. > > - For Win32, yes for Windows PC, just type : > makew32 > makew32 clean > ===> this create ../bin/W32/stunnel.exe and ../obj/W32/all objs files. > This tool uses MS-VC 2008 express as compiler/linker. > > - For Win32, but with MINGW32 tools (and GNU-WIN32 coreutils !!!), just > type : > mingw32-make -f mingw.mak > mingw32-make -f mingw.mak clean > ===> this create ../bin/MGW32/stunnel.exe and ../obj/MGW32/objs files. > GOODIE: I have tricked the mingw.mak to work EITHER on a Windows > compilation HOST MACHINE, OR a LINUX/UN*X compilation HOST. > On windows mingw.mak properly checks and warns about potential missing > of gnu-win32 tools. > Note: the make.bat file is just a shortcut for mingw32-make -f mingw.mak. > > *** MODIFICATIONS of FILES : > > So, since my previous version of the patch, here are my adds : > > 1/ evc.mak : > 1.1/linking with a recompiled version of Essemer/wcecompat: > this library has been customized to compile in SEPARATE folders for > MULTIPLE targets. > So path to proper libs have been changed. > My customized version of wcecompat is available here : > http://delaage.pierre.free.fr/contrib/wcecompat/wcecompat12_patched2X86.zip > > IT HAS ALSO been adapted to have separate folders for distinct targets > pre-compiled versions. > Please note that this philosophy is shared with openssl. > > 1.2/ linking with winsock2 library instead of winsock1: at first to be > consistent with the C code, and second because winsock2 is more close to > socket standard than ws1. > > 1.3/ linking with COREDLL.lib and CORELIBC.lib ONLY: whatever /MC or /MT > or other flag you put for CLxxx command, the set of default libs > expected to be linked is WRONG. > This is a bug of CLxxx tools, inconsitent with MS doc. > SO we have to overwrite the default lib list by always the same ones. > You can verify that this is the right way to do it by searching for a > libc.lib in various evc/libs : you will NOT find any although clxxx /? > talks about it. > > 1.3/ change in VERSION management : now there is a version.h and > version.rc souce file for this. > One that wants to change version has just to edit version.h and then > version info will be propagated as usual in resource.h, AND also > in the exe itself to be displayable in Windows Explorer. > Now people will have a simple mean to check the version of stunnel. > > Michal: have you noticed that there was a vestige "version.h" file > mentioned in vc.mak ! > now it makes sense in evc.mak, vc.mak and mingw.mak, for wce or win32 > targets. > > 1.4/ link /machine : IX86 is improper with WCE, it is X86. > > 1.5/ Multiple WCE CPU targets supported by giving targetcpu on the make > command line like this : > makece ARMV4 all > targetcpu is now mandatory. > makece without options, as usual, will show the new syntax (very simple). > > 1.6/ improved clean target with some rmdirs and proper redirection of > error messages. > proper use of make flags -@. > > 1.7/ added explicit "inference rules" that are compatible MS nmake/ > Borland make, > to be sure of the proper options, and to manage multiple subdirs > management matching TARGETCPU. > Now stunnel.exe is build in stunnel/bin/TARGETCPU subdir > objs are build in stunnel/obj/TARGETCPU > > I really think it is practical and good policy : on my host machine I > have been able to test efficiently at the same time > three flavors of stunnel : win32, wce/arm, wce/x86 without > erasing/renaming/recompiling each time and wondering for what platform > was my stunnel.Exe built for. > > 1.8/ HOST flag put in $(DEFINES) for CC and RC to add more info to exe > info property shhet in Windows Explorer "this stunnel is for THIS type > of target" > > > 2/ makece.bat: > protection against pollution of environment when makece is repeatedly > run with the same targetcpu. > + Env is updated only when one is switching targetcpu. > This is not perfect, but a step in the good direction. > To understand what I mean, perform "set" to see all the env vars after > each makece call... > > PRACTICALLY : you can type makece ARMV4 and then makece X86 in the same > command line window, without polluting "too much" the environment, > only when changing target. No need, reasonably, to have multiple command > line windows opened. > > 3/ vc.mak: for win32 > "multiple target" support by putting w32 obj and exe files in obj/w32 > and bin/w32 subdirs, version.rc support, winsock2 lib integration. > > crypt32 was missing .lib SUFFIX ! > > improper use of winsock1 : it is better to take winsock2 lib, and it is > what the code requires (#includes...) ! > > version management through version.h /.rc instead of /DVERSION > > general logic now close to that of WCE evc.mak, as can be (evc and vc > are very close in their syntax, flags...). > HOST flag to add more info to exe info property sheet in Windows > Explorer "this stunnel is for THIS type of target" > > 4/ created a makew32.bat script > as a wrapper to setenv vars for MSVC 2008 Express, and nmake call. > This has to be improved in the future: presently it cannot be called > after a previous compilation for WCE : > pollution of PATH and INCLUDE env vars requires to reopen a shell via > cmd.exe. > One day I will check if there a simple way to clean env vars from some > path (not so simple). > > 5/ adapted mingw.mak to link with WINSOCK 2 (!!) and use of > version.rc/.h + general processing made similar to that of vc.mak. > I tested with mingw for windows and it works. Someone should test with > gcc under linux, this should work... > HOST flag to add more info to exe info property sheet in Windows > Explorer "this stunnel is for THIS type of target" > Some rewriting to have a mingw.mak close to vc.mak, to ease maintenance... > I checked gnu make syntax, and it is close to ms nmake and borland make, > except for ifdef directives and inference rules syntax, unfortunately. > I am somehow skilled in this boring exercise of comparing various make > tools and syntax. > > MINGW.MAK bugs: incorrect reference to "Makefile.w32", incorrect INC > path for openssl/win32 (this is NOT "outinc" but "inc32"! since a long > time). > > NOTE : to compile on windows I commented "-l zdll" lib in the mingw.mak. > Michal, may you restore it if it is useful (I do not see why anyway). > > Added a testenv pseudo-target to check for gnu-win32 proper installation. > Added some tricks to enable proper execution with the same makefile > either on a Windows HOST or a Linux HOST. > When I say host, I mean "production machine" , and NOT TARGET machine > which is always win32 with mingw.mak. > > 6/ make.bat: this script is ONLY meaningful with mingw.mak and MINGW32 > gnu environment. > Due to various improvments I MADE in mingw.mak, mingw.mak is now only > compatible with mingw32-make, > and not just "make.exe", which is Borland make on Windows... > > > TODO : I did not deal with stunnel making for linux, and/or rpm packaging. > But I guess that makefile.in etc...should be updated... > Anyway, on linux, NOT including version.rc is not a problem, as this > file is useless in that target environment. > But I think that having ../obj/UNX and ../bin/UNX folders should be a > good practice... > > 7/ common.h : > Eureka ! I finally understood and cleaned up the mess around the > redefinition of various Socket Error codes. > This comes from the fact that, previously, those codes were defined in > MS winsock1 header files, but disappeared in winsock2 header files (they > are commented) > Apparently, stunnel code was including winsock1 for w32 but winsock2 for > WCE, although winsock2 is in fact available on both platforms. > So I decided to move to winsock2 for WCE, and re-declaring (again) SOME > of those constants. > Some clean up of the makefile has been done also to REALLY link to ws2 > lib instead of ws1 (because there was also a confusion there!). > > 8/ ctx.c : htons is requesting "short". so a cast was required to avoid > warnings from the compiler. > > 9/ resolver.c : here we are: > many routines have been reimplemented when they are in fact available in > winsock2 both for w32 AND WCE. > Michal: I expect that you review this with particular attention. > In fact I have modified the logic of "masking" local_routines when > already defined in winsock2. > the previous code was HIDING winsock2 instead of the local_routines. > It seemed not logical. > It is important to note that the three routines "getaddrinfo, > freeaddrinfo, getnameinfo" are FOR INSTANT used only in resolver.c, > BUT the previous code was preventing them from being used by other modules. > Now, with my code, it is possible. > My code also avoid compilation warnings (because, as getaddrinfo REALLY > exist in win32, such a "#define getaddrinfo localgetaddrinfo" > inevitably raises a warning of the compiler for redef of an existing > symbol; and hence it reveals a problem of conflict..., while my solution > avoids all this pitfalls). > > Removed also the restriction "AND IPV6" on win32 conditional #IF: > winsock2 supports ipv6. > Michal: a review on these conditional #IF should be useful... > > I wanted to add that those routines are also parts of the POSIX standard > API, so they are available almost everywhere... > so I hardly understand their purpose today. > > 10/ version.h : > I have used some preprocessor tricks to have a VERSION string correctly > defined BOTH with MS evc preprocessor, MS vc preprocessor: > AND GNU preprocessor. > those preprocessors have some differences...particularly when called > from a rc compiler through a "pipe" like gnu windres. > In ms VC and EVC the rc preprocessing is NOT the same as that of the > compiler... > Now it works with every build system, and either in .c compilation or > .rc compilation. > > > USEFUL : openssl team is desperately ignoring any WCE patch, so if you > want an openssl 100a source tree compatible with WCE, > just download mine there : > http://delaage.pierre.free.fr/contrib/openssl/wce/openssl100a_WCEpatched3.z… > FYI, my patch to openssl is registered here : > http://rt.openssl.org/index.html?q=2350 (login guest/password guest). > > TODO : gui.c contains code to dynamically load ws2 getaddrinfo > why not rely only on static linking for that, as ws2 is available > everywhere since w95 and wce4.1 ? > we have to harmonize the code there with resolver.c and various makefiles > In resolver.c: code remains to load dynamically ws2 getaddrinfo etc..at > run-time only on win32, and not in CE while it is ALSO available! > I suggest to have "static" linking to ws2.lib both in w32 and wce . but > more code has to be modified to be definitely clean and clear. > When I say "static linking" I mean "Load-Time Dynamic Linking", ie link > with ws2.lib stub at build time, not "link with static lib"... > > I thank you for your good work and attention, > Yours sincerely, > > Pierre Delaage > > > Le 27/09/2010 00:40, Pierre DELAAGE a écrit : > > Dear All, > > Please find enclosed a patch in "diff -cr orig patched" format, > > applying to stunnel4.34 as found hereftp://stunnel.mirt.net/stunnel/. > > This patch mainly addresses compilation and unicode issues for Windows > > CE targets + ONE critical issue preventing stunnel to service anything > > (!). > > > > I use MS EVC 4sp2 compiler with WCE 420 SDK, on a vista host platform. > > Once debugged the code works fine on WM6 HTC smartphones. > > Should work on WM5. > > It needs a windows CE openssl lib (I recompiled MY patched version of > > openssl 1.0.0a successfully: I will have to log a patch to those > > gentlemen, hoping that they are open to integrate it, something not so > > obvious in the past). > > > > I will later post here a link to my patch for openssl 100a pointing to > > the openssl mailing list. THIS OPENSSL PATCH IS ESSENTIAL : with my > > older version of openssl 098pre_j for wce, stunnel does not work > > anymore (it crashes after first cnx). > > > > > > The present stunnel patch addresses the following issues : > > > > ************* > > I] COMPILATION FAILURES > > > > 1/ on common.h "EINVAL redefinition" : > > in fact the compile options WX (see evc.mak) does not tolerate any > > warning : > > The MS evc420 compiler ALWAYS issues a warning on this symbol > > redefinition. > > Michal and I are dealing with it since month... > > But, considering that NEITHER Exxx error codes are used in stunnel, > > I suggest that in fact ALL these redef should be suppressed. > > > > TODO: In the future a proper rewrite of code in log.c, where hardcoded > > values of WSA error codes are used instead of symbolic constant, will > > have to be done. > > > > > > 2/ client.c > > CreateProcess is a UNICODE function: code was ascii only. > > Code has been adapted to work in unicode. > > > > 3/ evc.mak > > path to new openssl lib has been redefined. > > proper location for the libs in openssl tree has been set in the > > make-install block (although this block is presently USELESS and needs > > a complete rewrite). > > > > 4/ gui.c > > All code using hmainmenu is OFF under winCE. > > So some new lines involving it were not compiling. > > > > 5/ options.c > > > > linger_val.l_linger and linger_val.l_onoff require ushort values. > > Strict type checking of the compiler required a proper cast to ushort > > of the r-values. > > > > > > stralloc uses "strdup": > > on Win32 and winCE strdup is _strdup (!). > > > > 6/ prototypes.h : > > _beginthread was defined as returning an int, an a long in sthread.c. > > After some checking in various documentations, long is the correct type, > > in particular because _beginthread can return the special error value > > "-1L". So that unsigned types are illogical. > > This simplifies the code in some locations, by saving some -now > > useless- casts. > > > > 7/ sthread.c > > > > create_client: suppressed some useless cast to (long) for beginthread. > > > > ************* > > II] OPERATIONAL ERRORS (at run-time) > > This is a reminder of previous notification to the mailing list : > > due to beginthread improper code and/or use, > > It is presently IMPOSSIBLE for stunnel 434 to be used in production on > > WCE: > > it is just unable to service any...service. > > Nothing happens if, for example, you use it to connect to an https > > server. No log either ! > > > > I corrected the code with both Michal patch to gui.c and mine to > > sthread.c: > > > > gui.c (Michal patch) : > > _beginthread was called with 0 as stacksize which, cumulated to an > > improper coding of sthread/beginthread, led to FAILURE of service > > thread creation. > > > > sthread.c: > > _beginthread : now supports "0" stacksize value, leading to default > > linker stack size (1MB by default unless specified differently on the > > linker command line, something we do not yet perform but could). > > > > ************* > > III] MINOR IMPROVMENT > > _beginthread: added a log on critical event of "failure" to create a > > service thread. because I think it is a critical event, isn't it? > > > > > > I hope you will find this patch useful. > > Thank you for your excellent work, > > Yours sincerely, > > > > Pierre Delaage > > > > Note : I use stunnel to establish a simple "vpn" between smartphones and > > a corporate linux server mainly for HTTPS/POPS/SMTPS support. > > Stunnel is very relevant in that matter, over solutions based on SSH > > (although we use also ssh), from a communication cost point of view : > > ssh establishes permanent socket between client and server, so that the > > communication is charged by the mobile network provider : and these > > charges are very expensive. > > On the contrary stunnel only establishes ssl sockets on demand so that > > financial charges are limited to strict necessary. > > Please note that stunnel brings "client based certificate > > authentication" to POP/SMTP mobile mail user agents which only > > BASICALLY supports SSL with server authentication, but NO client > > authentication, such as M$ Outlook forMobile (unless you pay for an > > exchange server and exchange client licence). > > Here again stunnel is very relevant. > > > > Note 2 : the strdup and unicode bug fixes should benefit also to the > > win32 (for PC) stunnel version for PC. > > > > > > > > > > > *["stunnel434patch20101117.zip" (application/x-zip-compressed)]* <http://marc.info/?l=stunnel-users&m=129002593426045&q=p3> > > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)mirt.net > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > > > *[prev in list <http://marc.info/?l=stunnel-users&m=129001288405228&w=2>] [next in list <http://marc.info/?l=stunnel-users&m=129010241218147&w=2>] [prev in thread <http://marc.info/?l=stunnel-users&m=128554087819713&w=2>] [**next in thread]* > > Configure <http://marc.info/?q=configure> | About > <http://marc.info/?q=about> | News <http://marc.info/?q=news> | >

2 1

Re: [stunnel-users] Question of stunnel/openssl for X86 processor -- Pierre's patch
by Pierre DELAAGE 11 Jan '11

11 Jan '11

Hi Jiehua, Please review the instructions on my webpage : in particular use my compilation scripts, and look inside them to know the syntax. It is quite simple : makece X86 for stunnel. For openssl, "mywcebuild X86". It works. Let me know if you have problems. Pierre Le 10/01/2011 17:40, Li, Jiehua a écrit : > Dear Pierre and Dear Stunnel Users, > > We are trying to build stunnel for WinCE on X86 processor. After reviewing messages on the board, I found your article published in late November. I've downloaded packages from your personal website athttp://delaage.pierre.free.fr/ > > These packages include: > 1. Precompiled wcecompat library > 2. Source code foropenssl v100a for WCE <http://delaage.pierre.free.fr/contrib/openssl/wce/openssl100a_WCEpatched3.z…>. > 3. Source code forstunnel v434 for WCE <http://delaage.pierre.free.fr/contrib/stunnel/wce/stunnel434_WCEpatched2X86…>. > > I was hoping to the get the precompiled openssl library files, but it seems there are only library files for ARM processor under the folder of "out32dll_ARMV4" and there's no precompiled version for X86. So I tried to compile the openssl downloaded from your website for the X86 processor after customizing a few parameters (OSVERSION, PLATFORM, WCEROOT, SDKROOT, WCECOMPAT) as you suggested. But the compilation failed, I got error messages as below. I'm also including all options for cl.exe in the email as well. I wonder if you have seen similar issues before. Any suggestion is appreciated. Thanks for the help. > > Regards, > > Jiehua > > cl.exe /Fotmp32dll_x86\cryptlib.obj -Iinc32 -Itmp32dll_x86 /MC /O1 /Oi > /W3 /WX /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LE > AN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT -D_WIN32 > _WCE=420 -DUNDER_CE=420 -DWCE_PLATFORM_STANDARDSDK_420 -Dx86 -D_ -IC:\STunnel\wc > ecompat12_patched2X86\patchedX86/include -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPE > NSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll_x86/l > ib -D_WINDLL -D_DLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\cryptlib.c > Command line warning D4002 : ignoring unknown option '/MC' > cryptlib.c > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winnt.h(301 > 9) : error C2061: syntax error : identifier 'PCONTEXT' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winnt.h(302 > 0) : error C2059: syntax error : '}' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(1 > 481) : error C2061: syntax error : identifier 'LPCONTEXT' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(1 > 481) : error C2059: syntax error : ';' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2146: syntax error : missing ')' before identifier 'lpContext' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2081: 'LPCONTEXT' : name in formal parameter list illegal > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2061: syntax error : identifier 'lpContext' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 222) : error C2059: syntax error : ';' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 223) : error C2059: syntax error : ')' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 230) : error C2143: syntax error : missing ')' before '*' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 230) : error C2143: syntax error : missing '{' before '*' > C:\Program Files\Windows CE Tools\WCE420\STANDARDSDK_420\include\x86\winbase.h(2 > 231) : error C2059: syntax error : ')' > NMAKE : fatal error U1077: 'cl.exe' : return code '0x2' > Stop. > >

1 0

RFC: purge use of keyword 'transparent'
by oscaruser＠programmer.net 08 Jan '11

08 Jan '11

Folks, After searching, installing various Linuces (in the 2.6 family), e.g. CentOS, Ubuntu, and so on, I have not been able to get transparent proxy working at all. As such since it the function does not work, and there is great debate as to whether it ever worked, I would like to propose that this keyword and reference to its function be discarded entirely. This will save many folks a great deal of time and effort attempting to try and get it to work, myself having spent over 80 hours (including my precious holiday time) trying to dig, scratch, research up old posts that say it works or someone has it working under such and such a configuration! The documentation itself has folks claiming that it works and does not, which is really a bad practice. Why did you perpetuate this option in the first place?! I hope you see the importance and reason with my request and act immediately. ... Unless someone really really does have it working. Thank you

3 7

How can I configure Intermediate Certificate
by Carlos García Villate 04 Jan '11

04 Jan '11

Hi. Two months ago, we installed our SSL certificate with stunnel succesfully. That certificate was issued by Verisign. We did not experience any issues. A few weeks ago, we had to renew that certficate and after doing that, we started to get 'Invalid certificate' errors form our web site users. It seems that the new certificate issued by Verisign, has changed its hierarchy, and browsers like FF that do not have one of the necessary intermediate certificate registered fail. This is the new hierarchy: - VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign Class 3 Secure Server CA - G3 - www.b-kin.com It is the 'VeriSign Class 3 Secure Server CA - G3' certificate the one that most FF browsers do not have registered, and so the browsers reject the request with an 'Invalid certificate' message. To solve this issue, we are trying to incorporate the 'VeriSign Class 3 Secure Server CA - G3' certificate in the .pem file, where our www.b-kin.comcertificate is installed. We have tried to include the Verisign certificate first and then the other one; and the other way round, first our certificate and then the Verisign one, but without success. The Verisign certificate has been directly taken from the Verisign web site. The .pem file has following structure: Bag Attributes heading section ..... -----BEGIN RSA PRIVATE KEY----- ..... -----END RSA PRIVATE KEY----- Bag Attributes heading section -----BEGIN CERTIFICATE----- /*We have alternated to put here the www.b-kin.com or the Verisign certificate*/ ..... -----END CERTIFICATE----- Bag Attributes heading section -----BEGIN CERTIFICATE----- /*We have alternated to put here the www.b-kin.com or the Verisign certificate*/ ..... -----END CERTIFICATE----- We are running stunnel on CentOS with the following configuration: stunnel 4.32 on i686-pc-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = daemon.notice pid = /usr/local/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = FIPS session = 300 seconds stack = 65536 bytes sslVersion = TLSv1 TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none As we have seen in the documentation, it is possible to include a certificate hierarchy in a .pem file. What we do not know is the order nor the values to set int Bag Attributes heading section, for the Verisign certificate. Best regards, Carlos.

1 0