Stunnel Version 4.2.1
Running on Windows 2k3.
When I configured stunnel to use a cert from another Windows machine (I had already
mapped the drive to this machine), restarting stunnel gave the following error:
2008.04.29 10:01:32 LOG7[3568:1792]: Snagged 64 random bytes from C:/.rnd
2008.04.29 10:01:32 LOG7[3568:1792]: Wrote 1024 new random bytes to C:/.rnd
2008.04.29 10:01:32 LOG7[3568:1792]: RAND_status claims sufficient entropy for the PRNG
2008.04.29 10:01:32 LOG7[3568:1792]: PRNG seeded successfully
2008.04.29 10:01:32 LOG3[3568:1792]: V:\Program Files\client_cert\private\client_key.pem: No such process (3)
2008.04.29 10:01:32 LOG3[3568:1792]: Server is down
Does anybody have any clue?
Thanks,
-Xiaoming
If I understand the question correctly, isn't this what "port knocking" or single packet authorization (e.g. fwknop) is supposed to do? I have used fwknop and SSH in our lab, but only with Linux and iptables. However, I think fwknop is supposed to interface with more than just iptables on the local box (meaning you would not have to use a Linux box to replace your current firewall).
I think you can use fwknop to monitor syslog and parse for specific events and then open the port. In other words, your current firewall reports to your syslog server and fwknop parses the log file for the security event associated with the reception of a SPA packet on your outside interface. Fwknop then sends your firewall (through a script?) whatever command is required to open the port you want and redirect it to the appropriate inside machine (or you could simply enable / disable a preconfigured rule). I am not a scripting guru so I may be WAY off base here and if I am, I apologize for leading you astray. Anyway, you might want to check out the following:
http://cipherdyne.org/fwknop/ --> FireWall KNock Operator home page
http://fwknop.darwinports.com/ --> OS X fwknop client
There is also a Windows UI version that is supposed to create SPA packets without using fwknop / Perl or running under Cygwin, but I have not used that.
Richard
On 4/29/08 7:50 PM, "jz(a)ellingtongeologic.com" <jz(a)ellingtongeologic.com> wrote:
>
> Good Morning Mike:
>
> I had a question and sent it to the list (it might not have gone through). The
> question was: is it possible for stunnel to go to the router, for
> example 10.10.1.1, to scan for a port of interest and see whether there is a
> request through that port? So the NAT router would not have to forward the port
> to the stunnel on my local machine, e.g. 10.10.1.188, on which stunnel is
> listening on port 8888 and will relay it to 5631 of the local program.
>
> Thanks
Dear all
I just configured stunnel for POP+SSL, which works fine. What I actually want is
SMTP+TLS. Is there a way to do so?
I tried to configure Thunderbird to access the port stunnel is listening
on, with TLS. Then I got "Connection to xxx.xxx.xxx timed out".
Best regards
--
Real Softservice
Huateng Tower, Unit 1788
Jia 302 3rd area of Jinsong, Chao Yang
Tel: +86 (10) 8773 0650 ext 603
Mobile: 135 9950 2413
http://www.realss.com
Hi,
Does anyone know if there are any known issues with stunnel 4.05 and
Oracle 10g (especially in retrieving BLOBs)? Our application uses
stunnel to communicate with an Oracle database. We are currently
experiencing massive performance degradation after upgrading Oracle from
9i to 10g (almost 6 times slower than it was in 9i). Our
application stores some data in BLOBs, and this seems to be the root cause of
the slower performance. Please can someone let me know if there are any known
issues with stunnel and 10g BLOB retrieval?
Also, if an upgrade is recommended, which stable version should we
switch to?
Thanks,
Ararti
I am compiling stunnel on Centos 5 that has a regular Openssl 0.9.8b rpm installed. I have put my FIPS openssl in /usr/local/sslfips112.
Configure with: ./configure --with-ssl=/usr/local/sslfips112 --enable-fips --disable-libwrap
Make's linker line:
/bin/sh ../libtool --tag=CC --mode=link FIPSLD_CC=gcc /usr/local/sslfips112/bin/fipsld -g -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith -I/usr/local/sslfips112/include -lldap -o stunnel file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o auth.o pty.o libwrap.o -lz -ldl -lutil -lnsl -lpthread -L/usr/local/sslfips112/lib -lssl -lcrypto
FIPSLD_CC=gcc /usr/local/sslfips112/bin/fipsld -g -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith -I/usr/local/sslfips112/include -o stunnel file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o auth.o pty.o libwrap.o -lldap -lz -ldl -lutil -lnsl -lpthread -L/usr/local/sslfips112/lib -lssl -lcrypto
This builds a stunnel that seems to run fine. During startup it says "stunnel is in FIPS mode." But if I run "ldd stunnel" it shows it needs /lib/libssl.so.6. While stunnel is running, lsof shows it has that library open as well. Why does my FIPS stunnel build still use the 0.9.8b shared library? Shouldn't all of the SSL dependencies have been handled by the static FIPS OpenSSL library during linking? The same issue exists for libcrypt.
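A check that bears on the question above: `ldd` prints the transitive closure of shared-library dependencies, whereas a binary's own DT_NEEDED entries are what it directly asks the loader for (the equivalent of `readelf -d stunnel | grep NEEDED`). Comparing the two shows whether libssl.so.6 is a direct dependency of the stunnel binary or arrives through one of the other shared libraries on the link line. The example below is added here and is not code from the post or from stunnel; it parses the section headers of an ELF64 little-endian file to list DT_NEEDED names, and for a self-test constructs a minimal ELF image (a constructed sample, not a real stunnel) with chosen DT_NEEDED entries.

```python
import struct
import sys

# Constants from the ELF specification
SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL = 0
DT_NEEDED = 1
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, 64 bytes
DYN_FMT = "<qQ"            # Elf64_Dyn, 16 bytes


def direct_needed(elf: bytes) -> list:
    """Return the DT_NEEDED entries of a 64-bit little-endian ELF image.

    These are the libraries the binary itself requests from the loader; ldd
    additionally lists what those libraries pull in. A libssl that shows up in
    ldd output but not here is a transitive dependency of some other library.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:     # EI_CLASS == ELFCLASS64, EI_DATA == LSB
        raise ValueError("only ELF64 little-endian is handled by this example")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)

    sections = []
    for i in range(e_shnum):
        f = struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize)
        # (sh_type, sh_offset, sh_size, sh_link)
        sections.append((f[1], f[4], f[5], f[6]))

    needed = []
    for sh_type, sh_offset, sh_size, sh_link in sections:
        if sh_type != SHT_DYNAMIC:
            continue
        str_type, str_off, str_size, _ = sections[sh_link]
        if str_type != SHT_STRTAB:
            raise ValueError(".dynamic does not link to a string table")
        strtab = elf[str_off:str_off + str_size]
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from(DYN_FMT, elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                needed.append(strtab[d_val:strtab.index(b"\0", d_val)].decode())
    return needed


def build_sample_elf(libs) -> bytes:
    """Construct a minimal, non-executable ELF64 image whose .dynamic section
    names `libs` as DT_NEEDED. This is constructed test input, not a real binary."""
    strtab = b"\0"
    offsets = {}
    for lib in libs:
        offsets[lib] = len(strtab)
        strtab += lib.encode() + b"\0"
    dyn = b"".join(struct.pack(DYN_FMT, DT_NEEDED, offsets[l]) for l in libs)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)

    strtab_off = 64                        # immediately after the ELF header
    dyn_off = strtab_off + len(strtab)
    dyn_off += (-dyn_off) % 8              # keep .dynamic 8-byte aligned
    shoff = dyn_off + len(dyn)
    shoff += (-shoff) % 8

    def shdr(sh_type, off, size, link, entsize):
        return struct.pack(SHDR_FMT, 0, sh_type, 0, 0, off, size, link, 0,
                           8 if sh_type else 0, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)                                   # SHN_UNDEF
             + shdr(SHT_STRTAB, strtab_off, len(strtab), 0, 0)     # index 1: .dynstr
             + shdr(SHT_DYNAMIC, dyn_off, len(dyn), 1, 16))        # index 2: .dynamic
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)            # ELF64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, 0, shoff, 0,   # ET_DYN, EM_X86_64, version, entry, phoff, shoff, flags
                               64, 0, 0, 64, 3, 1)         # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    image = ehdr + strtab
    image += bytes(dyn_off - len(image)) + dyn
    image += bytes(shoff - len(image)) + shdrs
    return image


if __name__ == "__main__":
    # Usage: python needed.py /path/to/stunnel   (no argument: run on the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_elf(["libssl.so.6", "libcrypto.so.6"])
    for lib in direct_needed(data):
        print(lib)
```

Run it against the stunnel binary and against each shared library that `ldd` lists; the library whose DT_NEEDED names libssl.so.6 is the one that drags the system OpenSSL into the process.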
hi,
I am pulling my hair out with a wildcard SSL certificate / stunnel
configuration.
I use stunnel 4.2.2 and the latest OpenSSL release.
I have a signed wildcard certificate from Comodo.
When I add the .crt, .key and .ca-bundle file into an Apache
configuration, everything
works fine in Firefox and IE.
When I try to use stunnel with the same certificates I get problems in
Firefox
when I disable
; Authentication stuff
; verify =1
and when I set verify=1 I get problems in IE 7 (a dialog box pops up and
asks for identification with the certificates).
Can someone maybe help me out, please?
A demo is here:
https://ssl1.medialib.de (works fine in firefox)
https://ssl1.medialib.de (problem in IE7)
thank you very much & best
gary
Hi everyone,
I'm using stunnel v4.16 on a Windows 2003 Server, and I'm working with stunnel in verify=3 mode.
I wanted to know if stunnel needs to be restarted after a certificate has been removed?
If not, how long is the cache expiration delay before the removal is taken into account?
Regards,
Edouard DESSIOUX
Project Director
Tibco Mobile
3, rue Danton - 92240 Malakoff
Tel: +33 (0)1 55 58 04 59 - Fax: +33 (0)1 55 58 03 89 - Mob.: +33 (0)6 34 02 61 54
E-mail: edessioux(a)tibco.fr - www.tibcomobile.fr
Do something for the planet: only print this message if necessary.
Hello,
Is there any public SCM (SVN, GIT, whatever) repository? I haven't
seen anything on the website and I'd like to try to implement a new
feature.
Thanks in advance.
--
Alberto Giménez
I have successfully compiled stunnel 4.22 on Solaris 10, but still receive
the same errors during configure.
Initially I tried using OpenSSL 0.9.8f from Sun Freeware. Then I built and
compiled OpenSSL 0.9.8g, but I still received the following errors on the
build:
configure: **************************************** SSL
checking for SSL directory... /usr/local/ssl
checking for obsolete RSAref library... no
checking /usr/local/ssl/include/openssl/engine.h usability... yes
checking /usr/local/ssl/include/openssl/engine.h presence... no
configure: WARNING: /usr/local/ssl/include/openssl/engine.h: accepted by the
compiler, rejected by the preprocessor!
configure: WARNING: /usr/local/ssl/include/openssl/engine.h: proceeding with
the compiler's result
checking for /usr/local/ssl/include/openssl/engine.h... yes
<ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssl-0.9.8f-sol10-sparc-…>
Hi,
I'm having trouble using stunnel and haproxy to load balance https and
http traffic. To be honest, I really don't know whether it is stunnel
or haproxy related, so I am going to contact both lists :)
I have set up a haproxy load balancer as http proxy for two backend
Apache2 webservers. It works fine.
I also have stunnel on the same LB to add SSL support (with the
xforwardedfor patch installed). It works fine (mostly).
The issue is related to Apache trailing slash thingie. If I query
https://haproxy.domain.loc/hatest/ it works perfectly, but if I omit
the trailing slash: https://haproxy.domain.loc/hatest then following
things happen:
- Browser makes SSL connection with stunnel on port 443.
- stunnel deciphers and forwards the request on the haproxy attached
to LB's port 80.
- haproxy (now using plain http) forwards to one of the backends.
- Apache2 located on the backend replies with "301 moved permanently"
to force the browser to add the trailing slash. As Apache was queried
by *haproxy in plain http*, the 301 includes http:// on the Location
header. HTTPS is over from now!
- The client browser then rewrites the address to
http://haproxy.domain.loc/hatest/ and SSL is lost forever.
I've been googling and searching the lists but found nothing, just
this old message:
http://mirt.net/pipermail/stunnel-users/2007-January/001437.html
Has anyone found a workaround for that issue?
Thanks in advance.
--
Alberto Giménez
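The failure mode described in the post above is a protocol downgrade caused by TLS termination: the backend only ever sees plain HTTP, so every absolute URL it builds, including the Location header of its 301, says http://, and the browser follows it back to cleartext. The block below is an added example, not code from the post, from stunnel or from haproxy; it is a small response filter that rewrites a backend redirect to https:// only when the Location points at the TLS-fronted hostname (`public_host`, an assumed parameter), leaves redirects to other hosts alone, and doubles as a detector for the downgrade. The cleaner long-term fix is to tell the backend the original scheme so it builds correct URLs itself; this example only shows the rewrite-on-the-way-back approach.

```python
import re


def fix_https_downgrade(response: bytes, public_host: str) -> tuple:
    """Rewrite 'Location: http://<public_host>...' to https:// in a raw HTTP response.

    Only Location headers that point back at the TLS-fronted hostname are
    rewritten; redirects to other hosts are left untouched. An explicit ':80'
    on that host is dropped along with the scheme. Returns
    (response, rewritten) where `rewritten` tells whether a change was made.
    """
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:                       # no complete header block: leave it alone
        return response, False
    host = re.escape(public_host.encode("ascii"))
    # One header line: field name, optional whitespace, http://host, optional
    # ':80', then a path, query, fragment or the end of the line.
    pattern = re.compile(
        rb"^(Location:[ \t]*)http://(" + host + rb")(?::80)?(?=[/?#\r]|$)",
        re.IGNORECASE | re.MULTILINE,
    )
    new_head, count = pattern.subn(rb"\1https://\2", head)
    return new_head + sep + body, count > 0


def is_downgrade(response: bytes, public_host: str) -> bool:
    """Detection only: would this response bounce a TLS client back to http://?"""
    return fix_https_downgrade(response, public_host)[1]


# Constructed sample: the kind of 301 Apache sends for /hatest without the
# trailing slash when it was queried over plain HTTP by the proxy.
SAMPLE_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://haproxy.domain.loc/hatest/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    fixed, changed = fix_https_downgrade(SAMPLE_301, "haproxy.domain.loc")
    print(fixed.decode("ascii"), "rewritten:", changed)
```

Matching on the public hostname rather than rewriting every http:// Location is deliberate: a redirect to some third-party site that genuinely has no TLS must not be turned into a broken https:// link, and the check for the host boundary (`/`, `?`, `#` or end of line) stops `haproxy.domain.loc.evil.example`-style suffixes from being rewritten as if they were the protected host.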