Dear Users,
Is there any special licensing required to use STUNNEL? In case it is
not required from STUNNEL, is there anything to be done on the OPENSSL
side?
Thanks and best regards,
Sreejith Mohan Menon
Luke Deller wrote:
> Hi Tom,
>
>> OK, this has been nothing but a bust.
>
> I've just read this thread, and it looks to me that you have stunnel configured incorrectly for use with inetd.
>
> Did you see this documentation?
> http://www.stunnel.org/faq/stunnel.html#inetd_mode
>
>> the error keeps saying that port 993 is already in use.
>
> This is because you have configured stunnel to bind to port 993 using an "accept" option in the configuration file. When using stunnel with inetd, stunnel should not bind to any port; it is inetd which binds to a port. When a client connects to inetd, then inetd will launch stunnel with stunnel's stdin and stdout streams hooked up to the connected socket.
>
Made some progress.
Got past the SSL version.
Fixed my firewall to permit IMAPS sessions.
Confirmed my firewall settings by changing to IMAP and running directly against
the imap server.
Changed firewall settings from imap to imaps.
Keeps timing out. Same problem for Mac Mail application (which isn't great) and
Debian's Icedove. This is as far as I can get.
2007.11.05 05:43:56 LOG7[27692:47518144360528]: Connection from 65.29.101.30:49841 permitted by libwrap
2007.11.05 05:43:56 LOG5[27692:47518144360528]: inetd connected from 65.29.101.30:49841
2007.11.05 05:43:56 LOG7[27692:47518144360528]: SSL state (accept): before/accept initialization
2007.11.05 05:43:56 LOG7[27692:47518144360528]: SSL state (accept): SSLv3 read client hello A
2007.11.05 05:43:56 LOG7[27692:47518144360528]: SSL state (accept): SSLv3 write server hello A
2007.11.05 05:43:56 LOG7[27692:47518144360528]: SSL state (accept): SSLv3 write certificate A
2007.11.05 05:43:56 LOG7[27692:47518144360528]: SSL state (accept): SSLv3 write server done A
2007.11.05 05:43:56 LOG7[27692:47518144360528]: SSL state (accept): SSLv3 flush data
I tried using the port you suggested and got the same result. I'm able to verify my firewall is letting the traffic through and that my ISP is not blocking the port by using www.canyouseeme.org. Again, all my settings work when I'm not going through the corporate firewall.
Can you send me your whole config file for both your client and server sides? I'm wondering if it has to do with my certificate settings.
Thanks,
Frank
----- Original Message ----
From: Carter Browne <xxxx>
To: garberfc <xxxx>
Sent: Monday, October 22, 2007 8:07:11 AM
Subject: Re: [stunnel-users] Using stunnel for RDP / Proxy / Firewall
I do this all the time. The way I do it is to connect locally to RDP on
a non-standard port. In the RDP dialog box, I have 127.0.0.10:12121,
then in stunnel on the local side is:
[xxx-rdp]
accept = 127.0.0.10:12121
connect = server:12122
client = yes
on the remote side is
[rdp-incoming]
accept = 12122
connect = 3389
client = no
Normally RDP listens for any connection to port 3389, so I found it was
easiest to get it to work by moving off that port. Note that you have
to open port 12122 in the firewall on the remote side. On the other
hand, you can close 3389 on the remote side which takes away an obvious
port for hackers.
Carter
garberfc wrote:
> Hi All
>
> I'm a relative newbie to Stunnel, and am trying to set up a tunnel so I can
> Remote Desktop from work to my PC/server at home.
>
> I'm using version 4.20 of the Windows binaries.
>
> I've tested the configuration and it works from home using a laptop that is
> going through my firewall when I enter my domain home (so my firewall is set
> up correctly). I tried a variety of common ports and got the same response
> every time. I had to use the 127.0.0.2 on the client because Remote Desktop
> didn't want me connecting to myself...
>
> When I try it from work I get a dialog box:
> The client could not establish a connection to the remote computer.
> The most likely causes for this error are:
> 1) Remote connections might not be enabled at the remote computer.
> 2) The maximum number of connections was exceeded at the remote computer.
> 3) A network error occurred while establishing the connection.
>
> My config is as follows:
>
> #Client
> ;cert = stunnel.pem
> ;key = stunnel.pem
>
> ; Some performance tunings
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> ; Some debugging stuff useful for troubleshooting
> debug = 7
> output = stunnel.log
>
> ; Use it for client mode
> client = yes
>
> ; Service-level configuration
> [https-RDT]
> accept = 127.0.0.2:3389
> connect = xx.xx.xx.xx:1494
>
>
> #Server
> ; Some performance tunings
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> ; Some debugging stuff useful for troubleshooting
> debug = 7
> output = stunnel.log
>
> ; Use it for client mode
> client = no
>
> ; Service-level configuration
> [https-RDT]
> accept = 1494
> connect = localhost:3389
>
>
> Is there something I need to do to traverse this proxy? Any help would be
> greatly appreciated!
>
>
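Two points in this thread can be checked mechanically: Luke's explanation earlier on the page (under inetd, stunnel must not bind a port itself, so the config carries no `accept`), and the shape of the client/server RDP configurations posted by Carter and garberfc. The following is an added example written for this page, not stunnel's own code: a small Python linter run over constructed configs modelled on the thread. The hostname home.example.net, the file home-server.pem and the `verify`/`CAfile` lines are assumptions introduced for the two hardening checks (client-side `accept` bound to loopback, and `verify` present in client mode); the inetd and daemon-mode rules follow the stunnel 4.x behaviour the thread describes.

```python
"""Lint a stunnel 4.x configuration for the mistakes discussed in this thread.

Editor's added example, not stunnel's own code.  Checks: in inetd mode there
must be no 'accept' and no [service] section, only a global 'connect' (inetd
owns the listening socket and hands stunnel the connection on stdin/stdout);
in daemon mode every [service] needs 'accept' plus 'connect' or 'exec'.  Two
hardening checks are the editor's assumptions: a client-mode 'accept' should
bind a loopback address, and client mode without 'verify' never checks the
server certificate.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample configs modelled on the thread, not copied verbatim.
TOM_INETD_BROKEN = """
[imaps]
accept = 993
connect = 143
"""
TOM_INETD_FIXED = """
; started by inetd: no [service] section, no accept
connect = 143
"""
RDP_CLIENT = """
client = yes
verify = 2
CAfile = home-server.pem
[rdp]
accept = 127.0.0.2:3389
connect = home.example.net:1494
"""
RDP_CLIENT_EXPOSED = """
client = yes
[rdp]
accept = 3389
connect = home.example.net:1494
"""


def parse_stunnel_conf(text: str):
    """Split ini-style stunnel.conf text into (global_opts, services); values are lists since keys like 'socket' repeat."""
    global_opts: dict[str, list[str]] = {}
    services: dict[str, dict[str, list[str]]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = services.setdefault(m.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return global_opts, services


def _is_loopback(accept: str) -> bool:
    """True if an 'accept' value names a loopback host; a bare port binds every interface."""
    host, sep, _port = accept.rpartition(":")
    if not sep:
        return False
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def lint_stunnel_conf(text: str, inetd: bool) -> list[str]:
    """Return findings for the config; an empty list means it passes."""
    g, services = parse_stunnel_conf(text)
    findings: list[str] = []
    if inetd:
        if "accept" in g or any("accept" in s for s in services.values()):
            findings.append("inetd mode: remove every 'accept'; inetd binds the port and passes the socket on stdin/stdout")
        if services:
            findings.append("inetd mode: [service] sections are not used; put 'connect' in the global section")
        if "connect" not in g and "exec" not in g:
            findings.append("inetd mode: a global 'connect' (or 'exec') is required")
        return findings
    if not services:
        findings.append("daemon mode: at least one [service] section with 'accept' is required")
    for name, opts in services.items():
        # 'client' and 'verify' may be set globally or overridden per service
        client = opts.get("client", g.get("client", ["no"]))[-1].lower() == "yes"
        verify = "verify" in opts or "verify" in g
        if "accept" not in opts:
            findings.append(f"[{name}]: missing 'accept'")
        elif client and not _is_loopback(opts["accept"][-1]):
            findings.append(f"[{name}]: client-mode 'accept' is not on a loopback address; the plaintext side of the tunnel is reachable from the network")
        if "connect" not in opts and "exec" not in opts:
            findings.append(f"[{name}]: missing 'connect' or 'exec'")
        if client and not verify:
            findings.append(f"[{name}]: client = yes without 'verify'; the server certificate is never checked")
    return findings


if __name__ == "__main__":
    for label, conf, inetd in [("inetd/broken", TOM_INETD_BROKEN, True), ("inetd/fixed", TOM_INETD_FIXED, True),
                               ("rdp/client", RDP_CLIENT, False), ("rdp/exposed", RDP_CLIENT_EXPOSED, False)]:
        print(label, lint_stunnel_conf(conf, inetd) or ["ok"])
```

Run it as a script to see each constructed config's findings. The inetd rule is the one Tom hit: with `accept = 993` in a `[imaps]` section, stunnel tries to bind 993 itself and collides with inetd's listener, which is the "Address already in use" error in the original post.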
On Oct 29, 2007, at 9:39 PM, Luke Deller wrote:
>
> Hi Tom,
>
>> OK, this has been nothing but a bust.
>
> I've just read this thread, and it looks to me that you have
> stunnel configured incorrectly for use with inetd.
>
> Did you see this documentation?
> http://www.stunnel.org/faq/stunnel.html#inetd_mode
>
>> the error keeps saying that port 993 is already in use.
>
> This is because you have configured stunnel to bind to port 993
> using an "accept" option in the configuration file. When using
> stunnel with inetd, stunnel should not bind to any port; it is
> inetd which binds to a port. When a client connects to inetd, then
> inetd will launch stunnel with stunnel's stdin and stdout streams
> hooked up to the connected socket.
Amazing how much progress can be made in a minute. Thank you very
much. I did miss that line in the docs. I've moved on to a slightly
different error, but it's probably going to be easier for me to sort
this one out. I have to go out, so I'll read up on it and try it
when I get back.
I'm going to guess I have a ssl version/imap version issue to sort
out. I'm trying to connect from a macbook to this server.
Thank You!!!
2007.10.30 07:07:59 LOG5[22402:47915096707152]: stunnel 4.18 on x86_64-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2007.10.30 07:07:59 LOG5[22402:47915096707152]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2007.10.30 07:07:59 LOG7[22402:47915096707152]: inetd started
2007.10.30 07:07:59 LOG7[22402:47915096707152]: FD 0 in non-blocking mode
2007.10.30 07:07:59 LOG7[22402:47915096707152]: FD 1 in non-blocking mode
2007.10.30 07:07:59 LOG7[22402:47915096707152]: TCP_NODELAY option set on local socket
2007.10.30 07:07:59 LOG7[22402:47915096707152]: FD 4 in non-blocking mode
2007.10.30 07:07:59 LOG7[22402:47915096707152]: FD 5 in non-blocking mode
2007.10.30 07:07:59 LOG7[22402:47915096707152]: Connection from 65.29.101.30:53036 permitted by libwrap
2007.10.30 07:07:59 LOG5[22402:47915096707152]: inetd connected from 65.29.101.30:53036
2007.10.30 07:07:59 LOG7[22402:47915096707152]: SSL state (accept): before/accept initialization
2007.10.30 07:07:59 LOG3[22402:47915096707152]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2007.10.30 07:07:59 LOG5[22402:47915096707152]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.10.30 07:07:59 LOG7[22402:47915096707152]: inetd finished (0 left)
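The `SSL3_GET_RECORD:wrong version number` line in the log above is produced before any handshake message is parsed: the server reads the 5-byte record header (content type, 2-byte protocol version, 2-byte length) and, when it is pinned to a single protocol version (stunnel's `sslVersion` option set to SSLv3 or TLSv1 rather than `all`), rejects a header whose version field differs from the configured one. A TLSv1 ClientHello (`0x16 0x03 0x01`) sent to an SSLv3-only server trips it, and so does plaintext sent to a port that expects TLS from the first byte. The following is an added example written for this page, not stunnel's or OpenSSL's code: it decodes the packed OpenSSL error number from the log line and replays the header check on constructed byte strings. The emulation is the editor's reading of the fixed-version code path, not a copy of OpenSSL's.

```python
"""Decode an OpenSSL error line and replay the record-layer version check.

Editor's added example, not stunnel's or OpenSSL's code.  The server side
reads a 5-byte record header first: content type, 2-byte version, 2-byte
length.  With a fixed protocol version, any header whose version does not
match is rejected as 'wrong version number'.  Sample bytes are constructed.
"""
import re
import struct

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}

# OpenSSL prints lib, function and reason codes packed into one hex number:
# lib << 24 | func << 12 | reason.
_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def parse_openssl_error(line: str) -> dict:
    """Split 'error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'
    into numeric and textual parts."""
    m = _ERR_RE.search(line)
    if not m:
        raise ValueError(f"no OpenSSL error in {line!r}")
    code = int(m.group(1), 16)
    return {
        "code": code,
        "lib": code >> 24,              # 0x14 = SSL library
        "func": (code >> 12) & 0xFFF,   # 0x08F = SSL3_GET_RECORD
        "reason": code & 0xFFF,         # 0x10B = WRONG_VERSION_NUMBER
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
    }


def check_first_record(data: bytes, server_version: tuple[int, int]) -> dict:
    """Emulate the fixed-version header check on the first bytes a client sends.
    ok=True for a usable record; otherwise the likely cause of the error."""
    if len(data) < 5:
        return {"ok": False, "cause": "short read"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and (major, minor) == server_version:
        return {"ok": True, "cause": "", "record": CONTENT_TYPES[ctype], "length": length}
    if ctype in CONTENT_TYPES and major == 3:
        # a real TLS/SSLv3 record, just not the version the server is pinned to
        return {"ok": False, "cause": "version-mismatch", "client_version": (major, minor)}
    if all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in data[:5]):
        # printable ASCII: a plaintext protocol was sent to the TLS port
        return {"ok": False, "cause": "plaintext", "sample": data[:16].decode("ascii", "replace")}
    return {"ok": False, "cause": "not-a-tls-record"}


# Constructed samples: the first five bytes of what a client might send.
TLS1_HELLO = b"\x16\x03\x01\x00\x8a"     # TLSv1 handshake record header
SSL3_HELLO = b"\x16\x03\x00\x00\x8a"     # SSLv3 handshake record header
IMAP_PLAIN = b"a001 CAPABILITY\r\n"      # plaintext IMAP on the TLS port

if __name__ == "__main__":
    print(parse_openssl_error("SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"))
    for name, sample in [("tls1", TLS1_HELLO), ("ssl3", SSL3_HELLO), ("imap", IMAP_PLAIN)]:
        print(name, "ssl3-server:", check_first_record(sample, (3, 0)), "tls1-server:", check_first_record(sample, (3, 1)))
```

The practical reading: if the log shows this error on the very first record, compare what the client offers with what `sslVersion` pins before suspecting certificates or firewalls, and make sure the client is really speaking TLS from the first byte (IMAPS on 993, not IMAP with STARTTLS on 143).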
I'm trying to tunnel imap but I'm not getting past this:
2007.10.08 05:56:28 LOG5[5355:47656983060560]: stunnel 4.18 on x86_64-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2007.10.08 05:56:28 LOG5[5355:47656983060560]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2007.10.08 05:56:28 LOG6[5355:47656983060560]: file ulimit = 1024 (can be changed with 'ulimit -n')
2007.10.08 05:56:28 LOG6[5355:47656983060560]: poll() used - no FD_SETSIZE limit for file descriptors
2007.10.08 05:56:28 LOG5[5355:47656983060560]: 500 clients allowed
2007.10.08 05:56:28 LOG7[5355:47656983060560]: FD 4 in non-blocking mode
2007.10.08 05:56:28 LOG7[5355:47656983060560]: FD 5 in non-blocking mode
2007.10.08 05:56:28 LOG7[5355:47656983060560]: FD 6 in non-blocking mode
2007.10.08 05:56:28 LOG7[5355:47656983060560]: SO_REUSEADDR option set on accept socket
2007.10.08 05:56:28 LOG3[5355:47656983060560]: Error binding imaps to 0.0.0.0:993
2007.10.08 05:56:28 LOG3[5355:47656983060560]: bind: Address already in use (98)
I can't find where to begin.
I set SO_REUSEADDR and it didn't do anything different.
How do I test this stuff sanely?
Dear Users,
The new version is available for download on:
ftp://stunnel.mirt.net/stunnel/
Version 4.21, 2007.10.27, urgency: LOW/EXPERIMENTAL:
* New features sponsored by Open-Source Software Institute
- Initial FIPS 140-2 support (see INSTALL.FIPS for details).
Win32 platform is not currently supported.
* New features
- Experimental fast support for non-MT-safe libwrap is provided
with pre-spawned processes.
- Stunnel binary moved from /usr/local/sbin to /usr/local/bin
in order to meet FHS and LSB requirements.
Please delete the /usr/local/sbin/stunnel when upgrading.
- Added code to disallow compiling stunnel with pthreads when
OpenSSL is compiled without threads support.
- Win32 DLLs for OpenSSL 0.9.8g.
- Minor manual update.
- TODO file updated.
* Bugfixes
- Dynamic locking callbacks added (needed by some engines to work).
- AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
- On some systems libwrap requires yp_get_default_domain from libnsl,
additional checking was added.
- Sending a list of trusted CAs for the client to choose the right
certificate restored.
- Some compatibility issues with NTLM authentication fixed.
- Taskbar icon (unless there is a config file parsing error) and
"Save As" disabled in the service mode for local Win32 security
(it's much like Yeti -- some people claim they have seen it).
sha1 hash for stunnel-4.21.tar.gz file:
7785c45167d902aa728b839adee02a8cc056d86a
Best regards,
Mike
I tested with my firewall with both PCs at home. I can make it work with the port open and when I close the port it fails. It's only when I try to connect from behind the corporate firewall that it fails.
I've tried several other port numbers and always get the same results.
Can you send me your entire client and server config files so I can see the settings?
Thanks,
Frank
----- Original Message ----
From: "stunnel-users-request(a)mirt.net" <stunnel-users-request(a)mirt.net>
To: stunnel-users(a)mirt.net
Sent: Tuesday, October 23, 2007 6:00:06 AM
Subject: stunnel-users Digest, Vol 39, Issue 16
Today's Topics:
1. [RE] Using stunnel for RDP / Proxy / Firewall (Algol Tradent)
Hello,
I think your problem might be related to your
firewall/router configuration.
Have you enabled port-forwarding for the connection?
From your configuration files I can see you are using
port 1494. Check that you are forwarding that port.
Also make sure you configure any firewall software
running on the machine you want to connect to, in
order to allow connections.
Best Regards
Hi,
I am trying to set up syslog + stunnel in a large environment. I am
curious about the experience of members of this mailing list regarding
how stunnel + syslog-ng scale.
I set up a test environment using stunnel 3.26 (because that's what is
in my debian installation)[*]. I configured stunnel to run as a daemon
(starting on boot), and syslog passes off messages and receives messages
from localhost:514. In the stunnel log, it tells me that there is a
limit of 500 clients, and it seems that with stunnel 3.x, it must be
recompiled to increase this limit. I found some posts on this list that
say that while stunnel 3.x uses select(), stunnel 4.x uses poll(), which
is much more efficient. So I figure that if I will have to roll my own
package, I may as well upgrade to 4.x at the same time. Agree? If so,
which version?
It's my understanding that this configuration will create a persistent
connection between the client and server, holding it open until such
time as syslog needs to send a message across it. How many clients have
you experienced being able to connect to the log aggregator? My logs
are rather sparse, so I expect I will hit a limit based on processor /
filehandle / memory usage before I start overloading the local disk.
Eventually, I realize that I will have to build a tree structure with
intermediate nodes aggregating logs and passing them on to the central
host, but I would like to know where people have hit that limit. I
would love to have ~5000 clients connected to each aggregating server.
Is this within the realm of experience?
Does anybody have tuning suggestions for such high numbers of
connections? I saw one person mention on the mailing list that
compiling without libwrap allowed him to pass ~2500 connections (though
he didn't give a new ceiling).
Thanks,
-ben
[*] I was actually impressed at how easy this was. Aside from having to
write my own /etc/init.d/ scripts to start the client and server, I
could bring down either end of the stunnel connection, and things would
just pick up where they left off when the tunnel was reconnected. Add
monit into the picture and you've got a nice resilient secure logging
system. Slick!
--
Ben Hartshorne
email: ben(a)hartshorne.net
http://ben.hartshorne.net