From: robert.bator at bring.nu (Robert Bator)
Date: Thu, 1 Jun 2006 14:12:53 +0200
Subject: [stunnel-users] unsecure configuration

Hi,

I am trying to set up stunnel to accept unsecure calls on port 1001 from inside and secure calls on port 1000 from the internet. All calls are forwarded to machine B. The configuration is like this:

  secure   --> 1000 machine A   unsecure --> 1002 machine B
  unsecure --> 1001 machine A   unsecure --> 1002 machine B

Is this setup possible in stunnel?

PS. I use "stone repeater" and these rules are easy to set up.

Best Regards,
Robert Bator


From: snagasun at visa.com (Nagasundaram, Sekhar)
Date: Tue, 6 Jun 2006 15:41:08 -0700
Subject: [stunnel-users] Processing during CRL expiry and refresh

All:

I have 2 questions:

1. Is there a way to have Stunnel continue processing and accepting connections after the CRL expiry? Currently it gives a "revoking all certificates" error and stops accepting connections.

2. Is there a configurable parameter through which we can have the CRL list refresh itself such that 1 above does not happen?

Much Thanks in advance..

Sekhar
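A worked configuration for Robert's two-listener question (the first message on this page), added here as an example; it is not taken from the list, from Robert, or from the stunnel distribution. The host name machine-b and the certificate paths are placeholders. stunnel always has TLS on exactly one side of a service (the accept side unless client = yes), so only the port-1000 listener can be expressed in stunnel.conf; the plaintext 1001 -> B:1002 relay stays on a plain TCP forwarder such as the stone repeater Robert already runs.

```ini
# Added example for the two-port setup asked about above (not from the
# original post). The host name machine-b and all paths are placeholders.

# --- global options ---
cert = /etc/stunnel/machine-a-cert.pem
key  = /etc/stunnel/machine-a-key.pem
options = NO_SSLv2
debug = 5
output = /var/log/stunnel.log

# If the Internet-side clients carry certificates from your own CA,
# require them; CApath must be a c_rehash'ed directory.
# verify = 2
# CApath = /etc/stunnel/certs

# --- Internet-facing service: TLS accepted on 1000, plaintext onward ---
[secure-in]
accept  = 1000
connect = machine-b:1002

# There is deliberately no section for port 1001: stunnel terminates (or,
# with client = yes, originates) TLS on one side of every service, so a
# plaintext-to-plaintext 1001 -> machine-b:1002 relay cannot be configured
# here. Keep that relay on the plain forwarder and bind it to the internal
# interface only, so the unencrypted path is never reachable from outside.
```

The accept line binds all interfaces; if machine A has a separate internal address, writing the public address in front of the port (accept = host:1000) keeps the TLS listener off the inside network, which is the mirror image of binding the plaintext forwarder to the inside only.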
From: Christoph.Pleger at uni-dortmund.de (Christoph Pleger)
Date: Wed, 7 Jun 2006 14:38:02 +0200
Subject: [stunnel-users] syslog-ng over stunnel does not work for me
Message-ID: <20060607143802.50515791.Christoph.Pleger@uni-dortmund.de>

Hello,

I set up a server and a client machine to test the combination of stunnel and syslog-ng. I followed the instructions in the example at http://www.stunnel.org/examples/syslog-ng.html, but the log messages are not sent correctly.

The log on the server says:

  ****: syslog started
  ****: syslog connected from ###.###.###.###:51646
  ****: SSL state (accept): before/accept initialization
  ****: SSL_accept: 140B544E: error: 140B544E: SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
  ****: syslog finished (-1 left)

The log on the client says:

  ****: syslog started
  ****: syslog connected from 127.0.0.1:3524
  ****: FD 8 in non-blocking mode
  ****: syslog connecting ###.###.###.###:514
  ****: connect_wait: waiting 10 seconds
  ****: connect_wait: connected
  ****: Remote FD=8 initialized
  ****: SSL state (connect): before/accept initialization
  ****: SSL state (connect): SSLv3 write client hello A
  ****: SSL_connect: Peer suddenly disconnected
  ****: syslog finished (0 left)

Please help.

Regards
Christoph
From: Erez.Nadav at verint.com (Nadav, Erez)
Date: Wed, 7 Jun 2006 18:00:04 +0300
Subject: [stunnel-users] stunnel error
Message-ID: <13DD73899260DF4F81FA8ED9BA953F1770B5FA@tlvmail3.IL.Corp.Verintsystems.com>

Hi,

I use stunnel 4.14 and face this error when performing buffer writes from the client to the remote side:

  SSL_write: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call

Does anybody know how I can overcome this???

Thanks
Erez

This electronic message contains information from Verint Systems, which may be privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by replying to this email (1).


From: Erez.Nadav at verint.com (Nadav, Erez)
Date: Wed, 7 Jun 2006 18:51:43 +0300
Subject: [stunnel-users] stunnel error
Message-ID: <13DD73899260DF4F81FA8ED9BA953F1770B607@tlvmail3.IL.Corp.Verintsystems.com>

Hi,

It seems that the problem occurs when the client writes large buffers (30-40 Kbytes) on each write. Any idea how to solve it?

Thanks
Erez

________________________________
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Nadav, Erez
Sent: Wednesday, June 07, 2006 6:00 PM
To: stunnel-users at mirt.net
Subject: [stunnel-users] stunnel error

> Hi,
>
> I use stunnel 4.14 and face this error when performing buffer writes from the client to the remote side:
>
>   SSL_write: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
>
> Does anybody know how I can overcome this???
>
> Thanks
> Erez
From: Trent.W.Townsend at erdc.usace.army.mil (Trent Townsend)
Date: Wed, 7 Jun 2006 13:32:33 -0500
Subject: [stunnel-users] decryption failed or bad record mac
Message-ID: <846E38A2-E800-4B08-AC88-849153088FA8@erdc.usace.army.mil>

I've emailed about this once already, but am just giving a *little* more info. It seems similar problems with SSL proliferate the web. The problem is below (messages from the client and server posted). I thought it may be a bug reported with SSL and zlib (for which a fix isn't due out until the next version of OpenSSL). However, I can successfully start up an openssl s_server and talk to it with an s_client, so I think that eliminates OpenSSL. Has anyone seen this before (I'm sure this is the case) and figured it out?

Client:
  SSL_connect: 140943FC: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

Server:
  SSL_accept: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

I'm using stunnel 4.11 (tried 4.15 also) and OpenSSL 0.9.8a.

Thanks.
From: srilalitha.m at hcl.in (Srilalitha Muralidhara (HCL Capital Market Services))
Date: Thu, 8 Jun 2006 12:36:33 +0530
Subject: [stunnel-users] Connection Reset by Peer
Message-ID: <7D9386E4B8FE7F41B26D65E1F91278F102076150@DSL-EXCHBE.DSL.HCLTECH.COM>

Hi,

My stunnel server is unable to send data correctly to my application running on the same machine. This happens when the client is run from the Windows platform. When the client is run from UNIX everything works fine.

The stunnel server log file says:

  2006.06.05 11:54:54 LOG7[23141:8]: rssvr connecting 127.0.0.1:28091
  2006.06.05 11:54:54 LOG7[23141:8]: Remote FD=1 initialized
  2006.06.05 11:54:54 LOG7[23141:8]: TCP_NODELAY option set on remote socket
  2006.06.05 11:54:54 LOG3[23141:8]: SSL_read: Connection reset by peer (131)
  2006.06.05 11:54:54 LOG5[23141:8]: Connection reset: 0 bytes sent to SSL, 13 bytes sent to socket
  2006.06.05 11:54:54 LOG5[23141:8]: linger (local): Invalid argument (22)
  2006.06.05 11:54:54 LOG7[23141:8]: rssvr finished (0 left)

Does anybody know the cause of the problem? And hopefully the solution?

Thanks
Sri

Disclaimer:
The contents of this E-mail (including the contents of the enclosure(s) or attachment(s) if any) are privileged and confidential material of HCL Capital Market Services and should not be disclosed to, used by or copied in any manner by anyone other than the intended addressee(s). In case you are not the desired addressee, you should delete this message and/or re-direct it to the sender. The views expressed in this E-mail message (including the enclosure(s) or attachment(s) if any) are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of HCL Capital Market Services. This e-mail message including attachment/(s), if any, is believed to be free of any virus. However, it is the responsibility of the recipient to ensure that it is virus free and HCL Capital Market Services is not responsible for any loss or damage arising in any way from its use.
From: Christoph.Pleger at uni-dortmund.de (Christoph Pleger)
Date: Thu, 8 Jun 2006 14:45:42 +0200
Subject: [stunnel-users] syslog-ng over stunnel does not work for me
In-Reply-To: <20060607143802.50515791.Christoph.Pleger@uni-dortmund.de>
References: <20060607143802.50515791.Christoph.Pleger@uni-dortmund.de>
Message-ID: <20060608144542.39db2cb7.Christoph.Pleger@uni-dortmund.de>

Hello,

> I set up a server and a client machine to test the combination of
> stunnel and syslog-ng. I followed the instructions in the example at
> http://www.stunnel.org/examples/syslog-ng.html, but the log messages
> are not sent correctly.
>
> The log on the server says:
>
> ****: syslog started
> ****: syslog connected from ###.###.###.###:51646
> ****: SSL state (accept): before/accept initialization
> ****: SSL_accept: 140B544E: error: 140B544E: SSL
> routines:SSL_GET_NEW_SESSION:ssl session id callback failed
> ****: syslog finished (-1 left)
>
> The log on the client says:
>
> ****: syslog started
> ****: syslog connected from 127.0.0.1:3524
> ****: FD 8 in non-blocking mode
> ****: syslog connecting ###.###.###.###:514
> ****: connect_wait: waiting 10 seconds
> ****: connect_wait: connected
> ****: Remote FD=8 initialized
> ****: SSL state (connect): before/accept initialization
> ****: SSL state (connect): SSLv3 write client hello A
> ****: SSL_connect: Peer suddenly disconnected
> ****: syslog finished (0 left)
>
> Please help.

I found the reason for my problem: stunnel tries to read some random bytes from /dev/urandom, but that device did not exist because I am running stunnel in a virtual server (www.linux-vserver.org) and my virtual server only had a very limited number of device nodes in /dev.

Regards
Christoph
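Christoph's finding above points at a dependency that is easy to lose in a vserver or container with a hand-built /dev: OpenSSL seeds itself from /dev/urandom, and the handshake dies when the node is missing. The check below is an added example (not stunnel code and not from the thread) that a start-up script can run before launching stunnel. It verifies that the path is a real kernel RNG character device and not, say, a regular file left behind by a well-meant "touch /dev/urandom", which would exist but yield no entropy. The RandomDeviceCheck type, the check_random_device function and the constructed fake device in demo_fake_device are this example's own names.

```python
"""Pre-flight check for the kernel random device that OpenSSL (and so stunnel)
seeds from. Added example, not part of the stunnel sources or of the thread."""

import os
import stat
import sys
import tempfile
from dataclasses import dataclass


@dataclass
class RandomDeviceCheck:
    path: str
    ok: bool
    reason: str


# On Linux the kernel RNG character devices are major 1, minor 8 (/dev/random)
# and major 1, minor 9 (/dev/urandom). Other Unixes number them differently,
# so the major/minor test is applied on Linux only.
_LINUX_RNG_NODES = {(1, 8), (1, 9)}


def check_random_device(path="/dev/urandom", nbytes=32):
    """Return a RandomDeviceCheck saying whether `path` is a usable kernel RNG
    device: it must exist, be a character device (not a regular file someone
    created by hand), carry the kernel RNG major/minor on Linux, and actually
    hand back `nbytes` bytes when read."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return RandomDeviceCheck(path, False, "missing: device node does not exist")
    except PermissionError:
        return RandomDeviceCheck(path, False, "not accessible: permission denied on stat")

    if not stat.S_ISCHR(st.st_mode):
        kind = "regular file" if stat.S_ISREG(st.st_mode) else "non-character node"
        return RandomDeviceCheck(path, False, f"wrong type: {kind}, expected a character device")

    if sys.platform.startswith("linux"):
        dev = (os.major(st.st_rdev), os.minor(st.st_rdev))
        if dev not in _LINUX_RNG_NODES:
            return RandomDeviceCheck(path, False, f"wrong device: major/minor {dev} is not the kernel RNG")

    try:
        fd = os.open(path, os.O_RDONLY)
        try:
            data = os.read(fd, nbytes)
        finally:
            os.close(fd)
    except OSError as exc:
        return RandomDeviceCheck(path, False, f"read failed: {exc.strerror}")

    if len(data) != nbytes:
        return RandomDeviceCheck(path, False, f"short read: got {len(data)} of {nbytes} bytes")

    return RandomDeviceCheck(path, True, f"character device, {nbytes} bytes read")


def demo_fake_device(tmp_dir=None):
    """Show the failure mode: a regular file named urandom (what `touch` would
    leave behind inside a vserver) is rejected even though it exists and is
    readable. The file is constructed here for the demonstration."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    fake = os.path.join(tmp_dir, "urandom")
    with open(fake, "wb") as f:
        f.write(b"\x00" * 64)  # constructed: readable, but not an RNG
    return check_random_device(fake)


if __name__ == "__main__":
    for result in (check_random_device("/dev/urandom"),
                   check_random_device("/dev/does-not-exist"),
                   demo_fake_device()):
        print(f"{result.path}: {'OK' if result.ok else 'FAIL'} ({result.reason})")
```

Where the node genuinely cannot be created inside the guest, stunnel's RNDfile and RNDbytes options let it seed from a file instead; that file is only as good as whatever wrote it, so the check above is still the one to run on the host that produces it.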
From: snagasun at visa.com (Nagasundaram, Sekhar)
Date: Fri, 9 Jun 2006 16:15:05 -0700
Subject: [stunnel-users] Reposting...RE: stunnel-users Digest, Vol 23, Issue 2

Any one...

Is there a way to have Stunnel not stop accepting new connections after CRL expiry? See my questions below.. Any help is appreciated...

Much thanks
Sekhar

> Message: 1
> Date: Tue, 6 Jun 2006 15:41:08 -0700
> From: "Nagasundaram, Sekhar"
> Subject: [stunnel-users] Processing during CRL expiry and refresh
> Content-Type: text/plain; charset="US-ASCII"
>
> All:
>
> I have 2 questions:
>
> 1. Is there a way to have Stunnel continue processing and accepting connections after the CRL expiry? Currently it gives a "revoking all certificates" error and stops accepting new connections.
>
> 2. Is there a configurable parameter through which we can have the CRL list refresh itself such that 1 above does not happen?
>
> Much Thanks in advance..
>
> Sekhar


From: stilnesv at hotmail.com (http s)
Date: Sun, 11 Jun 2006 12:39:12 -0700
Subject: [stunnel-users] Comparing with BarracudaDrive and Proxytunnel

I am curious if anyone has made a comparison of Stunnel with the BarracudaDrive HTTPS tunnel and/or Proxytunnel?

http://barracudaserver.com/examples/BarracudaDrive/HttpsTunnel/index.html
http://proxytunnel.sourceforge.net

I did not find much information on tunneling VPN?
From: srilalitha.m at hcl.in (Srilalitha Muralidhara (HCL Capital Market Services))
Date: Mon, 12 Jun 2006 15:31:30 +0530
Subject: [stunnel-users] socket closed after SSL_write
Message-ID: <7D9386E4B8FE7F41B26D65E1F91278F1020DB73D@DSL-EXCHBE.DSL.HCLTECH.COM>

Hi,

I work on a client-server application that needs to be supported on both UNIX and Windows platforms. Currently, we keep one socket open for all communication from client to server (during which many read-write operations take place).

For user authentication and security purposes, we are planning to implement SSL-Stunnel. I have developed a small SSL client (based on the sclient.c example) which connects to the Stunnel server. Upon the first SSL_write, SSL is closing the underlying socket. Hence the contents written by subsequent SSL_write operations are not visible in the server log.

I saw a lot of posts on the same problem, but couldn't find the solution. Any help is greatly appreciated.

Please note that:

1. Due to platform independence issues, I use RWSocket (a Roguewave library class) instead of the BSD socket in conjunction with SSL.

A portion of the stunnel server log:

  2006.06.12 10:47:43 LOG7[19699:28]: FD 1 in non-blocking mode
  2006.06.12 10:47:43 LOG7[19699:28]: rssvr connecting 127.0.0.1:28091
  2006.06.12 10:47:43 LOG7[19699:28]: Remote FD=1 initialized
  2006.06.12 10:47:43 LOG7[19699:28]: TCP_NODELAY option set on remote socket
  2006.06.12 10:47:45 LOG7[19699:28]: Socket closed on read
  2006.06.12 10:47:45 LOG7[19699:28]: SSL write shutdown
  2006.06.12 10:47:45 LOG7[19699:28]: SSL alert (write): warning: close notify
  2006.06.12 10:47:45 LOG7[19699:28]: SSL_shutdown retrying
  2006.06.12 10:47:45 LOG7[19699:28]: SSL doesn't need to read or write
  2006.06.12 10:47:50 LOG3[19699:28]: SSL_read: Connection reset by peer (131)
  2006.06.12 10:47:50 LOG5[19699:28]: Connection reset: 0 bytes sent to SSL, 26 bytes sent to socket
  2006.06.12 10:47:50 LOG7[19699:28]: linger (remote): Invalid argument (22)
  2006.06.12 10:47:50 LOG7[19699:28]: linger (local): Invalid argument (22)
  2006.06.12 10:47:50 LOG7[19699:28]: rssvr finished (0 left)

Thanks
Sri

Srilalitha Muralidhara

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
From: dgillingham+stunnel at gmail.com (David Gillingham)
Date: Mon, 12 Jun 2006 09:04:56 -0500
Subject: [stunnel-users] Modifying STunnel to use OpenSSL FIPS
Message-ID: <5d6d2b290606120704g5b4c25e1gefbb92ae3f96f53e@mail.gmail.com>

As part of an internal project at work, I'm investigating a Windows tunneling solution using STunnel. As a requirement of my work, I am to modify STunnel to use OpenSSL's FIPS APIs. And, with only a couple of speedbumps, I was able to achieve this. However I'd like to make my code a little more robust: to provide some notification to the user if OpenSSL's FIPS mode is active or not. To this point I've not been able to figure out a way to do this.

In my copy of the STunnel source, I've modified the routine ssl_init() in ssl.c to make a call to FIPS_mode_set(1) (as demonstrated on page 33 of http://www.openssl.org/docs/fips/UserGuide-1.0.pdf). Below is a copy of my current copy of ssl_init():

  void ssl_init(void) { /* to keep CLI structure for verify callback */
  #if defined(OPENSSL_FIPS) && defined(USE_FIPS)
      /* Switch the OpenSSL FIPS mode on before any other SSL call;
       * FIPS_mode_set() returns 0 if the FIPS module cannot be enabled */
      if (!FIPS_mode_set(1)) {
          s_log(LOG_CRIT, "Could not set FIPS mode!");
      } else {
          s_log(LOG_INFO, "In FIPS mode.");
      }
  #endif
      /* rest of ssl_init() from original source */
  }

As I've found out, the s_log calls do nothing because the STunnel window has not been displayed yet. Ideally, in the case where the FIPS_mode_set() call fails, I'd like to invoke an error handler to cause the STunnel service to fail to start. But trying to make a call to something like sslerror() caused a program crash. Any ideas on how to make these changes?
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Mon, 12 Jun 2006 19:32:46 +0200
Subject: [stunnel-users] Modifying STunnel to use OpenSSL FIPS
In-Reply-To: <5d6d2b290606120704g5b4c25e1gefbb92ae3f96f53e@mail.gmail.com>
References: <5d6d2b290606120704g5b4c25e1gefbb92ae3f96f53e@mail.gmail.com>
Message-ID: <200606121932.49548.Michal.Trojnara@mobi-com.net>

On Monday 12 June 2006 16:04, David Gillingham wrote:
> As I've found out, the s_log calls do nothing because the STunnel
> window has not been displayed yet. Ideally, in the case where the
> FIPS_mode_set() call fails, I'd like to invoke an error handler to
> cause the STunnel service to fail to start. But trying to make a call
> to something like sslerror() caused a program crash. Any ideas on how
> to make these changes?

Great. I've just found a solution for this problem and I'm going to implement it in the next release. The log will be buffered in memory and then displayed later.

Best regards,
Mike
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Mon, 12 Jun 2006 19:37:39 +0200
Subject: [stunnel-users] socket closed after SSL_write
In-Reply-To: <7D9386E4B8FE7F41B26D65E1F91278F1020DB73D@DSL-EXCHBE.DSL.HCLTECH.COM>
References: <7D9386E4B8FE7F41B26D65E1F91278F1020DB73D@DSL-EXCHBE.DSL.HCLTECH.COM>
Message-ID: <200606121937.42200.Michal.Trojnara@mobi-com.net>

On Monday 12 June 2006 12:01, Srilalitha Muralidhara wrote:
> 2006.06.12 10:47:45 LOG7[19699:28]: SSL alert (write): warning: close
> notify

Clean SSL shutdown alert was received.

> 2006.06.12 10:47:50 LOG3[19699:28]: SSL_read: Connection reset by peer
> (131)

... and then TCP RST! Strange. It looks like your application has set the SO_LINGER option on its socket, so it sends a TCP RST instead of a TCP FIN packet.

Best regards,
Mike


From: snagasun at visa.com (Nagasundaram, Sekhar)
Date: Mon, 12 Jun 2006 13:17:24 -0700
Subject: [stunnel-users] CRLPath not working

All:

We download CRLs every day from a CRL server using LDAP and a cron job. These CRLs are stored in the CRLpath directory along with their hash. It appears that stunnel is not refreshing its cache, and it still shows "Found CRL is expired - revoking all certificates until you get updated CRL" when we try to connect to it even though there is a new and valid CRL in the CRLpath folder. Is there a special option in the stunnel configuration for it to recognize/cache/add the new hash file?

All help is appreciated.

Thanks
Sekhar
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Mon, 12 Jun 2006 23:18:09 +0200
Subject: [stunnel-users] Comparing with BarracudaDrive and Proxytunnel
Message-ID: <7ce6015fd0cabd2864cda23472f4ea3e@mobi-com.net>

On 2006-06-11, at 21:39, http s wrote:
> I am curious if anyone has made a comparison of Stunnel with the
> BarracudaDrive HTTPS tunnel and/or Proxytunnel?
>
> http://barracudaserver.com/examples/BarracudaDrive/HttpsTunnel/index.html

1. BarracudaDrive is *not* free software (even though its home page claims so). See http://www.gnu.org/philosophy/free-sw.html for details.

2. It only works on Windows, Linux, QNX and Mac OS X. Compare it to the list on http://stunnel.mirt.net/.

3. BarracudaDrive is designed to be used for file transfer, while stunnel is a universal tool for encrypting TCP streams. As a result stunnel is much more flexible, but it won't perform any file transfer by itself.

> http://proxytunnel.sourceforge.net

1. It's not really an encryption tool, but rather an extension for the OpenSSH client. It has some optional basic SSL code (as of version 1.6.0), but it's currently broken. The code incorrectly assumes that SSL_read() only needs to read from a file descriptor and SSL_write() only needs to write to a file descriptor.

2. Proxytunnel supports NTLM authentication, which is not currently supported by stunnel.

3. It looks like an interesting addition to stunnel on a Unix platform. The client configuration should be something like:

  [Proxytunnel]
  client = yes
  accept = 12345
  exec = /path/to/proxytunnel
  execargs = proxytunnel -p proxy:8080 -u user -s pass -d mybox.athome.nl:443

4. Optional use of stunnel is recommended in the README file of Proxytunnel 1.6.0. 8-)

Best regards,
Mike
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Tue, 13 Jun 2006 00:21:40 +0200
Subject: [stunnel-users] CRLPath not working
Message-ID: <50a4d47b5c62ecc497a3546e78957771@mobi-com.net>

On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:
> We download crls everyday from a CRL server using LDAP and a cronjob.
> These CRLs are stored in the CRLpath directory along with its hash.
> It appears that the stunnel is not refreshing its cache, and it
> still shows "Found CRL is expired - revoking all certificates until
> you get updated CRL" when we try to connect to it even though there is a
> New and valid CRL in the CRLPath folder. Is there a special option
> In Stunnel configuration for it to recognize/cache/add the new hash
> file

Just to make sure: the problem disappears after restarting stunnel, right?

The simple workaround could be disabling all SSL caches:

  ./configure --with-threads=fork
  make clean
  make
  make install

Can you send your stunnel.conf and debug log?

TIA,
Mike
From: snagasun at visa.com (Nagasundaram, Sekhar)
Date: Mon, 12 Jun 2006 17:14:48 -0700
Subject: [stunnel-users] CRLPath not working

Mike:

Here are the configuration and the log files as you requested....

--------------------------------- BEGIN CONFIG ---------------------------------
# switch-simulator stunnel configuration file
# Copyright by Michal Trojnara 2002

# Certs and keys
cert = /etc/certs/demoedge2-cert.pem
key = /etc/keys/demoedge2-key.pem

# PID is created inside chroot jail
pid = /var/opt/stunnel/stunnel_server.pid

# Authentication stuff
verify = 2
options = NO_SSLv2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
CApath = /etc/CApath
# CRL path or file (inside chroot jail):
CRLpath = /etc/crl

# Some debugging stuff
debug = local4.5
output = /var/opt/log/pras_test_server.log

# Use it for client mode
#client = no

# Service-level configuration
[APF]
accept = 10.172.86.128:51101
connect = 127.0.0.1:50111
---------------------------------- END CONFIG ----------------------------------

-------------------------------- BEGIN LOG FILE --------------------------------
2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=2,
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
--------------------------------- END LOG FILE ---------------------------------

> On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:
>> We download crls everyday from a CRL server using LDAP and a cronjob.
>> These CRLs are stored in the CRLpath directory along with its hash.
>> It appears that the stunnel is not refreshing its cache, and it
>> still shows "Found CRL is expired - revoking all certificates until
>> you get updated CRL" when we try to connect to it even though there is a
>> New and valid CRL in the CRLPath folder. Is there a special option
>> In Stunnel configuration for it to recognize/cache/add the new hash
>> file
>
> Just to make sure: the problem disappears after restarting stunnel, right?
>
> The simple workaround could be disabling all SSL caches:
>
>   ./configure --with-threads=fork
>   make clean
>   make
>   make install
>
> Can you send your stunnel.conf and debug log?
>
> TIA,
> Mike

Sekhar Nagasundaram
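The log above carries the whole diagnosis if it is read against the clock: every "CA CRL:" line reports the same nextUpdate of Jun 10 08:00:02 GMT, the connections are on Jun 11 and Jun 12, and each one ends in "revoking all certificates" followed by a failed SSL_accept. The CRL was expired at handshake time (so stunnel failed closed, which is the safe default), and the fact that a fresh CRL fetched daily by cron never changes that nextUpdate shows the running process is not re-reading CRLpath. The script below is an added example, not from the thread or from stunnel: it runs that check over log lines. The sample is copied from the posted log (the issuer DN is left exactly as it appears there) and is labelled as constructed input; the analyze and stale_for_days functions and the StaleCrlFinding type are this example's own. It treats the log timestamp as UTC, which stunnel does not guarantee, so the durations are estimates to within the server's UTC offset.

```python
"""Detect handshakes evaluated against an already-expired CRL in stunnel logs,
and how long the same stale CRL kept being served. Added example, not from
the original thread."""

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the three rejected connections from the posted log.
SAMPLE_LOG = """\
2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# "YYYY.MM.DD HH:MM:SS LOG<level>[<pid>:<conn>]: <message>"
_LINE = re.compile(r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
                   r"LOG(?P<lvl>\d)\[(?P<conn>\d+:\d+)\]: (?P<msg>.*)$")
_CRL = re.compile(r"CA CRL: Issuer: (?P<issuer>.*?), lastUpdate: (?P<last>.*? GMT), "
                  r"nextUpdate: (?P<next>.*? GMT)")


def _parse_gmt(text):
    # OpenSSL prints e.g. "Jun  9 07:00:02 2006 GMT"; collapse the padding first.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")


@dataclass
class StaleCrlFinding:
    conn: str                 # "<pid>:<connection>" from the log prefix
    seen_at: datetime         # log timestamp (assumed UTC; stunnel logs local time)
    next_update: datetime     # the CRL's nextUpdate, GMT
    expired_for: timedelta    # how long past nextUpdate the handshake was
    client_rejected: bool     # an SSL_accept error followed the CRL warning


def analyze(log_text):
    """Group lines by connection id and report each connection that was checked
    against a CRL whose nextUpdate already lay in the past."""
    per_conn = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            per_conn[m["conn"]].append(m)

    findings = []
    for conn, entries in per_conn.items():
        crl_entry = next((e for e in entries if "CA CRL:" in e["msg"]), None)
        if crl_entry is None:
            continue
        crl = _CRL.search(crl_entry["msg"])
        if crl is None:
            continue
        seen_at = datetime.strptime(crl_entry["ts"], "%Y.%m.%d %H:%M:%S")
        next_update = _parse_gmt(crl["next"])
        if seen_at <= next_update:
            continue              # CRL still within its validity window
        rejected = any("SSL_accept:" in e["msg"] for e in entries)
        findings.append(StaleCrlFinding(conn, seen_at, next_update,
                                        seen_at - next_update, rejected))
    return findings


def stale_for_days(findings):
    """Span between the first and last sighting of an expired CRL. Longer than
    one cron interval (daily here) means the refreshed file on disk is not
    reaching the running process."""
    if not findings:
        return timedelta(0)
    times = sorted(f.seen_at for f in findings)
    return times[-1] - times[0]


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.conn}: CRL expired {f.expired_for} before this handshake; "
              f"client {'rejected' if f.client_rejected else 'accepted'}")
    print("same expired CRL observed across", stale_for_days(found))
```

Run against a live log this separates the two questions in the thread: expired_for tells you the CRL was stale at handshake time (a publishing or fetching problem), while a growing stale_for_days with a cron job that demonstrably writes new files tells you the running process never picks them up (a loading problem, which is what the patch later in this thread addresses).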
From: srilalitha.m at hcl.in (Srilalitha Muralidhara (HCL Capital Market Services))
Date: Tue, 13 Jun 2006 14:16:14 +0530
Subject: [stunnel-users] socket closed after SSL_write
Message-ID: <7D9386E4B8FE7F41B26D65E1F91278F1020DBB58@DSL-EXCHBE.DSL.HCLTECH.COM>

Thanks Michal. How do I disable the socket from sending a TCP RST and instead make it send a TCP FIN?

It might be a very basic question. Sorry about that.

Thanks
Sri

Srilalitha Muralidhara
Rates IT Report Server
HCL Capital Market Services
91.80.4190.6689
33/1, The Senate, Ulsoor Road, Bangalore. India.

-----Original Message-----
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Michal Trojnara
Sent: Monday, June 12, 2006 11:08 PM
To: stunnel-users at mirt.net
Subject: Re: [stunnel-users] socket closed after SSL_write

> On Monday 12 June 2006 12:01, Srilalitha Muralidhara wrote:
>> 2006.06.12 10:47:45 LOG7[19699:28]: SSL alert (write): warning: close
>> notify
>
> Clean SSL shutdown alert was received.
>
>> 2006.06.12 10:47:50 LOG3[19699:28]: SSL_read: Connection reset by peer
>> (131)
>
> ... and then TCP RST! Strange. It looks like your application has set the SO_LINGER option on its socket, so it sends a TCP RST instead of a TCP FIN packet.
>
> Best regards,
> Mike
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Tue, 13 Jun 2006 15:11:10 +0200
Subject: [stunnel-users] socket closed after SSL_write
In-Reply-To: <7D9386E4B8FE7F41B26D65E1F91278F1020DBB58@DSL-EXCHBE.DSL.HCLTECH.COM>
References: <7D9386E4B8FE7F41B26D65E1F91278F1020DBB58@DSL-EXCHBE.DSL.HCLTECH.COM>
Message-ID: <448EB96E.6040606@mobi-com.net>

Srilalitha Muralidhara (HCL Capital Market Services) wrote:
> Thanks Michal. How do I disable the socket from sending TCP RST and
> instead make it send TCP FIN?
>
> It might be a very basic question. Sorry about that.

http://www.developerweb.net/forum/showthread.php?t=2982

Best regards,
Mike
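Mike's diagnosis in this thread (SO_LINGER set on the application socket, so close() emits a TCP RST rather than a FIN, and stunnel's SSL_read fails with "Connection reset by peer" even though the close_notify alert went out cleanly) can be reproduced on a loopback pair. The script below is an added example, not from the thread or from stunnel, and the function and payload names are its own. It closes the client side either abortively (SO_LINGER with a zero linger time) or orderly (shutdown followed by close) and returns what the peer, standing in for stunnel, observes after draining the data.

```python
"""Orderly versus abortive TCP close as seen by the peer. Added example, not
part of the original thread. SO_LINGER with l_onoff=1 and l_linger=0 makes
close() reset the connection; the peer's read then fails with ECONNRESET,
which is what stunnel logs as "SSL_read: Connection reset by peer"."""

import socket
import struct


def _pair():
    """Return a connected loopback pair (peer/server side, client side)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    srv.close()
    conn.settimeout(5)                  # never hang the demonstration
    return conn, cli


def close_and_observe(abortive, payload=b"hello over the tunnel\n"):
    """Send `payload` from the client, close the client abortively (RST) or
    orderly (FIN), and return "RST" or "FIN" according to what the peer sees
    once the data have been read."""
    conn, cli = _pair()
    try:
        cli.sendall(payload)
        if abortive:
            # struct linger { int l_onoff; int l_linger; } = {1, 0}:
            # discard the send queue and reset instead of the FIN handshake.
            cli.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            cli.close()
        else:
            # Orderly close: FIN after all queued data, then release the fd.
            cli.shutdown(socket.SHUT_WR)
            cli.close()

        try:
            while True:
                chunk = conn.recv(4096)
                if not chunk:           # FIN: clean end of stream
                    return "FIN"
        except ConnectionResetError:    # RST: ECONNRESET on read
            return "RST"
    finally:
        conn.close()


if __name__ == "__main__":
    print("abortive close, peer sees:", close_and_observe(True))   # RST
    print("orderly close, peer sees:", close_and_observe(False))   # FIN
```

The fix for the application is therefore not to "send FIN" explicitly but to stop asking for the abortive behaviour: leave SO_LINGER unset (or set l_onoff=0), and end a session with shutdown(SHUT_WR) after the last write so the peer reads a zero-length result instead of an error. A non-zero l_linger is the blocking-close variant and does not produce a reset; only the zero-timeout form does.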
From: dgillingham+stunnel at gmail.com (David Gillingham)
Date: Tue, 13 Jun 2006 14:25:23 -0500
Subject: [stunnel-users] Modifying STunnel to use OpenSSL FIPS
In-Reply-To: <200606121932.49548.Michal.Trojnara@mobi-com.net>
References: <5d6d2b290606120704g5b4c25e1gefbb92ae3f96f53e@mail.gmail.com> <200606121932.49548.Michal.Trojnara@mobi-com.net>
Message-ID: <5d6d2b290606131225q5b9011eby4d9fa381fc23054e@mail.gmail.com>

Thanks for the quick response, Michal.

There's another item in my original message that I'd like you to address. I want the consequences of the FIPS_mode_set() call failing to be a little more severe than just an error message being logged. I'd like it to trigger the "Stunnel is down due to an error...Click OK to see the error log window." message box and not accept connections. I noticed that some of the other routines in ssl.c use sslerror(), but calling that caused a program crash. So given my original code, I'd like it to eventually look something like this:

  #if defined(OPENSSL_FIPS) && defined(USE_FIPS)
      if (!FIPS_mode_set(1)) {
          /* OpenSSL could not be set to use FIPS mode */
          /* Since we only want to use FIPS mode, throw an error message
           * and do not let stunnel accept network connections */
          throw_error("Could not change to FIPS mode!");
      } else {
          s_log(LOG_INFO, "In FIPS mode.");
      }
  #endif
      /* rest of ssl_init() from original source */
  }   /* end of ssl_init() */

Which function should I call to achieve this?
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Tue, 13 Jun 2006 23:37:36 +0200
Subject: [stunnel-users] Modifying STunnel to use OpenSSL FIPS
In-Reply-To: <5d6d2b290606131225q5b9011eby4d9fa381fc23054e@mail.gmail.com>
References: <5d6d2b290606120704g5b4c25e1gefbb92ae3f96f53e@mail.gmail.com> <200606121932.49548.Michal.Trojnara@mobi-com.net> <5d6d2b290606131225q5b9011eby4d9fa381fc23054e@mail.gmail.com>
Message-ID: <200606132337.39193.Michal.Trojnara@mobi-com.net>

On Tuesday 13 June 2006 21:25, David Gillingham wrote:
> I'd like it to
> trigger the "Stunnel is down due to an error...Click OK to the see the
> error log window." message box and not accept connections.

exit() currently does it for you on Win32. In common.h you'll find:

#define exit(c) exit_stunnel(c)

Not really good style. I'm going to redesign this code one day.

> I noticed that some of the other routines in ssl.c use sslerror(),
> but calling that caused a program crash.

Maybe that's because you're trying to use error strings before loading them with SSL_load_error_strings(). 8-)

Best regards,
Mike

From Michal.Trojnara at mobi-com.net Tue Jun 13 23:44:50 2006
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Tue, 13 Jun 2006 23:44:50 +0200
Subject: [stunnel-users] CRLPath not working
Message-ID: <200606132344.53413.Michal.Trojnara@mobi-com.net>

On Tuesday 13 June 2006 02:14, Nagasundaram, Sekhar wrote:
> Here are the configuration and the log files as you requested....

Thank you. Please try the following change:

--- ctx.old 2006-06-13 23:33:29.000000000 +0200
+++ ctx.c 2006-06-13 23:35:33.000000000 +0200
@@ -460,6 +460,7 @@ s_log(LOG_DEBUG, "Loaded CRLs from %s", section->crl_file); } if(section->crl_dir) { + section->revocation_store->cache=0; lookup=X509_STORE_add_lookup(section->revocation_store, X509_LOOKUP_hash_dir()); if(!lookup) { BTW: Did my workaround work? Best regards, Mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From shatadal_ghosh at hotmail.com Wed Jun 14 13:22:02 2006 
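Review bot: `section->revocation_store->cache=0;` reaches into the X509_STORE structure directly and carries no explanation; add a comment saying the store's lookup cache is switched off so a CRL replaced in the CRLpath directory is re-read instead of the stale cached copy being used (the refresh behaviour this thread is about), and note that the line depends on OpenSSL's internal struct layout, since no public accessor sets this field.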
From: shatadal_ghosh at hotmail.com (Shatadal Ghosh)
Date: Wed, 14 Jun 2006 06:22:02 -0500
Subject: [stunnel-users] Stunnel Crash: Gmail SMTP over TLS

Hi,

I am using stunnel 4.15 on Windows XP SP1 with Mozilla Thunderbird as the e-mail client. I do not have OpenSSL installed locally. I do have the libssl32.dll and libeay32.dll in the same directory as stunnel.exe (C:\Program Files\stunnel). I am running stunnel as a service.

Stunnel crashes when I use it to send e-mail (SMTP via TLS) via gmail. According to the e-mail client configuration page on the gmail website http://mail.google.com/support/bin/answer.py?answer=13287&topic=1555 I tried to use SMTP over TLS to connect to smtp.gmail.com:587

My gmail-smtps block in stunnel.conf was

; SMTP service, listens on localhost:250
[gmail-smtps]
protocol=smtp
accept=localhost:250
connect=smtp.gmail.com:587

On trying to send an e-mail message via the above configuration stunnel crashed. The log file is as follows

2006.06.14 03:17:15 LOG5[3956:3512]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005
2006.06.14 03:17:15 LOG5[3956:3512]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.06.14 03:17:15 LOG5[3956:3600]: No limit detected for the number of clients
2006.06.14 03:17:15 LOG7[3956:3600]: FD 172 in non-blocking mode
2006.06.14 03:17:15 LOG7[3956:3600]: SO_REUSEADDR option set on accept socket
2006.06.14 03:17:15 LOG7[3956:3600]: gmail-pop3s bound to 127.0.0.1:1100
2006.06.14 03:17:15 LOG7[3956:3600]: FD 180 in non-blocking mode
2006.06.14 03:17:15 LOG7[3956:3600]: SO_REUSEADDR option set on accept socket
2006.06.14 03:17:15 LOG7[3956:3600]: gmail-smtps bound to 127.0.0.1:250
....# info about other mail connections
2006.06.14 03:17:26 LOG7[3956:3600]: gmail-smtps accepted FD=236 from 127.0.0.1:3665
2006.06.14 03:17:26 LOG7[3956:3600]: Creating a new thread
2006.06.14 03:17:26 LOG7[3956:3600]: New thread created
2006.06.14 03:17:26 LOG7[3956:2812]: gmail-smtps started
2006.06.14 03:17:26 LOG7[3956:2812]: FD 236 in non-blocking mode
2006.06.14 03:17:26 LOG7[3956:2812]: TCP_NODELAY option set on local socket
2006.06.14 03:17:26 LOG5[3956:2812]: gmail-smtps connected from 127.0.0.1:3665
2006.06.14 03:17:26 LOG7[3956:2812]: FD 268 in non-blocking mode
2006.06.14 03:17:26 LOG7[3956:2812]: gmail-smtps connecting 64.233.167.111:587
2006.06.14 03:17:26 LOG7[3956:2812]: connect_wait: waiting 10 seconds
2006.06.14 03:17:26 LOG7[3956:2812]: connect_wait: connected
2006.06.14 03:17:26 LOG7[3956:2812]: Remote FD=268 initialized
2006.06.14 03:17:26 LOG7[3956:2812]: TCP_NODELAY option set on remote socket
2006.06.14 03:17:26 LOG5[3956:2812]: Negotiations for smtp (client side) started
2006.06.14 03:17:26 LOG7[3956:2812]: <- 220 mx.gmail.com ESMTP w66sm450524pyw
2006.06.14 03:17:26 LOG7[3956:2812]: -> 220 mx.gmail.com ESMTP w66sm450524pyw

What mistake am I making?

Fortunately it seems that gmail supports SMTP over SSL too (smtp.gmail.com:465) and I am using that. However I am also facing this problem with another account which unfortunately allows SMTP only over TLS.

Thanks,
Shatadal.

From Claus.Lund at state.vt.us Wed Jun 14 21:20:52 2006
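An added illustration, not stunnel's own protocol.c and not Shatadal's setup, of the client-side STARTTLS prelude behind the "Negotiations for smtp (client side)" lines above: relay the server greeting to the local mail client, send our own EHLO, insist that STARTTLS is advertised and accepted, and only then hand the server socket to TLS. Peers are in-memory stand-ins; the server transcript is constructed, with the greeting copied from the log.

```python
from collections import deque


class Peer:
    """In-memory stand-in for one side of the relay (constructed): scripted
    lines the peer will send us, and the lines we sent to it."""

    def __init__(self, scripted_lines=()):
        self.inbox = deque(scripted_lines)
        self.sent = []

    def readline(self):
        if not self.inbox:
            # Peer hung up mid-negotiation: fail loudly, never half-handshake.
            raise ConnectionError("peer closed the connection")
        return self.inbox.popleft()

    def write(self, line):
        self.sent.append(line)


def read_reply(peer):
    """Read one complete SMTP reply, including '250-...' continuation lines.
    Returns (code, raw_lines); raises ValueError on anything malformed."""
    code, lines = None, []
    while True:
        line = peer.readline()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        if code is None:
            code = line[:3]
        elif line[:3] != code:
            raise ValueError("reply code changed mid-reply: %r" % line)
        lines.append(line)
        sep = line[3:4]  # '' (code only) or ' ' ends the reply, '-' continues
        if sep in ("", " "):
            return code, lines
        if sep != "-":
            raise ValueError("bad reply separator: %r" % line)


def smtp_client_negotiation(client, server, helo_name="localhost"):
    """Plaintext prelude of SMTP STARTTLS on the server connection. Returns
    the advertised capabilities; raises ValueError rather than ever letting
    the session continue in clear."""
    code, greeting = read_reply(server)
    if code != "220":
        raise ValueError("unexpected greeting: %r" % greeting)
    for raw in greeting:  # the '<- 220' / '-> 220' pair in the log above
        client.write(raw)

    server.write("EHLO " + helo_name)
    code, ehlo = read_reply(server)
    if code != "250":
        raise ValueError("EHLO rejected: %r" % ehlo)
    # ehlo[0] is the server's domain line; the rest are capability keywords
    caps = [raw[4:].split()[0].upper() for raw in ehlo[1:] if raw[4:].strip()]
    if "STARTTLS" not in caps:
        raise ValueError("server does not advertise STARTTLS")

    server.write("STARTTLS")
    code, ready = read_reply(server)
    if code != "220":
        raise ValueError("STARTTLS refused: %r" % ready)
    # A real wrapper now runs the TLS handshake on `server`; the client's own
    # EHLO and the rest of the session are relayed only after that.
    return caps


# Constructed transcripts; only the greeting is taken from the log above.
GMAIL_LIKE_SERVER = [
    "220 mx.gmail.com ESMTP w66sm450524pyw",
    "250-mx.gmail.com at your service",
    "250-SIZE 28311552",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
    "220 2.0.0 Ready to start TLS",
]
NO_STARTTLS_SERVER = [
    "220 legacy.example ESMTP",
    "250-legacy.example",
    "250 8BITMIME",
]


def negotiate_against(script):
    """Returns (capabilities, lines relayed to client, lines sent to server)."""
    client, server = Peer(), Peer(script)
    caps = smtp_client_negotiation(client, server)
    return caps, client.sent, server.sent


def negotiation_error(script):
    """Name of the exception the negotiation raises for a script, or None."""
    try:
        negotiate_against(script)
    except (ValueError, ConnectionError) as exc:
        return type(exc).__name__
    return None
```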
From: Claus.Lund at state.vt.us (Lund, Claus)
Date: Wed, 14 Jun 2006 15:20:52 -0400
Subject: [stunnel-users] Is there a limit to the number of services you can have defined on a client?
Message-ID: <122EBE532F30DA41A22238B50AA7C6ED160E62@be06-vsms.vsms.state.vt.us>

We have a bunch of middle-tier servers for an application and we're using stunnel to encrypt the traffic between the Windows clients and those middle-tier servers. The clients have stunnel.conf files with a large number of services defined and it seems like we're hitting some limit in stunnel.

I ran some quick tests and it looks like it's impossible to have more than 64 services defined? If I have a config file with about 100 services defined then everything works fine up until I try to connect to service number 65. When I try to connect to that service the client just hangs forever (and there's no output in the log file on the client). We are using version 4.14 but I tested this on 4.15 as well and I am getting the same result there.

Here's a piece of the config file I am using for testing:

client = yes
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

[blah]
accept = 13806
connect = tax187a:13806

[blah1]
accept = 13807
connect = tax187a:13806

Then followed by blah2 - blah100. Things work fine when connecting to "blah63" and lower. Anything higher than that causes the stunnel client to just hang.

Thank you in advance,
Claus

____________________________________________
Claus Lund
Systems Developer
NEW EMAIL ADDRESS: Claus.Lund at state.vt.us
Department of Taxes
Information Systems
133 State Street
Montpelier, Vermont 05633-1401
(802) 828-3735

From Michal.Trojnara at mobi-com.net Wed Jun 14 22:10:39 2006
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Wed, 14 Jun 2006 22:10:39 +0200
Subject: [stunnel-users] Is there a limit to the number of services you can have defined on a client?
In-Reply-To: <122EBE532F30DA41A22238B50AA7C6ED160E62@be06-vsms.vsms.state.vt.us>
References: <122EBE532F30DA41A22238B50AA7C6ED160E62@be06-vsms.vsms.state.vt.us>

On 2006-06-14, at 21:20, Lund, Claus wrote:
> I ran
> some quick tests and it looks like it's impossible to have more than 64
> services defined?

Here is your answer:
http://stunnel.mirt.net/pipermail/stunnel-users/2006-April/001099.html

Best regards,
Mike

From Claus.Lund at state.vt.us Wed Jun 14 22:18:33 2006
From: Claus.Lund at state.vt.us (Lund, Claus)
Date: Wed, 14 Jun 2006 16:18:33 -0400
Subject: [stunnel-users] Is there a limit to the number of services you can have defined on a client?
Message-ID: <122EBE532F30DA41A22238B50AA7C6ED160E65@be06-vsms.vsms.state.vt.us>

Thanks Mike. Any chance the default could be increased? Really, what's 4MB of RAM between friends (for the example in your answer)? :-)

And maybe implement an error/warning message when the limit is exceeded?

-Claus

From Michal.Trojnara at mobi-com.net Wed Jun 14 22:22:34 2006
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Wed, 14 Jun 2006 22:22:34 +0200
Subject: [stunnel-users] Is there a limit to the number of services you can have defined on a client?
In-Reply-To: <122EBE532F30DA41A22238B50AA7C6ED160E65@be06-vsms.vsms.state.vt.us>
References: <122EBE532F30DA41A22238B50AA7C6ED160E65@be06-vsms.vsms.state.vt.us>
Message-ID: <296926f0f04d9a94dd3dd2a4c7ab149f@mobi-com.net>

On 2006-06-14, at 22:18, Lund, Claus wrote:
> Any chance the default could be increased? Really, what's 4MB of RAM
> between friends (for the example in your answer)? :-)

Okay. What value do you recommend?

> And maybe implement an error/warning message when the limit is
> exceeded?

Good idea. I'll do it.

Best regards,
Mike

From Claus.Lund at state.vt.us Wed Jun 14 22:25:07 2006
From: Claus.Lund at state.vt.us (Lund, Claus)
Date: Wed, 14 Jun 2006 16:25:07 -0400
Subject: [stunnel-users] Is there a limit to the number of services you can have defined on a client?
Message-ID: <122EBE532F30DA41A22238B50AA7C6ED160E67@be06-vsms.vsms.state.vt.us>

Well, we need about 100+ in our current environment. So how about increasing it to maybe 256?

-Claus

From snagasun at visa.com Thu Jun 15 18:47:32 2006
From: snagasun at visa.com (Nagasundaram, Sekhar)
Date: Thu, 15 Jun 2006 09:47:32 -0700
Subject: [stunnel-users] Re: CRLPath not working (Michal Trojnara)

Michael:

We will give this also a shot. The workaround worked however.

Much thanks
Sekhar

From ahall at madasafish.com Fri Jun 23 18:01:24 2006
From: ahall at madasafish.com (ahall at madasafish.com)
Date: Fri, 23 Jun 2006 17:01:24 +0100
Subject: [stunnel-users] enabling zlib compression

An embedded and charset-unspecified text was scrubbed...

From yupp at centrum.sk Fri Jun 23 23:22:59 2006
From: yupp at centrum.sk (Peter Kuma)
Date: Fri, 23 Jun 2006 23:22:59 +0200
Subject: [stunnel-users] Patch for stunnel 4.15 to support pgsql protocol
Message-ID: <449C5BB3.50108@centrum.sk>

Hi

I've written a short patch for stunnel 4.15 adding support for PostgreSQL SSL negotiation. I hope it'll be useful.

http://vcielka.rec.uniba.sk/~peter/stunnel-pgsql.patch

PostgreSQL documentation explaining how to establish an SSL connection:

http://www.postgresql.org/docs/8.1/interactive/protocol-flow.html#AEN60652
http://www.postgresql.org/docs/8.1/interactive/protocol-message-formats.html

Regards
Peter Kuma

From davehinz at gmail.com Sat Jun 24 00:20:22 2006
From: davehinz at gmail.com (Dave Hinz)
Date: Fri, 23 Jun 2006 17:20:22 -0500
Subject: [stunnel-users] Solaris9/Sparc runtime library problems
Message-ID: <5887232a0606231520u3af2c17cv4a4ad0a144a852da@mail.gmail.com>

This is probably a very basic problem, but I've checked the FAQ and googled through the mailing list's archives and I'm not seeing what appears to be a match for this problem. I'm completely new to stunnel. It built and runs just fine on one of my Linux dev boxes, but on Solaris, I can't get it to run.

Attempting to run /usr/local/sbin/stunnel, I get the following:

---begin output---
jabba% ./stunnel
ld.so.1: ./stunnel: fatal: libssl.so.0.9.7: open failed: No such file or directory
Killed
---end output---

The various debug switches to stunnel give the same output - it's dying before anything can be started, apparently.

libssl.so.0.9.7 is located on that box at /usr/local/ssl/lib/libssl.so.0.9.7 and other SSL functions of the system appear to work normally. I suspect that stunnel just doesn't know how to find it, but I'm at a loss as to how to tell it where to look. Can someone suggest my next steps please?

Thank you,
Dave Hinz

From Richard.Hall at ingenta.com Sat Jun 24 00:57:41 2006
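Back to Peter Kuma's pgsql patch above: the negotiation it adds, written out as an added Python example (not the patch's code and not PostgreSQL's). Per the protocol documentation he links, the client opens with an 8-byte SSLRequest (Int32 length 8, Int32 code 80877103) and the server answers a single 'S' or 'N' before any TLS record flows; the server-mode check below also recognises a plaintext StartupMessage or CancelRequest so a wrapper can refuse them instead of forwarding them. Peer is an in-memory stand-in for a socket.

```python
import struct

# Request codes from the PostgreSQL frontend/backend protocol docs linked above
SSL_REQUEST_CODE = 80877103     # (1234 << 16) | 5679
CANCEL_REQUEST_CODE = 80877102  # (1234 << 16) | 5678
PROTOCOL_3_MAJOR = 3            # a plaintext StartupMessage carries (3 << 16) | minor


def build_ssl_request():
    """SSLRequest: Int32 length (8, counting itself) + Int32 request code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def classify_first_message(data):
    """Identify the first 8 bytes a client sends on a fresh connection:
    'ssl' (SSLRequest), 'cancel' (CancelRequest) or 'startup' (a plaintext
    StartupMessage). Raises ValueError for anything else."""
    if len(data) < 8:
        raise ValueError("need 8 bytes, got %d" % len(data))
    length, code = struct.unpack("!II", data[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return "ssl"
    if length == 16 and code == CANCEL_REQUEST_CODE:
        return "cancel"
    if code >> 16 == PROTOCOL_3_MAJOR and length >= 8:
        return "startup"
    raise ValueError("unrecognised first message: length=%d code=%#x" % (length, code))


class Peer:
    """Byte-stream stand-in for a socket (constructed): scripted bytes we can
    read from the peer, plus everything we wrote to it."""

    def __init__(self, scripted=b""):
        self.inbox = bytearray(scripted)
        self.sent = b""

    def read(self, n):
        chunk, self.inbox = bytes(self.inbox[:n]), self.inbox[n:]
        if len(chunk) < n:
            raise ConnectionError("peer closed the connection")
        return chunk

    def write(self, data):
        self.sent += data


def client_side(server):
    """Client mode (psql -> wrapper in plaintext, wrapper -> real server):
    send SSLRequest and continue only on 'S'. Returns True when TLS may start;
    'N' is an error here, never a silent fall-back to plaintext."""
    server.write(build_ssl_request())
    answer = server.read(1)
    if answer == b"S":
        return True
    if answer == b"N":
        raise ValueError("server refused SSL; not falling back to plaintext")
    raise ValueError("unexpected reply to SSLRequest: %r" % answer)  # e.g. 'E'


def server_side(client):
    """Server mode (remote client -> wrapper, wrapper -> local postgres): the
    client's first message must be SSLRequest; answer 'S' so it starts TLS.
    A plaintext StartupMessage or CancelRequest is refused, not forwarded."""
    kind = classify_first_message(client.read(8))
    if kind != "ssl":
        raise ValueError("client sent a %s message instead of SSLRequest" % kind)
    client.write(b"S")
    return True


def outcome(negotiate, peer):
    """Run negotiate(peer); returns ('ok' or the exception name, bytes sent)."""
    try:
        negotiate(peer)
        return "ok", peer.sent
    except (ValueError, ConnectionError) as exc:
        return type(exc).__name__, peer.sent
```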
From: Richard.Hall at ingenta.com (Richard.Hall)
Date: Fri, 23 Jun 2006 23:57:41 +0100 (BST)
Subject: [stunnel-users] Solaris9/Sparc runtime library problems
In-Reply-To: <5887232a0606231520u3af2c17cv4a4ad0a144a852da@mail.gmail.com>

Dave,

On Fri, 23 Jun 2006, Dave Hinz wrote:
> This is probably a very basic problem, but I've checked the FAQ and
> googled through the mailing list's archives and I'm not seeing what
> appears to be a match for this problem. I'm completely new to
> stunnel. It built and runs just fine on one of my linux dev boxes,
> but on Solaris, I can't get it to run.
>
> Attempting to run /usr/local/sbin/stunnel, I get the following:
>
> ---begin output---
> jabba% ./stunnel
> ld.so.1: ./stunnel: fatal: libssl.so.0.9.7: open failed: No such file
> or directory
> Killed
> ---end output---
>
> The various debug switches to stunnel give the same output - it's
> dying before anything can be started, apparently.
>
> libssl.so.0.9.7 is located on that box at
> /usr/local/ssl/lib/libssl.so.0.9.7 and other ssl functions of the
> system appear to work normally. I suspect that stunnel just doesn't
> know how to find it, but I'm at a loss as to how to tell it where to
> look. Can someone suggest my next steps please?

I'm aware of (at least) three ways to go about fixing this:

1) Mess around with crle(1) to modify the loading environment system-wide. I've never (yet) been down this road myself, so can only suggest you read the man page.

2) Set LD_LIBRARY_PATH at run-time so that stunnel can find the library. At the moment, 'ldd stunnel' will probably say something like

   ...
   libssl.so.0.9.7 => (file not found)
   ...

whereas 'LD_LIBRARY_PATH=/usr/local/ssl/lib ldd stunnel' will hopefully say

   ...
   libssl.so.0.9.7 => /usr/local/ssl/lib/libssl.so.0.9.7
   ...

3) Set LD_RUN_PATH at _compile_ time, so that the location is built into the stunnel binary.
I did this at configure time - my notes from a while back say :-

./configure --prefix=/usr/local/stunnel-4.13 --disable-libwrap \
    --with-ssl=/usr/local/openssl-0.9.7 \
    LDFLAGS='-R /usr/local/openssl-0.9.7/lib'

(LDFLAGS='-R ... is equivalent to setting LD_RUN_PATH, though I can't now remember exactly how/why!)

If you run 'dump' on the resulting binary, you will see something like

$ dump -Lv stunnel

stunnel:

  **** DYNAMIC SECTION INFORMATION ****
.dynamic:
[INDEX] Tag      Value
[...]
[5]     NEEDED   libssl.so.0.9.7
[...]
[10]    RUNPATH  /usr/local/openssl-0.9.7/lib
[11]    RPATH    /usr/local/openssl-0.9.7/lib
[...]

My understanding is that (2) is frowned upon by purists, (3) is fine if you want to fix up a single application, and (1) is better if you will be wanting to incorporate openssl into a number of applications. YMMV etc.

HTH,
Richard

From ahall at madasafish.com Mon Jun 26 12:26:36 2006
From: ahall at madasafish.com (ahall at madasafish.com)
Date: Mon, 26 Jun 2006 11:26:36 +0100
Subject: [stunnel-users] Re: enabling zlib compression

An embedded and charset-unspecified text was scrubbed...

From ahall at madasafish.com Mon Jun 26 14:09:36 2006
From: ahall at madasafish.com (ahall at madasafish.com)
Date: Mon, 26 Jun 2006 13:09:36 +0100
Subject: [stunnel-users] Re: enabling zlib compression

An embedded and charset-unspecified text was scrubbed...

From dgillingham+stunnel at gmail.com Mon Jun 26 23:00:44 2006
From: dgillingham+stunnel at gmail.com (David Gillingham)
Date: Mon, 26 Jun 2006 16:00:44 -0500
Subject: [stunnel-users] Patch to fix compile errors under MS Visual C++ 2005
Message-ID: <5d6d2b290606261400l2d1613adk74393c4a99c28586@mail.gmail.com>

Attached is a patch for stunnel 4.15 that allows the source to be built under Microsoft Visual Studio 2005. Here's a rundown of what's been changed:

In common.h, I included io.h and fcntl.h so that pty.c would build without error.

In env.c, I included the winsock headers (replicating how it was done for common.h), and removed a duplicate include of sys/socket.h. The latter change wasn't necessary for compilation with MSVC, but I thought I'd remove what looked like an unnecessary line.

To get stunnel to build without warning, I defined the following preprocessor definitions:

USE_WIN32
_CRT_SECURE_NO_DEPRECATE
_CRT_NONSTDC_NO_DEPRECATE
HAVE_GETADDRINFO
HAVE_GETNAMEINFO
_MBCS

Later in the week, I'll post a patch to vs.mak to automate the build process (I'm still building with a solution file at the moment).

To the stunnel developers: If there's anything extra I can do to ensure these changes are incorporated into the next release, please let me know.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4.15-MSVC2005.patch
Type: application/octet-stream
Size: 1897 bytes

From ahall at madasafish.com Tue Jun 27 13:01:15 2006
From: ahall at madasafish.com (ahall at madasafish.com)
Date: Tue, 27 Jun 2006 12:01:15 +0100
Subject: [stunnel-users] Re: enabling zlib compression

An embedded and charset-unspecified text was scrubbed...

From sehrawat_dheeraj at yahoo.com Wed Jun 28 05:43:28 2006
From: sehrawat_dheeraj at yahoo.com (Dheeraj Sehrawat)
Date: Tue, 27 Jun 2006 20:43:28 -0700 (PDT)
Subject: [stunnel-users] stunnel.cfg file
Message-ID: <20060628034328.40747.qmail@web31510.mail.mud.yahoo.com>

Hi All,

I am looking at a problem and found the system is using stunnel with a web server. From my Google search I have understood that stunnel is used to make the application SSL enabled. Please validate my understanding.

I found the following stunnel.cfg file in the properties directory

Port0
Enabled=0
ExternalPort=0
LocalPort=0
SSLEnabled=0
UDP=0

Port1
Enabled=1
ExternalPort=1500
LocalPort=10080
SSLEnabled=0

Port2
Enabled=0
ExternalPort=1600
LocalPort=10080
SSLEnabled=1
------------------------------------------------------

I have the following questions:

1] What is the meaning of ExternalPort and LocalPort? How do these ports relate to each other?

Please help me in understanding this configuration file.

Thanks,
Dheeraj

From dgillingham+stunnel at gmail.com Wed Jun 28 18:14:16 2006
From: dgillingham+stunnel at gmail.com (David Gillingham)
Date: Wed, 28 Jun 2006 11:14:16 -0500
Subject: [stunnel-users] patch to build stunnel 4.15 with VS2005
Message-ID: <5d6d2b290606280914m20750959ge9a90b3fd3d78aa4@mail.gmail.com>

All--

I have created a patch that will allow stunnel 4.15 to be built with Visual Studio 2005's command line environment. I have only tested it with VS2k5, but it should work for all Visual Studio .NET versions (that is, VS 7.0 or later).

After you apply this patch to the source tree, you will need to run the makefile from a Visual Studio Command prompt (Start->Programs->Visual Studio->Visual Studio Tools->Visual Studio Command Prompt). From there, change the working directory to the stunnel\src folder and execute the command "nmake -f vs.mak all". After the build process has completed, you will have a working stunnel.exe.

This patch will modify vc.mak to a working makefile for nmake (mimicking the basic structure of mingw.mak), common.h to include a couple of missing headers for the I/O functions in pty.c, and env.c to include the winsock headers under the Win32 environment (replicating how it was done in common.h).

This patch is a result of internal testing/development I've done here at work and I am releasing it to this list (and the stunnel developers) so that these changes could possibly be included in future stunnel releases. To the stunnel devs: if there's any additional work that can be done to get this integrated by the next release, just mention it.

The other day, I tried sending the patch to the list as an attachment, but my message never showed up on either the mirt.net or Google Groups mirrors. I can only assume it was rejected because of the attachment. What follows is the full text of my patch file.
> cat 4.15-MSVC2005.patch diff -cr stunnel-4.15-orig/src/common.h stunnel-4.15/src/common.h *** stunnel-4.15-orig/src/common.h Fri Mar 10 08:54:56 2006 --- stunnel-4.15/src/common.h Fri Jun 23 21:41:00 2006 *************** *** 153,158 **** --- 153,164 ---- #endif #include + /* include Visual Studio headers needed for I/O manipulation */ + #ifdef _MSC_VER + #include + #include + #endif + #define ECONNRESET WSAECONNRESET #define ENOTSOCK WSAENOTSOCK #define ENOPROTOOPT WSAENOPROTOOPT diff -cr stunnel-4.15-orig/src/env.c stunnel-4.15/src/env.c *** stunnel-4.15-orig/src/env.c Sat Jan 7 13:47:36 2006 --- stunnel-4.15/src/env.c Mon Jun 26 21:11:25 2006 *************** *** 31,45 **** /* getpeername() can't be declared in the following includes */ #define getpeername no_getpeername #include #include /* for AF_INET */ #include #include /* for inet_addr() */ #include /* for getenv() */ #ifdef __BEOS__ #include /* for AF_INET */ #include /* for AF_INET */ - #else - #include /* for AF_INET */ #endif #undef getpeername --- 31,52 ---- /* getpeername() can't be declared in the following includes */ #define getpeername no_getpeername #include + #ifdef USE_WIN32 + #ifdef _WIN32_WCE + #include + #else + #include + #include + #endif /* _WIN32_WCE */ + #else /* USE_WIN32 */ #include /* for AF_INET */ #include #include /* for inet_addr() */ + #endif /* USE_WIN32 */ #include /* for getenv() */ #ifdef __BEOS__ #include /* for AF_INET */ #include /* for AF_INET */ #endif #undef getpeername diff -cr stunnel-4.15-orig/src/vc.mak stunnel-4.15/src/vc.mak *** stunnel-4.15-orig/src/vc.mak Sat Jan 21 10:17:32 2006 --- stunnel-4.15/src/vc.mak Tue Jun 27 21:02:15 2006 *************** *** 1,2 **** ! # makefile for VC is not ready... --- 1,45 ---- ! # Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2006 ! # ! # Modified by David Gillingham (dgillingham at gmail.com) for Visual ! # Studio ! ! # Modify this to point to your actual openssl compile directory ! 
# (You did already compile openssl, didn't you???) ! SSLDIR=..\..\openssl-0.9.7j ! ! DEFINES=-DUSE_WIN32 -D_CRT_SECURE_NO_DEPRECATE \ ! -D_CRT_NONSTDC_NO_DEPRECATE -DHAVE_GETADDRINFO \ ! -DHAVE_GETNAMEINFO -D_MBCS ! CC=cl ! CFLAGS=-MD -W3 -Ox -O2 -Ob2 -Gs0 -GF -Gy -GL -nologo \ ! -I"$(SSLDIR)\inc32" $(DEFINES) ! ! LINK=link ! LDFLAGS=-INCREMENTAL:NO -NOLOGO -SUBSYSTEM:WINDOWS -OPT:REF \ ! -OPT:ICF -LTCG -MACHINE:X86 -ERRORREPORT:PROMPT ! LIBS=-LIBPATH:"$(SSLDIR)\out32dll" wsock32.lib ssleay32.lib \ ! libeay32.lib user32.lib gdi32.lib shell32.lib comdlg32.lib \ ! advapi32.lib ! ! OBJS=stunnel.obj ssl.obj ctx.obj file.obj client.obj protocol.obj \ ! sthreads.obj log.obj options.obj network.obj resolver.obj \ ! gui.obj ! ! ! all: stunnel.exe ! ! clean: ! del $(OBJS) resources.res ! del *.manifest ! del stunnel.exe ! ! stunnel.exe: $(OBJS) resources.res ! $(LINK) $(LDFLAGS) $(LIBS) -OUT:$@ $** ! IF EXIST $@.manifest mt -manifest $@.manifest -outputresource:$@;1 ! ! resources.res: resources.rc resources.h stunnel.ico ! rc /fo $@ resources.rc ! ! $(OBJS): $*.c *.h ! $(CC) $(CFLAGS) -c $*.c From davehinz at gmail.com Wed Jun 28 20:02:46 2006 
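Review bot: the common.h hunk adds two `_MSC_VER`-guarded includes that, per the covering message, exist only so pty.c compiles, yet the vc.mak hunk's OBJS list (`stunnel.obj ssl.obj ctx.obj ... gui.obj`) never builds pty.c; drop this hunk from the Windows patch, or, if pty.c really is compiled somewhere, say in the comment which of its calls needs io.h and fcntl.h.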
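Review bot: the env.c hunk wraps the socket includes in `#ifdef USE_WIN32` / `_WIN32_WCE` and deletes the `#else` branch of `#ifdef __BEOS__`, but env.obj is not in the vc.mak OBJS list either, so nothing in the MSVC build compiles this file; keep the Win32 branch out of a build-fix patch and submit the duplicate-include removal separately with its own justification, so the MSVC change stays minimal and reviewable.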
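Review bot: the covering message tells the reader to run `nmake -f vs.mak all` while this hunk modifies `src/vc.mak`; one of the two names is wrong. Within the hunk, `SSLDIR=..\..\openssl-0.9.7j` hard-codes one OpenSSL version as a relative path (the comment could add that a command-line `nmake SSLDIR=...` overrides it), and `$(OBJS): $*.c *.h` makes every object depend on every header, so any header change rebuilds the whole tree.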
From: davehinz at gmail.com (Dave Hinz)
Date: Wed, 28 Jun 2006 13:02:46 -0500
Subject: [stunnel-users] stunnel in proxy mode won't start
Message-ID: <5887232a0606281102n4e9cc2bai21daaa56c8fd566b@mail.gmail.com>

I'm trying to run stunnel in proxy mode, to accept connections on port 443, and forward them to an application listening at port 9999 on the same box. I believe I have the configuration correct, but I'm obviously overlooking something.

Environment: stunnel 4.15 on sparc-sun-solaris2.9 with OpenSSL 0.9.7g 11 Apr 2005

I have built a stunnel.conf file, and a stunnel.pem file which are located in the correct place with the right permissions. I verified that by moving or changing permissions and seeing that errors were produced.

I've changed the debug level to 7, and the following information is displayed when I try to start stunnel:

cert# stunnel
2006.06.28 13:01:14 LOG7[9088:1]: Snagged 64 random bytes from /users/dave/.rnd
2006.06.28 13:01:14 LOG7[9088:1]: Wrote 1024 new random bytes to /users/dave/.rnd
2006.06.28 13:01:14 LOG7[9088:1]: RAND_status claims sufficient entropy for the PRNG
2006.06.28 13:01:14 LOG6[9088:1]: PRNG seeded successfully
2006.06.28 13:01:14 LOG7[9088:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2006.06.28 13:01:14 LOG7[9088:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2006.06.28 13:01:14 LOG7[9088:1]: Verify directory set to /
2006.06.28 13:01:14 LOG5[9088:1]: Peer certificate location /
2006.06.28 13:01:14 LOG7[9088:1]: SSL context initialized for service test
cert#

Same thing if I run it as

stunnel stunnel.conf -fd

The prompt comes back immediately, ps -ef shows no stunnel running, and nothing is answering on port 443 which is where I'm telling it to listen:

stunnel.conf file:

cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/etc/stunnel
# PID is created inside chroot jail
pid = /pid/stunnel.pid
#setuid = nobody
#setgid = nogroup

# Authentication stuff
verify = 3
# don't forget about c_rehash CApath
# it is located inside chroot jail:
CApath = /

# Some debugging stuff
debug = 7
output = stunnel.log

# Use it for client mode
client = no

# Service-level configuration
[test]
accept = 127.0.0.1:443
connect = 127.0.0.1:9999
#TIMEOUTclose = 0
---end stunnel.conf file---

The pem files are located in the same directory as the stunnel.conf, hence the "/" for the pathname above.

What am I overlooking please?

From Michal.Trojnara at mobi-com.net Thu Jun 29 11:33:43 2006
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Thu, 29 Jun 2006 11:33:43 +0200
Subject: [stunnel-users] patch to build stunnel 4.15 with VS2005
In-Reply-To: <5d6d2b290606280914m20750959ge9a90b3fd3d78aa4@mail.gmail.com>
References: <5d6d2b290606280914m20750959ge9a90b3fd3d78aa4@mail.gmail.com>
Message-ID: <44A39E77.4060104@mobi-com.net>

David Gillingham wrote:
> This patch will modify vc.mak to a working makefile for nmake
> (mimicking the basic structure of mingw.mak), common.h to include a
> couple missing headers for the I/O functions in pty.c, and env.c to
> include the winsock headers under the Win32 environment (replicating
> how it was done in common.h).

pty.c and env.c are both only useful on Unix. They should *not* be compiled on the Windows platform. 8-)

Best regards,
Mike

From dgillingham+stunnel at gmail.com Thu Jun 29 18:45:43 2006
From: dgillingham+stunnel at gmail.com (David Gillingham) Date: Thu, 29 Jun 2006 11:45:43 -0500 Subject: [stunnel-users] patch to build stunnel 4.15 with VS2005 In-Reply-To: <44A3F4F3.80005@mobi-com.net> References: <5d6d2b290606280914m20750959ge9a90b3fd3d78aa4@mail.gmail.com> <44A39E77.4060104@mobi-com.net> <5d6d2b290606290826y1cfbd0bcg9774b5d067ef7551@mail.gmail.com> <44A3F4F3.80005@mobi-com.net> Message-ID: <5d6d2b290606290945h7f829648q273e642b21bebdcb@mail.gmail.com> Surely. Here are the contents of the patch file for vs.mak. >cat 4.15-MSVC2005.patch diff -cr stunnel-4.15-orig/src/vc.mak stunnel-4.15/src/vc.mak *** stunnel-4.15-orig/src/vc.mak Sat Jan 21 10:17:32 2006 --- stunnel-4.15/src/vc.mak Thu Jun 29 17:31:43 2006 *************** *** 1,2 **** ! # makefile for VC is not ready... --- 1,42 ---- ! # Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2006 ! # ! # Modified by David Gillingham (dgillingham at gmail.com) for Visual ! # Studio + # Modify this to point to your actual openssl compile directory + # (You did already compile openssl, didn't you???) 
+ SSLDIR=..\openssl-0.9.7j + + OBJS=stunnel.obj ssl.obj ctx.obj file.obj client.obj protocol.obj \ + sthreads.obj log.obj options.obj network.obj resolver.obj \ + gui.obj + + CC=cl + CFLAGS=-MD -W3 -Ox -O2 -Ob2 -Gs0 -GF -Gy -GL -nologo \ + -I"$(SSLDIR)\inc32" $(DEFINES) + DEFINES=-DUSE_WIN32 -D_CRT_SECURE_NO_DEPRECATE \ + -D_CRT_NONSTDC_NO_DEPRECATE -DHAVE_GETADDRINFO \ + -DHAVE_GETNAMEINFO -D_MBCS + + LINK=link + LDFLAGS=-INCREMENTAL:NO -NOLOGO -SUBSYSTEM:WINDOWS -OPT:REF \ + -OPT:ICF -LTCG -MACHINE:X86 -ERRORREPORT:PROMPT + LIBS=-LIBPATH:"$(SSLDIR)\out32dll" wsock32.lib ssleay32.lib \ + libeay32.lib user32.lib gdi32.lib shell32.lib comdlg32.lib \ + advapi32.lib + + all: stunnel.exe + + clean: + del $(OBJS) resources.res + del *.manifest + del stunnel.exe + + stunnel.exe: $(OBJS) resources.res + $(LINK) $(LDFLAGS) $(LIBS) -OUT:$@ $** + IF EXIST $@.manifest mt -nologo -manifest $@.manifest -outputresource:$@;1 + + resources.res: resources.rc resources.h stunnel.ico + rc -fo $@ resources.rc + + $(OBJS): *.h vc.mak On 6/29/06, Michal Trojnara wrote: > > That's possible. Could you prepare a patch with a minimal set of > changes (not including anything needed to build those Unix-specific files?). From dgillingham+stunnel at gmail.com Thu Jun 29 20:57:33 2006 
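Review bot: `CFLAGS` references `$(DEFINES)` three lines before `DEFINES` is assigned; nmake expands macros lazily so the build works, but moving the `DEFINES=` block above `CFLAGS` lets the dependency read top-down. The final rule `$(OBJS): *.h vc.mak` has no command line, so compilation relies on nmake's predefined `.c.obj` inference rule (`$(CC) $(CFLAGS) /c`); a one-line comment saying so would spare the next reader a search for the missing compile step. `SSLDIR` also changed from `..\..\openssl-0.9.7j` in the previous version of this patch to `..\openssl-0.9.7j` without explanation.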
From: dgillingham+stunnel at gmail.com (David Gillingham)
Date: Thu, 29 Jun 2006 13:57:33 -0500
Subject: [stunnel-users] Stunnel 4.15 cannot handle PKCS8 format private keys
Message-ID: <5d6d2b290606291157j17831b2ay84cbfa90f4651ef8@mail.gmail.com>

In modifying stunnel to work with the OpenSSL FIPS-certified module, I found out that private keys cannot be in the default OpenSSL format; they must be in PKCS8 format (due to the MD5 algorithm being disabled in FIPS mode). Talking to Dr. Henson of the OpenSSL group I was able to convert my private keys from the default format to PKCS8, but I found that stunnel was not able to handle these keys. I got the following error output (note that server.pem contains a PKCS8 private key and a PKCS7 public cert):

2006.06.08 17:49:38 LOG7[1120:616]: Certificate: server.pem
2006.06.08 17:49:38 LOG7[1120:616]: Key file: server.pem
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 906700D : error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 2306A075 : error:2306A075:PKCS12 routines:PKCS12_DECRYPT_D2I:pkcs12 pbe crypt error
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 23077073 : error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
2006.06.08 17:49:42 LOG3[1120:616]: SSL_CTX_use_RSAPrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
2006.06.08 17:49:42 LOG3[1120:616]: Server is down

Continuing with Dr. Henson, he informed me that this ssl error output meant that "the PBE table has not been initialized in the application". I corrected this by adding a call to OpenSSL_add_all_algorithms() into ssl_init() in ssl.c. This fixed my error with the PEM files.

I am posting this so that this bug may be fixed for the next stunnel release. Additionally, I'd like verification that my fix makes sense given the structure of the stunnel code. From doing some searches in the stunnel source, I could not find any existing code that initialized the PBE table so adding the call to ssl_init() made sense _to me_. Michal: do you agree?

From john.boxall at bmo.com Thu Jun 29 22:15:43 2006
From: john.boxall at bmo.com (Boxall, John)
Date: Thu, 29 Jun 2006 16:15:43 -0400
Subject: [stunnel-users] Expired certificate?
Message-ID:

Michal, et al,

When attempting to connect from a Windows box to a Solaris box (as the server), the Solaris stunnel log (debug = 7) shows that the certificate on the Windows box (included with the download) has expired. I can connect from a Solaris 9 client box with no problems. The Solaris box is running as an NTP client to an internal NTP server. The Windows box isn't logged into a domain, but the time is within 5 minutes of the Solaris box.

Solaris server:
Solaris 9 (2004/09, no patches)
OpenSSL 0.9.8a
Stunnel 4.15
Application: Syslog-ng 1.6.11 (working fine on a client Solaris 9 box)

Windows client:
Windows XP
Stunnel 4.15
Application: EventReporter 8.0.268/8.0.219

stunnel.conf: (borrowed and modified from a Solaris client box)

;
;CLIENT-ONLY stunnel configuration file
;
client = yes
cert = C:\Program Files\stunnel\stunnel.pem-client-certificate
CAfile = C:\Program Files\stunnel\stunnel.pem-server-certificate
;chroot = /var/run/stunnel
;pid = /usr/local/var/run/stunnel/stunnel.pid
;setuid = stunnel
;setgid = stunnel
verify = 3
;foreground = yes
debug = 7
output = C:\Program Files\stunnel\stunnel.log

[5140]
accept = 127.0.0.1:514
connect = 192.168.0.143:5140

If the certificate has truly expired, could you post a new one? If not, any suggestions?

Regards,
John Boxall

From Michal.Trojnara at mobi-com.net Thu Jun 29 22:48:10 2006
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Thu, 29 Jun 2006 22:48:10 +0200
Subject: [stunnel-users] Expired certificate?
In-Reply-To:
References:
Message-ID:

On 2006-06-29, at 22:15, Boxall, John wrote:
> If the certificate has truly expired, could you post a new one?
> If not, any suggestions?

You could test it with:

$ openssl x509 -text -in stunnel.pem | grep GMT
Not Before: Apr 8 15:09:08 1999 GMT
Not After : Apr 7 15:09:08 2000 GMT

You should never use the sample certificate except for testing! Create your own certificate/key instead: http://www.pseudonym.org/ssl/ssl_cook.html

Best regards,
Mike

From Michal.Trojnara at mobi-com.net Thu Jun 29 23:17:01 2006
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Thu, 29 Jun 2006 23:17:01 +0200
Subject: [stunnel-users] Stunnel 4.15 cannot handle PKCS8 format private keys
In-Reply-To: <5d6d2b290606291157j17831b2ay84cbfa90f4651ef8@mail.gmail.com>
References: <5d6d2b290606291157j17831b2ay84cbfa90f4651ef8@mail.gmail.com>
Message-ID: <0307d894dbfaea95aad5ec3aac0f950a@mobi-com.net>

On 2006-06-29, at 20:57, David Gillingham wrote:
> I corrected this by adding a call to
> OpenSSL_add_all_algorithms() into ssl_init() in ssl.c. This fixed my
> error with the PEM files.
>
> I am posting this so that this bug may be fixed for the next stunnel
> release. Additionally, I'd like verification that my fix makes sense
> given the structure of the stunnel code. From doing some searches in
> the stunnel source, I could not find any existing code that
> initialized the PBE table so adding the call to ssl_init() made sense
> _to me_. Michal: do you agree?

Yes, I do. OpenSSL_add_all_algorithms() will be used in the next release.

Best regards,
Mike

From john.boxall at bmo.com Fri Jun 30 17:04:17 2006
From: john.boxall at bmo.com (Boxall, John)
Date: Fri, 30 Jun 2006 11:04:17 -0400
Subject: [stunnel-users] Bad certificate? (was Expired certificate?)
Message-ID:

Mike,

I've created a self-signed certificate on my Windows test box using OpenSSL 0.9.7j (the version from Shining Light). I created the key file with the following command:

"openssl genrsa 1024 > \host.key"

Here is the command I used to create the self-signed cert:

"openssl req -new -x509 -nodes -sha1 -days 9999 -key \host.key > \host.cert"

I then copied the key/cert to the appropriate file in the stunnel directory. I then copied the cert to the Solaris server and included it with all other client certs.

Here is the Windows configuration file:

;
;CLIENT-ONLY stunnel configuration file
;
client = yes
cert = C:\Program Files\stunnel\stunnel.pem-client-certificate
CAfile = C:\Program Files\stunnel\stunnel.pem-server-certificate
;chroot = /var/run/stunnel
;pid = /usr/local/var/run/stunnel/stunnel.pid
;setuid = stunnel
;setgid = stunnel
verify = 3
;foreground = yes
debug = 7
output = C:\Program Files\stunnel\stunnel.log

[5140]
accept = 127.0.0.1:514
connect = 172.17.99.143:5140

Here is the Solaris configuration file:

;
;SERVER-ONLY stunnel configuration file
;
cert = /usr/local/etc/stunnel/stunnel.pem-server-certificate
CAfile = /usr/local/etc/stunnel/stunnel.pem-all-client-certificates
;chroot = /var/run/stunnel
;pid = /var/run/stunnel/run/stunnel.pid
;setuid = stunnel
;setgid = stunnel
verify = 3
;foreground = yes
debug = 7
output=/stunnel.log

[5140]
accept = 172.17.99.143:5140
connect = 127.0.0.1:514

The following happens on the Windows box when I first launch stunnel:

2006.06.30 09:51:31 LOG5[516:360]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005
2006.06.30 09:51:31 LOG5[516:360]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.06.30 09:51:31 LOG5[516:392]: No limit detected for the number of clients
2006.06.30 09:51:31 LOG7[516:392]: FD 1904 in non-blocking mode
2006.06.30 09:51:31 LOG7[516:392]: SO_REUSEADDR option set on accept socket
2006.06.30 09:51:31 LOG7[516:392]: 5140 bound to 127.0.0.1:514

Nothing happens on the Solaris box. When I start EventReporter, the following happens, in a continuous loop (until I stop EventReporter):

2006.06.30 10:16:26 LOG7[296:700]: 5140 accepted FD=156 from 127.0.0.1:1154
2006.06.30 10:16:26 LOG7[296:700]: Creating a new thread
2006.06.30 10:16:26 LOG7[296:700]: New thread created
2006.06.30 10:16:27 LOG7[296:1204]: 5140 started
2006.06.30 10:16:27 LOG7[296:1204]: FD 156 in non-blocking mode
2006.06.30 10:16:27 LOG5[296:1204]: 5140 connected from 127.0.0.1:1154
2006.06.30 10:16:27 LOG7[296:1204]: FD 188 in non-blocking mode
2006.06.30 10:16:27 LOG7[296:1204]: 5140 connecting 172.17.99.143:5140
2006.06.30 10:16:27 LOG7[296:1204]: connect_wait: waiting 10 seconds
2006.06.30 10:16:27 LOG7[296:1204]: connect_wait: connected
2006.06.30 10:16:27 LOG7[296:1204]: Remote FD=188 initialized
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): before/connect initialization
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client hello A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server hello A
2006.06.30 10:16:27 LOG5[296:1204]: VERIFY OK: depth=0, /C=CA/ST=ONTARIO/L=TORONTO/O=BANK OF MONTREAL/OU=LMG-DTS/CN=jdb2u10
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server certificate A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server certificate request A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server done A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client certificate A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client key exchange A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write certificate verify A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write change cipher spec A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write finished A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 flush data
2006.06.30 10:16:27 LOG3[296:1204]: SSL_connect: Peer suddenly disconnected
2006.06.30 10:16:27 LOG5[296:1204]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.30 10:16:27 LOG7[296:1204]: 5140 finished (0 left)

On the Solaris box, here is the matching entry, also in a continuous loop:

2006.06.30 10:16:47 LOG7[1214:1]: 5140 accepted FD=2 from 172.17.99.150:1155
2006.06.30 10:16:47 LOG7[1214:800]: 5140 started
2006.06.30 10:16:47 LOG7[1214:800]: FD 2 in non-blocking mode
2006.06.30 10:16:47 LOG5[1214:800]: 5140 connected from 172.17.99.150:1155
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): before/accept initialization
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 read client hello A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write server hello A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write certificate A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write certificate request A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 flush data
2006.06.30 10:16:48 LOG4[1214:800]: VERIFY ERROR: depth=0, error=self signed certificate: /C=CA/ST=ONTARIO/L=TORONTO/O=BMO/OU=LMG-DTS/CN=jdb1winxp
2006.06.30 10:16:48 LOG7[1214:800]: SSL alert (write): fatal: bad certificate
2006.06.30 10:16:48 LOG3[1214:800]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.30 10:16:48 LOG5[1214:800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.30 10:16:48 LOG7[1214:800]: 5140 finished (1 left)

It appears the server cert is ok, but "something" is wrong with the client (Windows box) cert. Any chance you could post the command used in the "make install" to kick off the creation of the self-signed cert on Unix? I grep'd for it, but couldn't find it.

Regards,
John Boxall
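As an added example (not code from the stunnel project or from any of the posters), here is a small Python summariser for stunnel 4.x debug logs of the shape quoted in this thread: it groups lines by the [pid:tid] thread that handled each connection and reports the peer, the VERIFY result, any SSL alert and any LOG3/LOG4 error, which is what you want to watch when a client loops reconnecting as above. The line-layout regex is an assumption drawn from the excerpts, and the sample lines are a constructed subset of the Solaris-side log.

```python
import re
from collections import OrderedDict

# Assumed stunnel 4.x line shape, taken from the excerpts in this thread:
# "YYYY.MM.DD HH:MM:SS LOGn[pid:tid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(?P<level>\d)"
    r"\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

def summarise(lines):
    """Group lines per connection thread and extract the handshake outcome."""
    conns = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or non-log text
        key = f"{m['pid']}:{m['tid']}"
        c = conns.setdefault(key, {"peer": None, "verify": [], "alerts": [], "errors": []})
        msg = m["msg"]
        peer = re.search(r" connected from (\S+)$", msg)
        if peer:
            c["peer"] = peer.group(1)
        elif msg.startswith("VERIFY "):          # VERIFY OK / VERIFY ERROR
            c["verify"].append(msg)
        elif msg.startswith("SSL alert"):        # e.g. fatal: bad certificate
            c["alerts"].append(msg)
        elif int(m["level"]) <= 4:               # LOG3 = error, LOG4 = warning
            c["errors"].append(msg)
    return conns

def failed_connections(lines):
    """Keys of connections that carried a VERIFY ERROR, an alert or an error."""
    return [k for k, c in summarise(lines).items()
            if c["alerts"] or c["errors"]
            or any(v.startswith("VERIFY ERROR") for v in c["verify"])]

# Constructed sample: a subset of the Solaris-side lines quoted above.
SAMPLE_SERVER = [
    "2006.06.30 10:16:47 LOG7[1214:1]: 5140 accepted FD=2 from 172.17.99.150:1155",
    "2006.06.30 10:16:47 LOG5[1214:800]: 5140 connected from 172.17.99.150:1155",
    "2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write certificate request A",
    "2006.06.30 10:16:48 LOG4[1214:800]: VERIFY ERROR: depth=0, error=self signed certificate: "
    "/C=CA/ST=ONTARIO/L=TORONTO/O=BMO/OU=LMG-DTS/CN=jdb1winxp",
    "2006.06.30 10:16:48 LOG7[1214:800]: SSL alert (write): fatal: bad certificate",
    "2006.06.30 10:16:48 LOG3[1214:800]: SSL_accept: 140890B2: error:140890B2:SSL routines:"
    "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned",
    "2006.06.30 10:16:48 LOG5[1214:800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket",
]
```

Run it over a full debug = 7 log and failed_connections() lists the threads to look at; the accept thread ([1214:1] above) stays clean because it only hands the socket off.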