From steven at lovebug.org Tue May 2 18:41:59 2006
From: steven at lovebug.org (Steven)
Date: Tue, 2 May 2006 12:41:59 -0400
Subject: [stunnel-users] Stunnel + Snort + MySQL
Message-ID: <002b01c66e07$55a37540$dc02a8c0@island55>

I have a problem that I have been unsuccessful in solving thus far with Stunnel, Snort, and MySQL.

Stunnel (client & server): 4.04
Snort: 2.4.4 on the client
MySQL Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386) [not the latest and greatest by any means]

I set up stunnel so that traffic destined for localhost 3306 (mysql) on the client goes to port 3307 on the server. Stunnel on the server is set up to take traffic from 3307 and send it to 3306 locally. This connection works fine. I can fire up Snort and have events properly log to my snort database on the server from the client.

However, if stunnel is stopped/restarted on either the client or the server, Snort is not able to keep writing to the database unless it is restarted. I just get this error:

May 2 12:44:03 box snort[44126]: database: Problem inserting a new signature 'Test Snort Signature'
May 2 12:44:03 box1 snort[44126]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('4', '22', '0', '2006-05-02 16:44:03.322')
May 2 12:44:03 box snort[44126]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK

Whenever I close stunnel it sends traffic to the other end. I can restart it and open up new connections just fine. However, Snort will not even try and connect to port 3306. Once stunnel has been stopped (or even restarted) it just immediately fails to even try and connect to the port. It seems there's some kind of signal sent that kills the connection (and all future connections?). I cannot figure out why this happens.

Any ideas?

Thanks
Steven
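The failure described above (a persistent database connection dies when the tunnel is restarted, and ROLLBACK on the dead connection fails too) handled by reconnecting and re-running the transaction, as an added example that is not code from the thread or from Snort's database plugin; the connection class is a constructed stand-in for a DB-API connection, and 2006 is MySQL's real "server has gone away" client error code.

```python
# Added example, not code from the thread or from Snort: a database writer
# that survives a stunnel restart.  When the tunnel drops, the next statement
# on the old TCP connection fails with MySQL error 2006 ("MySQL server has
# gone away") and, as in the log above, ROLLBACK on that connection fails
# too.  The fix is to reconnect and re-run the whole transaction.

CR_SERVER_GONE_ERROR = 2006   # real MySQL client error code for "gone away"


class OperationalError(Exception):
    """Stand-in for the DB-API OperationalError raised by MySQL drivers."""

    def __init__(self, errno, msg):
        super().__init__(errno, msg)
        self.errno = errno


class TunnelConnection:
    """Constructed test double for a connection that runs through stunnel.
    restart_tunnel() models stunnel being stopped or restarted: afterwards
    every operation on this connection raises error 2006."""

    def __init__(self, server_rows):
        self.server_rows = server_rows   # shared "table" on the server side
        self.alive = True
        self.pending = []

    def restart_tunnel(self):
        self.alive = False

    def _check(self):
        if not self.alive:
            raise OperationalError(CR_SERVER_GONE_ERROR, "MySQL server has gone away")

    def execute(self, sql, params):
        self._check()
        self.pending.append((sql, params))

    def commit(self):
        self._check()
        self.server_rows.extend(self.pending)
        self.pending = []

    def rollback(self):
        self._check()
        self.pending = []


class EventWriter:
    """Writes one event per transaction; reconnects on 'gone away'.

    connect      zero-argument factory returning a fresh connection
    max_attempts connections to try for one event before giving up"""

    INSERT = ("INSERT INTO event (sid,cid,signature,timestamp) "
              "VALUES (%s, %s, %s, %s)")   # bound parameters, not string formatting

    def __init__(self, connect, max_attempts=3):
        self.connect = connect
        self.max_attempts = max_attempts
        self.conn = connect()
        self.reconnects = 0

    def write_event(self, sid, cid, signature, timestamp):
        """Return True once the row is committed, False if every attempt died."""
        for _ in range(self.max_attempts):
            try:
                self.conn.execute(self.INSERT, (sid, cid, signature, timestamp))
                self.conn.commit()
                return True
            except OperationalError as exc:
                if exc.errno != CR_SERVER_GONE_ERROR:
                    raise                      # not a tunnel problem: surface it
                try:
                    self.conn.rollback()       # fails on a dead connection
                except OperationalError:
                    pass
                self.conn = self.connect()     # new TCP session through stunnel
                self.reconnects += 1
        return False


def demo():
    """Two events with a tunnel restart in between.
    Returns (rows on the server, reconnects, last write succeeded)."""
    server_rows, conns = [], []

    def connect():
        conns.append(TunnelConnection(server_rows))
        return conns[-1]

    writer = EventWriter(connect)
    writer.write_event(4, 21, 0, "2006-05-02 16:43:03")
    conns[-1].restart_tunnel()          # stunnel stopped/restarted here
    ok = writer.write_event(4, 22, 0, "2006-05-02 16:44:03")
    return len(server_rows), writer.reconnects, ok
```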
From: ascendant600 at gmail.com (Matthew Case)
Date: Tue, 2 May 2006 14:51:02 -0400
Subject: [stunnel-users] Wrapping interclient connections outbound to many servers
Message-ID: <2451016a0605021151j49dedc45o23372341a072e128@mail.gmail.com>

Hello all,

I have searched high and low for a solution to this problem, but I haven't found anything so I am coming here in hopes someone will be able to help me.

I have to wrap the interclient protocol (>1024 to 3060) in some manner of encryption to appease one of my clients. I have already wrapped the ajp13 protocol between the apache server and the tomcat server, but now the tomcat server (which acts as an stunnel server in the ajp13 setup) must also act as a client and wrap all outbound and return traffic to 10 servers to and from port 3060. Making large modifications to the source code is not going to be feasible given my current time crunch (it must be implemented in two weeks).

Has anyone run into anything like this and does anyone have any tips?

Thanks in advance!

- Matt
From: ludovic.duflot at univ-savoie.fr (Ludovic DUFLOT)
Date: Wed, 03 May 2006 08:08:38 +0200
Subject: [stunnel-users] certificate unknown
Message-ID: <445848E6.6070803@univ-savoie.fr>

Hi,

I tried to use stunnel to connect in SSL to a LDAP server. But I can't, and I've got this error message: certificate unknown

I use stunnel for establishing a connection with an IMAPS server and all is right, but not for the LDAP connection. The certificate is self-signed.

I searched on the list's archives and with google but I can't find any solution... Help!!!

Ludo

ps: these are the stunnel.conf and the log:

***************************
cert = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Some debugging stuff useful for troubleshooting
debug = 7
;output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[ldaps]
accept = 389
connect = 10.0.0.1:636
verify = 0

[imaps]
accept = 143
connect = 10.0.0.2:993
***************************

2006.05.03 07:52:40 LOG7[4436:2436]: RAND_status claims sufficient entropy for the PRNG
2006.05.03 07:52:40 LOG6[4436:2436]: PRNG seeded successfully
2006.05.03 07:52:40 LOG7[4436:2436]: Certificate: stunnel.pem
2006.05.03 07:52:40 LOG7[4436:2436]: Key file: stunnel.pem
2006.05.03 07:52:40 LOG7[4436:2436]: SSL context initialized for service ldaps
2006.05.03 07:52:40 LOG7[4436:2436]: Certificate: stunnel.pem
2006.05.03 07:52:40 LOG7[4436:2436]: Key file: stunnel.pem
2006.05.03 07:52:40 LOG7[4436:2436]: SSL context initialized for service imaps
2006.05.03 07:52:40 LOG7[4436:2436]: Certificate: stunnel.pem
2006.05.03 07:52:40 LOG7[4436:2436]: Key file: stunnel.pem
2006.05.03 07:52:40 LOG7[4436:2436]: SSL context initialized for service https
2006.05.03 07:52:40 LOG5[4436:2436]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7f 22 Mar 2005
2006.05.03 07:52:40 LOG5[4436:2436]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.05.03 07:52:40 LOG5[4436:4612]: No limit detected for the number of clients
2006.05.03 07:52:40 LOG7[4436:4612]: FD 192 in non-blocking mode
2006.05.03 07:52:40 LOG7[4436:4612]: SO_REUSEADDR option set on accept socket
2006.05.03 07:52:40 LOG7[4436:4612]: ldaps bound to 0.0.0.0:389
2006.05.03 07:52:40 LOG7[4436:4612]: FD 196 in non-blocking mode
2006.05.03 07:52:40 LOG7[4436:4612]: SO_REUSEADDR option set on accept socket
2006.05.03 07:52:40 LOG7[4436:4612]: imaps bound to 0.0.0.0:143
2006.05.03 07:52:40 LOG7[4436:4612]: FD 212 in non-blocking mode
2006.05.03 07:52:40 LOG7[4436:4612]: SO_REUSEADDR option set on accept socket
2006.05.03 07:52:40 LOG7[4436:4612]: https bound to 0.0.0.0:443
2006.05.03 07:52:50 LOG7[4436:4612]: ldaps accepted FD=220 from 127.0.0.1:2893
2006.05.03 07:52:50 LOG7[4436:4612]: Creating a new thread
2006.05.03 07:52:50 LOG7[4436:4612]: New thread created
2006.05.03 07:52:50 LOG7[4436:5780]: ldaps started
2006.05.03 07:52:50 LOG7[4436:5780]: FD 220 in non-blocking mode
2006.05.03 07:52:50 LOG7[4436:5780]: TCP_NODELAY option set on local socket
2006.05.03 07:52:50 LOG5[4436:5780]: ldaps connected from 127.0.0.1:2893
2006.05.03 07:52:50 LOG7[4436:5780]: FD 244 in non-blocking mode
2006.05.03 07:52:50 LOG7[4436:5780]: ldaps connecting 10.0.0.1:636
2006.05.03 07:52:50 LOG7[4436:5780]: connect_wait: waiting 10 seconds
2006.05.03 07:52:50 LOG7[4436:5780]: connect_wait: connected
2006.05.03 07:52:50 LOG7[4436:5780]: Remote FD=244 initialized
2006.05.03 07:52:50 LOG7[4436:5780]: TCP_NODELAY option set on remote socket
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): before/connect initialization
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client hello A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server hello A
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=1, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=DSI CA/emailAddress=admin at univ-savoie.fr
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=1, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=DSI CA/emailAddress=admin at univ-savoie.fr
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=1, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=DSI CA/emailAddress=admin at univ-savoie.fr
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=0, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=ldap-bourget.univ-savoie.fr
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server certificate A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server certificate request A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server done A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client certificate A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client key exchange A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write certificate verify A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write change cipher spec A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write finished A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 flush data
2006.05.03 07:52:50 LOG7[4436:5780]: SSL alert (read): fatal: certificate unknown
2006.05.03 07:52:50 LOG3[4436:5780]: SSL_connect: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2006.05.03 07:52:50 LOG5[4436:5780]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.05.03 07:52:50 LOG7[4436:5780]: ldaps finished (0 left)
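An added example (not from the thread): a small analyser for the stunnel log format posted above. It groups lines by thread id and reports, per handshake, whether the server requested a client certificate, whether stunnel actually signed with one (the "write certificate verify" state), whether peer verification was ignored (verify = 0), and which side sent the fatal alert; it also covers write-direction alerts such as the handshake failure reported later in this archive. The sample log is constructed, with placeholder subject names.

```python
import re

# Added example, not from the thread: analyser for stunnel 4.x client logs,
# one line per record in the form
#   2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client hello A
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
STATE_RE = re.compile(r"^SSL state \((?:connect|accept)\): (?P<state>.*)$")
ALERT_RE = re.compile(r"^SSL alert \((?P<dir>read|write)\): fatal: (?P<alert>.*)$")
VERIFY_RE = re.compile(r"^VERIFY (?P<verdict>\w+): depth=(?P<depth>\d+), (?P<subject>.*)$")


def parse_line(line):
    """Split one log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("level", "pid", "tid"):
        rec[key] = int(rec[key])
    return rec


def _new_summary():
    return {"states": [], "server_cert_request": False, "client_cert_signed": False,
            "verify_ignored": False, "peer_subject": None, "fatal_alert": None}


def analyse(lines):
    """Return {tid: summary} for every thread seen in the log lines."""
    threads = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = threads.setdefault(rec["tid"], _new_summary())
        msg = rec["msg"]
        m = STATE_RE.match(msg)
        if m:
            state = m.group("state")
            s["states"].append(state)
            if "read server certificate request" in state:
                s["server_cert_request"] = True
            # "write client certificate" is logged even with no certificate to
            # offer; "write certificate verify" means a cert+key was really used.
            if "write certificate verify" in state:
                s["client_cert_signed"] = True
            continue
        m = VERIFY_RE.match(msg)
        if m:
            if m.group("verdict") == "IGNORE":
                s["verify_ignored"] = True     # chain seen but not checked
            if m.group("depth") == "0":
                s["peer_subject"] = m.group("subject")
            continue
        m = ALERT_RE.match(msg)
        if m and s["fatal_alert"] is None:
            s["fatal_alert"] = (m.group("dir"), m.group("alert"))
    for s in threads.values():
        s["diagnosis"] = _diagnose(s)
    return threads


def _diagnose(s):
    """One-line reading of a handshake summary."""
    if s["fatal_alert"] is None:
        done = any("read finished" in st for st in s["states"])
        return "handshake completed" if done else "handshake incomplete, no fatal alert"
    direction, name = s["fatal_alert"]
    last = s["states"][-1] if s["states"] else "?"
    if direction == "read" and name == "certificate unknown" and s["client_cert_signed"]:
        return ("server rejected the client certificate stunnel presented "
                "(server requested one, stunnel signed with its own cert/key)")
    if direction == "read":
        return "peer sent fatal alert '%s' after '%s'" % (name, last)
    return "stunnel sent fatal alert '%s' after '%s'" % (name, last)


# Constructed sample modelled on the log above: thread 5780 is the failing
# LDAPS connection, thread 6012 a successful one.
SAMPLE_LOG = """\
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client hello A
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=1, /C=FR/O=Example/CN=Example CA
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=0, /C=FR/O=Example/CN=ldap.example.net
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server certificate request A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server done A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client certificate A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write certificate verify A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write finished A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL alert (read): fatal: certificate unknown
2006.05.03 07:53:10 LOG7[4436:6012]: SSL state (connect): SSLv3 write client hello A
2006.05.03 07:53:10 LOG5[4436:6012]: VERIFY IGNORE: depth=0, /C=FR/O=Example/CN=imap.example.net
2006.05.03 07:53:10 LOG7[4436:6012]: SSL state (connect): SSLv3 write finished A
2006.05.03 07:53:10 LOG7[4436:6012]: SSL state (connect): SSLv3 read finished A
"""
```

Run `analyse(open("stunnel.log").read().splitlines())` on a real debug = 7 log to get the same per-thread summaries.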
From: Harry.Boeck at t-online.de (Harry Boeck)
Date: Thu, 4 May 2006 02:33:23 +0200
Subject: [stunnel-users] stunnel 4.15 crashes with vnc server 4.1.1
Message-ID: <191429642.20060504023323@t-online.de>

Hello stunnel users,

I'm learning to use ssl and ssh tools to get secured access to my home server from work and other places. I already have a working ssh installation but stumbled over stunnel by accident. I would like to use it, because I still have computers in use with win98 (both for myself and among my clients) and this little program is exactly all that I would need to use vnc over a secured connection. SSH, to the contrary, needs a little bit more setup (over a cygwin that serves the only purpose of acquiring such tools like SSH), needs its own crypto library compilation and so on.

Now, there is the problem that stunnel 4.15 crashes at the moment when the vnc server 4.1.1 tries to deliver its first screen to the client.

Stunnel was downloaded from http://www.stunnel.org/download/binaries.html, vnc was downloaded from http://www.realvnc.com (already some time ago). Both were downloaded as binaries, for the typical help hints on forums for the question "i have a compile problem on windows" being "how dare you"...

Both machines I'm using for testing use win98 as operating system. The crash happens both when testing a configuration on one machine with stunnel running both as server and as client, as well as when using it to connect two machines with stunnel running as server on the machine with vnc server and as client on the machine with vnc client. VNC runs correctly by itself as well as via an ssh secured connection.

Stunnel is started with only the server versus the client configuration file as command line parameter. The configuration files are:

http://harryboeck.dyndns.org/Sicherheit/stunnel-server.ini
http://harryboeck.dyndns.org/Sicherheit/stunnel-client.ini

Stunnel delivers correctly the data between vnc server and client (including connection establishment and authentication) until the point of first screen transfer (when the screen on the client side turns black and the screen on the server side should remove the background image and visual effects).

The output of stunnel server and client is:

http://harryboeck.dyndns.org/Sicherheit/stunnel-server.log
http://harryboeck.dyndns.org/Sicherheit/stunnel-client.log

The output of "stunnel -version" is:

http://harryboeck.dyndns.org/Sicherheit/stunnel-version.txt

I have no clue what '6. Output of "uname -a"' should mean; if that is somehow important for hints, please let me know.

openssl version is: OpenSSL 0.9.8a 11 Oct 2005

I would appreciate any suggestions or hints on the interaction of vnc and stunnel.

with best regards
Harry Boeck

From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Thu, 04 May 2006 10:28:41 +0200
Subject: [stunnel-users] stunnel 4.15 crashes with vnc server 4.1.1
In-Reply-To: <191429642.20060504023323@t-online.de>
References: <191429642.20060504023323@t-online.de>
Message-ID: <4459BB39.9060804@mobi-com.net>

Harry Boeck wrote:
> Now, there is the problem that stunnel 4.15 crashes at the moment,
> when the vnc server 4.1.1 tries to deliver its first screen to the client.

Do you have any debugging tools to show where it crashed? The simplest one is Dr. Watson:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308538

Did you try disabling zlib compression? AFAIR vnc does a pretty nice compression by itself.

Best regards,
Mike
From: Trishul.Shah at bluesq.com (Trishul Shah)
Date: Thu, 4 May 2006 15:27:53 +0100
Subject: [stunnel-users] stunnel install issues with mknod command
Message-ID:

Hi,

I was wondering if you could help me. I am trying to install stunnel on a machine running solaris 10, but the catch is that I am trying to install it within a zone in solaris 10. Unfortunately, during the installation process, after the source is compiled, I see the following error:

Making install in src
test -z "/usr/local/lib" || /bin/bash ../auto/mkinstalldirs "/usr/local/lib"
/bin/bash ../libtool --mode=install ../auto/install-sh -c 'libstunnel.la' '/usr/local/lib/libstunnel.la'
../auto/install-sh -c .libs/libstunnel.so /usr/local/lib/libstunnel.so
chmod +x /usr/local/lib/libstunnel.so
../auto/install-sh -c .libs/libstunnel.lai /usr/local/lib/libstunnel.la
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - use the `-RLIBDIR' linker flag

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
test -z "/usr/local/sbin" || /bin/bash ../auto/mkinstalldirs "/usr/local/sbin"
/bin/bash ../libtool --mode=install ../auto/install-sh -c 'stunnel' '/usr/local/sbin/stunnel'
../auto/install-sh -c stunnel /usr/local/sbin/stunnel
test -z "/usr/local/sbin" || /bin/bash ../auto/mkinstalldirs "/usr/local/sbin"
../auto/install-sh -c 'stunnel3' '/usr/local/sbin/stunnel3'
Making install in doc
test -z "/usr/local/share/doc/stunnel" || /bin/bash ../auto/mkinstalldirs "/usr/local/share/doc/stunnel"
../auto/install-sh -c -m 644 'stunnel.html' '/usr/local/share/doc/stunnel/stunnel.html'
../auto/install-sh -c -m 644 'stunnel.pl.html' '/usr/local/share/doc/stunnel/stunnel.pl.html'
../auto/install-sh -c -m 644 'stunnel.fr.html' '/usr/local/share/doc/stunnel/stunnel.fr.html'
test -z "/usr/local/man/man8" || /bin/bash ../auto/mkinstalldirs "/usr/local/man/man8"
../auto/install-sh -c -m 644 './stunnel.8' '/usr/local/man/man8/stunnel.8'
../auto/install-sh -c -m 644 './stunnel.pl.8' '/usr/local/man/man8/stunnel.pl.8'
../auto/install-sh -c -m 644 './stunnel.fr.8' '/usr/local/man/man8/stunnel.fr.8'
Making install in tools
test -z "/usr/local/etc/stunnel" || /bin/bash ../auto/mkinstalldirs "/usr/local/etc/stunnel"
../auto/install-sh -c -m 644 'stunnel.conf-sample' '/usr/local/etc/stunnel/stunnel.conf-sample'
if test ! -r /usr/local/etc/stunnel/stunnel.pem; then \
    if test -r "/dev/urandom"; then \
        dd if="/dev/urandom" of=stunnel.rnd bs=256 count=1; \
        RND="-rand stunnel.rnd"; \
    else \
        RND=""; \
    fi; \
    /usr/local/bin/openssl req -new -x509 -days 365 -nodes $RND \
        -config ./stunnel.cnf \
        -out stunnel.pem -keyout stunnel.pem; \
    test -eq 0 || /usr/local/bin/openssl gendh $RND 512 >> stunnel.pem; \
    /usr/local/bin/openssl x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
    ../auto/install-sh -c -m 600 stunnel.pem /usr/local/etc/stunnel/stunnel.pem; \
    rm stunnel.pem; \
fi
mkdir -p /usr/local/var/stunnel
chmod a=rwx,+t /usr/local/var/stunnel
if uname | grep SunOS; then \
    mkdir -p /usr/local/var/stunnel/dev; \
    chmod u=rwx,go=rx /usr/local/var/stunnel/dev; \
    mknod /usr/local/var/stunnel/dev/zero c 13 12; \
    chmod a=rw /usr/local/var/stunnel/dev/zero; \
fi
SunOS
mknod: Not owner
*** Error code 2
make: Fatal error: Command failed for target `install-data-local'
Current working directory /export/home/playtech/stunnel-4.14/tools
*** Error code 1
The following command caused the error:
make install-exec-am install-data-am
make: Fatal error: Command failed for target `install-am'
Current working directory /export/home/playtech/stunnel-4.14/tools
*** Error code 1
The following command caused the error:
failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
    *=* | --[!k]*);; \
    *k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo install-recursive | sed s/-recursive//`; \
list='src doc tools'; for subdir in $list; do \
  echo "Making $target in $subdir"; \
  if test "$subdir" = "."; then \
    dot_seen=yes; \
    local_target="$target-am"; \
  else \
    local_target="$target"; \
  fi; \
  (cd $subdir && make $local_target) \
  || eval $failcom; \
done; \
if test "$dot_seen" = "no"; then \
  make "$target-am" || exit 1; \
fi; test -z "$fail"
make: Fatal error: Command failed for target `install-recursive'

After much digging around I have discovered that the mknod command cannot be used within a solaris 10 zone. I have gotten round this previously by installing stunnel from the global zone, but that intertwines the parent zone with the child zone, and ideally we would like to keep these as independent of each other as possible, as we use these zones for 3rd party applications and hence we have a lot of other user traffic on these zones.

Thanks in advance for your help.

Kind Regards,
Trishul Shah
Blue Square
Tel: 020 7288 7920
Mob: 07789 982 688
Fax: 020 7288 7955

From: Harry.Boeck at t-online.de (Harry Boeck)
Date: Thu, 4 May 2006 20:12:18 +0200
Subject: [stunnel-users] Re: stunnel 4.15 crashes with vnc server 4.1.1
Message-ID: <555219499.20060504201218@t-online.de>

Hello stunnel-users,

@Michal Trojnara: Thanks for your help, Mike!

The solution came overnight when I remembered my own message:

> and the screen on the server side should remove the background image
> and visual effects).

Well: I disabled the desktop modifications in vnc and it runs. Something is incompatible in the stunnel GUI with the removal of global windows GUI behaviour (despite the fact that I have not a single one of them in use, to the best of my knowledge), which has nothing to do with the dedication of stunnel. Maybe there's a simple GUI message not handled correctly?

As this seems to be something common to all windows versions, could this possibly happen in windows xp, too? (I don't use one, so someone would have to investigate this.)

It's another motivation to start compiling in cygnus. But unfortunately at this very moment I'm occupied with other tasks. Maybe some other guy has the fancy to look at this matter...

Kind regards
Harry Boeck
From: gonzalo.diethelm at diethelm.org (Gonzalo Diethelm)
Date: Thu, 04 May 2006 19:33:51 -0400
Subject: [stunnel-users] Using stunnel to add https support to ONE virtual host
Message-ID: <1146785631.8238.42.camel@localhost.localdomain>

Hello,

I have Apache serving plain http pages for several domains running as virtual hosts on one machine (debian). I know SSL will not work with this setup, and I understand the reasons why (at least I think I do). Let's say the virtual hosts are

www.server1.com
www.server2.com
www.server3.com

I would like to use stunnel to add https capabilities to ONE of the virtual hosts (say, www.server3.com). In other words, I would like to configure stunnel in server mode with a certificate file, listening on www.server3.com:443, so that if I use a browser to visit

https://www.server3.com/

then stunnel will accept the connection and forward all traffic to www.server3.com:80, letting Apache handle it; in particular, this would have to allow Apache to recognize which of the virtual hosts is being visited; I wouldn't like to have www.server1.com respond to my requests instead of www.server3.com.

Is this possible? Any caveats, hints, recommendations?

Thanks in advance, and best regards,

-- 
Gonzalo Diethelm
gonzalo.diethelm at aditiva.com
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Fri, 05 May 2006 09:52:08 +0100
Subject: [stunnel-users] Using stunnel to add https support to ONE virtual host
In-Reply-To: <1146785631.8238.42.camel@localhost.localdomain>
Message-ID: <445B2048.21015.7520B137@cobalt-users1.fishnet.co.uk>

On 4 May 2006 at 19:33, Gonzalo Diethelm wrote:

> Hello,
>
> I have Apache serving plain http pages for several domains running as
> virtual hosts on one machine (debian). I know SSL will not work with
> this setup, and I understand the reasons why (at least I think I do).
> Let's say the virtual hosts are
>
> www.server1.com
> www.server2.com
> www.server3.com
>
> I would like to use stunnel to add https capabilities to ONE of the
> virtual hosts (say, www.server3.com). In other words, I would like to
> configure stunnel in server mode with a certificate file, listening on
> www.server3.com:443, so that if I use a browser to visit
>
> https://www.server3.com/
>
> then stunnel will accept the connection and forward all traffic to
> www.server3.com:80, letting Apache handle it; in particular, this would
> have to allow Apache to recognize which of the virtual hosts is being
> visited; I wouldn't like to have www.server1.com respond to my requests
> instead of www.server3.com.
>
> Is this possible? Any caveats, hints, recommendations?
>
> Thanks in advance, and best regards,

Hi,

I assume all these virtual hosts are listening on one IP? If so then you don't really need to use stunnel; you can use mod_ssl and have everything handled by apache. The http virtual hosts will listen on port 80 and the single https host will listen on 443. You only get a problem if you want to use more than one https site on one IP (you can't, basically).

If you want any help with this setup off list I can give you a few pointers.

Regards
Ian
From: donw at iradeon.net (Don Werve)
Date: Fri, 05 May 2006 15:52:07 -0700
Subject: [stunnel-users] Performance Problems.
Message-ID: <445BD717.9010405@iradeon.net>

After a fair bit of poking, prodding, and googling, I have yet to find the solution to my problem. So, here goes: stunnel looks to be running slowly. Very slowly.

We're starting to analyze it with gprof to see where it spends all of its time when we're trying to do content negotiation, and I've whipped up a quick-and-dirty Ruby script that grabs data from the server and then spits out the performance results; I'm sitting on my own T1, so our connectivity is pretty good. The results with this script are similar with 'delay=yes', 'session=600', and 'compression=zlib'.

So, here's what happens when I nab data from our stunnel-ed server with said script (I can supply the script if anyone is interested):

#File        Size  proto  time    thrpt    proto  time    thrpt    multiple
----------------------------------------------------------------------
index.html     7k  http   0.1548 ( 46k/s)  https  0.7449 (  9k/s)  * 4.8131
test1.jpg      1k  http   0.0928 ( 12k/s)  https  0.6379 (  1k/s)  * 6.8726
test2.jpg     10k  http   0.1812 ( 59k/s)  https  0.6743 ( 16k/s)  * 3.7208
test3.jpg     19k  http   0.2236 ( 85k/s)  https  0.7677 ( 24k/s)  * 3.4338
test4.jpg     53k  http   0.5668 ( 94k/s)  https  1.1543 ( 46k/s)  * 2.0365
test5.jpg     97k  http   0.7861 (123k/s)  https  2.1974 ( 44k/s)  * 2.7954
test6.jpg    214k  http   1.4061 (152k/s)  https  2.3735 ( 90k/s)  * 1.6880
test7.jpg    140k  http   0.9434 (149k/s)  https  1.9331 ( 72k/s)  * 2.0491
test8.jpg    470k  http   2.8590 (164k/s)  https  3.7696 (124k/s)  * 1.3185

('multiple' is the number of times 'slower' https is versus http; time is in seconds).

And, here's my stunnel config:

***
cert = /etc/certs/combined.pem
setuid = nobody
setgid = nobody
pid = /var/run/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 0
output = /var/log/stunnel

[https]
local = 64.40.110.16
accept = 443
connect = 64.40.110.16:80
TIMEOUTclose = 0
***

So, any ideas why stunnel is working so slowly? I mean, I know there's the overhead of the SSL negotiation, and I've heard some things about a stunnel session cache, but nothing about enabling/using it (unless 'session = something bigger than zero' does so?). Any suggestions to improve performance, especially for large batches of small transfers?

Thanks-in-advance!

-- 
Don Werve
Chief Systems Administrator / Systems Architect
From: srilalitha.m at hcl.in (Srilalitha Muralidhara (HCL Capital Market Services))
Date: Mon, 8 May 2006 16:39:42 +0530
Subject: [stunnel-users] client certificate authentication
Message-ID: <7D9386E4B8FE7F41B26D65E1F91278F101D85155@DSL-EXCHBE.DSL.HCLTECH.COM>

Hi,

I am new to stunnel. My application listens on 6 socket ports. External applications either dump data on these socket ports or send requests on these socket ports to receive data. Thus, my application is a server and external applications are clients. We have to authenticate these external applications before accepting the requests/data. So I am planning to use client certificate authentication of stunnel.

In this case, should the server have a certificate as well? Will the server be authenticated? Is it necessary for all the external applications to be using the same certificate?

Thanks,
Sri

Disclaimer:
***********
The contents of this E-mail (including the contents of the enclosure(s) or attachment(s) if any) are privileged and confidential material of HCL Capital Market Services and should not be disclosed to, used by or copied in any manner by anyone other than the intended addressee(s). In case you are not the desired addressee, you should delete this message and/or re-direct it to the sender. The views expressed in this E-mail message (including the enclosure(s) or attachment(s) if any) are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of HCL Capital Market Services. This e-mail message including attachment/(s), if any, is believed to be free of any virus. However, it is the responsibility of the recipient to ensure that it is virus free and HCL Capital Market Services is not responsible for any loss or damage arising in any way from its use.
From: Erez.Nadav at verint.com (Nadav, Erez)
Date: Mon, 8 May 2006 19:55:08 +0300
Subject: [stunnel-users] Stunnel configuration
Message-ID: <13DD73899260DF4F81FA8ED9BA953F17651B35@tlvmail3.IL.Corp.Verintsystems.com>

Hi all,

How can I configure my stunnel client application (windows) with the following parameter:

TLSv1only = yes

Nadav Erez
R&D
Verint Systems Ltd.
Phone: +972-9-962-4753
Cell: +972-54-778-4753
Email: erez.nadav at verint.com
Web: www.verint.com

__________________________________________________________________________________________
This electronic message contains information from Verint Systems, which may be privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by replying to this email (1).
From: Erez.Nadav at verint.com (Nadav, Erez)
Date: Tue, 9 May 2006 11:21:43 +0300
Subject: [stunnel-users] Trying to load stunnel sources
Message-ID: <13DD73899260DF4F81FA8ED9BA953F17651C07@tlvmail3.IL.Corp.Verintsystems.com>

Hi all,

I am a programmer and I want to compile the stunnel for windows application in order to try to fix some non-working TLS issues. I am having a problem when accessing the http://www.stunnel.org/download/source.html address.

I have the following questions:
1. Where and how can I load all stunnel sources?
2. How should I compile it on a windows machine?
3. How should I use the mentioned PGP key?

Thanks
Erez

__________________________________________________________________________________________
This electronic message contains information from Verint Systems, which may be privileged and confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by replying to this email (1).

From: John.Moehrke at med.ge.com (Moehrke, John (GE Healthcare))
Date: Tue, 9 May 2006 06:31:13 -0500
Subject: [stunnel-users] Stunnel configuration
Message-ID: <45A5295FFA1CBE4D9BF44E8534D2686C0EE07700@MKEMLVEM07.e2k.ad.ge.com>

I would further like to ask: Is it true that the proper way to get to TLSv1 is to start with SSLv3? Is there a reference that someone can point me at?

John

_____
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Nadav, Erez
Sent: Monday, May 08, 2006 11:55 AM
To: stunnel-users at mirt.net
Subject: [stunnel-users] Stunnel configuration

Hi all,

How can I configure my stunnel client application (windows) with the following parameter:

TLSv1only = yes

Nadav Erez
R&D
Verint Systems Ltd.
Phone: +972-9-962-4753
Cell: +972-54-778-4753
Email: erez.nadav at verint.com
Web: www.verint.com

From: shinoycb at yahoo.co.in (Shinoy)
Date: Tue, 9 May 2006 15:20:17 +0100 (BST)
Subject: [stunnel-users] Installing Stunnel on AIX5.3
Message-ID: <20060509142017.46660.qmail@web8603.mail.in.yahoo.com>

Hi,

I want to install Stunnel on AIX 5.3 and configure it. I was trying to find some documentation and also to know if it will work on AIX 5.3.

Any help is greatly appreciated.
From: clund at tax.state.vt.us (Claus Lund)
Date: Tue, 9 May 2006 10:36:37 -0400
Subject: [stunnel-users] Installing Stunnel on AIX5.3
In-Reply-To: <20060509142017.46660.qmail@web8603.mail.in.yahoo.com>
Message-ID: <005201c67375$fa4b13f0$0200fea9@vttaxnet.tax.state.vt.us>

It will work on AIX5.3 ... but I don't have the compile doc handy so I can't help with the first part of your questions.

-Claus

-----Original Message-----
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Shinoy
Sent: Tuesday, May 09, 2006 10:20 AM
To: stunnel-users at mirt.net
Subject: [stunnel-users] Installing Stunnel on AIX5.3

Hi,

I want to install Stunnel on AIX 5.3 and configure it. I was trying to find some documentation and also to know if it will work on AIX 5.3. Any help is greatly appreciated.
From: Erez.Nadav at verint.com (Nadav, Erez)
Date: Mon, 8 May 2006 19:10:23 +0300
Subject: [stunnel-users] stunnel use with TLS
Message-ID: <13DD73899260DF4F81FA8ED9BA953F17651B26@tlvmail3.IL.Corp.Verintsystems.com>

Hi all,

1. Can I use stunnel as a client which connects in TLS protocol?
2. I am using Stunnel 4.14 in client mode and trying to connect in TLS protocol to a certain server. The connection failed with the following log file:

2006.05.03 10:42:52 LOG7[2388:1756]: connect_wait: waiting 10 seconds
2006.05.03 10:42:52 LOG7[2388:1756]: connect_wait: connected
2006.05.03 10:42:52 LOG7[2388:1756]: Remote FD=244 initialized
2006.05.03 10:42:52 LOG7[2388:1756]: TCP_NODELAY option set on remote socket
2006.05.03 10:42:52 LOG7[2388:1756]: SSL state (connect): before/connect initialization
2006.05.03 10:42:52 LOG7[2388:1756]: SSL state (connect): SSLv3 write client hello A
2006.05.03 10:42:52 LOG7[2388:1756]: SSL alert (write): fatal: handshake failure
2006.05.03 10:42:52 LOG3[2388:1756]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I had tried to configure the stunnel configuration file with options = NO_SSLv3, but nothing changed.

Did I miss anything? Can anybody help?

Thanks
Nadav Erez
R&D
Verint Systems Ltd.
Phone: +972-9-962-4753
Cell: +972-54-778-4753
Email: erez.nadav at verint.com
Web: www.verint.com
From: sgifford at suspectclass.com (Scott Gifford)
Date: Tue, 09 May 2006 21:45:57 -0400
Subject: [stunnel-users] stunnel use with TLS
In-Reply-To: <13DD73899260DF4F81FA8ED9BA953F17651B26@tlvmail3.IL.Corp.Verintsystems.com> (Erez Nadav's message of "Mon, 8 May 2006 19:10:23 +0300")
References: <13DD73899260DF4F81FA8ED9BA953F17651B26@tlvmail3.IL.Corp.Verintsystems.com>

"Nadav, Erez" writes:

> Hi all,
>
> 1. Can I use stunnel as a client which connects in TLS protocol ?

Assuming you mean over a channel that starts off plaintext and is later converted to encryption, the command to start TLS is usually specific to the application protocol. What protocol are you using? For example, SMTP, IMAP, ?...

---Scott.

From: darques at uoc.edu (David Arques Perolada)
Date: Wed, 10 May 2006 06:05:25 +0200
Subject: [stunnel-users] problems installing stunnel 4.15
Message-ID: <2654668.1147233952650.JavaMail.root@bermudas>

I get the following message after doing "make":

/usr/lib/gcc/i586-suse-linux/4.0.2/../../../../i586-suse-linux/bin/ld: cannot find -lwrap
collect2: ld returned 1 exit status
make[1]: *** [stunnel] Error 1
make[1]: Leaving directory `/root/Stunnel/stunnel-4.15/src'
make: *** [all-recursive] Error 1

All help will be welcome.

Thanks in advance
David Arques i Perolada
E-Mail : darques at uoc.edu

From: Erez.Nadav at verint.com (Nadav, Erez)
Date: Wed, 10 May 2006 13:19:00 +0300
Subject: [stunnel-users] stunnel use with TLS
Message-ID: <13DD73899260DF4F81FA8ED9BA953F17651E5C@tlvmail3.IL.Corp.Verintsystems.com>

I am using a simple TCP/IP connection, which fails on the first hello message.

-----Original Message-----
From: Scott Gifford [mailto:sgifford at suspectclass.com]
Sent: Wednesday, May 10, 2006 4:46 AM
To: Nadav, Erez
Cc: stunnel-users at mirt.net
Subject: Re: [stunnel-users] stunnel use with TLS

"Nadav, Erez" writes:

> Hi all,
>
> 1. Can I use stunnel as a client which connects in TLS protocol ?

Assuming you mean over a channel that starts off plaintext and is later converted to encryption, the command to start TLS is usually specific to the application protocol. What protocol are you using? For example, SMTP, IMAP, ?...

---Scott.
From: Erez.Nadav at verint.com (Nadav, Erez)
Date: Wed, 10 May 2006 21:23:14 +0300
Subject: [stunnel-users] need HELP!! HELP!! with stunnel compile
Message-ID: <13DD73899260DF4F81FA8ED9BA953F17651F8D@tlvmail3.IL.Corp.Verintsystems.com>

Hi all stunnel users.

I want to debug and fix some TLS bugs with stunnel. I loaded the stunnel 4.14 sources but I failed to compile them with Visual Studio 6, under a Windows 2000 environment.

1. Does anybody have the dsp file to be used under VC6++ for proper stunnel compilation???
2. Do I need any other libraries beside openssl to link?

I will appreciate any help.

Regards
Erez
From: stunnelhelp at gmail.com (Steve Cohen)
Date: Fri, 12 May 2006 02:16:20 +0430
Subject: [stunnel-users] SSL2Proxy
Message-ID: <9bb6234d0605111446o5b73bd48uba9af5f3eb8df0ea@mail.gmail.com>

Hello all,

I'm trying to get around content based(notHostBased) int*rn*t cen$0ring. (don't want this page to be indexed with that keyword, so please don't write it in your response).

This is what I need to do: Set Browser on client machine to use , but I want content to be encrypted. The proxy is trusted(ownedByMe), everything else in between is not, after the proxy everything is trusted.

So this would be the setup:

SetupA: ClientBrowser <> STunnelOnRemoteServer <> LocalProxyServerOnSameServer(Squid) <> RestOfTheInternet

And NOT this:

SetupB: Browser<>LocalSTunnel<>RemoteSTunnel<>Proxy<>RestOfTheInternet

Because I don't want any special kind of configuration on the client's local machine except for setting the proxy. (I am currently doing this via ssh tunneling)

-I have squid running on remote server listening on 3128 and it works
-I have stunnel running on remote server listening on 8686 and forwarding to localhost:3128,
-I have Firefox set to use as proxy

But when trying to use it, Firefox says connection reset....

Please tell me why this is happening and what I need to do. Feel free to make any suggestions you want, I won't be annoyed if you tell me something I already know.

Thanks.
From: ludovic.duflot at univ-savoie.fr (Ludovic DUFLOT)
Date: Fri, 12 May 2006 07:06:35 +0200
Subject: [stunnel-users] certificate unknown - error:14094416
Message-ID: <446417DB.3000305@univ-savoie.fr>

Hi,

I tried to use stunnel to connect in SSL to a LDAP server. But I can't and I've got this error message: certificate unknown

The certificate is self-signed. If I use stunnel for establishing a connection with an IMAPS server with a self-signed certificate too, all is right, but not for the LDAP connection. I searched on the list's archives and with google but I can't find any solution... Help !!!

Ludo

ps: these are the stunnel.conf and the log:

***************************
cert = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Some debugging stuff useful for troubleshooting
debug = 7
;output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[ldaps]
accept = 389
connect = 10.0.0.1:636
verify = 0

[imaps]
accept = 143
connect = 10.0.0.2:993
***************************

2006.05.03 07:52:50 LOG7[4436:5780]: ldaps connecting 10.0.0.1:636
2006.05.03 07:52:50 LOG7[4436:5780]: connect_wait: waiting 10 seconds
2006.05.03 07:52:50 LOG7[4436:5780]: connect_wait: connected
2006.05.03 07:52:50 LOG7[4436:5780]: Remote FD=244 initialized
2006.05.03 07:52:50 LOG7[4436:5780]: TCP_NODELAY option set on remote socket
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): before/connect initialization
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client hello A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server hello A
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=1, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=DSI CA/emailAddress=admin at univ-savoie.fr
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=1, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=DSI CA/emailAddress=admin at univ-savoie.fr
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=1, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=DSI CA/emailAddress=admin at univ-savoie.fr
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=0, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=ldap-bourget.univ-savoie.fr
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server certificate A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server certificate request A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server done A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client certificate A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client key exchange A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write certificate verify A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write change cipher spec A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write finished A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 flush data
2006.05.03 07:52:50 LOG7[4436:5780]: SSL alert (read): fatal: certificate unknown
2006.05.03 07:52:50 LOG3[4436:5780]: SSL_connect: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2006.05.03 07:52:50 LOG5[4436:5780]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.05.03 07:52:50 LOG7[4436:5780]: ldaps finished (0 left)
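An added triage helper, not part of any post here and not stunnel's code: it reads the "SSL state", "SSL alert" and "SSL_connect" lines that stunnel 4.x writes at debug = 7 and reports which side sent the fatal alert and at which handshake state, for this ldaps log and for the "wrong version number" log Erez posted under "stunnel use with TLS". The sample lines are excerpts from those two posts; the diagnosis strings are this example's own wording.

```python
"""Triage stunnel debug = 7 handshake logs: who aborted, and at which state.

Added example (not stunnel code, not from the posts): it reads the
"SSL state", "SSL alert" and "SSL_connect" lines that stunnel 4.x writes at
debug = 7 and attributes the failure to the local side or the peer.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# "2006.05.03 10:42:52 LOG7[2388:1756]: <message>"
PREFIX_RE = re.compile(r"^\S+ \S+ LOG(\d)\[[^\]]*\]: (.*)$")
STATE_RE = re.compile(r"^SSL state \((connect|accept)\): (.+)$")
ALERT_RE = re.compile(r"^SSL alert \((read|write)\): (fatal|warning): (.+)$")
ERROR_RE = re.compile(r"^(SSL_connect|SSL_accept): [0-9A-Fa-f]+: error:[0-9A-Fa-f]+:(.+)$")


@dataclass
class HandshakeReport:
    mode: Optional[str] = None             # "connect" (client mode) or "accept" (server mode)
    states: List[str] = field(default_factory=list)
    alert_direction: Optional[str] = None  # "read": the peer sent it; "write": this side sent it
    alert: Optional[str] = None
    error: Optional[str] = None            # OpenSSL reason, e.g. "SSL routines:...:wrong version number"
    peer_requested_client_cert: bool = False

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None

    def diagnosis(self) -> str:
        where = f" after '{self.last_state}'" if self.last_state else ""
        if self.error and self.error.endswith("wrong version number"):
            # The record layer received bytes whose version field is not 3.x:
            # the peer answered with something other than a TLS record.
            return ("peer answered with data that is not a TLS record" + where +
                    ": the connect target is not speaking TLS on that port "
                    "(a plaintext service, or a protocol that needs STARTTLS first)")
        if self.alert_direction == "read":
            text = f"peer sent fatal alert '{self.alert}'" + where
            if self.mode == "connect" and self.peer_requested_client_cert:
                text += ("; the peer had asked for a client certificate and rejected "
                         "the one this side presented (check which CA the peer trusts)")
            return text
        if self.alert_direction == "write":
            return f"this side aborted the handshake with fatal alert '{self.alert}'" + where
        return "no fatal alert or SSL error recorded"


def parse_stunnel_log(lines: Iterable[str]) -> HandshakeReport:
    rep = HandshakeReport()
    for raw in lines:
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        s = STATE_RE.match(msg)
        if s:
            rep.mode = rep.mode or s.group(1)
            rep.states.append(s.group(2))
            if s.group(2) == "SSLv3 read server certificate request A":
                rep.peer_requested_client_cert = True
            continue
        a = ALERT_RE.match(msg)
        if a and a.group(2) == "fatal":
            rep.alert_direction, rep.alert = a.group(1), a.group(3)
            continue
        e = ERROR_RE.match(msg)
        if e:
            rep.error = e.group(2)
    return rep


# Sample 1: excerpt of the client-mode log posted under "stunnel use with TLS".
WRONG_VERSION_LOG = """\
2006.05.03 10:42:52 LOG7[2388:1756]: SSL state (connect): before/connect initialization
2006.05.03 10:42:52 LOG7[2388:1756]: SSL state (connect): SSLv3 write client hello A
2006.05.03 10:42:52 LOG7[2388:1756]: SSL alert (write): fatal: handshake failure
2006.05.03 10:42:52 LOG3[2388:1756]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
""".splitlines()

# Sample 2: excerpt of the ldaps log (verify = 0, so the VERIFY line is not used here).
CERT_UNKNOWN_LOG = """\
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): before/connect initialization
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client hello A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server hello A
2006.05.03 07:52:50 LOG5[4436:5780]: VERIFY IGNORE: depth=0, /C=FR/ST=Savoie/L=Chambery/O=Universite de Savoie/OU=DSI/CN=ldap-bourget.univ-savoie.fr
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server certificate A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server certificate request A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 read server done A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write client certificate A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 write finished A
2006.05.03 07:52:50 LOG7[4436:5780]: SSL state (connect): SSLv3 flush data
2006.05.03 07:52:50 LOG7[4436:5780]: SSL alert (read): fatal: certificate unknown
2006.05.03 07:52:50 LOG3[4436:5780]: SSL_connect: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
""".splitlines()

if __name__ == "__main__":
    for name, log in (("wrong version", WRONG_VERSION_LOG), ("ldaps", CERT_UNKNOWN_LOG)):
        print(f"{name}: {parse_stunnel_log(log).diagnosis()}")
```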
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Fri, 12 May 2006 09:08:15 +0200
Subject: [stunnel-users] SSL2Proxy
In-Reply-To: <9bb6234d0605111446o5b73bd48uba9af5f3eb8df0ea@mail.gmail.com>
References: <9bb6234d0605111446o5b73bd48uba9af5f3eb8df0ea@mail.gmail.com>
Message-ID: <4464345F.6080704@mobi-com.net>

Steve Cohen wrote:
> I'm tyring to get around content based(notHostBased) int*rn*t cen$0ring.

Did you consider using tor?
http://tor.eff.org/

Best regards,
Mike

From: penghe at intelliquant.com (Peng He)
Date: Fri, 12 May 2006 16:45:21 -0500
Subject: [stunnel-users] Need a help in installation

Hi,

I want to install Stunnel 4.15 on a MAC OS X machine. Somehow I do not have the right to make any directory in /usr so I can not install Stunnel in /usr/local. How do I install Stunnel into a different directory?

Thanks
Peng

From: stunnel at rsw.co.za (Craig)
Date: Mon, 15 May 2006 08:15:36 +0200
Subject: [stunnel-users] Need a help in installation

Don't know Mac, but can't you pass a prefix like in Linux to specify another directory, for example your home directory?

./configure --prefix=/your/destination/directory

Hope this helps

Craig

_____
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Peng He
Sent: 12 May 2006 11:45 PM
To: stunnel-users at mirt.net
Subject: [stunnel-users] Need a help in installation

Hi,

I want to install Stunnel 4.15 on a MAC OS X machine. Somehow I do not have the right to make any directory in /usr so I can not install Stunnel in /usr/local. How do I install Stunnel into a different directory?

Thanks
Peng
From: M.Weiser at science-computing.de (Michael Weiser)
Date: Tue, 16 May 2006 15:42:17 +0200
Subject: [stunnel-users] stunnel-4.15 segfaulting and looping under FreeBSD-CURRENT
Message-ID: <20060516134216.GB32508@science-computing.de>

Hi,

I've run into the problem mentioned in:

> Scott Tuc Ellentuch at T-B-O-H ml at t-b-o-h.net
> Fri Apr 21 23:45:11 CEST 2006
> Hi,
> I just did a portupgrade in FreeBSD from 4.14 to 4.15, and now it
> seems to be looping the command that I asked it, instead of just doing
> it once. Has there been an option added I need to tell it to just do
> once?
> Thanks, Tuc

I'm running stunnel in client mode. It execs uucico which receives and sends uucp jobs via stdin/stdout. The first call to uucico actually succeeds. It seems like stunnel is segfaulting and then re-exec-ing when it would normally quit. A core file is created in the current directory. But stunnel never quits and indefinitely continues to re-exec itself.

Has there been any progress in solving this problem?
--
Thanks,
Michael

From: penghe at intelliquant.com (Peng He)
Date: Tue, 16 May 2006 12:11:27 -0500
Subject: [stunnel-users] Re: Re:Need a help in installation (Craig)
In-Reply-To: <20060515100006.E71841C1ED@linode.mirt.net>

Thanks a lot! Craig. I use your method:

./configure --prefix=/stunnel2

It seems that installation is successful. It successfully generates a directory ./stunnel2, in which there are six subdirectories: etc lib man sbin share var

But when I run the stunnel command in the terminal window, it does not take it as a command. Is it supposed to run the stunnel command after the installation or not? Is there anything missing in the Mac machine before it can run stunnel?

Thanks
Peng
From: Michal.Trojnara at mobi-com.net (Michal Trojnara)
Date: Tue, 16 May 2006 19:14:32 +0200
Subject: [stunnel-users] stunnel-4.15 segfaulting and looping under FreeBSD-CURRENT
In-Reply-To: <20060516134216.GB32508@science-computing.de>
References: <20060516134216.GB32508@science-computing.de>

On 2006-05-16, at 15:42, Michael Weiser wrote:
> It seems like stunnel is segfaulting and then re-exec-ing when
> it would normally quit. A core file is created in the current
> directory.

Can you send us a stack backtrace of this core dump?
http://www.gentoo.org/proj/en/qa/backtraces.xml?style=printable

Best regards,
Mike
From: stunnel at rsw.co.za (Craig)
Date: Wed, 17 May 2006 13:19:37 +0200
Subject: FW: [stunnel-users] Re: Re:Need a help in installation (Craig)

Oops, mailed it directly to Peng :-0, Sorry for that ;-)

Re:Need a help in installation (Craig)

> Thanks a lot! Craig. I use your method:
> ./configure --prefix=/stunnel2

No Problem ;-)

> It seems that installation is successful. It successfully generates a
> directory ./stunnel2, in which there are six subdirectories: etc lib man
> sbin share var

That looks right

> But when I run the stunnel command in the terminal window, it does not take it as
> a command. Is it supposed to run the stunnel command after the installation or
> not? Is there anything missing in the Mac machine before it can run stunnel?

If you go to the directory "/stunnel2/sbin" without quotes, do you see 2 files named stunnel and stunnel3? If you see these files, you can execute the stunnel file with something like

./stunnel --help

to display the options available to you for the daemon to run.

Let me know if there is something else you require ;)

Regards,
Craig

> Thanks
> Peng
_______________________________________________
stunnel-users mailing list
stunnel-users at mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
From: M.Weiser at science-computing.de (Michael Weiser)
Date: Wed, 17 May 2006 17:52:47 +0200 (CEST)
Subject: [stunnel-users] stunnel-4.15 segfaulting and looping under FreeBSD-CURRENT
References: <20060516134216.GB32508@science-computing.de>
Message-ID: <45611.192.168.1.13.1147881167.squirrel@webmail.science-computing.de>

Michal Trojnara wrote:
> On 2006-05-16, at 15:42, Michael Weiser wrote:
>> It seems like stunnel is segfaulting and then re-exec-ing when
>> it would normally quit. A core file is created in the current
>> directory.
>
> Can you send us a stack backtrace of this core dump?
> http://www.gentoo.org/proj/en/qa/backtraces.xml?style=printable

I recompiled it without any patches and "-ggdb -O1". The problem persists and the backtrace reads:

[root at khazad-dum:/home/michael/stunnel-4.15] gdb src/stunnel --core stunnel.core --batch -ex "thread apply all bt full" -ex "quit"
Core was generated by `stunnel'.
Program terminated with signal 11, Segmentation fault.
#0  0x280caf44 in SSL_get_peer_certificate () from /usr/lib/libssl.so.4
[New LWP 100077]

I'm now retrying with a freshly compiled openssl-0.9.8b to see if that has anything to do with anything.
--
Thanks,
Micha
From: M.Weiser at science-computing.de (Michael Weiser)
Date: Wed, 17 May 2006 18:01:36 +0200 (CEST)
Subject: [stunnel-users] stunnel-4.15 segfaulting and looping under FreeBSD-CURRENT
In-Reply-To: <45611.192.168.1.13.1147881167.squirrel@webmail.science-computing.de>
References: <20060516134216.GB32508@science-computing.de> <45611.192.168.1.13.1147881167.squirrel@webmail.science-computing.de>
Message-ID: <45708.192.168.1.13.1147881696.squirrel@webmail.science-computing.de>

Michael Weiser wrote:
> I'm now retrying with a freshly compiled openssl-0.9.8b to see if that has
> anything to do with anything.

The problem persists with openssl-0.9.8b:

# gdb src/stunnel --core stunnel.core --batch -ex "thread apply all bt full" -ex "quit"
Core was generated by `stunnel'.
Program terminated with signal 11, Segmentation fault.
#0  0x280d07b5 in SSL_get_peer_certificate () from ../bin/openssl-0.9.8b/lib/libssl.so.0.9.8
[New LWP 100077]

--
bye,
Micha
From: srilalitha.m at hcl.in (Srilalitha Muralidhara(HCL Capital Market Services))
Date: Mon, 22 May 2006 12:01:58 +0530
Subject: [stunnel-users] SSL23_GET_CLIENT_HELLO:unknown protocol
Message-ID: <7D9386E4B8FE7F41B26D65E1F91278F101ECC043@DSL-EXCHBE.DSL.HCLTECH.COM>

Hi

I am getting the SSL23_GET_CLIENT_HELLO:unknown protocol error in stunnel. Any guesses about the cause of the problem? Here is the complete log:

2006.05.22 07:01:55 LOG5[734:1]: stunnel 4.15 on sparc-sun-solaris2.6 with OpenSSL 0.9.8b 04 May 2006
2006.05.22 07:01:55 LOG5[734:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
2006.05.22 07:01:55 LOG6[734:1]: file ulimit = 64 (can be changed with 'ulimit -n')
2006.05.22 07:01:55 LOG6[734:1]: poll() used - no FD_SETSIZE limit for file descriptors
2006.05.22 07:01:55 LOG5[734:1]: 29 clients allowed
2006.05.22 07:01:55 LOG7[734:1]: FD 5 in non-blocking mode
2006.05.22 07:01:55 LOG7[734:1]: FD 6 in non-blocking mode
2006.05.22 07:01:55 LOG7[734:1]: FD 7 in non-blocking mode
2006.05.22 07:01:55 LOG7[734:1]: SO_REUSEADDR option set on accept socket
2006.05.22 07:01:55 LOG7[734:1]: rssvr bound to 10.140.42.11:25433
2006.05.22 07:01:55 LOG7[735:1]: Created pid file /home/sri/stunnel/var/lib/stunnel/stunnel.pid
2006.05.22 07:04:09 LOG7[735:1]: rssvr accepted FD=0 from 10.140.42.11:44360
2006.05.22 07:04:09 LOG7[735:4]: rssvr started
2006.05.22 07:04:09 LOG7[735:4]: FD 0 in non-blocking mode
2006.05.22 07:04:09 LOG7[735:4]: TCP_NODELAY option set on local socket
2006.05.22 07:04:09 LOG7[735:4]: FD 1 in non-blocking mode
2006.05.22 07:04:09 LOG7[735:4]: FD 2 in non-blocking mode
2006.05.22 07:04:09 LOG7[735:4]: Connection from 10.140.42.11:44360 permitted by libwrap
2006.05.22 07:04:09 LOG5[735:4]: rssvr connected from 10.140.42.11:44360
2006.05.22 07:04:09 LOG7[735:1]: Cleaning up the signal pipe
2006.05.22 07:04:09 LOG6[735:1]: Child process 938 finished with code 0
2006.05.22 07:04:09 LOG7[735:4]: SSL state (accept): before/accept initialization
2006.05.22 07:04:09 LOG3[735:4]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2006.05.22 07:04:09 LOG5[735:4]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.05.22 07:04:09 LOG7[735:4]: rssvr finished (0 left)

Thanks,
Sri

Disclaimer:
***********
The contents of this E-mail (including the contents of the enclosure(s) or attachment(s) if any) are privileged and confidential material of HCL Capital Market Services and should not be disclosed to, used by or copied in any manner by anyone other than the intended addressee(s). In case you are not the desired addressee, you should delete this message and/or re-direct it to the sender. The views expressed in this E-mail message (including the enclosure(s) or attachment(s) if any) are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of HCL Capital Market Services. This e-mail message including attachment/(s), if any, is believed to be free of any virus. However, it is the responsibility of the recipient to ensure that it is virus free and HCL Capital Market Services is not responsible for any loss or damage arising in any way from its use.
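The SSL_accept error in Sri's log comes from OpenSSL's version-negotiating accept path, which looks at the first bytes of the connection. The following is an added example, not stunnel or OpenSSL code: it applies the same two checks (SSLv3/TLS handshake record, or SSLv2-format ClientHello) to a captured byte string, so an operator can see whether the client that was reset ever sent a TLS hello; the sample hellos and the HTTP request are constructed, not captured from the poster's system.

```python
"""Classify the first bytes that reach a TLS accept port.

Added example, not stunnel or OpenSSL code: OpenSSL's SSL23_GET_CLIENT_HELLO
inspects the opening bytes of a connection and accepts either an SSLv2-format
ClientHello or an SSLv3/TLS handshake record carrying a ClientHello; when
neither check passes it reports "unknown protocol" (a few plaintext HTTP verbs
get their own reason code instead). This applies the same two checks to a
captured byte string.
"""
from typing import Tuple


def classify_first_bytes(data: bytes) -> Tuple[str, str]:
    """Return (kind, detail); kind is "tls", "sslv2" or "not-tls"."""
    if len(data) < 5:
        return "not-tls", f"only {len(data)} byte(s) received"
    # SSLv3/TLS record: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
    # then a handshake header whose first byte is 1 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        rec_len = int.from_bytes(data[3:5], "big")
        if len(data) >= 11 and data[5] == 0x01:
            hs_len = int.from_bytes(data[6:9], "big")
            return "tls", (f"ClientHello in a 03{data[2]:02x} record ({rec_len} bytes), "
                           f"client_version {data[9:11].hex()}, handshake {hs_len} bytes")
        return "not-tls", "TLS record header but not a ClientHello handshake message"
    # SSLv2-compatible hello: high bit of byte 0 set, 15-bit length, then message
    # type 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return "sslv2", f"SSLv2-format ClientHello ({length} bytes) offering version {data[3:5].hex()}"
    # Neither: show what arrived so the misdirected client can be identified.
    shown = data[:16].decode("ascii", "replace")
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")):
        hint = "plaintext HTTP request sent to the TLS port"
    else:
        hint = "no recognisable SSL/TLS hello"
    return "not-tls", f"first bytes {shown!r}: {hint}"


def build_client_hello(ciphers=(0x002F, 0x0035)) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello (zero random, no extensions)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    suites = b"".join(c.to_bytes(2, "big") for c in ciphers)
    body += len(suites).to_bytes(2, "big") + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: an SSLv2-format hello offering TLS 1.0, and a plain HTTP request.
SSLV2_HELLO = (b"\x80\x1f\x01\x03\x01\x00\x06\x00\x00\x00\x10"
               + b"\x00\x00\x2f\x00\x00\x35" + b"\x00" * 16)
PLAINTEXT_HTTP = b"GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n"

if __name__ == "__main__":
    for sample in (build_client_hello(), SSLV2_HELLO, PLAINTEXT_HTTP, b"\x16\x03"):
        print(classify_first_bytes(sample))
```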
From: aliquippa1 at o2.pl (aliquippa1)
Date: Tue, 23 May 2006 10:59:50 +0200
Subject: [stunnel-users] multiple connection
Message-ID: <190a9e5b.2a2decf8.4472cf06.af03d@o2.pl>

Hello

I have a problem with stunnel. I want to use a feature which I'm not sure is available. I want to accept a connection from a host and then connect to a few hosts. I want to have something like this:

accept = xxx.xxx.xxx.xxx:xxxx
connect = yyy.yyy.yyy.yyy:yyyy
connect = zzz.zzz.zzz.zzz:zzzz
connect = vvv.vvv.vvv.vvv:vvv

Now I want to get such a situation:
1. accept connection from xxx.
2. try to connect to yyy.
3. if it doesn't work try to connect to zzz.
4. if it doesn't work try to connect to vvv.

I wonder if it's possible, because if I use stunnel and connect from xxx it connects me only to the first host, and when I connect from xxx again it connects me to the second host, and after the third trial from xxx it connects me to vvv.

Thanx
Agnes
From: pmehta at gnr.com (Pritesh Mehta)
Date: Wed, 24 May 2006 10:46:25 +0100
Subject: [stunnel-users] Using a signed *.domain.com with ssl - Getting "unable to get local issuer certificate"
Message-ID: <1148463985.29745.17.camel@ketil>

Hello all,

I have had a good hunt around and am having trouble finding a solution.

I am using stunnel to provide encrypted pop3 access to our mail server, and we have recently purchased a signed *.XXX.com certificate from godaddy. This has been great since I can use the same cert on all our servers, and this has worked cleanly with the webservices.

However, I am having some issues with the stunnel and pop3 service. I am not entirely certain whether it is caused by the *.XXX.com certificate (although I think it unlikely) but was hoping someone more knowledgeable could enlighten me?

I currently have stunnel configured thusly:

stunnel -f \
  -A /etc/stunnel/certs/sf_issuing.pem \
  -p /etc/stunnel/certs/wildcard.XXX.com.stunnel.pem \
  -r 127.0.0.1:110

Unfortunately my users are getting warnings, and using the openssl client I get:

$ openssl s_client -connect mail.XXX.com:995
CONNECTED(00000003)
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info at valicert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
---
No client certificate CA names sent
---
SSL handshake has read 2381 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 4E550C07BDA9661C4B532A28110E5616549CB9FA72D37E5C979E3C6579F8FB99
    Session-ID-ctx:
    Master-Key: 2E588101AA098463FA40C0353009F5842FA19B1C3D48D9A0000EB2E241EFB70BB10D52FE9BC444344D49653B9FEB25F4
    Key-Arg   : None
    Start Time: 1148463445
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

I am positive this must have been covered before somewhere, but I haven't been able to find anything conclusive. Apologies if I'm covering well trodden ground :)

TIA,
--
Pritesh Mehta
Global Name Registry

_____________________________________________________
Information contained herein is Global Name Registry Proprietary Information and/or Registry Sensitive Information and is made available to you because of your interest in or affiliation with our company. This information is submitted in confidence and its disclosure to you is not intended to constitute public disclosure or authorization for disclosure to other parties. Should you have received this email and are not an intended recipient, please delete this email in its entirety. Global Name Registry is registered with the Office of the UK Information Commissioner.
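An added check, not from Pritesh's post or from stunnel: it parses the "Certificate chain" block and the "verify error" line of `openssl s_client` output, confirms that each certificate's issuer is the subject of the next one the server sent, and spells out what error 20 means at the depth where it was reported. The sample is the output above with the DNs shortened; the wording of the verdicts is this example's own.

```python
"""Check the chain a TLS server presents, from `openssl s_client` output.

Added example, not from the post and not stunnel code: it parses the
"Certificate chain" block and the "verify error" line printed by
`openssl s_client`, confirms that each certificate's issuer is the subject of
the next one, and explains what "unable to get local issuer certificate"
(error 20) means for the depth at which it was reported.
"""
import re
from typing import List, Optional, Tuple

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
DEPTH_RE = re.compile(r"^depth=(\d+) ")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_s_client(text: str):
    """Return (chain, error): chain is a list of (subject, issuer) in the order
    the server sent them; error is (depth, num, message) or None."""
    chain: List[Tuple[str, str]] = []
    error = None
    depth: Optional[int] = None
    in_chain = False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if in_chain:
            if line.strip() == "---":
                in_chain = False
                continue
            m = CHAIN_RE.match(line)
            if m:
                chain.append((m.group(2).strip(), ""))
                continue
            m = ISSUER_RE.match(line)
            if m and chain:
                chain[-1] = (chain[-1][0], m.group(1).strip())
            continue
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))      # the depth the following verify line refers to
            continue
        m = VERIFY_ERR_RE.match(line)
        if m and error is None:          # keep the first error only
            error = (depth, int(m.group(1)), m.group(2).strip())
    return chain, error


def diagnose_chain(chain, error) -> str:
    # Structural check first: each issuer must be the subject of the next certificate.
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return (f"chain is broken after depth {i}: issuer {chain[i][1]!r} does not "
                    f"match the next certificate's subject {chain[i + 1][0]!r}")
    if error is None:
        return "chain links correctly and s_client reported no verify error"
    depth, num, msg = error
    if num == 20 and depth == len(chain) - 1:
        # The server's chain ends here; the verifier could not find the next issuer locally.
        return (f"chain links correctly; the server sent {len(chain)} certificate(s) and the "
                f"issuer of the last one, {chain[-1][1]!r}, is not in the client's trust store: "
                f"either the client must trust that CA (-CAfile/-CApath for s_client, CAfile "
                f"for stunnel) or the server must also send that certificate")
    if num == 20:
        return (f"the certificate after depth {depth} has the matching subject name but was "
                f"not accepted as its issuer: compare key identifiers and signatures")
    return f"verify error {num} at depth {depth}: {msg}"


# Constructed sample: the s_client output from the post, with the DNs shortened.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
    Verify return code: 20 (unable to get local issuer certificate)
"""

if __name__ == "__main__":
    print(diagnose_chain(*parse_s_client(S_CLIENT_OUTPUT)))
```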
From: HManocha at eGain.com (Happy Manocha)
Date: Thu, 25 May 2006 02:28:35 +0530
Subject: [stunnel-users] libwrap support
Message-ID: <27C744FEEBBCD411B386000629D57616062F3D07@egmail9.egain.in>

Hello All,

Can someone throw some light on the libwrap support feature of stunnel? What is it and how can it be used?

Thanks in advance.

Regds
Happy Manocha

From: cmansilla at ulagos.cl (Carlos E. Mansilla G.)
Date: Thu, 25 May 2006 16:43:25 -0400
Subject: [stunnel-users] stunnel + socks v5
Message-ID: <447616ED.9000409@ulagos.cl>

I need to know, please, if I can accept connections from SOCKS5 clients in stunnel4. Thanks.

Carlos Mansilla

From: HManocha at eGain.com (Happy Manocha)
Date: Fri, 26 May 2006 03:27:06 +0530
Subject: [stunnel-users] DNS Spoofing
Message-ID: <27C744FEEBBCD411B386000629D57616062F3DDE@egmail9.egain.in>

Hello All,

From the website I came to know that stunnel can help against DNS spoofing. Can someone point me to how this can be achieved?

  Stunnel can help:
  - Protect interception of data
  - Prevent manipulation of data
  And, if compiled with libwrap support:
  - Defend against IP source routing (one host sending packets as if they came from somewhere else)
  - DNS spoofing (an attacker forging name server records)

Regds
Happy Manocha
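What libwrap adds is host-based access control that runs before stunnel hands the connection to TLS, and its PARANOID wildcard is the part that addresses forged name-server records: it matches any client whose reverse-DNS name does not resolve back to the address it connected from. The fragment below is an added example, not taken from the posts above or from stunnel's own documentation; it assumes a server-side service named pop3s (stunnel uses the section name as the daemon name it passes to libwrap) and the 192.0.2.0/24 range is a constructed placeholder.

```ini
# --- stunnel.conf (server side) ---
# The [pop3s] section name is the service name stunnel hands to libwrap,
# so it is the daemon name the hosts.allow/hosts.deny rules must use.
[pop3s]
accept  = 995
connect = 127.0.0.1:110

# --- /etc/hosts.deny ---
# hosts.allow is consulted first, then hosts.deny; a client matching neither
# file is admitted, so close the default for this service explicitly.
pop3s: ALL

# --- /etc/hosts.allow ---
# Admit the office range (192.0.2.0/24 is a constructed placeholder) except
# PARANOID clients: hosts whose reverse-DNS name does not resolve back to the
# connecting address, which is the check that blunts forged name-server records.
pop3s: 192.0.2.0/255.255.255.0 EXCEPT PARANOID
```

With this in place a refused client shows up in the stunnel log as not permitted by libwrap, before any certificate or data is exchanged.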
From: michael at weiser.dinsnail.net (Michael Weiser)
Date: Fri, 26 May 2006 07:29:11 +0200
Subject: [stunnel-users] stunnel-4.15 segfaulting and looping under FreeBSD-CURRENT
In-Reply-To: <45708.192.168.1.13.1147881697.squirrel@webmail.science-computing.de>
References: <20060516134216.GB32508@science-computing.de> <45611.192.168.1.13.1147881167.squirrel@webmail.science-computing.de> <45708.192.168.1.13.1147881697.squirrel@webmail.science-computing.de>
Message-ID: <20060526052911.GA14370@weiser.dinsnail.net>

On Wed, May 17, 2006 at 06:01:37PM +0200, Michael Weiser wrote:
> > I'm now retrying with a freshly compiled openssl-0.9.8b to see if that has
> > anything to do with anything.
> The problem persists with openssl-0.9.8b:
> # gdb src/stunnel --core stunnel.core --batch -ex "thread apply all bt
> full" -ex "quit"
> Core was generated by `stunnel'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x280d07b5 in SSL_get_peer_certificate () from
> ../bin/openssl-0.9.8b/lib/libssl.so.0.9.8
> [New LWP 100077]

The problem is triggered by a change to src/client.c in stunnel-4.15. client() now loops over calls to run_client() instead of doing it just once. The first, successful (!) call to run_client() seems to leave the ssl context in an undefined state, which makes the following calls to run_client() segfault in the forked child, which in turn produces the core file. My guess is that it's not actually supposed to loop if the call to run_client() is successful.

Reverting client.c to roughly 4.14 fixes the problem for me. A patch is attached. Any insights and a more permanent fix would be highly appreciated.

BTW: I configured stunnel with --with-threads=pthread. By default, ucontext is detected, which is broken in stunnel-4.14 as well. After finishing, 4.14 hangs in s_poll_wait waiting for -1 seconds on 0 fds (!?). I can provide debugging log and gdb output if needed.
--
bye, Michael

--- src/client.c~	Thu May 25 12:09:43 2006
+++ src/client.c	Thu May 25 12:49:15 2006
@@ -106,10 +106,8 @@
     if(c->opt->option.remote && c->opt->option.program) {
         /* connect and exec options specified together */
         /* -> spawn a local program instead of stdio */
-        while((c->local_rfd.fd=c->local_wfd.fd=connect_local(c))>=0) {
-            run_client(c);
-            sleep(1); /* FIXME: not a good idea in ucontext threading */
-        }
+        c->local_rfd.fd=c->local_wfd.fd=connect_local(c);
+        run_client(c);
     } else
 #endif
     {

From: p.stepowski at qut.edu.au (Paul Stepowski)
Date: Mon, 29 May 2006 14:39:27 +1000
Subject: [stunnel-users] Problem getting stunnel to chroot on Suse 10
Message-ID: <447A7AFF.1060201@qut.edu.au>

Hi list,

I'm using the stunnel package that comes standard with Suse 10.0:

  stunnel 4.10 on i686-suse-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7g 11 Apr 2005

I can tunnel ports over ssl using stunnel but the chroot directive doesn't seem to be working. E.g. my pid file is being created under / rather than /var/lib/stunnel-syslogng. The other paths in the config file are taken by stunnel as relative to / rather than the chroot directory. What am I missing?

Here's my stunnel config. I'm not passing any other flags when running stunnel.

---snip---
client = no
#debug = 7
#foreground = yes
chroot = /var/lib/stunnel-syslogng
setuid = stunnel
setgid = nogroup
pid = /stunnel.pid
#output = stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#compression = rle
#options = DONT_INSERT_EMPTY_FRAGMENTS
#verify = 2
#CApath = /certs
#CAfile = /certs/stunnel.pem
#CRLpath = /crls
#CRLfile = /etc/stunnel/crls.pem
cert = /var/lib/stunnel-syslogng/certs/stunnel.pem
---snip---

Thanks,
Paul
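Review bot: in the src/client.c hunk of Michael Weiser's patch above, the two replacement lines call run_client(c) unconditionally, whereas the removed while loop only entered run_client() when connect_local(c) returned a descriptor >= 0; with the patch, a failed connect_local() leaves local_rfd.fd and local_wfd.fd at its error return and run_client() proceeds anyway. Keep the guard, e.g. `if((c->local_rfd.fd=c->local_wfd.fd=connect_local(c))>=0) run_client(c);`, and add a comment recording why the retry loop (with its sleep(1) FIXME) was dropped, since the loop's evident purpose was to respawn the local program after each run_client() returned and a reader of 4.14-style code will otherwise look for it.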
From: trent.w.townsend at erdc.usace.army.mil (Trent Townsend)
Date: Tue, 30 May 2006 12:18:33 -0500
Subject: [stunnel-users] stunnel and bad rsa signature
Message-ID: <93999676-A0E4-4B4C-B78F-A5BDD5CA063E@erdc.usace.army.mil>

On a test environment, I successfully had stunnel securing MySQL traffic between 2 systems using a verify level of 3. However, with the production system and what I would call an identical setup (albeit with new certificates), I get the following errors (see log below). The version I'm running of stunnel is 4.11.

I saw the "bad rsa signature" message in the server's output, so I regenerated the private key file to be sure I'd used the right one. Everything seems to be in order, but it will not work. Any ideas?

Client:

2006.05.30 09:20:21 LOG5[21951:1]: stunnel 4.11 on i686-pc-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:20:21 LOG5[21951:1]: 499 clients allowed
2006.05.30 09:20:25 LOG5[21951:2]: stunnel_mysql connected from 127.0.0.1:32853
2006.05.30 09:20:25 LOG3[21951:2]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2006.05.30 09:20:25 LOG5[21951:2]: stack_info: size=65536, current=15296 (23%), maximum=15296 (23%)

Server:

2006.05.30 09:19:42 LOG7[19964:3086334176]: RAND_status claims sufficient entropy for the PRNG
2006.05.30 09:19:42 LOG6[19964:3086334176]: PRNG seeded successfully
2006.05.30 09:19:42 LOG7[19964:3086334176]: Certificate: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Key file: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Verify directory set to /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG5[19964:3086334176]: Peer certificate location /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG7[19964:3086334176]: SSL context initialized for service stunnel_mysqld
2006.05.30 09:19:42 LOG5[19964:3086334176]: stunnel 4.15 on i686-pc-linux-gnu with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:19:42 LOG5[19964:3086334176]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
2006.05.30 09:19:42 LOG6[19964:3086334176]: file ulimit = 1022 (can be changed with 'ulimit -n')
2006.05.30 09:19:42 LOG6[19964:3086334176]: poll() used - no FD_SETSIZE limit for file descriptors
2006.05.30 09:19:42 LOG5[19964:3086334176]: 499 clients allowed
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 4 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 5 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 6 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: SO_REUSEADDR option set on accept socket
2006.05.30 09:19:42 LOG7[19964:3086334176]: stunnel_mysqld bound to 0.0.0.0:606
2006.05.30 09:19:42 LOG7[19964:3086334176]: Created pid file /usr/local/var/stunnel/stunnel.pid
2006.05.30 09:20:40 LOG7[19964:3086334176]: stunnel_mysqld accepted FD=7 from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld started
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 7 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 8 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 9 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: Connection from xxx.xxx.xxx.xxx:32854 permitted by libwrap
2006.05.30 09:20:40 LOG5[19964:3086330800]: stunnel_mysqld connected from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086334176]: Cleaning up the signal pipe
2006.05.30 09:20:40 LOG6[19964:3086334176]: Child process 19967 finished with code 0
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=2, ... (Root CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=1, ... (CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=0, ... (client)
2006.05.30 09:20:40 LOG3[19964:3086330800]: error stack: 1408807A : error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature
2006.05.30 09:20:40 LOG3[19964:3086330800]: SSL_accept: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
2006.05.30 09:20:40 LOG5[19964:3086330800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld finished (0 left)

Thanks.