[stunnel-users] building browser like client application based on OpenSSL

josealf at rocketmail.com josealf at rocketmail.com
Thu Dec 22 11:02:26 CET 2011


My suggestion is that you use a higher level toolkit that internally calls OpenSSL, for example libcurl, which have binds for many programming languages.

Which development platform are you planning to use?


Regards,
Jose
-----Original Message-----
From: "Zubair Ali Mansoor" <zubair at 01systems.net>
Sender: stunnel-users-bounces at stunnel.org
Date: Thu, 22 Dec 2011 11:50:15 
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] building browser like client application based on
	OpenSSL

Hi, 

Can I develop an application based on OpenSSL such that it can communicate
with all trusted sites ? Like browser can communicates? Actually I have
desktop application that uses SSL. Now this application may communicate with
any trusted server application. How can I achieve this ? 

Thanks,

Zubair

-----Original Message-----
From: stunnel-users-bounces at stunnel.org
[mailto:stunnel-users-bounces at stunnel.org] On Behalf Of
stunnel-users-request at stunnel.org
Sent: Wednesday, December 21, 2011 9:27 PM
To: stunnel-users at stunnel.org
Subject: stunnel-users Digest, Vol 89, Issue 21

Send stunnel-users mailing list submissions to
	stunnel-users at stunnel.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://stunnel.mirt.net/mailman/listinfo/stunnel-users
or, via email, send a message with subject or body 'help' to
	stunnel-users-request at stunnel.org

You can reach the person managing the list at
	stunnel-users-owner at stunnel.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of stunnel-users digest..."


Today's Topics:

   1. Re: Configuring VeriSign certificate with STunnel
      (Michal Trojnara)
   2. stunnel segfault, please advise (Mehdi Bennani)
   3. Re: Configuring VeriSign certificate with STunnel (Ludovic LEVET)
   4. Segfault with stunnel (yassine ayachi)
   5. Re: Segfault with stunnel (Scott Damron)
   6. unsubscribe (Brian McGinity)
   7. Re: Missing bytes? (Arthur Murray)
   8. Re: Segfault with stunnel (yassine ayachi)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Dec 2011 13:30:45 +0100
From: Michal Trojnara <Michal.Trojnara at mirt.net>
To: <stunnel-users at stunnel.org>
Subject: Re: [stunnel-users] Configuring VeriSign certificate with
	STunnel
Message-ID: <f039775ca5efe5be73a2858b88f0ebc2 at mirt.net>
Content-Type: text/plain; charset=UTF-8; format=flowed

Zubair Ali Mansoor wrote:
> 2011.12.21 13:31:30 LOG3[5144:2256]: 
> SSL_CTX_use_certificate_chain_file:
> D0680A8: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
> tag

I don't think this problem is specific to stunnel:
https://encrypted.google.com/search?q=%22ASN1_CHECK_TLEN%3Awrong+tag%22+veri
sign

Mike


------------------------------

Message: 2
Date: Wed, 21 Dec 2011 07:34:19 -0500
From: Mehdi Bennani <mehdibennani at hotmail.com>
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] stunnel segfault, please advise
Message-ID: <SNT134-W33BCBEA69CFD9694C37B7EC3A50 at phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"


Hi you guys,

I proposed stunnel as a potential solution to our product about 4-5 months
ago and I am in the process of testing a prototype I have built around that
proposition. 
I am using stunnel v. 4.41. I am relatively new to stunnel myself.

The env. is as follows:
We are trying to secure an rdp connection from a java applet running in a
web browser into a windows 2008 server machine behind our firewall.
Presently, the java applet opens up an RDP connection into a machine (I will
call it the SSL machine) where Stunnel is presently installed.
Stunnel then forwards properly the incoming traffic (from portA) into its
final destination (i.e: the windows Server 2008 machine) on port B.
Further, I have configured Stunnel to use an SSL certificate. (Although, I
have not been able to test that yet to make sure it works)

Anyhow, it is all working as expected and I am pretty happy about the proof
of concept. 
However, while testing it a bit, I noticed that it was relatively easy to
bring stunnel down. The way I went about it, was to simply run a "telnet
IP_of_MySSLMachine portA" from any DOS command window from any machine with
internet access. From the Stunnel logs, I can tell that I get a response
from Stunnel and on the DOS window side, I have a cursor waiting for
input....
Writing any gibberish into that DOS windows and waiting a little bit makes
stunnel stop and die in the SSL machine. I found nothing in the stunnel log,
but grepping in the /var/log/, I found the segfault

sslmahine:/var/log/#  grep stunnel messages
kernel: [1996904.624042] stunnel [19696]:  segfault at 8 ip b768d361 sp
b7601210 error 4 in libc-2.7.so[b7621000+138000]

After another telnet execution, few days later:
sslmahine:/var/log/#  grep stunnel messages
kernel: [4930384.164316] stunnel [14540]:  segfault at 8 ip b7629b61 error 6
in libc-2.7.so[b75bd000+138000]

Basically, if I don't issue that telnet command, stunnel works properly. As
soon as I issue that command and start typing few things in that DOS
console, stunnel dies. I have to manually restart it.

Question:
I was wondering if you guys could shed some light into this behavior. Is it
a known behavior/bug? Is there a way to solve it by maybe upgrading into a
later version of stunnel?
Also, I was thinking to block telnet altogether at the firewall level, but
then I am not sure what other protocols could people use to hack into the
system...so should I block all of them? 
And, finally is there a more secure way to setup stunnel?

Thank you in advance

Mehdi/ 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://stunnel.mirt.net/pipermail/stunnel-users/attachments/20111221/63f295
a2/attachment-0001.html>

------------------------------

Message: 3
Date: Wed, 21 Dec 2011 14:09:07 +0100
From: Ludovic LEVET <llevet at ludosoft.org>
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Configuring VeriSign certificate with
	STunnel
Message-ID: <4EF1DA73.7010105 at ludosoft.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

verify the format of your cert by :

openssl x509 -inform DER -in stunnel.pem -noout -text

or

openssl x509 -inform PEM -in stunnel.pem -noout -text



Ludovic.



Le 21/12/2011 13:30, Michal Trojnara a ?crit :
> Zubair Ali Mansoor wrote:
>> 2011.12.21 13:31:30 LOG3[5144:2256]: SSL_CTX_use_certificate_chain_file:
>> D0680A8: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
>> tag
>
> I don't think this problem is specific to stunnel:
> https://encrypted.google.com/search?q=%22ASN1_CHECK_TLEN%3Awrong+tag%2
> 2+verisign
>
>
> Mike



------------------------------

Message: 4
Date: Wed, 21 Dec 2011 16:51:00 +0000
From: yassine ayachi <ayachi.yassine at gmail.com>
To: stunnel-users at stunnel.org
Subject: [stunnel-users] Segfault with stunnel
Message-ID:
	<CAKjL==brtu09bgvqcyMctFKKVvYCaGGOivDHqo9G-Qs2+uA+hw at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,

I'am trying to encrypt a connection between two hosts using stunnel.
----- here is my config file ----
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = debug
output = stunnel.log
---
[rdps]
accept = 1957
connect = remote_machine:3389

Avery think was working fine until I tried to telnet to the port 1957 on the
machine running stunnel, the process stunnel was killed alone leaving this
in /var/log/messages :

Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault at
8 ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]

Does anybody have an idea about this problem,

thanks in advance,

Yassine
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://stunnel.mirt.net/pipermail/stunnel-users/attachments/20111221/c7a37c
fc/attachment-0001.html>

------------------------------

Message: 5
Date: Wed, 21 Dec 2011 10:57:22 -0600
From: Scott Damron <sdamron at gmail.com>
To: yassine ayachi <ayachi.yassine at gmail.com>
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Segfault with stunnel
Message-ID:
	<CA+WRXa9qZUd1T2fPqAFGDH-4otxjicTx+gpy0otGjefO1N5o3g at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

You need to have an IP address for the local connection and you need the
client portion enabled as well.

Scott

On Wed, Dec 21, 2011 at 10:51 AM, yassine ayachi <ayachi.yassine at gmail.com>
wrote:
> Hi all,
>
> I'am trying to encrypt a connection between two hosts using stunnel.
> ----- here is my config file ----
> cert = /usr/local/etc/stunnel/stunnel.pem
> chroot = /usr/local/var/lib/stunnel/
> setuid = nobody
> setgid = nogroup
> pid = /stunnel.pid
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> debug = debug
> output = stunnel.log
> ---
> [rdps]
> accept = 1957
> connect = remote_machine:3389
>
> Avery think was working fine until I tried to telnet to the port 1957 
> on the machine running stunnel, the process stunnel was killed alone 
> leaving this in /var/log/messages :
>
> Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: 
> segfault at 8 ip b7629b61 sp b758d16c error 6 in 
> libc-2.7.so[b75bd000+138000]
>
> Does anybody have an idea about this problem,
>
> thanks in advance,
>
> Yassine
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>


------------------------------

Message: 6
Date: Wed, 21 Dec 2011 11:54:02 -0600
From: "Brian McGinity" <brian at databaseknowledge.com>
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] unsubscribe
Message-ID: <001401ccc009$87062fb0$95128f10$@com>
Content-Type: text/plain; charset="us-ascii"

Unsubscribe

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://stunnel.mirt.net/pipermail/stunnel-users/attachments/20111221/c8605a
c3/attachment-0001.html>

------------------------------

Message: 7
Date: Wed, 21 Dec 2011 10:04:21 -0800
From: Arthur Murray <amurrayfsf at gmail.com>
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Missing bytes?
Message-ID:
	<CAEk9t8D-tyMAYAbsNrC_oCX8853GbMBGiuLXz4OjD_pTZkXpHw at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Dec 16, 2011 at 9:32 AM, Arthur Murray <amurrayfsf at gmail.com> wrote:
>> I tried really hard to reproduce your issue, but it works just fine 
>> on each of the three machines I used for testing.
>>
>> Please send us:
>> ?- The output of "stunnel -version", and
>> ?- All lines of stunnel debug log (enable debug logging with "debug =
>> 7") corresponding to this connection.
>>
>> Mike
>
> I have put all of it here:
>
> http://pastebin.com/R7ZqSpdV

Are you able to reproduce this problem or is it just me?


------------------------------

Message: 8
Date: Wed, 21 Dec 2011 18:26:48 +0000
From: yassine ayachi <ayachi.yassine at gmail.com>
To: Scott Damron <sdamron at gmail.com>
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Segfault with stunnel
Message-ID:
	<CAKjL==bA44dj7Bojd8PVyHqHozDfOJ2h7v1WX6c96rF-fnaf=Q at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi Scott,

I am not quite sure to understand your answer. Let me add some more info to
make it clear onto how I get the segfault.:

A java applet (from web browser) is invoking the stunnel machine on the port
1957 stunnel then redirects the traffic into the remote_machine, so I only
have the server stunnel portion installed (in the stunnel machine ).

when I run a telnet on any machine connected to the internet this way:
telnet stunnel_machine 1957
the stunnel on the stunnel machine dies...with the error posted previously.

Greetings,
--
Yassine

2011/12/21 Scott Damron <sdamron at gmail.com>

> You need to have an IP address for the local connection and you need 
> the client portion enabled as well.
>
> Scott
>
> On Wed, Dec 21, 2011 at 10:51 AM, yassine ayachi 
> <ayachi.yassine at gmail.com> wrote:
> > Hi all,
> >
> > I'am trying to encrypt a connection between two hosts using stunnel.
> > ----- here is my config file ----
> > cert = /usr/local/etc/stunnel/stunnel.pem
> > chroot = /usr/local/var/lib/stunnel/ setuid = nobody setgid = 
> > nogroup pid = /stunnel.pid socket = l:TCP_NODELAY=1 socket =
> > r:TCP_NODELAY=1
> >
> > debug = debug
> > output = stunnel.log
> > ---
> > [rdps]
> > accept = 1957
> > connect = remote_machine:3389
> >
> > Avery think was working fine until I tried to telnet to the port
> > 1957 on
> the
> > machine running stunnel, the process stunnel was killed alone 
> > leaving
> this
> > in /var/log/messages :
> >
> > Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: 
> > segfault
> at 8
> > ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]
> >
> > Does anybody have an idea about this problem,
> >
> > thanks in advance,
> >
> > Yassine
> >
> >
> > _______________________________________________
> > stunnel-users mailing list
> > stunnel-users at stunnel.org
> > http://stunnel.mirt.net/mailman/listinfo/stunnel-users
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://stunnel.mirt.net/pipermail/stunnel-users/attachments/20111221/9c9a04
57/attachment.html>

------------------------------

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users


End of stunnel-users Digest, Vol 89, Issue 21
*********************************************

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users


More information about the stunnel-users mailing list