[stunnel-users] Problem using stunnel on Windows 7

Hal Hovland hhovland at btconnect.com
Sat Nov 17 00:17:26 CET 2012


I've spent days googling this and read everything relevant in the archives.

I'm developing a Windows 7 program that connects to a financial trading
exchange that expects all communication to be SSL'd. Everything I read said
that stunnel is the answer because of ease of installation and use. After a
day of abortive attempts to link to the exchange, I decided to create a much
simpler test environment involving two Windows 7 computers next to each
other here.

One, let's call it Riven-II (192.168.1.9), is set up with a simple Listener
program that listens on port 8000. From stunnel's viewpoint this will be a
server. The second machine, Lightning (192.168.1.158), has a simple Sender
program that sends a text message via port 7999 to Riven-II
(192.168.1.9:8000) - this will be the Client. In the absence of stunnel, all
messages sent from Lightning/Sender appear on the window of Listener. So
far so good.

I've downloaded and installed the very latest version (4.54) of stunnel on
both machines. On installation I entered the same responses to the
certificate generating process.

On the Server machine, hard wired to a Broadband Router, I configured
stunnel.conf as (removing comments for simplicity)

debug = 7
output = stunnel.log

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

cert = stunnel.pem
key = stunnel.pem

options = NO_SSLv2

taskbar=yes

[Listener]
connect=8000
accept=8001

On the Client machine, connected to the router via wi-fi, we have in
stunnel.conf

debug = 7
output = stunnel.log

cert = stunnel.pem

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

fips=no

options = NO_SSLv2

delay=yes
taskbar=yes

client=yes

[sender]
accept  = 0.0.0.0:7999       (I've tried just 7999 and 192.168.1.158:7999 here; makes no difference)
connect = 192.168.1.9:8001

I've tried many variations with the same result, but the above is where they
have ended up.

My understanding of this is that stunnel at both ends will be intercepting port
8000 on the Server and port 7999 on the Client and presenting/receiving SSL
encoded messages across the wire on port 8001.

Starting stunnel on the Server (not as a Windows service, although I did
try that as well) the following log appears:

2012.11.16 22:34:08 LOG7[3484:6184]: No limit detected for the number of clients
2012.11.16 22:34:08 LOG5[3484:6184]: stunnel 4.54 on x86-pc-msvc-1500 platform
2012.11.16 22:34:08 LOG5[3484:6184]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
2012.11.16 22:34:08 LOG5[3484:6184]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
2012.11.16 22:34:08 LOG5[3484:6184]: Reading configuration from file stunnel.conf
2012.11.16 22:34:08 LOG5[3484:6184]: FIPS mode is enabled
2012.11.16 22:34:08 LOG7[3484:6184]: Compression not enabled
2012.11.16 22:34:08 LOG7[3484:6184]: Snagged 64 random bytes from C:/.rnd
2012.11.16 22:34:08 LOG7[3484:6184]: Wrote 1024 new random bytes to C:/.rnd
2012.11.16 22:34:08 LOG7[3484:6184]: PRNG seeded successfully
2012.11.16 22:34:08 LOG6[3484:6184]: Initializing service [Listener]
2012.11.16 22:34:08 LOG7[3484:6184]: Certificate: stunnel.pem
2012.11.16 22:34:08 LOG7[3484:6184]: Certificate loaded
2012.11.16 22:34:08 LOG7[3484:6184]: Key file: stunnel.pem
2012.11.16 22:34:08 LOG7[3484:6184]: Private key loaded
2012.11.16 22:34:08 LOG7[3484:6184]: Could not load DH parameters from stunnel.pem
2012.11.16 22:34:08 LOG7[3484:6184]: Using hardcoded DH parameters
2012.11.16 22:34:08 LOG7[3484:6184]: DH initialized with 2048-bit key
2012.11.16 22:34:08 LOG7[3484:6184]: ECDH initialized with curve prime256v1
2012.11.16 22:34:08 LOG7[3484:6184]: SSL options set: 0x01000004
2012.11.16 22:34:08 LOG5[3484:6184]: Configuration successful
2012.11.16 22:34:08 LOG7[3484:6184]: Service [Listener] (FD=272) bound to 0.0.0.0:8001

On the Client, the log shows:

2012.11.16 22:25:53 LOG7[4184:4948]: No limit detected for the number of clients
2012.11.16 22:25:53 LOG5[4184:4948]: stunnel 4.54 on x86-pc-msvc-1500 platform
2012.11.16 22:25:53 LOG5[4184:4948]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
2012.11.16 22:25:53 LOG5[4184:4948]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
2012.11.16 22:25:53 LOG5[4184:4948]: Reading configuration from file stunnel.conf
2012.11.16 22:25:53 LOG5[4184:4948]: FIPS mode is disabled
2012.11.16 22:25:53 LOG7[4184:4948]: Compression not enabled
2012.11.16 22:25:53 LOG7[4184:4948]: Snagged 64 random bytes from C:/.rnd
2012.11.16 22:25:53 LOG7[4184:4948]: Wrote 1024 new random bytes to C:/.rnd
2012.11.16 22:25:53 LOG7[4184:4948]: PRNG seeded successfully
2012.11.16 22:25:53 LOG6[4184:4948]: Initializing service [sender]
2012.11.16 22:25:53 LOG7[4184:4948]: Certificate: stunnel.pem
2012.11.16 22:25:53 LOG7[4184:4948]: Certificate loaded
2012.11.16 22:25:53 LOG7[4184:4948]: Key file: stunnel.pem
2012.11.16 22:25:53 LOG7[4184:4948]: Private key loaded
2012.11.16 22:25:53 LOG7[4184:4948]: SSL options set: 0x01000004
2012.11.16 22:25:53 LOG5[4184:4948]: Configuration successful
2012.11.16 22:25:53 LOG7[4184:4948]: Service [sender] (FD=224) bound to 0.0.0.0:7999

Running the Listener on the Server and Sender on the Client adds nothing to
the log, and port sniffers on both machines show traffic between 7999 and
8000 (exactly the same as when stunnel is not running). No sign of the use
of port 8001.

I'd appreciate any input on this. I'm sure I must be doing something stupid,
but I've watched hours of YouTube videos, read many hundreds of web pages,
and been through the documentation quite a few times, to no avail.

I have a Java based version, running in a JVM on the same Windows machines,
that talks perfectly to the exchange using some inbuilt SSL capabilities of
an included library, so that should probably eliminate any hardware/router
issues?

Regards, Hal
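
As an added example, not part of Hal's post and not stunnel's own code, the Python below parses the two stunnel.conf files quoted above and derives the path a message should take: stunnel only tunnels connections that are made to its own `accept` socket, so the path starts at the Client's 7999 port, not at 192.168.1.9:8000. The constants reproduce the service sections from the post; the sniffed destination 192.168.1.9:8000 checked by `bypasses_stunnel` is taken from the description of the port sniffer output.

```python
# Added example, not from the post: parse the two stunnel.conf files quoted above
SERVER_CONF = """[Listener]
connect=8000
accept=8001
"""
CLIENT_CONF = """client=yes
[sender]
accept  = 0.0.0.0:7999
connect = 192.168.1.9:8001
"""

def parse_stunnel_conf(text):
    """Minimal parser: options before the first [section] go into the empty
    section name, options may repeat, lines starting with ';' or '#' are comments."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf[section].setdefault(key.strip(), []).append(value.strip())
    return conf

def parse_addr(value, default_host):
    """'8000' -> (default_host, 8000); 'host:8001' -> ('host', 8001)."""
    host, _, port = value.rpartition(":")
    return (host or default_host, int(port))

def expected_path(client, server):
    """Hops: app -> client stunnel accept (plain) -> server stunnel accept (TLS)
    -> listener (plain). stunnel does not intercept sockets: the app must open hop 1."""
    if client[""].get("client", ["no"])[0] != "yes":
        raise ValueError("client side needs 'client = yes'")
    csvc = next(s for s in client if s)  # single service section on each side
    ssvc = next(s for s in server if s)
    app_hop = parse_addr(client[csvc]["accept"][0], "127.0.0.1")
    tls_hop = parse_addr(client[csvc]["connect"][0], "127.0.0.1")
    if tls_hop[1] != parse_addr(server[ssvc]["accept"][0], "0.0.0.0")[1]:
        raise ValueError("client 'connect' port must equal server 'accept' port")
    plain_hop = parse_addr(server[ssvc]["connect"][0], "127.0.0.1")
    return [("plain",) + app_hop, ("tls",) + tls_hop, ("plain",) + plain_hop]

def bypasses_stunnel(path, observed_dst):
    """True when the app's observed destination is not the client accept socket."""
    (_, acc_host, acc_port), (host, port) = path[0], observed_dst
    return port != acc_port or acc_host not in ("0.0.0.0", host)
```

With the post's configuration, `bypasses_stunnel` returns True for a Sender that connects straight to 192.168.1.9:8000 and False for one that connects to 127.0.0.1:7999, which is the only way data reaches the TLS hop on 8001.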
