From Michal.Trojnara at mirt.net Fri Jan 2 16:23:11 2015
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Fri, 02 Jan 2015 16:23:11 +0100
Subject: [stunnel-users] stunnel 5.09 released
Message-ID: <54A6B7DF.7080404@mirt.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Users,

I have released version 5.09 of stunnel. The ChangeLog entry:

Version 5.09, 2015.01.02, urgency: LOW:
* New features
  - Added PSK authentication with two new service-level configuration
    file options "PSKsecrets" and "PSKidentity".
  - Added additional security checks to the OpenSSL memory management
    functions.
  - Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE OpenSSL
    configuration flags.
  - Added compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
  - Removed defective s_poll_error() code occasionally causing connections
    to be prematurely closed (truncated). This bug was introduced in
    stunnel 4.34.
  - Fixed ./configure systemd detection (thx to Kip Walraven).
  - Fixed ./configure sysroot detection (thx to Kip Walraven).
  - Fixed compilation against old versions of OpenSSL.
  - Removed outdated French manual page.
Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8 stunnel-5.09.tar.gz
4abbddf3c1dbedf54b14fa5a18ead11e4df6387f13189b665c2ec5759c4afd30 stunnel-5.09-installer.exe
23c33dc46cc1bfb1df77c88d3c48901822bc113dd1e67d138bcf5fb1bb3d4197 stunnel-5.09-android.zip

Best regards,
Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlSmt98ACgkQ/NU+nXTHMtGZowCfTspj4OZn8DRBUboG2S+1Qy2A
ocoAoLdZpjJU7BjERXqQakhNIPOXFojN
=/MD9
-----END PGP SIGNATURE-----

From leon.p.smith at gmail.com Wed Jan 7 15:12:39 2015
From: leon.p.smith at gmail.com (Leon Smith)
Date: Wed, 7 Jan 2015 09:12:39 -0500
Subject: [stunnel-users] Using stunnel to secure clients instead of servers
Message-ID:

Hi, this may be a slightly unusual request, but I was curious if stunnel could be used for securing clients that do not support TLS, to connect to services that optionally support TLS.

So, really, stunnel already does almost everything that would be needed; except that in this use case, it would be listening for incoming unencrypted connections, and then serve as a proxy to an encrypted connection to the actual service. While it might be nice to offer certificate-based authentication options in this scenario, it wouldn't be necessary for my intended use case, so stunnel wouldn't need access to any private certificates. However, certificate pinning would be pretty essential to what I have in mind.

Best,
Leon.
From lholzheid at bihl-wiedemann.de Wed Jan 7 15:31:06 2015
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Wed, 7 Jan 2015 15:31:06 +0100
Subject: [stunnel-users] Using stunnel to secure clients instead of servers
In-Reply-To:
References:
Message-ID: <20150107143106.GB2954@shadow.bihl-wiedemann.de>

On Wed, 2015-01-07 09:12:39 -0500, Leon Smith wrote:
> Hi, this may be a slightly unusual request, but I was curious if stunnel
> could be used for securing clients that do not support TLS, to connect to
> services that optionally support TLS.
>
> So, really, stunnel already does almost everything that would be needed;
> except that in this use case, it would be listening for incoming
> unencrypted connections, and then serve as a proxy to an encrypted
> connection to the actual service. While it might be nice to offer
> certificate-based authentication options in this scenario, it wouldn't be
> necessary for my intended use case, so stunnel wouldn't need access to any
> private certificates. However, certificate pinning would be pretty
> essential to what I have in mind.

Leon,

I'm not sure I understood your request, but isn't 'client = yes' what you are looking for?

Ludolf

--
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany

Tel: +49 621 33996-0
Fax: +49 621 3392239

mailto:lholzheid at bihl-wiedemann.de
http://www.bihl-wiedemann.de

Registered office: Mannheim
Managing directors: Jochen Bihl, Bernhard Wiedemann
Mannheim Local Court, HRB 5796

From leon.p.smith at gmail.com Wed Jan 7 16:11:39 2015
From: leon.p.smith at gmail.com (Leon Smith)
Date: Wed, 7 Jan 2015 10:11:39 -0500
Subject: [stunnel-users] Using stunnel to secure clients instead of servers
In-Reply-To: <20150107143106.GB2954@shadow.bihl-wiedemann.de>
References: <20150107143106.GB2954@shadow.bihl-wiedemann.de>
Message-ID:

Actually, that may be it, thank you. I definitely overlooked this option when I browsed the man page.
I'll pass on this information to some interested parties and give them a chance to make it work. And I'll probably try this myself at some point soon.

(Incidentally, it's an HTTP client that doesn't support HTTPS, even though the server does, so it appears I'll need protocol=connect and CAfile=... for certificate pinning as well.)

Best,
Leon

On Wed, Jan 7, 2015 at 9:31 AM, Ludolf Holzheid wrote:
> On Wed, 2015-01-07 09:12:39 -0500, Leon Smith wrote:
> > Hi, this may be a slightly unusual request, but I was curious if stunnel
> > could be used for securing clients that do not support TLS, to connect to
> > services that optionally support TLS.
> >
> > So, really, stunnel already does almost everything that would be needed;
> > except that in this use case, it would be listening for incoming
> > unencrypted connections, and then serve as a proxy to an encrypted
> > connection to the actual service. While it might be nice to offer
> > certificate-based authentication options in this scenario, it wouldn't be
> > necessary for my intended use case, so stunnel wouldn't need access to any
> > private certificates. However, certificate pinning would be pretty
> > essential to what I have in mind.
>
> Leon,
>
> I'm not sure I understood your request, but isn't 'client = yes' what
> you are looking for?
>
> Ludolf
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
From lholzheid at bihl-wiedemann.de Wed Jan 7 17:01:00 2015
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Wed, 7 Jan 2015 17:01:00 +0100
Subject: [stunnel-users] Using stunnel to secure clients instead of servers
In-Reply-To:
References: <20150107143106.GB2954@shadow.bihl-wiedemann.de>
Message-ID: <20150107160100.GA9341@shadow.bihl-wiedemann.de>

On Wed, 2015-01-07 10:11:39 -0500, Leon Smith wrote:
> Actually, that may be it, thank you. I definitely overlooked this
> option when I browsed the man page. I'll pass on this information to some
> interested parties and give them a chance to make it work. And I'll
> probably try this myself at some point soon.
>
> (Incidentally, it's an HTTP client that doesn't support HTTPS, even though
> the server does, so it appears I'll need protocol=connect and CAfile=...
> for certificate pinning as well.)

I don't know your setup, but if there is no proxy involved, you don't need the 'protocol=...' option. For certificate pinning, you'll certainly need 'CAfile=...' or 'CApath=...', and 'verify=LEVEL' with LEVEL not below 2.

HTH,

Ludolf

From leon.p.smith at gmail.com Wed Jan 7 18:41:20 2015
From: leon.p.smith at gmail.com (Leon Smith)
Date: Wed, 7 Jan 2015 12:41:20 -0500
Subject: [stunnel-users] Using stunnel to secure clients instead of servers
In-Reply-To: <20150107160100.GA9341@shadow.bihl-wiedemann.de>
References: <20150107143106.GB2954@shadow.bihl-wiedemann.de> <20150107160100.GA9341@shadow.bihl-wiedemann.de>
Message-ID:

On Wed, Jan 7, 2015 at 11:01 AM, Ludolf Holzheid <lholzheid at bihl-wiedemann.de> wrote:
> I don't know your setup, but if there is no proxy involved, you don't
> need the 'protocol=...' option.
> For certificate pinning, you'll
> certainly need 'CAfile=...' or 'CApath=...', and 'verify=LEVEL' with
> LEVEL not below 2

Hmm, what do you mean by "no proxy involved?" Unless I'm modifying the source, wouldn't using stunnel essentially always be a proxy?

To be even more explicit, the HTTP client is cabal-install, which is a program that downloads and compiles code from the Hackage public source code repository for Haskell. cabal-install is HTTP only, whereas Hackage supports both HTTP and HTTPS. I _could_ modify cabal-install, as it is free, libre, and open source software, but for reasons both good and bad, getting the changes pushed upstream is problematic. So I was curious about finding a quick workaround for those concerned about possible MITM attacks injecting malicious code into the packages, and came up with the idea of a stunnel or nginx proxy. (Some of the people who run Hackage are working on code signing, but who knows when that'll finally be available...)

Perhaps the man page would make a little bit more sense to me on this count if I had a better understanding of the TLS protocol and how it relates to https, but that's not something I honestly know all that much about. As it stands the man page is a bit opaque to me on this topic...

Best,
Leon

From lholzheid at bihl-wiedemann.de Wed Jan 7 20:09:36 2015
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Wed, 7 Jan 2015 20:09:36 +0100
Subject: [stunnel-users] Using stunnel to secure clients instead of servers
In-Reply-To:
References: <20150107143106.GB2954@shadow.bihl-wiedemann.de> <20150107160100.GA9341@shadow.bihl-wiedemann.de>
Message-ID: <20150107190936.GB9341@shadow.bihl-wiedemann.de>

On Wed, 2015-01-07 12:41:20 -0500, Leon Smith wrote:
> [..]
>
> Hmm, what do you mean by "no proxy involved?" Unless I'm modifying the
> source, wouldn't using stunnel essentially always be a proxy?

No.
Stunnel does not mimic an HTTP proxy. It's rather something like a TCP port forwarder, with the addition of encrypting/decrypting while forwarding.

> To be even more explicit, the HTTP client is cabal-install, which is a
> program that downloads and compiles code from the Hackage public source
> code repository for Haskell. cabal-install is HTTP only, whereas
> Hackage supports both HTTP and HTTPS.

This will be easy to set up if hackage.haskell.org uses relative URLs (this seems to be the case)¹ and you can tell cabal-install to use 'http://localhost:' instead of 'http://hackage.haskell.org'.

HTH,

Ludolf

¹ That is, hackage.haskell.org links to e.g. clckwrks-0.22.4.tar.gz as instead of .

From sivakumar.s.k.k at gmail.com Tue Jan 13 13:57:00 2015
From: sivakumar.s.k.k at gmail.com (Siva Kumar)
Date: Tue, 13 Jan 2015 18:27:00 +0530
Subject: [stunnel-users] HTTPS support for the webserver using STUNNEL
Message-ID:

Hi All,

I am fairly new to stunnel and also to the networking concepts.

Currently we are working on a surveillance device running on MontaVista Linux on the ARM11 architecture. We have cross compiled and deployed a THTTPD server which is working fine. Once you connect to the device using any web client (from a Windows PC), it will take you to a web page where you can select and stream live videos from all the cameras connected to the device. So far everything is working fine now.

Now the real problem is that we need to support HTTPS as well along with HTTP. Since the THTTPD web server doesn't support secure connections we thought we would accomplish that using the stunnel application.
We were able to download and cross compile the stunnel application for the device.

Now the doubts I have here are:

1) Do we need a stunnel server application running on the Windows PC from where we will be using the web browser to connect to the client?

2) Where should the stunnel server and stunnel client be running? I mean, should the Linux device be running the stunnel client and the Windows PC be running the stunnel server? In that case what should be the correct accept and connect parameters in the stunnel.conf file on both the device and the Windows PC?

3) Since the device and the machine can have any random IP and port, is it feasible to dynamically set the accept and connect parameters in the stunnel.conf file?

4) Can stunnel be considered as a solution to the problem which I have reported here? Point 3 above makes me think otherwise.

I have tried all combinations mentioned in points 1 and 2 without success. In none of the cases was my web browser able to talk to the device using HTTPS (i.e. https://my_device_ip). I could see a "client hello" request from the browser to which the client sends an ACK and RST. In some combinations an HTTPS request from the browser only triggered a TCP connection request, to which the client responded with ACK and RST.

Sorry for the long mail. Any inputs would be deeply appreciated.

Regards,
Siva

From leandro.avila at ymail.com Tue Jan 13 15:33:24 2015
From: leandro.avila at ymail.com (Leandro Avila)
Date: Tue, 13 Jan 2015 14:33:24 +0000 (UTC)
Subject: [stunnel-users] HTTPS support for the webserver using STUNNEL
In-Reply-To:
References:
Message-ID: <205618149.260475.1421159604063.JavaMail.yahoo@jws100120.mail.ne1.yahoo.com>

Hello,

Looks like you got the hard part done (cross compiling etc.)

1. You don't need to run stunnel on the client machine. You will use your web browser and your browser will handle the TLS connection.

2.
In your case you only need a stunnel instance running as a server on the Linux device. Your stunnel.conf will look something like

[https]
client = no
; a server-mode service must have a certificate (and key) to present
cert = /etc/stunnel/stunnel.pem

accept = 443
connect = 127.0.0.1:80

The above configures stunnel as a server, listening for connections on all interfaces on port 443 and connecting to localhost port 80.

3. I'm not sure what you mean by "the device and the machine can have any random IP and port".
- You mean if both devices get a DHCP-assigned IP? In that case the above config should work, because it listens on all available IPs.
- For the port portion, there are defined ports for HTTP (port 80) and HTTPS (port 443); that should be it for the server unless your application is different. On the client side you don't need to worry about the port.

4. Stunnel will provide the SSL/TLS encapsulation to your HTTP connection. So in that regard it is a solution. Other times people might opt for using an HTTP server that supports SSL/TLS natively, but you are working on embedded systems so there are constraints there.

This is an alternative for instance.

http://acme.com/software/mini_httpd/

Hope this helps, feel free to ask more questions

-----------------
Leandro Avila

On Tuesday, January 13, 2015 6:57 AM, Siva Kumar wrote:
> Hi All,
>
> I am fairly new to stunnel and also to the networking concepts.
>
> Currently we are working on a surveillance device running on MontaVista Linux on the ARM11 architecture. We have cross compiled and deployed a THTTPD server which is working fine. Once you connect to the device using any web client (from a Windows PC), it will take you to a web page where you can select and stream live videos from all the cameras connected to the device. So far everything is working fine now.
>
> Now the real problem is that we need to support HTTPS as well along with HTTP. Since the THTTPD web server doesn't support secure connections we thought we would accomplish that using the stunnel application.
> We were able to download and cross compile the stunnel application for the device.
>
> Now the doubts I have here are:
>
> 1) Do we need a stunnel server application running on the Windows PC from where we will be using the web browser to connect to the client?
>
> 2) Where should the stunnel server and stunnel client be running? I mean, should the Linux device be running the stunnel client and the Windows PC be running the stunnel server? In that case what should be the correct accept and connect parameters in the stunnel.conf file on both the device and the Windows PC?
>
> 3) Since the device and the machine can have any random IP and port, is it feasible to dynamically set the accept and connect parameters in the stunnel.conf file?
>
> 4) Can stunnel be considered as a solution to the problem which I have reported here? Point 3 above makes me think otherwise.
>
> I have tried all combinations mentioned in points 1 and 2 without success. In none of the cases was my web browser able to talk to the device using HTTPS (i.e. https://my_device_ip). I could see a "client hello" request from the browser to which the client sends an ACK and RST. In some combinations an HTTPS request from the browser only triggered a TCP connection request, to which the client responded with ACK and RST.
>
> Sorry for the long mail. Any inputs would be deeply appreciated.
> Regards,
> Siva

From sivakumar.s.k.k at gmail.com Tue Jan 13 19:29:19 2015
From: sivakumar.s.k.k at gmail.com (Siva Kumar)
Date: Tue, 13 Jan 2015 23:59:19 +0530
Subject: [stunnel-users] HTTPS support for the webserver using STUNNEL
In-Reply-To: <205618149.260475.1421159604063.JavaMail.yahoo@jws100120.mail.ne1.yahoo.com>
References: <205618149.260475.1421159604063.JavaMail.yahoo@jws100120.mail.ne1.yahoo.com>
Message-ID:

Hi All,

Based on the inputs from Mr. Avila, I was able to fix the issue. Now I am able to connect to the device from the web browser using HTTPS.

Thanks all of you...

Regards,
Siva

On Tue, Jan 13, 2015 at 8:03 PM, Leandro Avila wrote:
> Hello,
>
> Looks like you got the hard part done (cross compiling etc.)
>
> 1. You don't need to run stunnel on the client machine. You will use your
> web browser and your browser will handle the TLS connection.
> 2. In your case you only need a stunnel instance running as a server on
> the Linux device.
> Your stunnel.conf will look something like
>
> [https]
> client = no
>
> accept = 443
> connect = 127.0.0.1:80
>
> The above configures stunnel as a server, listening for connections on all
> interfaces on port 443 and connecting to localhost port 80
>
> 3. I'm not sure what you mean by "the device and the machine can have any
> random IP and port"
> - You mean if both devices get a DHCP-assigned IP? In that case the above
> config should work, because it listens on all available IPs
> - For the port portion, there are defined ports for HTTP (port 80) and HTTPS
> (port 443); that should be it for the server unless your application is different.
> On the client side you don't need to worry about the port
>
> 4. Stunnel will provide the SSL/TLS encapsulation to your HTTP connection.
> So in that regard it is a solution.
> Other times people might opt for using an HTTP server that supports SSL/TLS
> natively, but you are working on embedded systems so there are constraints there.
>
> This is an alternative for instance.
>
> http://acme.com/software/mini_httpd/
>
> Hope this helps, feel free to ask more questions
>
> -----------------
>
> Leandro Avila
>
> On Tuesday, January 13, 2015 6:57 AM, Siva Kumar <sivakumar.s.k.k at gmail.com> wrote:
>
> > Hi All,
> >
> > I am fairly new to stunnel and also to the networking concepts.
> >
> > Currently we are working on a surveillance device running on MontaVista
> > Linux on the ARM11 architecture. We have cross compiled and deployed a
> > THTTPD server which is working fine. Once you connect to the device using
> > any web client (from a Windows PC), it will take you to a web page
> > where you can select and stream live videos from all the cameras
> > connected to the device. So far everything is working fine now.
> >
> > Now the real problem is that we need to support HTTPS as well along with
> > HTTP. Since the THTTPD web server doesn't support secure connections we thought
> > we would accomplish that using the stunnel application. We were able to
> > download and cross compile the stunnel application for the device.
> >
> > Now the doubts I have here are:
> >
> > 1) Do we need a stunnel server application running on the Windows PC from
> > where we will be using the web browser to connect to the client?
> >
> > 2) Where should the stunnel server and stunnel client be running? I
> > mean, should the Linux device be running the stunnel client and the Windows
> > PC be running the stunnel server? In that case what should be the correct
> > accept and connect parameters in the stunnel.conf file on both the device
> > and the Windows PC?
> >
> > 3) Since the device and the machine can have any random IP and port,
> > is it feasible to dynamically set the accept and connect parameters in the
> > stunnel.conf file?
> > 4) Can stunnel be considered as a solution to the problem which I
> > have reported here? Point 3 above makes me think otherwise.
> >
> > I have tried all combinations mentioned in points 1 and 2 without
> > success. In none of the cases was my web browser able to talk to the device
> > using HTTPS (i.e. https://my_device_ip). I could see a "client hello"
> > request from the browser to which the client sends an ACK and RST. In some
> > combinations an HTTPS request from the browser only triggered a TCP
> > connection request, to which the client responded with ACK and RST.
> >
> > Sorry for the long mail. Any inputs would be deeply appreciated.
> >
> > Regards,
> > Siva

From member at linkedin.com Sat Jan 17 21:14:43 2015
From: member at linkedin.com (Neacsu Mihai Adrian)
Date: Sat, 17 Jan 2015 20:14:43 +0000 (UTC)
Subject: [stunnel-users] Stunnel, please add me to your LinkedIn network
Message-ID: <311070896.8936613.1421525683874.JavaMail.app@lva1-app9016.prod>

Hi Stunnel,

I'd like to connect with you on LinkedIn.
Neacsu Mihai Adrian
Software Developer at RND Software

You are receiving Invitation emails. This email was intended for Stunnel Users (stunnel user at n/a).

© 2014, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
From ma.neacsu at gmail.com Sat Jan 17 21:16:49 2015
From: ma.neacsu at gmail.com (Neacsu Mihai Adrian)
Date: Sat, 17 Jan 2015 20:16:49 +0000
Subject: [stunnel-users] Stunnel, please add me to your LinkedIn network
References: <311070896.8936613.1421525683874.JavaMail.app@lva1-app9016.prod>
Message-ID:

Sorry, please remove it. I apologize for the spam. It was unintended.

On Sat, Jan 17, 2015, 22:15 Neacsu Mihai Adrian wrote:
> Hi Stunnel,
>
> I'd like to connect with you on LinkedIn.
>
> Neacsu Mihai Adrian
> Software Developer at RND Software
>
> You are receiving Invitation emails. This email was intended for Stunnel Users (stunnel user at n/a).
>
> © 2014, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA

From ikke_ben_colin at hotmail.com Tue Jan 20 10:33:04 2015
From: ikke_ben_colin at hotmail.com (Colin vd Zanden)
Date: Tue, 20 Jan 2015 09:33:04 +0000
Subject: [stunnel-users] No DNS lookup?
Message-ID:

Hi,

We've got a bit of a problem working with Stunnel. We are trying to connect to a domain, but stunnel is somehow translating it to an IP address. (We didn't know, we saw it in the log file.) This is causing our connection to fail. Is there any way to prevent stunnel from translating the domain into an IP, and just connect to the domain name?
From lholzheid at bihl-wiedemann.de Tue Jan 20 16:07:57 2015
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 20 Jan 2015 16:07:57 +0100
Subject: [stunnel-users] No DNS lookup?
In-Reply-To:
References:
Message-ID: <20150120150757.GB25102@shadow.bihl-wiedemann.de>

On Tue, 2015-01-20 09:33:04 +0000, Colin vd Zanden wrote:
> Hi,
> We've got a bit of a problem working with Stunnel. We are trying to
> connect to a domain, but stunnel is somehow translating it to an
> IP address. (We didn't know, we saw it in the log file.) This is
> causing our connection to fail. Is there any way to prevent stunnel
> from translating the domain into an IP, and just connect to the
> domain name?

Colin,

All connections in the Internet go to IP addresses. In the first instance, the domain name system is merely a way to avoid the need to remember all those numbers. If you type a URL into the location bar of your web browser, the first thing your computer does is to resolve the DNS name into an IP address.

Moreover, you don't connect to domains, but to hosts. The domain is the part of the host name to the right of the leftmost dot and is an abstract entity, same as the area code is not a telephone number.

/Maybe/ you are trying to connect to a host with a dynamic IP address and suffer from the fact that stunnel usually resolves the DNS names at start up. If this is the case, you might take a look at the 'delay' service-level option of stunnel.

HTH,

Ludolf

From c.vanderzanden at hnpostenzonen.nl Tue Jan 20 20:17:11 2015
From: c.vanderzanden at hnpostenzonen.nl (Colin van der Zanden)
Date: Tue, 20 Jan 2015 20:17:11 +0100
Subject: [stunnel-users] No DNS lookup?
Message-ID:

Ludolf,

Thanks for your quick response. I have no clue on how to respond on the stunnel users list, so I'll try it this way. The support on the host we are trying to reach states the following:

It really sounds like the stunnel is not connecting to "something.host.com" but perhaps to the IP address behind it?

The use of the hostname something.host.com is however a requirement. Is there any way we can force the stunnel to connect to the hostname instead of resolving it as an IP address?

Kind regards,

H.N. Post en Zonen
Colin van der Zanden
c.vanderzanden at duurzaam-transport.com
c.vanderzanden at hnpostenzonen.nl

----------------------------------------------
This e-mail message is intended solely for the addressee(s). If this e-mail has reached you by mistake, please contact us immediately. In that case we ask you to destroy the e-mail, not to use its contents and not to distribute it to third parties, because the message may contain confidential information protected by professional secrecy.

From lholzheid at bihl-wiedemann.de Tue Jan 20 21:45:07 2015
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 20 Jan 2015 21:45:07 +0100
Subject: [stunnel-users] No DNS lookup?
In-Reply-To:
References:
Message-ID: <20150120204507.GA27369@shadow.bihl-wiedemann.de>

On Tue, 2015-01-20 20:17:11 +0100, Colin van der Zanden wrote:
> Ludolf,
>
> Thanks for your quick response. I have no clue on how to respond on the
> stunnel users list, so I'll try it this way.

By changing the recipient address to stunnel-users at stunnel.org?

> The support on the host we are
> trying to reach states the following:
>
> It really sounds like the stunnel is not connecting to "something.host.com"
> but perhaps to the IP address behind it?

Yes. Stunnel uses IP addresses for all connections, as the Internet is based on IP addresses.
All programs that use the Internet do so. 'IP' stands for 'Internet Protocol'.

This is the same as for the telephone network. The telephone network is based on telephone numbers. Even if you select your dialogue partner by selecting his name or his picture on a list on your mobile phone, you are (or your phone is) still dialling a telephone number if you start a call.

> The use of the hostname
> something.host.com is however a requirement.

You should explain what you are trying to do and what does not work.

HTH,

Ludolf

From gromovd at gmail.com Wed Jan 21 02:50:37 2015
From: gromovd at gmail.com (Dmitry Gromov)
Date: Tue, 20 Jan 2015 20:50:37 -0500
Subject: [stunnel-users] No DNS lookup?
In-Reply-To: <20150120204507.GA27369@shadow.bihl-wiedemann.de>
References: <20150120204507.GA27369@shadow.bihl-wiedemann.de>
Message-ID:

Hi

On Tue, Jan 20, 2015 at 3:45 PM, Ludolf Holzheid wrote:
>
> > The support on the host we are
> > trying to reach states the following:
> >
> > It really sounds like the stunnel is not connecting to "something.host.com"
> > but perhaps to the IP address behind it?
>

This sounds like they need SNI to be passed properly.
Try adding SNI = something.host.com in your client section.

Dmitry

--
//DG LOC(NJ)
//*

From ikke_ben_colin at hotmail.com Wed Jan 21 09:52:34 2015
From: ikke_ben_colin at hotmail.com (Colin vd Zanden)
Date: Wed, 21 Jan 2015 08:52:34 +0000
Subject: [stunnel-users] No DNS lookup?
In-Reply-To:
References: <20150120204507.GA27369@shadow.bihl-wiedemann.de>
Message-ID:

Thanks Ludolf and Dmitry for replying.

@Ludolf, I know what an IP address is. It's just that it's not allowed by the host to connect on their IP.
@Dmitry, I tried putting the SNI settings in the config file, but it didn't resolve our problem.

This is what's in our stunnel log file:

2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] accepted connection from 'INTERNAL-IP:PORT'
2015.01.21 09:30:00 LOG5[4684]: s_connect: connected 'EXTERNAL-IP:PORT'
2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] connected remote server from 'INTERNAL-IP:PORT'
2015.01.21 09:30:00 LOG5[4684]: Connection closed: 251 byte(s) sent to SSL, 188 byte(s) sent to socket

The response from the host is: "403 Forbidden Request forbidden by administrative rules."

Their support states it's because we are connecting to 'EXTERNAL-IP:PORT' and not 'SOMETHING.HOST.COM'.

Thanks again,
Colin

> From: gromovd at gmail.com
> Date: Tue, 20 Jan 2015 20:50:37 -0500
> CC: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] No DNS lookup?
>
> Hi
>
> On Tue, Jan 20, 2015 at 3:45 PM, Ludolf Holzheid wrote:
> >
> > > The support on the host we are
> > > trying to reach states the following:
> > >
> > > It really sounds like the stunnel is not connecting to "something.host.com"
> > > but perhaps to the IP address behind it?
> >
>
> This sounds like they need SNI to be passed properly.
> Try adding SNI = something.host.com in your client section.
>
> Dmitry
>
> --
> //DG LOC(NJ)
> //*
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

From lholzheid at bihl-wiedemann.de Wed Jan 21 12:13:20 2015
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Wed, 21 Jan 2015 12:13:20 +0100
Subject: [stunnel-users] No DNS lookup?
In-Reply-To:
References: <20150120204507.GA27369@shadow.bihl-wiedemann.de>
Message-ID: <20150121111319.GB3102@shadow.bihl-wiedemann.de>

On Wed, 2015-01-21 08:52:34 +0000, Colin vd Zanden wrote:
> Thanks Ludolf and Dmitry for replying.
> @Ludolf, I know what an IP address is. It's just that it's not
> allowed by the host to connect on their IP.
> @Dmitry, I tried putting the SNI settings in the config file, but it didn't resolve our problem.
> This is what's in our stunnel log file:
> 2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] accepted connection from 'INTERNAL-IP:PORT'
> 2015.01.21 09:30:00 LOG5[4684]: s_connect: connected 'EXTERNAL-IP:PORT'
> 2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] connected remote server from 'INTERNAL-IP:PORT'
> 2015.01.21 09:30:00 LOG5[4684]: Connection closed: 251 byte(s) sent to SSL, 188 byte(s) sent to socket
> The response from the host is: "403 Forbidden Request forbidden by administrative rules."
> Their support states it's because we are connecting to 'EXTERNAL-IP:PORT' and not 'SOMETHING.HOST.COM'.
> Thanks again,

Ah, it seems we were talking at cross purposes.

On OSI layer 2 (Network) you don't have a chance to use something other than IP addresses. On OSI layer 7 (Application) you may use whatever the protocol requires.

It seems you are using HTTP as the layer 7 protocol, and it seems the server you are trying to connect to needs to see a certain host name in the HTTP requests (possibly because there are multiple virtual hosts on the same machine, using a single IP address).

In the first instance, Stunnel doesn't touch the data in layer 5 and above, i.e. it forwards the HTTP requests unchanged. However, there are service level options for stunnel ("protocol...") to tweak upper-level data. I didn't use them yet, maybe someone else could comment.
A possible solution for your problem would be to configure Stunnel to not change upper level data, but make the client resolve the DNS name of the server to the IP address Stunnel listens on, e.g. by adding an appropriate entry to the 'hosts' file.

HTH,
Ludolf

--
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
Tel: +49 621 33996-0
Fax: +49 621 3392239
mailto:lholzheid at bihl-wiedemann.de
http://www.bihl-wiedemann.de
Registered office: Mannheim
Managing directors: Jochen Bihl, Bernhard Wiedemann
Mannheim District Court, HRB 5796

From meresponde2001-stn at yahoo.es Wed Jan 21 21:17:48 2015
From: meresponde2001-stn at yahoo.es (Javier)
Date: Wed, 21 Jan 2015 21:17:48 +0100
Subject: [stunnel-users] No DNS lookup?
In-Reply-To:
References: <20150120204507.GA27369@shadow.bihl-wiedemann.de>
Message-ID: <20150121211748.df4969c2f4fb275548e2f33a@yahoo.es>

Hi,

As Ludolf said, you may be trying to connect to a virtual web server, and either it is a very basic web server or it has some misconfiguration, because I myself use an old tiny web server that handles virtual servers without any problems.

Make sure your web server can read the "Host" HTTP header, and, on the client side, that you are not blocking or spoofing it with a browser add-on. You may need an HTTP sniffer.

I have a configuration somewhat like yours on my web server for IP Host requests, and it only happens when you input the IP directly in the browser.

Stunnel, as a tunnel, is not the problem here. It is the client and server endpoints. It is not a DNS lookup problem.

Regards.

From Michal.Trojnara at mirt.net Thu Jan 22 18:19:55 2015
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Thu, 22 Jan 2015 18:19:55 +0100
Subject: [stunnel-users] stunnel 5.10 released
Message-ID: <54C1313B.6030602@mirt.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Users,

I have released version 5.10 of stunnel.
The ChangeLog entry:

Version 5.10, 2015.01.22, urgency: LOW:
* New features
  - OCSP AIA (Authority Information Access) support.
    This feature can be enabled with the new service-level option "OCSPaia".
  - Additional security features of the linker are enabled:
    "-z relro", "-z now", "-z noexecstack".
* Bugfixes
  - OpenSSL DLLs updated to version 1.0.1l.
    https://www.openssl.org/news/secadv_20150108.txt
  - FIPS canister updated to version 2.0.9 in the Win32 binary build.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
032bfc1854f8a0b9e452343c36ec6b52c7e0daef0863423c6b13a61a7c92eb23 stunnel-5.10.tar.gz
7c29753b6488f37b29f365e9c4a6060c3da8a89000af1cd29eab7c37d419d148 stunnel-5.10-installer.exe
93cd0941580eaa7815ed62ec88a111cb449e9bad97cd1a35d7524867a8238234 stunnel-5.10-android.zip

Best regards,
Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlTBMTsACgkQ/NU+nXTHMtE+uQCg9N0butSpAQ2mM1M5ySe7T18i
oe8AoOAHKJ9F7jMlUfHnmuzBtIPbbghN
=e9ed
-----END PGP SIGNATURE-----

From patwick92 at gmail.com Thu Jan 22 19:13:12 2015
From: patwick92 at gmail.com (Patrick wickline)
Date: Thu, 22 Jan 2015 13:13:12 -0500
Subject: [stunnel-users] Blue Iris
Message-ID:

I have stunnel set up on my machine. It works locally and lets me connect to my Blue Iris server with https.

However, I am unable to do this remotely. I have forwarded the port in my router to stunnel, from stunnel to Blue Iris, but it still doesn't work.

Below is part of my conf file:

[Blue Iris]
; forwarded this in the router to my static IP of my machine
accept = 8344
; 8081 is my blue iris web server
connect = 127.0.0.1:8081

I hope someone is able to give some advice
From meresponde2001-stn at yahoo.es Fri Jan 23 00:52:28 2015
From: meresponde2001-stn at yahoo.es (Javier)
Date: Fri, 23 Jan 2015 00:52:28 +0100
Subject: [stunnel-users] Blue Iris
In-Reply-To:
References:
Message-ID: <20150123005228.55fc58e84f5f9510f4abe2a1@yahoo.es>

On Thu, 22 Jan 2015 13:13:12 -0500
Patrick wickline wrote:

> I have stunnel set up on my machine. It works locally and lets me connect
> to my Blue Iris server with https.
>
> However, I am unable to do this remotely. I have forwarded the port in my
> router to stunnel, from stunnel to blue iris, but still doesn't work.
>
> Below is part of my conf file
>
> [Blue Iris]
> accept = 8344 (forwarded this in the router to my static IP of my machine)
> connect = 127.0.0.1:8081 (8081 is my blue iris web server)
>
> I hope someone is able to give some advice

Hi,

It should work. Unless you have a firewall rule blocking it (maybe the router firewall) or you are typing the wrong URL (type https://server:port instead of just https://server, as it defaults to port 443). As I said, it should work.

Also, how are you testing? If you are accessing yourself (from your LAN) by typing the public address or the domain pointing to your public address, you need to know that some (old) routers make some kind of a loop and, instead of doing translation of IP/port, they try to serve themselves with their private address, as they understand the public IP to be themselves. You should use a proxy in this case, or ask someone to test from outside, or use your mobile phone.

Regards.
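An added example, not code from this thread and not part of stunnel itself: a small checker for service sections like the one Patrick posted. It parses the layout stunnel uses (global options first, then `[service]` sections of `key = value` lines, `;`/`#` comment lines, an optional UTF-8 byte order mark) and reports the things worth ruling out before blaming the router: an `accept` bound only to loopback (remote clients could never reach it), a server-mode service with no `cert` anywhere (stunnel needs one unless `client = yes`), and `transparent` used on a platform where the manual does not offer it. The last check goes beyond Patrick's case: it reproduces the "Specified option name is not valid here" failure David gets further down this page from a Windows build, using the platform string from his startup banner. The sample configs are constructed from the two posts; the `cert = stunnel.pem` line stands in for the part of Patrick's file he did not show, and the Linux/FreeBSD-only rule for `transparent` is my reading of the stunnel manual, not something either poster states.

```python
"""Sanity-check stunnel service sections before debugging the network.

Added example; not stunnel code. Layout as in the stunnel manual: global
options, then [service] sections of "key = value" lines; ';' and '#' start
comment lines; a UTF-8 BOM at the top is tolerated.
"""
import re

# Platforms for which the manual documents transparent proxying (assumption
# from reading the manual: Linux and FreeBSD; Windows builds reject it).
TRANSPARENT_PLATFORMS = ("linux", "freebsd")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_stunnel_conf(text):
    """Return (global_opts, {section_name: opts}) in declaration order."""
    global_opts, services, current = {}, {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {raw!r}")
        target = services[current] if current else global_opts
        target[key.strip()] = value.strip()
    return global_opts, services


def platform_from_banner(log_line):
    """'[.] stunnel 5.10 on x86-pc-msvc-1500 platform' -> 'x86-pc-msvc-1500'."""
    m = re.search(r"stunnel \S+ on (\S+) platform", log_line)
    return m.group(1) if m else ""


def check_services(conf_text, platform=""):
    """Return [(section, finding), ...]; an empty list means nothing to fix."""
    global_opts, services = parse_stunnel_conf(conf_text)
    findings = []
    for name, opts in services.items():
        merged = {**global_opts, **opts}          # service options override global
        if "accept" not in opts or "connect" not in opts:
            findings.append((name, "needs both accept and connect"))
        host = opts.get("accept", "").rpartition(":")[0].strip("[]")
        if host in LOOPBACK:
            findings.append((name, "accept is bound to loopback; remote clients cannot reach it"))
        client_mode = merged.get("client", "no").lower() == "yes"
        if not client_mode and "cert" not in merged:
            findings.append((name, "server mode without cert (global or per service)"))
        if "transparent" in opts and not any(p in platform.lower() for p in TRANSPARENT_PLATFORMS):
            findings.append((name, f"transparent is not available on platform {platform or 'unknown'}"))
    return findings


# Constructed from Patrick's post; the cert line is an assumption about the
# part of his file he did not show.
BLUE_IRIS_CONF = """\
cert = stunnel.pem

[Blue Iris]
; forwarded this in the router to my static IP of my machine
accept = 8344
; 8081 is my blue iris web server
connect = 127.0.0.1:8081
"""

# Constructed from David's post and the banner line of his log (one of his
# three sections is enough to trigger the check).
BRIDGE_CONF = """\
; ***** Example SSL server mode services
[ xyz ]
accept=10.10.10.74:9908
connect= 127.0.0.10:1040
transparent = source
"""
BRIDGE_BANNER = "[.] stunnel 5.10 on x86-pc-msvc-1500 platform"

if __name__ == "__main__":
    print(check_services(BLUE_IRIS_CONF, platform="x86_64-pc-linux-gnu"))
    print(check_services(BRIDGE_CONF, platform=platform_from_banner(BRIDGE_BANNER)))
```

For Patrick's section the checker finds nothing, which is the right answer: an `accept = 8344` with no address listens on all interfaces, so the remaining suspects are the ones Javier lists (router forward, firewall, URL without the port, NAT hairpin). For David's section it reports both the missing certificate and `transparent` on an msvc build.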
From s.ochsenkuehn at munich-network.net Thu Jan 29 11:40:59 2015
From: s.ochsenkuehn at munich-network.net (Sebastian Ochsenkühn)
Date: Thu, 29 Jan 2015 10:40:59 +0000
Subject: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
Message-ID: <1422528059341.10903@munich-network.net>

Hi,

I have a big problem with the new stunnel version on CentOS 6.6 (stunnel-4.29-3.el6_6.1.x86_64) that is available in the CentOS base repository.

You describe in your documentation that SSLv3 is disabled by default. -> OK for me, but I need SSLv3 and the option with -NO_SSLv3 is not working?!

PS: this is also not working with the -NO_SSLv2 option.

options = -NO_SSLv3 = NOT Working
option = NO_SSLv3 = Working.

Currently I have installed an older version, where the SSLv3 protocol is not disabled by default.

Is there anything that I'm doing wrong?

Thanks and Regards,
Sebastian.

From Michal.Trojnara at mirt.net Thu Jan 29 11:44:43 2015
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Thu, 29 Jan 2015 11:44:43 +0100
Subject: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
In-Reply-To: <1422528059341.10903@munich-network.net>
References: <1422528059341.10903@munich-network.net>
Message-ID: <54CA0F1B.3040704@mirt.net>

Hi Sebastian,

My documentation describes the latest version of stunnel. For an old version please refer to the appropriate manual page distributed with the specific version you're using.

Mike

On 29.01.2015 11:40, Sebastian Ochsenkühn wrote:
>
> Hi,
>
> I have a big problem with the new stunnel version on CentOS
> 6.6 (stunnel-4.29-3.el6_6.1.x86_64) that is available in the CentOS
> base repository.
>
> You describe in your documentation that SSLv3 is disabled by default.
> -> OK for me, but I need SSLv3 and the option with -NO_SSLv3 is not
> working?!
>
> PS: this is also not working with the -NO_SSLv2 option.
>
> options = -NO_SSLv3 = NOT Working
>
> option = NO_SSLv3 = Working.
>
> Currently I have installed an older version, where the SSLv3 protocol
> is not disabled by default.
>
> Is there anything that I'm doing wrong?
>
> Thanks and Regards,
>
> Sebastian.
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

From s.ochsenkuehn at munich-network.net Thu Jan 29 11:58:24 2015
From: s.ochsenkuehn at munich-network.net (Sebastian Ochsenkühn)
Date: Thu, 29 Jan 2015 10:58:24 +0000
Subject: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
In-Reply-To: <54CA0F1B.3040704@mirt.net>
References: <1422528059341.10903@munich-network.net>, <54CA0F1B.3040704@mirt.net>
Message-ID: <1422529104181.60445@munich-network.net>

Hi Mike,

thanks for your fast response, but I think there is a big issue.

The latest version that is available in the CentOS 6 Base Repo is "stunnel-4.29-3.el6_6.1.x86_64" - In this version SSLv3 is disabled by default, but there is no option to enable it.

I hope you understand my situation :-)

________________________________
From: stunnel-users on behalf of Michal Trojnara
Sent: Thursday, 29 January 2015 11:44
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3

Hi Sebastian,

My documentation describes the latest version of stunnel. For an old version please refer to the appropriate manual page distributed with the specific version you're using.
Mike

On 29.01.2015 11:40, Sebastian Ochsenkühn wrote:

Hi,

I have a big problem with the new stunnel version on CentOS 6.6 (stunnel-4.29-3.el6_6.1.x86_64) that is available in the CentOS base repository.

You describe in your documentation that SSLv3 is disabled by default. -> OK for me, but I need SSLv3 and the option with -NO_SSLv3 is not working?!

PS: this is also not working with the -NO_SSLv2 option.

options = -NO_SSLv3 = NOT Working
option = NO_SSLv3 = Working.

Currently I have installed an older version, where the SSLv3 protocol is not disabled by default.

Is there anything that I'm doing wrong?

Thanks and Regards,
Sebastian.

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

From Michal.Trojnara at mirt.net Thu Jan 29 12:12:59 2015
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Thu, 29 Jan 2015 12:12:59 +0100
Subject: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
In-Reply-To: <1422529104181.60445@munich-network.net>
References: <1422528059341.10903@munich-network.net>, <54CA0F1B.3040704@mirt.net> <1422529104181.60445@munich-network.net>
Message-ID: <54CA15BB.2070901@mirt.net>

Hi Sebastian,

The ChangeLog does not say anything about disabling SSLv3:
http://rpmfind.net/linux/RPM/centos/updates/6.6/x86_64/Packages/stunnel-4.29-3.el6_6.1.x86_64.html

I guess it may be disabled in the OpenSSL rather than in stunnel.

Anyway, if you connect stunnel with some software that's so old that it doesn't support TLS, the software is almost certainly no longer supported, and most likely vulnerable to attacks. This is a serious risk!

Mike

On 29.01.2015 11:58, Sebastian Ochsenkühn wrote:
>
> Hi Mike,
>
> thanks for your fast response, but I think there is a big issue.
>
> The latest version that is available in the CentOS 6 Base Repo is
> "stunnel-4.29-3.el6_6.1.x86_64" - In this version SSLv3 is
> disabled by default, but there is no option to enable it.
>
> I hope you understand my situation :-)
>
> ------------------------------------------------------------------------
> *From:* stunnel-users on behalf of Michal Trojnara
> *Sent:* Thursday, 29 January 2015 11:44
> *To:* stunnel-users at stunnel.org
> *Subject:* Re: [stunnel-users] Centos 6.6 Final
> stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
>
> Hi Sebastian,
>
> My documentation describes the latest version of stunnel. For an old
> version please refer to the appropriate manual page distributed with
> the specific version you're using.
>
> Mike
>
> On 29.01.2015 11:40, Sebastian Ochsenkühn wrote:
>>
>> Hi,
>>
>> I have a big problem with the new stunnel version on CentOS
>> 6.6 (stunnel-4.29-3.el6_6.1.x86_64) that is available in the CentOS
>> base repository.
>>
>> You describe in your documentation that SSLv3 is disabled by default.
>> -> OK for me, but I need SSLv3 and the option with -NO_SSLv3 is not
>> working?!
>>
>> PS: this is also not working with the -NO_SSLv2 option.
>>
>> options = -NO_SSLv3 = NOT Working
>>
>> option = NO_SSLv3 = Working.
>>
>> Currently I have installed an older version, where the SSLv3
>> protocol is not disabled by default.
>>
>> Is there anything that I'm doing wrong?
>>
>> Thanks and Regards,
>>
>> Sebastian.
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
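An added example, not stunnel's code and not something the thread supplies, to separate the two things Mike's guess is about. stunnel's `options` lines map directly onto OpenSSL's SSL_OP_* flags (the same names without the `SSL_OP_` prefix), and the 5.x manual additionally accepts a leading dash to clear a flag (an assumption about the current manual; whether the CentOS 4.29 build understands that syntax is exactly what Sebastian is seeing). But clearing the NO_SSLv3 bit only matters if the OpenSSL build underneath still contains SSLv3 at all. The helper below applies stunnel-style option lines to a Python `ssl.SSLContext`, which is a thin wrapper over the same OpenSSL context flags, and then reports which protocol versions remain negotiable, taking both the option bits and the library's compiled-in support (`ssl.HAS_SSLv3` and friends) into account. The option lines are constructed from Sebastian's message.

```python
"""Apply stunnel-style 'options = NAME' lines to an ssl.SSLContext and report
which protocol versions could still be negotiated.

Added example, not stunnel code. Assumes the syntax of the current stunnel
manual: the OpenSSL SSL_OP_* name without its prefix, optionally prefixed
with '-' to clear the flag instead of setting it.
"""
import ssl
import warnings

# Every SSL_OP_* flag this Python/OpenSSL build knows, keyed the way stunnel
# spells them (e.g. "NO_SSLv3", "CIPHER_SERVER_PREFERENCE").
OPENSSL_OPTIONS = {name[3:]: int(getattr(ssl, name))
                   for name in dir(ssl) if name.startswith("OP_")}

# (version, OP_NO_* bit that masks it, compiled into this OpenSSL at all?)
VERSIONS = [
    ("SSLv2",   OPENSSL_OPTIONS.get("NO_SSLv2", 0),   getattr(ssl, "HAS_SSLv2", False)),
    ("SSLv3",   OPENSSL_OPTIONS.get("NO_SSLv3", 0),   getattr(ssl, "HAS_SSLv3", False)),
    ("TLSv1",   OPENSSL_OPTIONS.get("NO_TLSv1", 0),   getattr(ssl, "HAS_TLSv1", False)),
    ("TLSv1.1", OPENSSL_OPTIONS.get("NO_TLSv1_1", 0), getattr(ssl, "HAS_TLSv1_1", False)),
    ("TLSv1.2", OPENSSL_OPTIONS.get("NO_TLSv1_2", 0), getattr(ssl, "HAS_TLSv1_2", False)),
    ("TLSv1.3", OPENSSL_OPTIONS.get("NO_TLSv1_3", 0), getattr(ssl, "HAS_TLSv1_3", False)),
]


def parse_option_line(line):
    """'options = -NO_SSLv3' -> ('NO_SSLv3', False); 'options = NO_SSLv3' -> ('NO_SSLv3', True)."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "options":
        raise ValueError(f"not an options line: {line!r}")
    value = value.strip()
    enable = not value.startswith("-")
    name = value.lstrip("-")
    if name not in OPENSSL_OPTIONS:
        raise ValueError(f"{name}: not an SSL_OP_* name this OpenSSL build knows")
    return name, enable


def apply_stunnel_options(ctx, lines):
    """Set or clear the SSL_OP_* bits named by stunnel-style option lines."""
    for line in lines:
        name, enable = parse_option_line(line)
        bit = OPENSSL_OPTIONS[name]
        current = int(ctx.options)
        new = (current | bit) if enable else (current & ~bit)
        # Python 3.10+ warns that OP_NO_* is deprecated in favour of
        # minimum_version; silenced because mirroring stunnel's flag syntax
        # is the whole point of this helper.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.options = new
    return ctx


def negotiable_versions(ctx):
    """Versions neither masked by an OP_NO_* bit nor absent from the library.

    minimum_version/maximum_version (the modern replacement for OP_NO_*)
    can restrict this further; they are ignored here on purpose so that the
    effect of the option bits is visible on its own.
    """
    opts = int(ctx.options)
    return [v for v, no_bit, compiled in VERSIONS
            if compiled and not (no_bit and opts & no_bit)]


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The two lines from Sebastian's message (constructed), applied in turn.
    for line in ("options = NO_SSLv3", "options = -NO_SSLv3"):
        apply_stunnel_options(ctx, [line])
        print(f"{line:22} -> {negotiable_versions(ctx)}  "
              f"(library has SSLv3: {getattr(ssl, 'HAS_SSLv3', False)})")
```

On any current OpenSSL build `HAS_SSLv3` is false, so the `-NO_SSLv3` line clears the bit and SSLv3 still never appears in the list. That is the situation Mike describes: a removal at the library level, which no stunnel option can undo, as opposed to an option bit that the configuration file controls.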
From s.ochsenkuehn at munich-network.net Thu Jan 29 12:19:18 2015
From: s.ochsenkuehn at munich-network.net (Sebastian Ochsenkühn)
Date: Thu, 29 Jan 2015 11:19:18 +0000
Subject: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
In-Reply-To: <54CA15BB.2070901@mirt.net>
References: <1422528059341.10903@munich-network.net>, <54CA0F1B.3040704@mirt.net> <1422529104181.60445@munich-network.net>, <54CA15BB.2070901@mirt.net>
Message-ID: <1422530358798.80277@munich-network.net>

Hi Mike,

yes, you're correct, but I have forced the installation of "stunnel-4.29-3.el6_4.x86_64" (all other packages, openssl, etc., updated) and SSLv3 is working again.

So, to my understanding there must be a bug, or they have disabled SSLv3 in version "stunnel-4.29-3.el6_6.1.x86_64".

Regards,
Sebastian.

________________________________
From: stunnel-users on behalf of Michal Trojnara
Sent: Thursday, 29 January 2015 12:12
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3

Hi Sebastian,

The ChangeLog does not say anything about disabling SSLv3:
http://rpmfind.net/linux/RPM/centos/updates/6.6/x86_64/Packages/stunnel-4.29-3.el6_6.1.x86_64.html

I guess it may be disabled in the OpenSSL rather than in stunnel.

Anyway, if you connect stunnel with some software that's so old that it doesn't support TLS, the software is almost certainly no longer supported, and most likely vulnerable to attacks. This is a serious risk!

Mike

On 29.01.2015 11:58, Sebastian Ochsenkühn wrote:

Hi Mike,

thanks for your fast response, but I think there is a big issue.

The latest version that is available in the CentOS 6 Base Repo is "stunnel-4.29-3.el6_6.1.x86_64" - In this version SSLv3 is disabled by default, but there is no option to enable it.
I hope you understand my situation :-)

________________________________
From: stunnel-users on behalf of Michal Trojnara
Sent: Thursday, 29 January 2015 11:44
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3

Hi Sebastian,

My documentation describes the latest version of stunnel. For an old version please refer to the appropriate manual page distributed with the specific version you're using.

Mike

On 29.01.2015 11:40, Sebastian Ochsenkühn wrote:

Hi,

I have a big problem with the new stunnel version on CentOS 6.6 (stunnel-4.29-3.el6_6.1.x86_64) that is available in the CentOS base repository.

You describe in your documentation that SSLv3 is disabled by default. -> OK for me, but I need SSLv3 and the option with -NO_SSLv3 is not working?!

PS: this is also not working with the -NO_SSLv2 option.

options = -NO_SSLv3 = NOT Working
option = NO_SSLv3 = Working.

Currently I have installed an older version, where the SSLv3 protocol is not disabled by default.

Is there anything that I'm doing wrong?

Thanks and Regards,
Sebastian.

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

From roam at ringlet.net Thu Jan 29 12:20:35 2015
From: roam at ringlet.net (Peter Pentchev)
Date: Thu, 29 Jan 2015 13:20:35 +0200
Subject: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
In-Reply-To: <1422529104181.60445@munich-network.net>
References: <1422528059341.10903@munich-network.net> <54CA0F1B.3040704@mirt.net> <1422529104181.60445@munich-network.net>
Message-ID: <20150129112035.GA4816@straylight.m.ringlet.net>

On Thu, Jan 29, 2015 at 10:58:24AM +0000, Sebastian Ochsenkühn wrote:
> Hi Mike,
>
> thanks for your fast response, but I think there is a big issue.
>
> The latest version that is available in the CentOS 6 Base Repo is "stunnel-4.29-3.el6_6.1.x86_64" - In this version SSLv3 is disabled by default, but there is no option to enable it.
>
> I hope you understand my situation :-)

Yes, we do understand your situation, and yes, this is a problem that does occur now and then when popular distributions keep older versions of software in their stable release branches (for very good reasons, too, but that's another topic).

The best way for you to get assistance is to contact Red Hat through their CentOS support channels. They are in the best position to know exactly what changes they have made to the stock stunnel-4.29 (and apparently they have made some changes, since the stock stunnel-4.29 does not disable SSLv3 - and they have made these changes for very good reasons, too), and ask them how to configure that version of stunnel to re-enable SSLv3.

In fact, this always applies to packaged software obtained from a distribution: the first point of contact should always be the packagers in the distribution.

G'luck,
Peter

> From: stunnel-users on behalf of Michal Trojnara
> Sent: Thursday, 29 January 2015 11:44
> To: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] Centos 6.6 Final stunnel-4.29-3.el6_6.1.x86_64 - options set problem SSLv3
>
> Hi Sebastian,
>
> My documentation describes the latest version of stunnel. For an old version please refer to the appropriate manual page distributed with the specific version you're using.
>
> Mike
>
> On 29.01.2015 11:40, Sebastian Ochsenkühn wrote:
>
> Hi,
>
> I have a big problem with the new stunnel version on CentOS 6.6 (stunnel-4.29-3.el6_6.1.x86_64) that is available in the CentOS base repository.
>
> You describe in your documentation that SSLv3 is disabled by default. -> OK for me, but I need SSLv3 and the option with -NO_SSLv3 is not working?!
>
> PS: this is also not working with the -NO_SSLv2 option.
>
> options = -NO_SSLv3 = NOT Working
>
> option = NO_SSLv3 = Working.
>
> Currently I have installed an older version, where the SSLv3 protocol is not disabled by default.
>
> Is there anything that I'm doing wrong?
>
> Thanks and Regards,
>
> Sebastian.

--
Peter Pentchev roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

From d_nazary at yahoo.com Thu Jan 29 19:48:18 2015
From: d_nazary at yahoo.com (David)
Date: Thu, 29 Jan 2015 18:48:18 +0000 (UTC)
Subject: [stunnel-users] issue with stunnel forwarding
Message-ID: <1763490971.2555322.1422557298237.JavaMail.yahoo@mail.yahoo.com>

I am trying to configure stunnel on a bridge server which needs to use SSL to talk to 3 other servers. Below is my conf file:

; ***************************************** Example SSL server mode services

[ xyz ]
accept = 10.10.10.74:9908
connect = 127.0.0.10:1040
transparent = source

[ hp ]
accept = 10.10.10.218:9904
connect = 127.0.0.10:1041
transparent = source

[ sql ]
accept = 10.10.10.214:59053
connect = 127.0.0.10:1042
transparent = source

When I run the stunnel GUI start I get the following message:

[ ] No limit detected for the number of clients
[.] stunnel 5.10 on x86-pc-msvc-1500 platform
[.] Compiled/running with OpenSSL 1.0.1l 15 Jan 2015
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_errno())
[.] Reading configuration from file stunnel.conf
[ ] GUI message loop initialized
[.] UTF-8 byte order mark detected
[ ] Enabling support for engine "capi"
[ ] Initializing engine #1 (capi)
[ ] Engine #1 (capi) initialized
[.] FIPS mode disabled
[ ] Compression disabled
[ ] Snagged 64 random bytes from C:/.rnd
[ ] Wrote 1024 new random bytes to C:/.rnd
[ ] PRNG seeded successfully
[!] Line 62: "transparent = source": Specified option name is not valid here
[!] Server is down

What am I missing here?

Thanks!
nazja2015

From amontaron at wanadoo.fr Fri Jan 30 16:45:47 2015
From: amontaron at wanadoo.fr (amontaron)
Date: Fri, 30 Jan 2015 16:45:47 +0100
Subject: [stunnel-users] Can't compile stunnel 5.10 on Linux ... got fatal signal 11 error
Message-ID: <54CBA72B.1090405@wanadoo.fr>

Hi everybody!

I tried to compile stunnel 5.10 (latest) on my old Suse 7 Linux distribution and got "a fatal signal 11 error message" when running the make command.

Just before, openssl 1.0.2 (latest) compiled fine with no errors. Also, I added some stuff like xemacs 21.4.22 (latest), just to say that that rather old distribution is able to do all that :-D

So, here are the latest messages from make I got:

> Making all in src
> make[1]: Entering directory `/root/stunnel-5.10/src'
> make all-am
> make[2]: Entering directory `/root/stunnel-5.10/src'
> source='stunnel.c' object='stunnel-stunnel.o' libtool=no \
> DEPDIR=.deps depmode=gcc /bin/sh ../auto/depcomp \
> gcc -DHAVE_CONFIG_H -I.
> -I/usr/kerberos/include
> -I/usr/local/ssl/include -DLIBDIR='"/usr/local/lib/stunnel"'
> -DCONFDIR='"/usr/local/etc/stunnel"' -g -O2 -pthread -Wall
> -Wformat=2 -Wconversion -Wno-long-long -Wno-deprecated-declarations
> -D_FORTIFY_SOURCE=2 -c -o stunnel-stunnel.o `test -f 'stunnel.c' ||
> echo './'`stunnel.c
> In file included from /usr/include/string.h:346,
> from common.h:201,
> from stunnel.c:38:
> /usr/include/bits/string2.h: In function `__strsep_g':
> /usr/include/bits/string2.h:1171: warning: passing arg 2 of
> `__strpbrk_c2' with different width due to prototype
> /usr/include/bits/string2.h:1171: warning: passing arg 3 of
> `__strpbrk_c2' with different width due to prototype
> /usr/include/bits/string2.h:1171: warning: passing arg 2 of
> `__strpbrk_c3' with different width due to prototype
> /usr/include/bits/string2.h:1171: warning: passing arg 3 of
> `__strpbrk_c3' with different width due to prototype
> /usr/include/bits/string2.h:1171: warning: passing arg 4 of
> `__strpbrk_c3' with different width due to prototype
> gcc: Internal compiler error: program cc1 got fatal signal 11
> make[2]: *** [stunnel-stunnel.o] Error 1
> make[2]: Leaving directory `/root/stunnel-5.10/src'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/root/stunnel-5.10/src'
> make: *** [all-recursive] Error 1

Previously I got lots of warning messages. Perhaps I need "make report" also?

I've looked at the stunnel-users at stunnel.org mail archive up to July 2011 with no success. So, that's why I'm writing to you there...

Then, I tried different versions of stunnel 4.xx like 4.00, 4.56, 4.28 and more. All simply don't compile, with different error messages. The only one I could compile completely is stunnel 3.22 (so the latest 3.xx).

Note that I'm happy with that because I was running stunnel 3.3 just before, and everything works with the latest openssl version I downloaded, and everything works fine for what I want!
Remark: the Suse 7 distribution (not OpenSuse) has a Linux 2.2.16 kernel (not the latest :-D)

Alex.

PS: Another thing: on the same machine I ran stunnel 4.56 on (old) Windows 98 with no problems.

---
This e-mail contains no viruses or malware because avast! Antivirus protection is active.
http://www.avast.com