From _sa_nya at mail.ru Tue Oct 15 13:56:08 2019
From: Рагиня Александр <_sa_nya at mail.ru>
Date: Tue, 15 Oct 2019 14:56:08 +0300
Subject: [stunnel-users] Stunnel does not connect to email server
Message-ID: <1571140568.388121661@f406.i.mail.ru>

Hello.

I have a problem with stunnel: it does not connect to the e-mail server.

My situation. I have 2 servers:
1. Windows Server 2012 R2 STD. On it stunnel 5.55 is installed.
2. Windows Server 2012 R2 STD. On it the corporate MDaemon e-mail server is installed.

Stunnel is used to send e-mail from server 1 to server 2. Everything worked fine...

2 days ago the SSL certificate on the e-mail server was renewed (World CA, Sectigo). After that, the new cert was installed on server 1 and the old cert was deleted, in the certificate store for Windows users (certmgr.msc). After that, stunnel saw only the old cert, not the new one. I reinstalled it and copied the settings for my e-mail server from the old stunnel.conf to the new one. And now stunnel does not connect to the e-mail server at all. It writes:

2019.10.15 17:39:37 LOG7[6]: TLS state (connect): before SSL initialization
2019.10.15 17:39:37 LOG7[6]: TLS state (connect): SSLv3/TLS write client hello
2019.10.15 17:39:37 LOG3[6]: SSL_connect: Peer suddenly disconnected
2019.10.15 17:39:37 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

In the attachment: stunnel.conf and the log (with debug = 7) for stunnel. The settings for the e-mail server are in the [kvarta-mail] section.

I spent 2 days. I read the manual, Google, tried some methods, but nothing...

If you help me, I'll be very happy.

Thank you.

--
Рагиня Александр

[Attachment: stunnel.conf, application/octet-stream, 4773 bytes]
[Attachment: stunnel_cert_errors.log, application/octet-stream, 19518 bytes]

From polushindenis at gmail.com Tue Oct 22 20:22:22 2019
From: Denis Polushin <polushindenis at gmail.com>
Date: Tue, 22 Oct 2019 21:22:22 +0300
Subject: [stunnel-users] stunnel : user identification in mutual auth

Hi All,

Haven't found the answer for this issue.

The scheme is:

TLS-client <==tls==> stunnel-server <==open==> App-server

In the user session, stunnel-server performs authorization of the client with its certificate (verify=2) and sends the request further to App-server.

How can App-server identify the user in this session? To grant permissions. Ideally it would be good to know the CN or EKU of the user certificate.

Is it possible?

Thanks a lot!!
Denis

From svittori at gmail.com Wed Oct 23 11:17:58 2019
From: simona vittori <svittori at gmail.com>
Date: Wed, 23 Oct 2019 11:17:58 +0200
Subject: [stunnel-users] ssl offloading with stunnel

Hello,

Is it possible to have the following architecture with stunnel?

stunnel client --> balancer --> db server

The balancer doesn't have the stunnel product installed on it. It receives encrypted packets from the stunnel client and redirects clear traffic to the DB server.

Is it possible to realize this configuration?

Thanks a lot.
Regards
Simona

From chris at christopherschultz.net Fri Oct 25 16:09:00 2019
From: Christopher Schultz <chris at christopherschultz.net>
Date: Fri, 25 Oct 2019 10:09:00 -0400
Subject: [stunnel-users] Strange connection failure in one environment
Message-ID: <8b78fc3a-e579-6764-68a7-48f7e09e7b24@christopherschultz.net>

All,

I've been using stunnel in two environments (dev, prod) for a long time without any problems. Recently, my dev environment started acting funny and I can't connect to it from outside the box.
Can someone take a look and let me know if you have any suggestions for where to look for a problem?

Both environments have the following things in common:

1. Hosted in Amazon EC2, no load-balancer in the way
2. Configuration requires client-certificate to connect
3. All certificates are valid, self-signed, and properly-trusted by both sides
4. TLS configuration has been locked-down to TLSv1.2, selected cipher suites, FIPS mode=off
5. All versions are the same: stunnel 4.56 w/OpenSSL 1.0.2k-fips

The production (working) environment happens to be i686 and the development environment happens to be x86-64, but I don't believe that is relevant.

When I use e.g. "openssl s_client" to connect to the production environment and I *do not* provide a client certificate, I am able to perform the initial TLS handshake, get a cipher suite negotiated, etc. and then the connection fails because I didn't provide the client certificate, of course. I *can* see in the handshake the list of allowed client certificates.

When I do the same in development, I get a handshake failure. No allowed client certificates are shown. No nothing.

If I connect on localhost to the dev server, I get what I'm expecting: allowed client certificates are listed, connection is closed because I'm not using the client certificate. Connecting from another host gets me a handshake failure.

Again, there are no load-balancers or anything between the outside and the EC2 instance. I'm connecting as directly as it's possible to connect. The box definitely allows incoming connections on the port I'm trying to use; the AWS security group is configured correctly.

I have tried dropping ALL security configuration on the dev server's stunnel.conf such as client-cert requirements, TLS protocols, cipher suites, etc. and I get the same behavior every time. I'm starting to think that it has nothing to do with my stunnel.conf configuration at all, but I'm at a loss as to where to look next.

Any ideas?
-chris

[Attachment: signature.asc, OpenPGP digital signature, 899 bytes]

From chris at christopherschultz.net Fri Oct 25 17:11:54 2019
From: Christopher Schultz <chris at christopherschultz.net>
Date: Fri, 25 Oct 2019 11:11:54 -0400
Subject: Re: [stunnel-users] Strange connection failure in one environment
In-Reply-To: <8b78fc3a-e579-6764-68a7-48f7e09e7b24@christopherschultz.net>
References: <8b78fc3a-e579-6764-68a7-48f7e09e7b24@christopherschultz.net>
Message-ID: <412029d9-436a-da59-1005-0f61393ba8da@christopherschultz.net>

All,

On 10/25/19 10:09, Christopher Schultz wrote:
> [...]
>
> Any ideas?

Some more information:

0. The error I get on the client is "handshake failure" and the stunnel server drops this log message:

SSL_accept: 1408A0C1: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Note that I have disabled all but TLSv1.2 on the server. Removing this restriction does not change the behavior.

1. I have multiple stunnel configuration files on this server. Actually, I have 4 of them. Connections to ports defined in 2 of these files are not connecting successfully. Connections to ports defined in the OTHER two files *are* connecting successfully. The configurations seem to follow a pattern: those using RSA certificates as the server-certificate are working as expected, while those with an EC server-certificate are failing.
When I say "working" versus "failing", I mean that this command will give me a cipher suite and master key, but still drop the connection because I'm not providing a client-certificate for these tests:

$ openssl s_client -connect host:port

2. I have a Java-based service that *is* able to connect through this stunnel instance just fine. It's running on a recent version of Java 8. My CLI client (not OpenSSL) is also running the same version. My CLI client cannot connect. *weird*

In both cases, I am using EC client certificates, but the certificates are different from each other. Both of these certificates are trusted by the server.

3. When using OpenSSL 1.0.2t, I *can* connect, get the list of acceptable client certificates, etc. even without providing a client certificate. When using OpenSSL 1.1.1d, I can *not* connect. So perhaps the inside/outside networking thing I was thinking the problem might be is incorrect. AFAIK, both versions of OpenSSL should be able to use EC certificates and cipher suites.

Thanks,
-chris

[Attachment: signature.asc, OpenPGP digital signature, 899 bytes]

From brent_kimberley at rogers.com Sat Oct 26 12:43:49 2019
From: Brent Kimberley <brent_kimberley at rogers.com>
Date: Sat, 26 Oct 2019 10:43:49 +0000 (UTC)
Subject: [stunnel-users] stunnel-users Digest, Vol 183, Issue 4
Message-ID: <1384066250.825780.1572086629538@mail.yahoo.com>

Chris, does this help? https://stackoverflow.com/questions/40454338/no-shared-cipher-at-ssl-accept-why

If you can rule out libraries like OpenSSL, then look at your config + initial setup exchange.
> Date: Fri, 25 Oct 2019 11:11:54 -0400
> From: Christopher Schultz
> Subject: Re: [stunnel-users] Strange connection failure in one environment
>
> [...]
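A constructed reproduction of the "no shared cipher" pattern Chris describes, added here and not part of the list thread: a TLS 1.2 listener that holds only an EC (ECDSA) certificate rejects a client offering only RSA-authenticated suites with exactly that server-side error, while an ECDSA suite negotiates. It assumes the openssl CLI (1.1.1 or 3.x) and a free local port; whether this matches what Chris's OpenSSL 1.1.1 client offered is not settled in the thread.

```shell
#!/bin/sh
# Constructed reproduction, not from the thread: a TLS 1.2 server that holds
# only an ECDSA (EC) certificate, probed with different client cipher lists.
# Assumes the openssl CLI (1.1.1 or 3.x) and that $PORT is free locally.
WORK=$(mktemp -d)
PORT=${PORT:-14433}
# Throwaway P-256 key and self-signed cert, standing in for the EC server cert.
gen_ec_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ec.key" -out "$WORK/ec.crt" -subj "/CN=ec-test" -days 1 \
    >/dev/null 2>&1
}
# TLS 1.2-only listener (stand-in for stunnel); handshake errors go to server.log.
start_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/ec.crt" -key "$WORK/ec.key" \
    -tls1_2 -www >"$WORK/server.log" 2>&1 &
  SERVER_PID=$!
  # Wait for the listener; the default cipher list includes ECDHE-ECDSA suites.
  for _ in 1 2 3 4 5; do try_cipher DEFAULT && return 0; sleep 1; done
  return 1
}
stop_server() { kill "$SERVER_PID" 2>/dev/null; wait "$SERVER_PID" 2>/dev/null; return 0; }
# One handshake with the given cipher list; true only if a cipher was negotiated.
try_cipher() {
  out=$(echo | openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -cipher "$1" 2>&1)
  case "$out" in
    *"Cipher is (NONE)"*) return 1 ;;
    *"Cipher is "*)       return 0 ;;
    *)                    return 1 ;;
  esac
}
# Did the server log the same error text Chris quoted ("no shared cipher")?
server_saw_no_shared_cipher() { grep -q "no shared cipher" "$WORK/server.log"; }
run_scenario() {
  gen_ec_cert && start_server || { stop_server; return 1; }
  # Client offers only an RSA-authenticated suite: unusable with an ECDSA cert.
  if try_cipher AES128-GCM-SHA256; then RSA_ONLY=ok; else RSA_ONLY=fail; fi
  # Client offers an ECDSA suite: negotiates normally.
  if try_cipher ECDHE-ECDSA-AES128-GCM-SHA256; then ECDSA=ok; else ECDSA=fail; fi
  if server_saw_no_shared_cipher; then LOG=no-shared-cipher; else LOG=clean; fi
  stop_server
}
run_scenario
echo "RSA-only client: $RSA_ONLY; ECDSA client: $ECDSA; server log: $LOG"
rm -rf "$WORK"
```

Run it as a normal user; the first probe should report fail with "no shared cipher" in the server log, the second should report ok.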