From mirq-linux at rere.qmqm.pl Sat Apr 4 05:57:24 2020 From: mirq-linux at rere.qmqm.pl (=?iso-8859-2?Q?Micha=B3_Miros=B3aw?=) Date: Sat, 4 Apr 2020 05:57:24 +0200 Subject: [stunnel-users] [PATCH] SMTP server with PROXY Message-ID: <20200404035724.GA31880@qmqm.qmqm.pl> Hi, I've been using stunnel as a SSL frontend to an SMTP server. The server usually has use for original client's address, so I made a patch that adds PROXY protocol headers on backend (unwrapped) connection. Best Regards, Micha? Miros?aw 
Index: stunnel4-5.56/src/protocol.c 
=================================================================== 
--- stunnel4-5.56.orig/src/protocol.c 
+++ stunnel4-5.56/src/protocol.c 
@@ -58,7 +58,9 @@ NOEXPORT char *smtp_client(CLI *, SERVIC
 NOEXPORT void smtp_client_negotiate(CLI *);
 NOEXPORT void smtp_client_plain(CLI *, const char *, const char *);
 NOEXPORT void smtp_client_login(CLI *, const char *, const char *); 
+NOEXPORT void smtp_server_negotiate(CLI *, char *, int);
 NOEXPORT char *smtp_server(CLI *, SERVICE_OPTIONS *, const PHASE); 
+NOEXPORT char *smtp_proxy_server(CLI *, SERVICE_OPTIONS *, const PHASE);
 NOEXPORT char *pop3_client(CLI *, SERVICE_OPTIONS *, const PHASE);
 NOEXPORT char *pop3_server(CLI *, SERVICE_OPTIONS *, const PHASE);
 NOEXPORT char *imap_client(CLI *, SERVICE_OPTIONS *, const PHASE); 
@@ -97,6 +99,10 @@ char *protocol(CLI *c, SERVICE_OPTIONS *
 return opt->option.client ?
 pgsql_client(c, opt, phase) :
 pgsql_server(c, opt, phase); 
+ if(!strcasecmp(opt->protocol, "smtp+proxy")) 
+ return opt->option.client ? 
+ "The 'proxy' protocol is not supported in the client mode" : 
+ smtp_proxy_server(c, opt, phase);
 if(!strcasecmp(opt->protocol, "smtp"))
 return opt->option.client ?
 smtp_client(c, opt, phase) : 
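Review bot: The rejection string on the client-mode branch names the `'proxy'` protocol, but the value being rejected is `smtp+proxy`; use `"The 'smtp+proxy' protocol is not supported in the client mode" :` so the log points at the configuration value the user actually wrote. The patch touches only src/protocol.c (per the Index line), so the new `smtp+proxy` protocol value and the server-side meaning it gives protocolDomain stay undocumented; a short entry next to the other `protocol` values in the manual is needed for anyone to discover the feature. The `protocol()` dispatch function continues outside this hunk.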
@@ -837,6 +843,12 @@ NOEXPORT void smtp_client_login(CLI *c,
 NOEXPORT char *smtp_server(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
 char *line, *domain, *greeting; 
+ if (opt->protocol_domain) { 
+ if(phase==PROTOCOL_EARLY) 
+ smtp_server_negotiate(c, opt->protocol_domain, 1); 
+ return NULL; 
+ } 
+
 if(phase==PROTOCOL_CHECK)
 opt->option.connect_before_ssl=1; /* c->remote_fd needed */
 if(phase!=PROTOCOL_MIDDLE) 
@@ -881,17 +893,32 @@ NOEXPORT char *smtp_server(CLI *c, SERVI
 }
 str_free(line); 
+ smtp_server_negotiate(c, domain, 0); 
+ return NULL; 
+} 
+ 
+NOEXPORT void smtp_server_negotiate(CLI *c, char *domain, int static_domain) { 
+ char *line; 
+ 
+ if (static_domain) { 
+ if (!domain) 
+ domain=(char *)"smtp.example.com"; 
+ fd_printf(c, c->local_wfd.fd, "220 %s stunnel", domain); 
+ } 
+
 /* process client's EHLO */
 line=fd_getline(c, c->local_rfd.fd);
 if(!is_prefix(line, "EHLO ")) {
 s_log(LOG_ERR, "Unknown client EHLO");
 str_free(line); 
- str_free(domain); 
+ if (!static_domain) 
+ str_free(domain);
 throw_exception(c, 1);
 }
 str_free(line);
 fd_printf(c, c->local_wfd.fd, "250-%s", domain); 
- str_free(domain); 
+ if (!static_domain) 
+ str_free(domain);
 fd_putline(c, c->local_wfd.fd, "250 STARTTLS");
 /* process client's STARTTLS */ 
@@ -903,7 +930,13 @@ NOEXPORT char *smtp_server(CLI *c, SERVI
 }
 fd_putline(c, c->local_wfd.fd, "220 Go ahead");
 str_free(line); 
+} 
+NOEXPORT char *smtp_proxy_server(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) { 
+ if(phase==PROTOCOL_LATE) 
+ return proxy_server(c, opt, phase); 
+ if(phase==PROTOCOL_EARLY) 
+ smtp_server_negotiate(c, opt->protocol_domain, 1);
 return NULL;
 } 
From rshdwork at gmail.com Wed Apr 8 06:07:06 2020
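Review bot: The new early return at the top of `smtp_server` fires whenever `opt->protocol_domain` is set, so a plain `protocol = smtp` service that already has protocolDomain configured silently switches to the static-banner path and, because the block returns before the `connect_before_ssl=1` line, also changes when the backend is connected. If protocolDomain previously had no server-side meaning for smtp this is a surprising configuration-driven behaviour change; keeping `smtp_server` unchanged and letting `smtp_proxy_server` alone select the static path (dropping the five added lines here) would avoid it. On the static path the backend's own 220 greeting is never consumed as far as these hunks show, so after STARTTLS the client's EHLO may be answered by the backend's greeting rather than a 250 reply — worth confirming against a real client; the same concern applies to `smtp_proxy_server` in the last hunk. The body of `smtp_server` continues past the end of this hunk.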
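Review bot: The `static_domain` flag changes who owns `domain` inside `smtp_server_negotiate` — the callee frees it on the heap path but not on the static path — which is the only reason the `(char *)"smtp.example.com"` cast and the two guarded `str_free(domain)` calls are needed. Taking `const char *domain`, never freeing inside the callee, and having `smtp_server` call `str_free(domain)` after the call returns keeps the flag out of the freeing logic; on the `throw_exception` path the heap copy would then be left to stunnel's tracked allocator, which I assume reclaims it at client exit — confirm before relying on that. A header comment such as `/* pre-TLS 220/EHLO/STARTTLS exchange with the client; domain is the name advertised in the banner and EHLO reply */` would help now that the function serves two callers with different ownership. The new function's body continues past the end of this hunk.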
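Review bot: `smtp_proxy_server` performs no validation at PROTOCOL_CHECK, so a service that omits protocolDomain is accepted and greets every client with the placeholder `smtp.example.com` banner from the previous hunk. Since `protocol()` already returns a string to reject unsupported configurations (the client-mode case in the second hunk), add `if(phase==PROTOCOL_CHECK && !opt->protocol_domain) return "The 'smtp+proxy' protocol requires protocolDomain";` ahead of the phase dispatch. `proxy_server` is only reached at PROTOCOL_LATE here; if it does anything in other phases that work is skipped, so forwarding every phase except PROTOCOL_EARLY to it would be the safer default. A blank line and a short comment before `NOEXPORT char *smtp_proxy_server` would also make the new definition easier to find, as it currently follows the previous closing brace directly.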
From: rshdwork at gmail.com (Ray) Date: Wed, 8 Apr 2020 14:07:06 +1000 Subject: [stunnel-users] Stunnel to accept SSL and connect SSL Message-ID: Hi everyone, Simple question - How can I configure Stunnel to accept SSL from downlinks and connect to an SSL uplink? Thanks Ray -------------- next part -------------- An HTML attachment was scrubbed... URL: From andre.leonard at celotoise.com Fri Apr 10 09:46:29 2020 From: andre.leonard at celotoise.com (=?UTF-8?Q?Andr=C3=A9_L=C3=A9onard?=) Date: Fri, 10 Apr 2020 09:46:29 +0200 Subject: [stunnel-users] CERT: Pre-verification error: unsupported certificate purpose Message-ID: <1a2bba7f82b899d6e208303bc3a8ad6d@celotoise.com> Hi, I upgraded stunnel from version 5.44 to 5.56. But now I'm getting the following error: CERT: Pre-verification error: unsupported certificate purpose Rejected by CERT Setting verify to 0 solves the issue temporarily but is not secure at all. For testing purposes, I recreated a new certificate with the following command, but ended up with the same issue: openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem How do I fix this? Thanks for your help, André. -------------- next part -------------- An HTML attachment was scrubbed... URL: From brent_kimberley at rogers.com Fri Apr 10 22:38:06 2020 
From: brent_kimberley at rogers.com (Brent Kimberley) Date: Fri, 10 Apr 2020 20:38:06 +0000 (UTC) Subject: [stunnel-users] stunnel-users Digest, Vol 189, Issue 3 In-Reply-To: References: Message-ID: <1540716477.2543756.1586551086900@mail.yahoo.com> Hi Andre. Can you please post your template? Salut, Brent Friday, April 10, 2020, 6:00:08 a.m. EDT, stunnel-users-request at stunnel.org wrote: Send stunnel-users mailing list submissions to stunnel-users at stunnel.org To subscribe or unsubscribe via the World Wide Web, visit https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users or, via email, send a message with subject or body 'help' to stunnel-users-request at stunnel.org You can reach the person managing the list at stunnel-users-owner at stunnel.org When replying, please edit your Subject line so it is more specific than "Re: Contents of stunnel-users digest..." Today's Topics: 1. CERT: Pre-verification error: unsupported certificate purpose (André Léonard) ---------------------------------------------------------------------- Message: 1 Date: Fri, 10 Apr 2020 09:46:29 +0200 
From: André Léonard To: stunnel-users at stunnel.org Subject: [stunnel-users] CERT: Pre-verification error: unsupported certificate purpose Message-ID: <1a2bba7f82b899d6e208303bc3a8ad6d at celotoise.com> Content-Type: text/plain; charset="utf-8"; Format="flowed" Hi, I upgraded stunnel from version 5.44 to 5.56. But now I'm getting the following error: CERT: Pre-verification error: unsupported certificate purpose Rejected by CERT Setting verify to 0 solves the issue temporarily but is not secure at all. For testing purposes, I recreated a new certificate with the following command, but ended up with the same issue: openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem How do I fix this? Thanks for your help, André. -------------- next part -------------- An HTML attachment was scrubbed... URL: ------------------------------ Subject: Digest Footer _______________________________________________ stunnel-users mailing list stunnel-users at stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users ------------------------------ End of stunnel-users Digest, Vol 189, Issue 3 ********************************************* From tim.turner at lmax.com Sat Apr 18 11:13:13 2020 
From: tim.turner at lmax.com (Tim Turner) Date: Sat, 18 Apr 2020 09:13:13 +0000 Subject: [stunnel-users] stunnel ignoring config file for port binding Message-ID: Config and logs below but redacted, this is running on 2016 server, if it matters I am starting it over an RDP session I find that the port is ignored in the config file and it always binds to ports in the 23*** range ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment ;cert = stunnel.pem ;key = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively you can use CRLfile ;CRLfile = crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 output = /stunnel.log ; Use it for client mode client = yes ; Service-level configuration [Service Config] accept=127.0.0.1:40001 connect = redacted:443 log file 2020.04.18 10:08:18 LOG7[main]: Dispatching a signal from the signal pipe 2020.04.18 10:08:18 LOG7[main]: Processing SIGNAL_RELOAD_CONFIG 2020.04.18 10:08:18 LOG7[main]: Running on Windows 6.2 2020.04.18 10:08:18 LOG5[main]: Reading configuration from file stunnel.conf 2020.04.18 10:08:18 LOG5[main]: UTF-8 byte order mark detected 2020.04.18 10:08:18 LOG7[main]: Compression disabled 2020.04.18 10:08:18 LOG7[main]: No PRNG seeding was required 2020.04.18 10:08:18 LOG6[main]: Initializing service [Service Config] 2020.04.18 10:08:18 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK 2020.04.18 10:08:18 LOG7[main]: TLSv1.3 ciphersuites: 
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 2020.04.18 10:08:18 LOG7[main]: TLS options: 0x02100004 (+0x00000000, -0x00000000) 2020.04.18 10:08:18 LOG7[main]: No certificate or private key specified 2020.04.18 10:08:18 LOG4[main]: Service [Digital-Prod-MTF-FIX-MD] needs authentication to prevent MITM attacks 2020.04.18 10:08:18 LOG5[main]: Configuration successful 2020.04.18 10:08:18 LOG7[main]: Deallocating section defaults 2020.04.18 10:08:18 LOG5[main]: Logging to C:\Users\turnert\AppData\Local\/stunnel.log 2020.04.18 10:08:18 LOG7[main]: Binding service [New Broker FIX Demo-Trading] 2020.04.18 10:08:18 LOG7[main]: Listening file descriptor created (FD=1296) 2020.04.18 10:08:18 LOG7[main]: Setting accept socket options (FD=1296) 2020.04.18 10:08:18 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket 2020.04.18 10:08:18 LOG6[main]: Service [New Broker FIX Demo-Trading] (FD=1296) bound to 127.0.0.1:23471 2020.04.18 10:08:18 LOG7[main]: Binding service [Service Config] This message and its attachments are confidential, may not be disclosed or used by any person other than the addressee and are intended only for the named recipient(s). If you are not the intended recipient, please notify the sender immediately and delete any copies of this message. LMAX Group is the holding company of LMAX Exchange, LMAX Global and LMAX Digital. Our registered address is Yellow Building, 1A Nicholas Road, London W11 4AN. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pcoviello at ccsusa.com Tue Apr 21 19:49:36 2020 
From: pcoviello at ccsusa.com (Coviello, Paul) Date: Tue, 21 Apr 2020 17:49:36 +0000 Subject: [stunnel-users] port ? and password Message-ID: <6403b151577e4e07a769e4b5d928cd86@ccsusa.com> It's been a while since I've played with this and now there is a need to bring it back online. Can I designate any port numbers? I have an application that requires 'a' on the client and 'b' on the server. Also, is there a way to change the password in the startup of stunnel on VMS? Thanks Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: From kxkvi at outlook.com Wed Apr 22 01:58:41 2020 From: kxkvi at outlook.com (Thomas Eifert) Date: Tue, 21 Apr 2020 18:58:41 -0500 Subject: [stunnel-users] Stunnel Cleanup on Uninstall Message-ID: I've recently removed Stunnel 5.56 from several machines running Windows 10 x64. In every case, the uninstaller leaves behind the stunnel directory, bin subdirectory, and the file libssp-0.dll. Easy enough to remove manually, but I seem to recall that in previous versions the uninstaller managed to get everything. Regards, Thomas -- Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately. From joes at quietrack.com Thu Apr 30 21:04:42 2020 
From: joes at quietrack.com (Joe Sterk) Date: Thu, 30 Apr 2020 19:04:42 +0000 Subject: [stunnel-users] REDIR not Working in Chrome, Edge (new), Opera In-Reply-To: References: Message-ID: We are running stunnel on a windows 2019 server. When running Chrome/Opera/Edge(new), on our redirect we get the following: Hmmm... can't reach this page It looks like the webpage at https://xx.xxxxxxxx.com/xap/tqv000?NAME=&domain=xxxxxxxx might be having issues, or it may have moved permanently to a new web address. ERR_RESPONSE_HEADERS_TRUNCATED The code that is being called is: !************************************************************************ B$='REDIR https://' + STRIP(HOST$) + '/mainlobby.aspx' We even tried to redirect to www.google.com and got the same error. Our log files shows the following: [04/23/20 14:25:39 409 ]Q.BUTTON1 = Ok [04/23/20 14:25:39 409 ]REDIR http://www.google.com [04/23/20 14:25:39 409 ]Result=+OK REDIR [04/23/20 14:25:42 ]GET /xap/tqv001 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* The stunnel.conf file has the following connection information: sslVersion = all options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 ;header always set x-xss-protection "1; mode=block" ;ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ;options = CIPHER_SERVER_PREFERENCE TIMEOUTclose = 0 [https] accept = 443 connect = 8080 I don't see any error messages but the redirect is not working. It still works in IE and Firefox (for now). 
Joe Sterk CIO (Chief Information Officer) [Description: Description: cid:image004.jpg at 01CD22BD.40F8C160] Insurance Services Corp. ? (972) 896-0384 (Mobile) * (707) 303-8105 (Work) * joes at QuieTrack.com -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 2035 bytes Desc: image001.jpg URL: