The configuration files are:
pid = /var/stunnel.pid
;chroot = /var/lib/stunnel
setuid = nobody
setgid = nobody
foreground = yes
; Use it for client mode
client = yes
; Service-level configuration
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
[mysqls]
accept = 3307
connect = 192.168.1.6:3307
On 192.168.1.6
----------------------
pid = /var/stunnel.pid
setuid = nobody
setgid = nobody
foreground = yes
client = no
; Service-level configuration
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
[mysqls]
accept = 3307
connect = 3306
connecting like
/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307
Enter password:
On entering the password the following lines appear:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104
Subrata
----- Original Message -----
From: Brian Hatch <bri(a)stunnel.org>
To: subrata(a)indiatimes.com
Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST)
Subject: Re: [stunnel-users] Stunnel on the same machine
Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted:
> After starting stunnel and connecting the mysql client (/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p), the flow gets stuck at the Enter password prompt. Any suggestions how to proceed from there?
What do your stunnel configuration files look like?
Other problem: mysql client may decide to use a local domain socket when
connecting to localhost, thwarting your attempts to go via Stunnel.
You might want to 'strace mysql ...' and look for the connect() lines.
--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed

"Time flies like an arrow. Fruit flies like a banana."
Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted:
> Researching online one can see that WebDAV's spec requires that they
> check both src and dest URLs for protocol & port. But with some proxies or
> SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as
> http and the other as https. Here's one person explaining it, much better
> than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml
Stunnel doesn't currently have the ability to scan and re-write the
plaintext. For HTTP redirects it could possibly be implemented
(re-write only the response before ^$, and redirects aren't chunked
and don't have content lengths to work with, etc) but you'd still
need enough HTTP logic to handle keepalives and such. It's not
trivial and not likely.
Another option would be to have something already HTTP aware doing
the rewriting in between stunnel and subversion. A re-writing
proxy.
Another option would be to use mod_rewrite in apache to rewrite
the urls.
But the best way would be to just use SSL inside apache and drop
stunnel entirely.
--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed

"The best way to accelerate a Windows machine is at 9.8 meters per second squared."
I've got a comodo signed SSL certificate that I'm trying to use
with stunnel4 to allow secure NNTP connections from a wide variety of
clients. The certificate at least partially works; if I leave 'verify'
off in the stunnel.conf file, then the service runs and users can connect,
albeit while still having to verify the cert. But if I turn 'verify' on,
then it doesn't work on *either* side.
I've tried playing with CAfile and CApath without much luck. I'll
attach my configuration files, the relevant pems, and some debugging
information; is there something else I'm missing? I've already contacted
comodo, and after several rounds of conversation they suggest I contact
the list.
Errors from the client side (note that I'm using a debug port here):
+ openssl s_client -connect news:565 -verify -debug
verify depth is 0
CONNECTED(00000003)
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.netLimited/CN=Entrust.net Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
6976:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:951:
...and on the server, I get this:
2008.06.30 14:08:38 LOG7[10039:47679267941088]: nntps accepted FD=7 from 171.64.19.111:56122
2008.06.30 14:08:38 LOG7[10039:1073809760]: nntps started
2008.06.30 14:08:38 LOG7[10039:1073809760]: FD 7 in non-blocking mode
2008.06.30 14:08:38 LOG7[10039:1073809760]: FD 8 in non-blocking mode
2008.06.30 14:08:38 LOG7[10039:1073809760]: FD 9 in non-blocking mode
2008.06.30 14:08:38 LOG7[10039:47679267941088]: Cleaning up the signal pipe
2008.06.30 14:08:38 LOG6[10039:47679267941088]: Child process 10247 finished with code 0
2008.06.30 14:08:38 LOG7[10039:1073809760]: Connection from 171.64.19.111:56122 permitted by libwrap
2008.06.30 14:08:38 LOG5[10039:1073809760]: nntps connected from 171.64.19.111:56122
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): before/accept initialization
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 read client hello A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 write server hello A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 write certificate A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 write certificate request A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 flush data
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL alert (read): fatal: unknown CA
2008.06.30 14:08:38 LOG3[10039:1073809760]: SSL_accept: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2008.06.30 14:08:38 LOG5[10039:1073809760]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.06.30 14:08:38 LOG7[10039:1073809760]: nntps finished (0 left)
Basic Requested Information that wasn't supplied above:
* stunnel 4.18-2 on Debian etch (2.6.18-6-686 #1 SMP)
* Running standalone with '/usr/bin/stunnel4 /etc/news/stunnel.conf'
* libc6, no gcc, OpenSSL 0.9.8c-4etch3
* The log on startup:
2008.06.30 14:00:15 LOG7[26276:3083523776]: Snagged 64 random bytes from /root/.rnd
2008.06.30 14:00:15 LOG7[26276:3083523776]: Wrote 1024 new random bytes to /root/.rnd
2008.06.30 14:00:15 LOG7[26276:3083523776]: RAND_status claims sufficient entropy for the PRNG
2008.06.30 14:00:15 LOG7[26276:3083523776]: PRNG seeded successfully
2008.06.30 14:00:15 LOG7[26276:3083523776]: Configuration SSL options: 0x01000000
2008.06.30 14:00:15 LOG7[26276:3083523776]: SSL options set: 0x01000000
2008.06.30 14:00:15 LOG7[26276:3083523776]: Certificate: /etc/ssl/certs/news-stunnel.pem
2008.06.30 14:00:15 LOG7[26276:3083523776]: Certificate loaded
2008.06.30 14:00:15 LOG7[26276:3083523776]: Key file: /etc/ssl/private/news-stunnel.key
2008.06.30 14:00:15 LOG7[26276:3083523776]: Private key loaded
2008.06.30 14:00:15 LOG7[26276:3083523776]: Loaded verify certificates from /etc/ssl/certs/comodo.cert
2008.06.30 14:00:15 LOG7[26276:3083523776]: SSL context initialized for service nntps
- Tim Skirvin (tskirvin(a)stanford.edu)
--
Information Technology Services, Stanford University
System Software Developer, Unix Team
http://www.stanford.edu/~tskirvin/
Hi,
Can someone please help with this issue? This 100% cpu utilization issue happens randomly on multiprocess cpu.
Thanks!
----- Original Message ----
From: Fat Wallet <fat8wallet(a)yahoo.com>
To: stunnel-users(a)mirt.net
Sent: Monday, June 23, 2008 10:39:16 AM
Subject: Stunnel 4.21 99% cpu utilization
Hi All,
I've been googling for this issue but it seems like google is not my friend at the moment. I am running Linux with 4 cpus and top command shows stunnel at 99-100% cpu. Please help.
//stunnel configuration file
# PID is created inside chroot jail
pid = /var/run/stunnel.pid
# debug
debug = 7
output = /var/log/stunnel.log
# Authentication stuff
verify = 2
cert = /etc/stunnel/cert.pem
CAfile = /etc/stunnel/ca.pem
#Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
# Use it for client mode
client = yes
/////////// stunnel version
stunnel 4.21 on i686-pc-linux-gnu with OpenSSL 0.9.7a Feb 19 2003
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
Global options
debug = 5
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
key = /etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
//openssl version
OpenSSL 0.9.7a Feb 19 2003
//Redhat version
Red Hat Linux release 9 (Shrike)
root]#cat /proc/cpuinfo | grep processor | wc -l
4
Stunnel works great for me, but with dynamic port forwarding, I've not
been able to get it working. I suspect it's because stunnel is a bit
confusing about which port to reply to...
Anyone else found a way to crack this nut?
I've got an application that starts stunnel using equivalent of
a fork/exec. The stunnel process then appears to fork off
multiple copies of itself.
Before the application exits, it needs to stop stunnel. I send
a SIGINT to the PID that was created using the fork, but only
the first "master" copy terminates -- the master stunnel
process doesn't terminate its children when it exits. So I end
up with a bunch of "orphaned" stunnel processes. They're not
zombies, they're processes that are either in state R or S
(runnable or sleeping).
How do I tell stunnel to not only terminate, but to terminate
whatever child processes it has created?
--
Grant Edwards
grante at visi.com

"Yow! Zippy's brain cells are straining to bridge synapses ..."
Hi All,
I have a stunnel config file that works fine on an older Mandrake
machine running stunnel 4.05. If I use that same config file on a
new Ubuntu machine running 4.21 it just dies with
"/etc/stunnel/stunnel.pem: No such file or directory"
IIUC, running in client mode it doesn't need a .pem file, and I
didn't create any certificates on the Mandrake machines.
Do I need to generate a cert for some reason? I've attached the
config below.
Brian
===============================
client = yes
[telnet]
accept = 23
connect = some.ip.number.removed:992
[as-central]
accept = 8470
connect = some.ip.number.removed:9470
[as-database]
accept = 8471
connect = some.ip.number.removed:9471
[as-rmtcmd]
accept = 8475
connect = some.ip.number.removed:9475
Hey,
I'm trying to use stunnel in the following scenario: ssh-client -> stunnel
(to ssl) -> Proxy -> server(ssl to ssh).
I downloaded stunnel 4.25, but I hadn't noticed any support for this.
However, in the "patches" page (http://www.stunnel.org/patches/) - three
patches seem to be suitable:
(connect-proxy_dunbar.patch<http://www.stunnel.org/patches/patches/connect-proxy_dunbar.patch>,
connect-proxy.mwald.patch<http://www.stunnel.org/patches/patches/connect-proxy.mwald.patch>)
but are for version 4.05 (which will probably be a pain to merge with current
version).
When I stumbled upon the Changelog (
http://www.stunnel.org/download/ChangeLog.txt) I noticed that version 4.15,
has support for
"Client mode CONNECT protocol" - which is what I need - and although I had
looked hard, I haven't found any documentation to it.
So, is the above feature what I want (and if so - how do I use it?) or do I
need to update the patches to the current version?
Thanks in advance,
Alex.