stunnel-users November 2010

stunnel-users@stunnel.org

18 participants
22 discussions

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: … [View More]

5 9

patch for using stunnel as client with pkcs11-engine and opensc smartcard
by Märt Laak 29 Jan '12

29 Jan '12

Dear stunnel managers, I would like to inform you that there exist some incompatibility with stunnel and openssl pkcs11-engine with external PIN entry device (like RSA smartcard using opensc) in Linux. We use this config to load openssl engine stunnel.conf: --- engine=dynamic engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so engineCtrl=ID:pkcs11 engineCtrl=LIST_ADD:1 engineCtrl=LOAD engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so engineCtrl=INIT --- Problem is, with this setup stunnel … [View More]does not allow user to enter PIN for the secret key. Instead it tries to get secret key without PIN, 3 times (and then therefore usually blocks card PIN) and retires: ---- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect Wrong PIN: retrying error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect ---- I discovered workaround that is valid form version 4.26 till current 4.34, as follows, NULL-ing the ui_data.method property in ctx.c: --- diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c *** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300 --- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300 *************** *** 304,309 **** --- 304,310 ---- UI_method_set_reader(ui_method, pin_cb); #else /* USE_WIN32 */ ui_method=UI_OpenSSL(); + ui_data.section = NULL; #endif /* USE_WIN32 */ if(section->engine) for(i=1; i<=3; i++) { --- After that patch private key loads correctly: --- Initializing engine 1 Engine 1 initialized PRNG seeded successfully Certificate: mart.pem Certificate loaded Key file: id_01 private key loaded --- It would be nice if: * somebody investigates more precisely why the OpenSSL PIN entry is not showing with unpached stunnel * include my or better patch for this situation Thank you very much for excellent piece of software! With best regards, Märt Laak [View Less]

2 2

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-… [View More]

3 3

Stunnel 4.33 released
by Michal Trojnara 22 Apr '11

22 Apr '11

The ChangeLog entry: Version 4.33, 2010.04.05, urgency: MEDIUM: * New features - Win32 DLLs for OpenSSL 1.0.0. This library requires to c_rehash CApath/CRLpath directories on upgrade. - Win32 DLLs for zlib 1.2.4. - Experimental support for local mode on WIN32 platform. Try "exec = c:\windows\system32\cmd.exe". * Bugfixes - Inetd mode fixed SHA-1 value for stunnel-4.33.tar.gz: 695c7ef834952cb8ddbc790e10b6e32798fc2767 Home page: http://stunnel.mirt.net/ Download: ftp://stunnel.… [View More]

4 6

How to define stunnel.conf so openvpn packet will go thru stunnel to as HTTP?
by UARE1234 29 Nov '10

29 Nov '10

Hi, >From what I read the examples in stunnel site it possible to wrap VPN's using Stunnel tool. Is it possible to do it for openvpn packets? I can configure thru the openvpn configurations that it packets will go thru port 80 and use TCP but the packets are not http pure. I need to wrap this packets using the stunnel tool. The purpose is to use openvpn over http. I will appreceate if someone can give me a solution for combinig Stunnel and openvpn if possible. Thanks -- View this … [View More]

1 0

Is it possible to wrap openvpn thru stunnel to HTTP-Like
by UARE1234 28 Nov '10

28 Nov '10

Hi, I understand that it is possible to wrap VPN's using Stunnel tool. How Can I do that for openvpn. The purpose is to use openvpn over http like. OpenVPN can establish an HTTP connection to a proxy server, where it will issue a CONNECT to establish a binary connection to the VPN server on port 443/TCP. This works in 99,9% but not in this case since I am talking about a very restrictive network but yet Skype for example works on it since it works in a way of http like. I will … [View More]

1 0

Stunnel resource usage
by Avinash Gaonkar 26 Nov '10

26 Nov '10

Hi All, I need to understand how can we calculate the throughput for stunnel based on allocated CPU and memory. For e.g if we allocate 512Mb of RAM and 1 core for the stunnel in Vmware, what would be the throughput in Mbps. Regards, Avinash gaonkar

1 0

Enhance description of transparent mode in FAQ
by Ivan Trancik 25 Nov '10

25 Nov '10

Hello, I would suggest to improve 'transparent = yes | no (Unix only)' section of http://www.stunnel.org/faq/stunnel.html#service_level_options and how this option work on OS X. I think that this part remote mode (I<connect> option) on Linux >=2.6.28 remote mode (I<connect> option) 2.2.x local mode (I<exec> option) is not clear. Remote mode is a "I<connect> option"? What the heck? And local mode is a "I<exec> option"? Does this "I" thingie stand for unnamed … [View More]

2 1

Problems with cert
by Ross 25 Nov '10

25 Nov '10

Hello, we were using Stunnel 4.25 for a long time without any problems. We used "verify=3". Our client config file: service = stunnel-client cert = client.pem socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 verify = 3 CApath = certificates CAfile = CAcert.pem client = yes [rdp] accept = 3398 connect = XX.XX.XX.XX:3398 But after switching to Stunnel 4.34 (preserving configuration) we started to get errors: 2010.11.25 13:13:30 LOG5[8332:5336]: Service rdp-database accepted … [View More]

2 1

Re: [stunnel-users] ssl renegotiation
by Jason Haar 25 Nov '10

25 Nov '10

On 11/25/2010 05:42 AM, Joe Williams wrote: > > Got it, so there's no way to configure stunnel to disable it without building a new openssl from source. I was thinking there might be an SSL option I could pass in. > That kind of feature was only introduced into the newer versions of OpenSSL, so by definition, older versions can't have an option to disable it ;-) FYI I still have to run fully patched Apache with "SSLInsecureRenegotiation on" due to MSIE still not supporting proper … [View More]

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users November 2010