Hi,
First, apologies: I posted this question on a Google stunnel group, but I
realise that does not have much activity, so I am posting here also.
I am trying to get stunnel up and running and getting the error in the subject. The full error text is:
"SSL_accept: ssl/record/ssl3_record.c:354: error:0A00010B:SSL routines::wrong version number"
I have a simple service which seems to load fine. I have stunnel up at the "server side" on a VM in Azure and if I telnet to the VM public address I can see the activity in the stunnel logs on the VM, so I know at least a pipe is open.
I can hit the port server side and see the log activity in stunnel also.
If I try a telnet to the local stunnel accept port, I see the error above.
This is the full log.
2023.08.23 11:01:04 LOG7[service]: Found 1 ready file descriptor(s)
2023.08.23 11:01:04 LOG7[service]: FD=604 ifds=r-x ofds=---
2023.08.23 11:01:04 LOG7[service]: FD=664 ifds=r-x ofds=r--
2023.08.23 11:01:04 LOG7[service]: Service [dev-dev-testHarness] accepted (FD=708) from 127.0.0.1:10756
2023.08.23 11:01:04 LOG7[service]: Creating a new thread
2023.08.23 11:01:04 LOG7[service]: New thread created
2023.08.23 11:01:04 LOG7[4]: Service [dev-dev-testHarness] started
2023.08.23 11:01:04 LOG7[4]: Setting local socket options (FD=708)
2023.08.23 11:01:04 LOG7[4]: Option TCP_NODELAY set on local socket
2023.08.23 11:01:04 LOG5[4]: Service [dev-dev-testHarness] accepted connection from 127.0.0.1:10756
2023.08.23 11:01:04 LOG6[4]: Peer certificate not required
2023.08.23 11:01:04 LOG7[4]: TLS state (accept): before SSL initialization
2023.08.23 11:01:04 LOG7[4]: TLS alert (write): fatal: decode error
2023.08.23 11:01:04 LOG3[4]: SSL_accept: ssl/record/rec_layer_s3.c:303: error:0A000126:SSL routines::unexpected eof while reading
2023.08.23 11:01:04 LOG5[4]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.08.23 11:01:04 LOG7[4]: Local descriptor (FD=708) closed
2023.08.23 11:01:04 LOG7[4]: Service [dev-dev-testHarness] finished (0 left)
What am I missing? I haven't used stunnel for quite a while; previous efforts were on Linux and I did not see this problem then.
Using telnet/TNC as the local test tools; stunnel was installed with a bare default installation. The only thing I have done differently is to set a config fragment folder to separate services on the server side, and they report as loading fine.
Any help greatly appreciated.
Stu
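An added example for this post (my code, not stunnel's): a small parser for the debug log above that groups lines by stunnel connection id and explains the failure. The point it makes is that a service without `client = yes` is a TLS listener, so telnet on the accept port delivers plaintext where OpenSSL expects a ClientHello; that is exactly what "wrong version number" and "unexpected eof while reading" with both byte counters at zero look like. Connection 4 is the log from the post; connection 5 is constructed around the subject line's error string; the log layout is assumed from the post.

```python
"""Classify stunnel accept-side TLS failures from its debug log.

Added example, not stunnel's own code. It assumes the log layout shown in
the post above:  YYYY.MM.DD HH:MM:SS LOG<level>[<connection id>]: <message>
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LINE_RE = re.compile(
    r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} "
    r"LOG(?P<level>\d)\[(?P<conn>[^\]]*)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"Service \[(?P<svc>[^\]]+)\] accepted connection from (?P<peer>\S+)")
SSL_ERR_RE = re.compile(r"SSL_accept: .*error:(?P<code>[0-9A-Fa-f]+):SSL routines::(?P<reason>.+)$")
BYTES_RE = re.compile(r"(?P<tls>\d+) byte\(s\) sent to TLS, (?P<sock>\d+) byte\(s\) sent to socket")

# OpenSSL reason strings that show up when the first bytes on a TLS-accepting
# socket are not a ClientHello (plaintext typed into telnet, an HTTP request,
# or a client that closes having sent nothing TLS-shaped).
NOT_TLS_REASONS = ("wrong version number", "unexpected eof while reading",
                   "http request", "unknown protocol")


@dataclass
class Conn:
    service: Optional[str] = None
    peer: Optional[str] = None
    error: Optional[Tuple[str, str]] = None   # (OpenSSL error code, reason text)
    bytes_to_tls: Optional[int] = None
    bytes_to_socket: Optional[int] = None


def summarize_connections(log_text: str) -> Dict[str, Conn]:
    """Group log lines by stunnel connection id and keep only the fields that
    matter for diagnosing an accept failure. The "[service]" id belongs to
    the accept loop, not to a client connection, so it is skipped."""
    conns: Dict[str, Conn] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["conn"] == "service":
            continue
        c = conns.setdefault(m["conn"], Conn())
        msg = m["msg"]
        if (a := ACCEPT_RE.search(msg)):
            c.service, c.peer = a["svc"], a["peer"]
        elif (e := SSL_ERR_RE.search(msg)):
            c.error = (e["code"], e["reason"])
        elif (b := BYTES_RE.search(msg)):
            c.bytes_to_tls, c.bytes_to_socket = int(b["tls"]), int(b["sock"])
    return conns


def likely_cause(c: Conn) -> str:
    """SSL_accept dying with one of NOT_TLS_REASONS while the byte counters
    are still zero means the peer never started a TLS handshake: the accept
    side is a TLS listener and it was poked with plaintext."""
    if c.error is None:
        return "no SSL_accept error recorded"
    if (c.bytes_to_tls == 0 and c.bytes_to_socket == 0
            and any(r in c.error[1] for r in NOT_TLS_REASONS)):
        return "peer sent no TLS ClientHello (plaintext client on the TLS accept port)"
    return f"TLS handshake failed: {c.error[1]}"


# Connection 4 is the log from the post; connection 5 is constructed here
# around the error string from the subject line, to show the other reason text.
SAMPLE_LOG = """\
2023.08.23 11:01:04 LOG7[service]: Service [dev-dev-testHarness] accepted (FD=708) from 127.0.0.1:10756
2023.08.23 11:01:04 LOG7[4]: Service [dev-dev-testHarness] started
2023.08.23 11:01:04 LOG5[4]: Service [dev-dev-testHarness] accepted connection from 127.0.0.1:10756
2023.08.23 11:01:04 LOG6[4]: Peer certificate not required
2023.08.23 11:01:04 LOG7[4]: TLS state (accept): before SSL initialization
2023.08.23 11:01:04 LOG7[4]: TLS alert (write): fatal: decode error
2023.08.23 11:01:04 LOG3[4]: SSL_accept: ssl/record/rec_layer_s3.c:303: error:0A000126:SSL routines::unexpected eof while reading
2023.08.23 11:01:04 LOG5[4]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.08.23 11:01:04 LOG7[4]: Service [dev-dev-testHarness] finished (0 left)
2023.08.23 11:02:10 LOG5[5]: Service [dev-dev-testHarness] accepted connection from 127.0.0.1:10801
2023.08.23 11:02:10 LOG3[5]: SSL_accept: ssl/record/ssl3_record.c:354: error:0A00010B:SSL routines::wrong version number
2023.08.23 11:02:10 LOG5[5]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

if __name__ == "__main__":
    for cid, c in summarize_connections(SAMPLE_LOG).items():
        print(f"conn {cid}: {c.peer} -> [{c.service}]: {likely_cause(c)}")
```

The practical consequence: to exercise a server-mode accept port you need a TLS client, for example `openssl s_client -connect 127.0.0.1:<accept port>`; telnet is only a valid test against the client-mode side, where stunnel accepts plaintext and adds the TLS itself.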
I think I'm confused here.
My objective is for requests sent to port 3389 on the Windows 10 machine to be
"validated" by stunnel, then passed on to the service listening on that port. Am
I mistaken about what stunnel is supposed to do?
If not, what would my config look like to accomplish this?
I don't see how changing the RDC port would help. Regardless of what port RDC
listens on, it's still going to be used by RDC and therefore I don't see why the
'accept' wouldn't continue to fail.
Sorry to be so obtuse on this. I just don't get it and haven't found any
examples for stunneling to RDC.
--Mark
-----Original Message-----
From: Michael Curran <mike_curran(a)hotmail.com>
To: Mark Foley <mfoley(a)novatec-inc.com>,
"stunnel-users(a)stunnel.org"
<stunnel-users(a)stunnel.org>
Subject: Re: [stunnel-users] Re: Need help setting up new stunnel config
Date: Fri, 1 Sep 2023 17:39:25 +0000
Mark --
Your full stanza should look like this
[dbserver]
accept = <some port>
connect = 3389
CAfile = stunnel.pem
The IP:PORT was a suggestion for the RDC connection string. If you cannot start RDC with an IP:PORT, then you can change the internal RDC port from 3389 to something else. I have not done this; you will have to review Microsoft's site to find out how.
If RDC can be changed, but not the RDC connection string, then your stanza might look like
[dbserver]
accept = 3389
connect = <new rdc port>
CAfile = stunnel.pem
Mike
________________________________
From: Mark Foley <mfoley(a)novatec-inc.com>
Sent: Friday, September 1, 2023 1:28 PM
To: stunnel-users(a)stunnel.org <stunnel-users(a)stunnel.org>
Subject: [stunnel-users] Re: Need help setting up new stunnel config
Michael - thanks for your response.
I did not see the "ip:port" syntax you suggested in the stunnel doc, so I just
use 'port'. Below is the config I tried:
[DBSERVER]
connect = 3389
CAfile = stunnel.pem
When running I got the following errors:
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[ ] No limit detected for the number of clients
[.] stunnel 5.70 on x64-pc-mingw32-gnu platform
[.] Compiled/running with OpenSSL 3.0.9 30 May 2023
[.] Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_errno())
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
[.] Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
[.] UTF-8 byte order mark detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [DBSERVER]
[!] Service [DBSERVER]: TLS server needs a certificate
[!] Configuration failed
[ ] Deallocating temporary section defaults
[ ] Deallocating section [DBSERVER]
Notice "TLS server needs a certificate". The installation dialog steps me
through creating a certificate which it puts in stunnel.pem. So why this
message? I also tried the full pathname to stunnel.pem.
--Mark
-----Original Message-----
From: Michael Curran <michael.curran(a)cosocloud.com>
To: Mark Foley <mfoley(a)novatec-inc.com>,
"stunnel-users(a)stunnel.org"
<stunnel-users(a)stunnel.org>
Subject: Re: [stunnel-users] Need help setting up new stunnel config
Date: Fri, 1 Sep 2023 13:12:30 +0000
accept is the port you want them to connect on remotely – which would have to be other than 3389 since it is open already
connect would be 3389
I think in the connection string for RDC you can just specify ip:port to connect
If you cannot, you can also redesignate the port Remote Desktop answers on
--
Michael Curran
Systems Architect| CoSo Cloud
D 614.568.2285 | C 614.403.6320 | michael.curran(a)cosocloud.com
From: Mark Foley <mfoley(a)novatec-inc.com>
Date: Thursday, August 31, 2023 at 11:33 AM
To: stunnel-users(a)stunnel.org <stunnel-users(a)stunnel.org>
Subject: [stunnel-users] Need help setting up new stunnel config
I used stunnel about 5 years ago and now I want to use it again, but my notes
are terrible and I'm having trouble getting started.
I want to create a connection between Windows computers on port 3389. The
"client" will be some remote Windows computer, perhaps at someone's home office.
The "server" will be a Windows workstation at the office.
I've installed stunnel 5.70 on a Windows 10 workstation at the office, hostname
COMMONW10. I'm at a loss creating the config file on this machine. I have:
[COMMONW10]
;client = yes
accept = 3389
;connect = ???:xxxx
CAfile = stunnel.pem
The stunnel.pem was created when I installed stunnel. I have no idea what the
'connect' line should have. When I run stunnel (clicking on desktop icon) I get:
[.] Configuration successful
[ ] Deallocating deployed section defaults
[ ] Binding service [COMMONW10]
[ ] Listening file descriptor created (FD=724)
[ ] Setting accept socket options (FD=724)
[ ] Option SO_EXCLUSIVEADDRUSE set on accept socket
[.] Binding service [COMMONW10] to 127.0.0.1:3389: Permission denied (WSAEACCES) (10013)
[!] Binding service [COMMONW10] failed
[ ] Unbinding service [COMMONW10]
[ ] Service [COMMONW10] closed
[ ] Deallocating deployed section defaults
[ ] Deallocating section [COMMONW10]
[ ] Initializing inetd mode configuration
[ ] Running on Windows 6.2
Server is down
I'm assuming the "Permission denied" is because Remote Desktop is already listening on
3389. So, I'm stuck and feeling quite ignorant!
Help appreciated.
--Mark
_______________________________________________
stunnel-users mailing list -- stunnel-users(a)stunnel.org
To unsubscribe send an email to stunnel-users-leave(a)stunnel.org
This is an external email and may have suspicious content. Please take care when clicking links or opening attachments. When in doubt, contact your IT Department.
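An added example for this thread (my code, not stunnel's): a small linter for stunnel.conf that reproduces the three mistakes visible above as checks a practitioner can run before starting the service. The first two come straight from the logs: a stanza in server mode (no `client = yes`) must carry `cert = <pem>`, since `CAfile` only names trust anchors for verifying the other side, which is why stunnel reports "TLS server needs a certificate"; and `accept` cannot sit on the port the fronted service already owns, which is what "Permission denied (WSAEACCES)" on 127.0.0.1:3389 shows. The third check, a stanza missing one of its two endpoints, covers both posted configs. The corrected server and client stanzas at the end are constructed: port 3390, the home machine's local 13389 and the office host name are placeholders, and the client pins the office certificate with `verifyPeer` rather than trusting anything.

```python
"""Lint a stunnel.conf for the mistakes discussed in this thread.

Added example, not stunnel's own code. The checks are written from stunnel's
documented option meanings; the sample configs are the ones posted above plus
constructed corrected stanzas (3390, 13389 and the office host name are
placeholders chosen here).
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]           # (section, severity, message)
# Hosts that mean "this machine" for both the accept and the connect side.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_stunnel_conf(text: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[str, List[str]]]]:
    """Split stunnel.conf into global options and [service] sections.
    Values are kept as lists because some keys (e.g. socket) may repeat;
    lines starting with ';' or '#' are comments."""
    global_opts: Dict[str, List[str]] = {}
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else sections[current]
        target.setdefault(key.strip(), []).append(value.strip())
    return global_opts, sections


def split_endpoint(value: str) -> Tuple[str, str]:
    """'host:port' -> (host, port); a bare 'port' -> ('', port).
    Assumption: no bracketed IPv6 literals in the configs linted here."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else ("", value)


def lint(text: str) -> List[Finding]:
    global_opts, sections = parse_stunnel_conf(text)
    findings: List[Finding] = []
    for name, opts in sections.items():
        eff = {**global_opts, **opts}          # section options override globals
        last = lambda k: eff[k][-1]            # stunnel keeps the last value of a repeated key
        is_client = "client" in eff and last("client").lower() == "yes"
        if "accept" not in eff:
            findings.append((name, "error", "no 'accept' endpoint: nothing to listen on"))
        if "connect" not in eff and "exec" not in eff:
            findings.append((name, "error", "no 'connect' (or 'exec') endpoint: nowhere to forward to"))
        if not is_client and "cert" not in eff and "PSKsecrets" not in eff:
            findings.append((name, "error",
                             "server mode needs its own certificate: set 'cert = <pem>' "
                             "('CAfile' only names trust anchors for verifying the peer)"))
        if "accept" in eff and "connect" in eff:
            ah, ap = split_endpoint(last("accept"))
            ch, cp = split_endpoint(last("connect"))
            if ap == cp and ah in LOCAL_HOSTS and ch in LOCAL_HOSTS:
                findings.append((name, "error",
                                 f"accept and connect are both local port {ap}: the listener "
                                 "collides with the service it fronts or forwards to itself"))
        if is_client and "CAfile" in eff and not any(k in eff for k in ("verifyChain", "verifyPeer", "verify")):
            findings.append((name, "warning",
                             "CAfile is set but no verify option: the server certificate is not checked"))
    return findings


# The two stanzas posted in this thread (comment lines kept as written).
POSTED_DBSERVER = """\
[DBSERVER]
connect = 3389
CAfile = stunnel.pem
"""
POSTED_COMMONW10 = """\
[COMMONW10]
;client = yes
accept = 3389
;connect = ???:xxxx
CAfile = stunnel.pem
"""
# Constructed: what the config looks like if both endpoints are left on 3389.
LOOPED = """\
[rdp]
accept = 3389
connect = 3389
cert = stunnel.pem
"""
# Constructed corrected pair. Office side: listen on a free port (3390 is a
# placeholder), forward to the local RDP service, present its own certificate.
OFFICE_SERVER = """\
[rdp]
accept = 3390
connect = 127.0.0.1:3389
cert = stunnel.pem
"""
# Home side: RDC is pointed at 127.0.0.1:13389 (the "ip:port" form suggested
# above); stunnel carries it to the office and pins the office certificate by
# keeping a copy of it in CAfile and setting verifyPeer.
HOME_CLIENT = """\
[rdp]
client = yes
accept = 127.0.0.1:13389
connect = office.example.invalid:3390
CAfile = office-stunnel.pem
verifyPeer = yes
"""

if __name__ == "__main__":
    for label, conf in [("posted DBSERVER", POSTED_DBSERVER), ("posted COMMONW10", POSTED_COMMONW10),
                        ("looped", LOOPED), ("office server", OFFICE_SERVER), ("home client", HOME_CLIENT)]:
        print(label, lint(conf) or "OK")
```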
Hi, I'm trying to connect to Outlook 365 with this setup
[office365]
client = yes
accept = 127.0.0.1:993
connect = outlook.office365.com:993
Unfortunately, when I try to connect with email and password from my Pentaho software, stunnel responds like this:
2023.09.01 09:57:33 LOG5[2]: Service [office365] accepted connection from 127.0.0.1:63027
2023.09.01 09:57:33 LOG5[2]: s_connect: connected 52.98.206.242:993
2023.09.01 09:57:33 LOG5[2]: Service [office365] connected remote server from 192.168.1.228:63028
2023.09.01 09:57:33 LOG5[2]: Connection closed: 258 byte(s) sent to TLS, 160 byte(s) sent to socket
Could you help me? Is it necessary to configure the certificates? How should it be done?
Thank you!
Hi,
Trying to build stunnel the following warning showed up:
network.c: In function 's_read':
network.c:737:44: warning: unknown conversion type character 'l' in format [-Wformat=]
s_log(LOG_ERR, "s_read: Received %llu out of requested %llu byte(s)",
^
network.c:737:66: warning: unknown conversion type character 'l' in format [-Wformat=]
s_log(LOG_ERR, "s_read: Received %llu out of requested %llu byte(s)",
^
network.c:737:24: warning: too many arguments for format [-Wformat-extra-args]
s_log(LOG_ERR, "s_read: Received %llu out of requested %llu byte(s)",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And one more of the same kind.
I wonder how it didn't happen in the official binaries. Are they being built using the instructions in INSTALL.W32? Using xmingw-64?
Roie
These days, our provider Ionos/1&1 has started to accept only encrypted access to its mail server, with at least TLS 1.2.
There are no problems with incoming mails. In order to be on the safe side with our Win SBS Server 2008 (no comments please!) for outgoing mails, I have now interposed stunnel, as recommended many times on the web. This works in principle. Unfortunate exception: in some cases, especially if the mail recipient has a Microsoft address like @hotmail.de, @live.de or @outlook.com, sending aborts with error 503 5.5.2 ("Need mail command").
Unfortunately, I'm quite innocent with SMTP, SSL and certificates, but I worked hard to create the following stunnel configuration file:
socket = l:TCP_NODELAY=0
socket = r:TCP_NODELAY=0
client = yes
output = C:\Program Files (x86)\stunnel\stunnel.log
[smtpionos]
accept = localhost:465
connect = smtp.ionos.de:465
verifyChain = yes
verifyPeer = yes
CAfile = C:\Program Files (x86)\stunnel\config\amakor2022.pem
checkHost = remote.management-kommunikation.de
protocolHost = smtp.ionos.de
protocolAuthentication = login
protocolUsername = OUR_USERNAME
protocolPassword = OUR_PASSWORD
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.2
delay = yes
protocol = smtp
amakor2022.pem is the "PositiveSSL" certificate that we acquired for our subdomain remote.management-kommunikation.de. "Our_Username" and "Our_Password" are of course our correct access data.
After spending hours searching the web for a solution, does anyone have a tip what's wrong and what to do?
Hi,
Our setup has stunnel and HAProxy running on the same server. Our clients (PostgreSQL clients) connect to the port where stunnel is listening. The clients send encrypted data (setting sslmode=require in the pgsql connection options). stunnel listens for the encrypted traffic and writes unencrypted traffic to another port on the same host where HAProxy is listening. HAProxy then passes the request to one of many PostgreSQL servers. These servers are custom written to implement the PostgreSQL protocol. We want the IP of the PostgreSQL clients to be captured at the server. The HAProxy documentation says that the proxy protocol is the only way to pass the original client IP for non-HTTP traffic. Can you please suggest how we can configure stunnel to listen for encrypted PostgreSQL client traffic (pgsql protocol) and write unencrypted data to the HAProxy instance in proxy protocol?
Following are our current configurations for stunnel and HAProxy:
Stunnel:
foreground = yes
debug = 5
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = l:TCP_KEEPIDLE=120
socket = l:TCP_KEEPINTVL=30
socket = l:TCP_KEEPCNT=3
ciphers = HIGH:MEDIUM
[postgres-serverB]
protocol = pgsql
accept = 0.0.0.0:3255
connect = localhost:5433
retry = yes
cert = /etc/stunnel/stunnel.crt
delay = no
sslVersion = TLSv1.2
HAProxy:
listen pgsql
mode tcp
option tcplog
bind *:5433
balance leastconn
timeout server 1d
timeout client 1d
option tcp-check
option clitcpka
server qspgsqlsvr1 host.docker.internal:5432 check
Thanks,
Ashok
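An added example for this post (my code, not stunnel's or HAProxy's), showing the one thing the question turns on: what the PROXY protocol v1 header looks like on the wire and how a receiver must validate it. A TLS terminator that wants the backend to see the real client address prepends a single CRLF-terminated line, `PROXY TCP4 <client ip> <listener ip> <client port> <listener port>`, before the first application byte, and the receiver parses exactly that line and hands the rest (here the pgsql SSLRequest packet the client sends first) on untouched. On the HAProxy side that header is only read when the `bind` line carries `accept-proxy`. stunnel's manual lists `proxy` among the `protocol` values for sending this header; how that combines with the `protocol = pgsql` negotiation the posted stanza relies on is not settled in this thread. The client and listener addresses are constructed (documentation ranges); the listener port is the 3255 from the posted stanza.

```python
"""PROXY protocol v1: build the header HAProxy's accept-proxy expects and
parse/validate it on the receiving side without swallowing application bytes.

Added example, not stunnel's or HAProxy's code. The addresses and the trailing
pgsql SSLRequest packet are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

V1_MAX_LEN = 107   # longest legal v1 line including CRLF, per the spec


@dataclass(frozen=True)
class ProxyInfo:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str]
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]


def _check_port(p: int) -> int:
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return p


def build_v1(src_ip: str, sport: int, dst_ip: str, dport: int) -> bytes:
    """Header a TLS terminator prepends so the backend learns the real client
    address (and the listener address it hit) instead of the terminator's own."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if s.version != d.version:
        raise ValueError("mixed address families")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {fam} {s} {d} {_check_port(sport)} {_check_port(dport)}\r\n".encode("ascii")


def parse_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Strict receiver side: the line must end with CRLF inside the first 107
    bytes, the addresses must match the declared family and the ports must be
    plain decimals. Returns the parsed info and the untouched payload that
    follows. A real stream reader buffers until it has either a CRLF or 107
    bytes before calling this; anything else is a malformed header."""
    end = data[:V1_MAX_LEN].find(b"\r\n")
    if end < 0:
        raise ValueError("no CRLF-terminated PROXY line in the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    payload = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return ProxyInfo("UNKNOWN", None, None, None, None), payload
    if len(fields) != 6:
        raise ValueError("wrong field count")
    fam, src, dst, sport, dport = fields[1:]
    if fam not in ("TCP4", "TCP6"):
        raise ValueError(f"unknown family {fam!r}")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    want = 4 if fam == "TCP4" else 6
    if s.version != want or d.version != want:
        raise ValueError("address does not match declared family")
    if not (sport.isdigit() and dport.isdigit()) or str(int(sport)) != sport or str(int(dport)) != dport:
        raise ValueError("ports must be plain decimal numbers")
    return ProxyInfo(fam, str(s), str(d), _check_port(int(sport)), _check_port(int(dport))), payload


def is_valid_v1(data: bytes) -> bool:
    try:
        parse_v1(data)
        return True
    except ValueError:
        return False


# Constructed: the first packet a libpq client sends (SSLRequest: length 8,
# request code 80877103). With stunnel terminating TLS it arrives in the clear.
PGSQL_SSLREQUEST = b"\x00\x00\x00\x08\x04\xd2\x16\x2f"

if __name__ == "__main__":
    header = build_v1("203.0.113.7", 51234, "192.0.2.10", 3255)   # client -> stunnel listener
    info, rest = parse_v1(header + PGSQL_SSLREQUEST)
    print(header, info, rest == PGSQL_SSLREQUEST)
```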
hello Team,
Does anybody know how to plug in a provider for OpenSSL 3.x so that it is supported by stunnel, by doing a configuration change or similar?
To give you guys some background, I compiled an OpenSSL 3.x version and then compiled liboqs, and built the oqs provider support into OpenSSL 3.x, following the link below.
https://github.com/open-quantum-safe/oqs-provider
I was under the impression that stunnel might support all the algorithms supported by the OpenSSL version used to build stunnel.
So I rebuilt it using the PQC-enabled OpenSSL, but unfortunately I am not sure how to consume the provider there, or what needs to be tweaked in the stunnel source code so that multiple providers or algorithms are supported, or whether it is possible to achieve this without a massive source code change.
Appreciate any help on this
Regards
Mukesh