Hi there,
When I try to enable zlib compression at the server I get this error when
starting it up...
2006.06.23 15:44:39 LOG3[3426:3086293504]: Failed to add zlib compression method
How do I get zlib to work? Do I need to compile OpenSSL with zlib?
I'm using Fedora Core 3 with stunnel-4.15, and OpenSSL and zlib are from RPMs.
Thanks very much.
---- - Madasafish - Voted Best Heavy Consumer Broadband Provider in the 2006 Internet Industry Awards http://www.madasafish.com/
Michael:
We will give this also a shot. The workaround worked however.
Much thanks
Sekhar
----------------
Message: 4
Date: Tue, 13 Jun 2006 23:44:50 +0200
From: Michal Trojnara <Michal.Trojnara(a)mobi-com.net>
Subject: Re: [stunnel-users] CRLPath not working
To: stunnel-users(a)mirt.net
Message-ID: <200606132344.53413.Michal.Trojnara(a)mobi-com.net>
Content-Type: text/plain; charset="utf-8"
On Tuesday 13 June 2006 02:14, Nagasundaram, Sekhar wrote:
> Here are the configuration and the log files as you requested....
Thank you. Please try the following change:
--- ctx.old 2006-06-13 23:33:29.000000000 +0200
+++ ctx.c 2006-06-13 23:35:33.000000000 +0200
@@ -460,6 +460,7 @@
s_log(LOG_DEBUG, "Loaded CRLs from %s", section->crl_file);
}
if(section->crl_dir) {
+ section->revocation_store->cache=0;
lookup=X509_STORE_add_lookup(section->revocation_store,
X509_LOOKUP_hash_dir());
if(!lookup) {
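Review bot: the added line `section->revocation_store->cache=0;` pokes an internal field of OpenSSL's X509_STORE directly rather than going through an API, so it ties stunnel to the struct layout of whatever OpenSSL build it is compiled against; at minimum put a comment above it stating why the hash-dir lookup must run uncached (so a CRL refreshed in `crl_dir` is re-read from disk instead of the expired copy being served from the cache), and say explicitly whether the `crl_file` branch just above is meant to stay cached, since a CRL loaded from a file gets the same stale-cache behaviour this change is fixing for the directory case.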
BTW: Did my workaround work?
Best regards,
Mike
Well, we need about 100+ in our current environment. So how about
increasing it to maybe 256?
-Claus
-----Original Message-----
From: stunnel-users-bounces(a)mirt.net
[mailto:stunnel-users-bounces@mirt.net] On Behalf Of Michal Trojnara
Sent: Wednesday, June 14, 2006 4:23 PM
To: <stunnel-users(a)mirt.net> <stunnel-users(a)mirt.net>
Subject: Re: [stunnel-users] Is there a limit to the number of services you can have defined on a client?
On 2006-06-14, at 22:18, Lund, Claus wrote:
> Any chance the default could be increased? Really, what's 4MB of RAM
> between friends (for the example in your answer)? :-)
Okay. What value do you recommend?
> And maybe implement an error/warning message when the limit is
> exceeded?
Good idea. I'll do it.
Best regards,
Mike
_______________________________________________
stunnel-users mailing list
stunnel-users(a)mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Thanks Mike.
Any chance the default could be increased? Really, what's 4MB of RAM
between friends (for the example in your answer)? :-)
And maybe implement an error/warning message when the limit is exceeded?
-Claus
-----Original Message-----
From: stunnel-users-bounces(a)mirt.net
[mailto:stunnel-users-bounces@mirt.net] On Behalf Of Michal Trojnara
Sent: Wednesday, June 14, 2006 4:11 PM
To: <stunnel-users(a)mirt.net> <stunnel-users(a)mirt.net>
Subject: Re: [stunnel-users] Is there a limit to the number of services you can have defined on a client?
On 2006-06-14, at 21:20, Lund, Claus wrote:
> I ran
> some quick tests and it looks like it's impossible to have more than
> 64 services defined?
Here is your answer:
http://stunnel.mirt.net/pipermail/stunnel-users/2006-April/001099.html
Best regards,
Mike
We have a bunch of middle-tier servers for an application and we're
using stunnel to encrypt the traffic between the windows clients and
those middle-tier servers.
The clients have stunnel.conf files with a large number of services
defined and it seems like we're hitting some limit in stunnel. I ran
some quick tests and it looks like it's impossible to have more than 64
services defined?
If I have a config file with about 100 services defined then everything
works fine up until I try to connect to service number 65. When I try to
connect to that service then the client just hangs forever (and there's
no output in the log file on the client).
We are using version 4.14 but I tested this on 4.15 as well and I am
getting the same result there.
Here's a piece of the config file I am using for testing:
"client = yes
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
[blah]
accept = 13806
connect = tax187a:13806
[blah1]
accept = 13807
connect = tax187a:13806"
Then followed by blah2 - blah100. Things work fine when connecting to
"blah63" and lower. Anything higher than that causes the stunnel client
to just hang.
Thank you in advance,
Claus
____________________________________________
Claus Lund
Systems Developer
NEW EMAIL ADDRESS: Claus.Lund(a)state.vt.us
Department of Taxes
Information Systems
133 State Street
Montpelier, Vermont 05633-1401
(802) 828-3735
Mike:
Here are the configuration and the log files as you requested....
---------------------------------------------BEGIN CONFIG---------------------------------
# switch-simulator stunnel configuration file
# Copyright by Michal Trojnara 2002
# Certs and keys
cert = /etc/certs/demoedge2-cert.pem
key = /etc/keys/demoedge2-key.pem
# PID is created inside chroot jail
pid = /var/opt/stunnel/stunnel_server.pid
# Authentication stuff
verify = 2
options = NO_SSLv2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
CApath = /etc/CApath
# CRL path or file (inside chroot jail):
CRLpath = /etc/crl
# Some debugging stuff
debug = local4.5
output = /var/opt/log/pras_test_server.log
# Use it for client mode
#client = no
# Service-level configuration
[APF]
accept = 10.172.86.128:51101
connect = 127.0.0.1:50111
----------------------------------------------END CONFIG----------------------------------
--------------------------------------------- BEGIN LOG FILE -------------------------------
2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.11 19:27:25 LOG3[8839:7]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.11 19:27:25 LOG5[8839:7]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 17:41:52 LOG5[8839:8]: APF connected from 10.172.86.96:35225
2006.06.12 17:41:52 LOG5[8839:8]: VERIFY OK: depth=2, /C=US/O=VISA/OU=Visa International Service Association/CN=TEST Visa Info Delivery Root CA
2006.06.12 17:41:52 LOG5[8839:8]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, , lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 17:41:52 LOG4[8839:8]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 17:41:52 LOG3[8839:8]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 17:41:52 LOG5[8839:8]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.12 23:01:08 LOG5[8839:9]: APF connected from 10.172.86.96:35371
2006.06.12 23:01:08 LOG5[8839:9]: VERIFY OK: depth=2, <VISA CA>
2006.06.12 23:01:08 LOG5[8839:9]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.12 23:01:08 LOG4[8839:9]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.12 23:01:08 LOG3[8839:9]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.12 23:01:08 LOG5[8839:9]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
------------------------------------------- END LOG FILE --------------------------------------
On 2006-06-12, at 22:17, Nagasundaram, Sekhar wrote:
> We download crls everyday from a CRL server using LDAP and a cronjob.
> These CRLs are stored in the CRLpath directory along with its hash.
> It appears that the stunnel is not refreshing its cache, and it
> still shows "Found CRL is expired - revoking all certificates until
> you get updated CRL" when we try to connect to it even though there is
> a new and valid CRL in the CRLPath folder. Is there a special option
> in Stunnel configuration for it to recognize/cache/add the new hash
> file?
Just to make sure: the problem disappears after restarting stunnel,
right?
The simple workaround could be disabling all SSL caches:
./configure --with-threads=fork
make clean
make
make install
Can you send your stunnel.conf and debug log?
TIA,
Mike
Sekhar Nagasundaram
<<Nagasundaram, Sekhar.vcf>>
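The symptom in the log above is a CRL that stunnel still holds in memory after it has passed nextUpdate, so every client is rejected even though a fresh CRL sits in CRLpath. As an added example (not code from the thread or from stunnel), the following Python reads the stunnel 4.x log format quoted above and reports, per "CA CRL" entry, whether the CRL being used was already expired at the moment of the handshake; the sample lines are constructed, and the comparison assumes the log timestamps and the CRL's GMT times are in the same zone.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the thread, one log
# entry per line (the archive wrapped them); not a real capture.
SAMPLE_LOG = """\
2006.06.11 19:27:25 LOG5[8839:7]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 9 07:00:02 2006 GMT, nextUpdate: Jun 10 08:00:02 2006 GMT
2006.06.11 19:27:25 LOG4[8839:7]: Found CRL is expired - revoking all certificates until you get updated CRL
2006.06.13 09:15:00 LOG5[8839:10]: CA CRL: Issuer: /C=US/O=VISA CRL ISSUER>, lastUpdate: Jun 13 07:00:02 2006 GMT, nextUpdate: Jun 14 08:00:02 2006 GMT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG\d\[[^\]]*\]: (?P<msg>.*)$"
)
CRL_RE = re.compile(
    r"CA CRL: Issuer: (?P<issuer>.*?), lastUpdate: (?P<last>.*?) GMT, "
    r"nextUpdate: (?P<next>.*?) GMT$"
)

def _openssl_time(text):
    # OpenSSL prints e.g. "Jun  9 07:00:02 2006"; collapse the day padding
    # so strptime accepts both the padded and the single-space form.
    return datetime.strptime(re.sub(r"\s+", " ", text.strip()), "%b %d %H:%M:%S %Y")

def crl_checks(log_text):
    """One record per 'CA CRL' entry: when stunnel evaluated the CRL, its
    nextUpdate, and whether that CRL was already past nextUpdate at that
    moment (assumes log time and CRL time share a zone)."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CRL_RE.search(m.group("msg"))
        if not c:
            continue
        seen = datetime.strptime(m.group("ts"), "%Y.%m.%d %H:%M:%S")
        next_update = _openssl_time(c.group("next"))
        records.append({"seen": seen, "issuer": c.group("issuer"),
                        "next_update": next_update,
                        "expired": seen > next_update})
    return records

def count_expired_rejections(log_text):
    """Handshakes stunnel refused because its in-memory CRL had expired."""
    return sum("Found CRL is expired" in line for line in log_text.splitlines())
```

If the records keep showing expired=True after the nightly CRL download has replaced the file, the running process is still serving its cached copy, which is exactly the case the thread is about.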
As part of an internal project at work, I'm investigating a Windows
tunneling solution using STunnel. As a requirement of my work, I am
to modify STunnel to use OpenSSL's FIPS APIs. And, with only a couple
of speedbumps, I was able to achieve this.
However I'd like to make my code a little more robust--to provide some
notification to the user if OpenSSL's FIPS mode is active or not. To
this point I've not been able to figure out a way to do this. In my
copy of the STunnel source, I've modified the routine ssl_init() in
ssl.c to make a call to FIPS_mode_set(1) (as demonstrated on page 33
of http://www.openssl.org/docs/fips/UserGuide-1.0.pdf). Below is a
copy of my current copy of ssl_init():
void ssl_init(void) { /* to keep CLI structure for verify callback */
#if defined(OPENSSL_FIPS) && defined(USE_FIPS)
    /* FIPS_mode_set(1) must succeed before any other OpenSSL call is made */
    if (!FIPS_mode_set(1))
    {
        s_log(LOG_CRIT, "Could not set FIPS mode!");
    }
    else
    {
        s_log(LOG_INFO, "In FIPS mode.");
    }
#endif
    /* rest of ssl_init() from original source */
}
As I've found out, the s_log calls do nothing because the STunnel
window has not been displayed yet. Ideally, in the case where the
FIPS_mode_set() call fails, I'd like to invoke an error handler to
cause the STunnel service to fail to start. But trying to make a call
to something like sslerror() caused a program crash. Any ideas on how
to make these changes?
Thanks Michal. How do I disable the socket from sending TCP RST and
instead make it send TCP FIN?
It might be a very basic question. Sorry about that.
Thanks
Sri
Srilalitha Muralidhara
Rates IT Report Server
HCL Capital Market Services
91.80.4190.6689, 33/1, The Senate, Ulsoor Road, Bangalore, India.
This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
-----Original Message-----
From: stunnel-users-bounces(a)mirt.net
[mailto:stunnel-users-bounces@mirt.net] On Behalf Of Michal Trojnara
Sent: Monday, June 12, 2006 11:08 PM
To: stunnel-users(a)mirt.net
Subject: Re: [stunnel-users] socket closed after SSL_write
On Monday 12 June 2006 12:01, Srilalitha Muralidhara wrote:
> 2006.06.12 10:47:45 LOG7[19699:28]: SSL alert (write): warning: close
> notify
Clean SSL shutdown alert was received.
> 2006.06.12 10:47:50 LOG3[19699:28]: SSL_read: Connection reset by peer
> (131)
... and then TCP RST!
Strange. It looks like your application has set SO_LINGER option on its
socket, so it sends TCP RST instead of TCP FIN packet.
Best regards,
Mike
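As an added illustration of the behaviour Mike describes (not code from the thread or from stunnel), the Python below shows how SO_LINGER decides whether close() ends a TCP connection with a FIN or an RST, and how to read the option back and clear it so the socket returns to a normal FIN close. It assumes a Linux/BSD-style socket API where struct linger is two ints, and loopback networking.

```python
import socket
import struct

def linger_setting(sock):
    """Return (l_onoff, l_linger); (1, 0) is the abortive-close setting
    that makes close() discard unsent data and send RST."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_LINGER, 8)
    return struct.unpack("ii", raw)

def set_graceful_close(sock):
    """Clear SO_LINGER: close() drains unsent data and finishes with FIN."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 0, 0))

def set_abortive_close(sock):
    """SO_LINGER {on, 0 s}: close() throws away unsent data and sends RST."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))

def peer_sees_on_close(abortive):
    """Connect over loopback, close the client either way, and report what
    the server side observes: ('fin' | 'rst', linger used by the client)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        if abortive:
            set_abortive_close(cli)
        else:
            set_graceful_close(cli)
        used = linger_setting(cli)
        cli.close()
        conn.settimeout(5)
        try:
            # Clean FIN close shows up as EOF (empty read) on the peer
            outcome = "fin" if conn.recv(1) == b"" else "data"
        except ConnectionResetError:
            # RST from the peer surfaces as ECONNRESET on the next read
            outcome = "rst"
        return outcome, used
    finally:
        conn.close()
        srv.close()
```

The "SSL_read: Connection reset by peer" line in Sri's log is what the server side of this exchange sees in the abortive case; clearing SO_LINGER (or never setting it) on the application's socket is what turns the RST back into a FIN.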
All:
We download crls everyday from a CRL server using LDAP and a cronjob.
These CRLs are stored in the CRLpath directory along with its hash.
It appears that the stunnel is not refreshing its cache, and it
still shows "Found CRL is expired - revoking all certificates until
you get updated CRL" when we try to connect to it even though there is a
new and valid CRL in the CRLPath folder. Is there a special option
in Stunnel configuration for it to recognize/cache/add the new hash file?
All help is appreciated.
Thanks
Sekhar