Hi Robert, If your only reason to migrate is to mitigate an OpenSSL vuln, you can try to replace the openssl.exe binary and the DLLs used in your currently working Stunnel version. Since there is no compatibility breaking changes in latest OpenSSL releases, Stunnel should be able to load it without complaining. I currently do this with the 1.1.1 branch, and it is working flawlessly so far :) Can't say for sure for the 3.0.0 branch, but it's worth a try. You can find up-to-date pre-built binaries here: http://wiki.overbyte.eu/wiki/index.php/ICS_Download#Download_OpenSSL_Binarie... 8required_for_SSL-enabled_components.29 Other options are also listed on the official OpenSSL wiki: https://wiki.openssl.org/index.php/Binaries Best regards, Florian Stosse Information security engineer Safran Electronics & Defense | Safran Data Systems | Space & Communication
-----Message d'origine----- De : robert.croteau--- via stunnel-users <stunnel-users@stunnel.org> Envoyé : vendredi 15 avril 2022 09:21 À : stunnel-users@stunnel.org Objet : [stunnel-users] Windows service won't start. ""The Stunnel TLS wrapper service is marked as an interactive service."
Window 10 LTCS (1089): "The Stunnel TLS wrapper service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly."
looks like starting with version 5.61, this above error appears in the System Event log. I've given a quick glance at the changes from 5.60 to 5.61 and there a lot of them.
From the release notes, seems that windows services code might have been affected: New features for the Windows platform - Added client mode allowing authenticated users to view logs, reconfigure and terminate running stunnel services. - Added support for multiple GUI and service instances distinguised by the location of stunnel.conf.
On GitHub, I also noticed that in the source code for src/ui_win_gui.c the service is created as follows:
service=CreateService(scm, SERVICE_NAME, SERVICE_DISPLAY_NAME, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, service_path, NULL, NULL, TEXT("TCPIP\0"), NULL, NULL);ui_win_gui.c at around line 1622
the SERVICE_INTERACTIVE_PROCESS flag is set
Is this flag necessary? I guess that would be the culprit.
my reason to upgrade is because of the CVE-2022-0778 OpenSSL vulnerability
anyone has a workaround for this?
Microsoft has fully disabled Interactive Service Detection starting with Windows 10 Build 1803 and Windows Server 2016 and 2019. So, it looks like that that Interactive services are no longer allowed and this can't be circumvented by changing some registry setting like it seems it was possible before.
thank you _______________________________________________ stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org
# " Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés." ****** " This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system." #