From Michal.Trojnara at mirt.net Wed Sep 1 11:02:51 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Wed, 01 Sep 2010 11:02:51 +0200
Subject: [stunnel-users] Individual user certs for each person who uses Windows PC
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A666E272@HVXMSP4.us.lmco.com> <4C7C9C2E.2010903@free.fr> <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com>
Message-ID:

Bucci, David G wrote:
> Thanks, guys, good ideas. Wow, subst, that's a blast from the past. Some
> deployment sites will have networked homedirs, some won't, Michal.

Sure. That's exactly why I wrote "most" and not "all".

> Can I confirm, if stunnel is run by the user (whether manually or as part
> of a login script), then when the user logs off, the process can be relied
> on to be killed? I'm concerned that a leftover tunnel could be used to
> masquerade by a subsequent logon-ee).

http://msdn.microsoft.com/en-us/library/aa376876%28VS.85%29.aspx

> And ... does stunnel for Windows have any inherent way to only allow
> localhost access? (host.allow type mechanism). Our clients are not running
> firewalls on their PCs, at least not all of them (closed network
> situation). Or alternatively, any way to specify what user is allowed
> access (like iptables can do in Linux)? Sorry, I'm not a Windows guy, I'm
> still reeling from the fact that Windows doesn't have any inherent way to
> do transparent proxying (not even on the Server versions).

The same mechanism is used on Windows and Unix/Linux. You need to bind the
service to the loopback interface instead of all interfaces, e.g.:

accept=127.0.0.1:12345

> As a feature request for the Windows version ... some way to tie in to the
> system keystore, so that user certificates that are populated there can be
> directly used. Implicit in that would be DER (and probably PKCS#12)
> support, I suppose.
I think this request should rather be addressed to the OpenSSL team. AFAIK
Windows Certificate Store was specifically designed to prevent non-Microsoft
SSL implementations from using it directly, i.e. without manual key export.

Best regards,
Mike

From sebastian at skayser.de Wed Sep 1 11:15:57 2010
From: sebastian at skayser.de (Sebastian Kayser)
Date: Wed, 1 Sep 2010 11:15:57 +0200
Subject: [stunnel-users] Honor --sysconfdir and --localstatedir in stunnel.conf-sample.in
In-Reply-To:
References: <4C50B364.5000609@skayser.de>
Message-ID: <20100901091557.GP31821@sebastiankayser.de>

* Michal Trojnara wrote:
> Sebastian Kayser wrote:
> >I am packaging stunnel for opencsw.org. Would you guys mind merging a
> >patch [1] to make use of --sysconfdir and --localstatedir (instead of
> >@prefix@/{etc,var}) in the sample configuration file? Currently, if
> >--sysconfdir and --localstatedir are passed to ./configure and are not a
> >directory below prefix, the configuration file doesn't reflect this
> >layout.
>
> Maybe it works for you, but for me this patch results with the
> following (obviously incorrect) lines of stunnel.conf-sample file :
>
> >cert = ${prefix}/etc/stunnel/mail.pem
> >;key = ${prefix}/etc/stunnel/mail.pem

Thanks for giving it a spin. Is this the verbatim result after running
./configure (in particular ${prefix})? Which options do you pass to
./configure and what does config.log say about sysconfdir? If possible,
I would like to try to reproduce this here.
Sebastian

From Michal.Trojnara at mirt.net Wed Sep 1 12:50:49 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Wed, 01 Sep 2010 12:50:49 +0200
Subject: [stunnel-users] Honor --sysconfdir and --localstatedir in stunnel.conf-sample.in
In-Reply-To: <20100901091557.GP31821@sebastiankayser.de>
References: <4C50B364.5000609@skayser.de> <20100901091557.GP31821@sebastiankayser.de>
Message-ID:

Sebastian Kayser wrote:
>> >cert = ${prefix}/etc/stunnel/mail.pem
>> >;key = ${prefix}/etc/stunnel/mail.pem
>
> Thanks for giving it a spin. Is this the verbatim result after running
> ./configure (in particular ${prefix})? Which options do you pass to
> ./configure and what does config.log say about sysconfdir? If possible,
> I would like to try to reproduce this here.

It's a part of stunnel.conf generated from stunnel.conf.in by ./configure
executed without any options. ${prefix} would be fine in Makefile, but it's
not acceptable in stunnel.conf.

Mike

From Jason.Haar at trimble.co.nz Mon Sep 6 05:31:16 2010
From: Jason.Haar at trimble.co.nz (Jason Haar)
Date: Mon, 06 Sep 2010 15:31:16 +1200
Subject: [stunnel-users] Individual user certs for each person who uses Windows PC
In-Reply-To:
References: <581C2F1AB3315145BD64D2022634BF8D01A666E272@HVXMSP4.us.lmco.com> <4C7C9C2E.2010903@free.fr> <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com>
Message-ID: <4C846084.7060407@trimble.co.nz>

On 09/01/2010 09:02 PM, Michal Trojnara wrote:
> I think this request should rather be addressed to the OpenSSL team.
> AFAIK Windows Certificate Store was specifically designed to prevent
> non-Microsoft SSL implementations from using it directly, i.e. without
> manual key export.

Hi Mike

You should look again - lots of non-M$ products use this API.
e.g. openvpn for Windows allows you to use the personal cert that other M$
components like MSIE uses - see "cryptoapicert"

--cryptoapicert select-string
    Load the certificate and private key from the Windows Certificate
    System Store (Windows Only).

    Use this option instead of --cert and --key.

    This makes it possible to use any smart card, supported by Windows,
    but also any kind of certificate, residing in the Cert Store, where
    you have access to the private key. This option has been tested with
    a couple of different smart cards (GemSAFE, Cryptoflex, and Swedish
    Post Office eID) on the client side, and also an imported PKCS12
    software certificate on the server side.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

From Jason.Haar at trimble.co.nz Mon Sep 6 05:35:35 2010
From: Jason.Haar at trimble.co.nz (Jason Haar)
Date: Mon, 06 Sep 2010 15:35:35 +1200
Subject: [stunnel-users] Individual user certs for each person who uses Windows PC
In-Reply-To:
References: <581C2F1AB3315145BD64D2022634BF8D01A666E272@HVXMSP4.us.lmco.com> <4C7C9C2E.2010903@free.fr> <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com>
Message-ID: <4C846187.6000907@trimble.co.nz>

On 09/01/2010 09:02 PM, Michal Trojnara wrote:
> I think this request should rather be addressed to the OpenSSL team.
> AFAIK Windows Certificate Store was specifically designed to prevent
> non-Microsoft SSL implementations from using it directly, i.e. without
> manual key export.

Hi Mike

You should look again - lots of non-M$ products use this API. e.g. openvpn
for Windows allows you to use the personal cert that other M$ components
like MSIE uses - see "cryptoapicert"

--cryptoapicert select-string
    Load the certificate and private key from the Windows Certificate
    System Store (Windows Only).

    Use this option instead of --cert and --key.
    This makes it possible to use any smart card, supported by Windows,
    but also any kind of certificate, residing in the Cert Store, where
    you have access to the private key. This option has been tested with
    a couple of different smart cards (GemSAFE, Cryptoflex, and Swedish
    Post Office eID) on the client side, and also an imported PKCS12
    software certificate on the server side.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

From delaage.pierre at free.fr Mon Sep 6 21:20:13 2010
From: delaage.pierre at free.fr (Pierre DELAAGE)
Date: Mon, 06 Sep 2010 21:20:13 +0200
Subject: [stunnel-users] Individual user certs for each person who uses Windows PC
In-Reply-To: <4C846187.6000907@trimble.co.nz>
References: <581C2F1AB3315145BD64D2022634BF8D01A666E272@HVXMSP4.us.lmco.com> <4C7C9C2E.2010903@free.fr> <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com> <4C846187.6000907@trimble.co.nz>
Message-ID: <4C853EED.2030305@free.fr>

Hi,

Other software using certs still have their own way to store and access
them: eg firefox and opera browsers. Even Mozilla Thunderbird and Firefox
store SEPARATELY their certs (!).

I agree that things could be better but it is the way it is.

If M$ cryptoapi was a standard, maybe stunnel could use it to load certs
and pass them to openssl, or -preferably- specify a particular syntax to
tell openssl to load them in that "standard manner". But it would add a
huge amount of code for that, either in stunnel or openssl.

The same effect can be easily obtained by using M$ IE to export useful
certs in a USER owned folder, to cer64 (ie pem) format, and then use these
files in stunnel as usual. Every ordinary user can do that with a simple
instruction.
"Subst" does in local the same job as "net use" on the network : mapping location (local for subst, remote for netuse) to a drive, so that -almost- the same startup script can be use to map drives and start stunnel, all this in a user context, not polluting other user context. Of course a script can use subst with something like this : subst z: %HOMEPATH% so that there is no need for a specific script per user. Pierre Le 06/09/2010 05:35, Jason Haar a ?crit : > On 09/01/2010 09:02 PM, Michal Trojnara wrote: > >> I think this request should rather be addressed to the OpenSSL team. >> AFAIK Windows Certificate Store was specifically designed to prevent >> non-Microsoft SSL implementations from using it directly, i.e. without >> manual key export. >> > Hi Mike > > You should look again - lots of non-M$ products use this API. e.g > openvpn for Windows allows you to use the personal cert that other M$ > components like MSIE uses - see " cryptoapicert" > > --cryptoapicert select-string > Load the certificate and private key from the Windows > Certifi- > cate System Store (Windows Only). > > Use this option instead of --cert and --key. > > This makes it possible to use any smart card, supported > by Win- > dows, but also any kind of certificate, residing in > the Cert > Store, where you have access to the private key. This > option > has been tested with a couple of different smart cards > (GemSAFE, > Cryptoflex, and Swedish Post Office eID) on the client > side, and > also an imported PKCS12 software certificate on the server > side. 
From Michal.Trojnara at mirt.net Tue Sep 7 10:35:57 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Tue, 07 Sep 2010 10:35:57 +0200
Subject: [stunnel-users] Individual user certs for each person who uses Windows PC
In-Reply-To: <4C846187.6000907@trimble.co.nz>
References: <581C2F1AB3315145BD64D2022634BF8D01A666E272@HVXMSP4.us.lmco.com> <4C7C9C2E.2010903@free.fr> <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com> <4C846187.6000907@trimble.co.nz>
Message-ID: <8ca7ad555652db9c06c4fe619b6a4fbe@mirt.net>

Jason Haar wrote:
> You should look again - lots of non-M$ products use this API. e.g
> openvpn for Windows allows you to use the personal cert that other M$
> components like MSIE uses - see " cryptoapicert"
>
> --cryptoapicert select-string

You're right. OpenVPN includes cryptoapi.c code to use Windows Certificate
Store. The code is released under 3-clause New BSD License and it should
be fairly trivial to use it with stunnel. I've started coding the changes
already. 8-)

Mike

From Michal.Trojnara at mirt.net Tue Sep 7 14:59:51 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Tue, 07 Sep 2010 14:59:51 +0200
Subject: [stunnel-users] Individual user certs for each person who uses Windows PC
In-Reply-To: <8ca7ad555652db9c06c4fe619b6a4fbe@mirt.net>
References: <581C2F1AB3315145BD64D2022634BF8D01A666E272@HVXMSP4.us.lmco.com> <4C7C9C2E.2010903@free.fr> <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com> <4C846187.6000907@trimble.co.nz> <8ca7ad555652db9c06c4fe619b6a4fbe@mirt.net>
Message-ID:

I wrote:
> You're right. OpenVPN includes cryptoapi.c code to use Windows
> Certificate Store.

It looks like it's more complex than just using OpenVPN code. Peter Runestig
has only implemented 1 of 4 functions required for stunnel.
You may try:
ftp://stunnel.mirt.net/stunnel/stunnel-4.34b7-tar.gz
ftp://stunnel.mirt.net/stunnel/stunnel-4.34b7-installer.exe

It implements new "cryptoapicert" service-level option that calls
SSL_CTX_use_CryptoAPI_certificate() from openvpn-2.1.3.

I also discovered that Peter Runestig (original author of the cryptoapi.c
code) is unfortunately dead for over 5 years, so he won't help us. 8-(

Mike

From Michal.Trojnara at mirt.net Tue Sep 7 15:20:13 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Tue, 07 Sep 2010 15:20:13 +0200
Subject: [stunnel-users] Individual user certs for each person who uses Windows PC
In-Reply-To:
References: <581C2F1AB3315145BD64D2022634BF8D01A666E272@HVXMSP4.us.lmco.com> <4C7C9C2E.2010903@free.fr> <581C2F1AB3315145BD64D2022634BF8D01A6CCFEB1@HVXMSP4.us.lmco.com> <4C846187.6000907@trimble.co.nz> <8ca7ad555652db9c06c4fe619b6a4fbe@mirt.net>
Message-ID: <2c8438924e44d879c7eeb77de4157964@mirt.net>

I wrote:
> It looks like it's more complex than just using OpenVPN code.

I just found that native CryptoAPI code was added to OpenSSL 0.9.8i in 2008
by Steve Henson. OpenSSL could use some better documentation. 8-)

Now I'm looking for a way to use this new code (a.k.a. "capi" engine) in
stunnel.

Mike

From jsprenkle at gmail.com Wed Sep 8 21:37:19 2010
From: jsprenkle at gmail.com (Jay Sprenkle)
Date: Wed, 8 Sep 2010 14:37:19 -0500
Subject: [stunnel-users] Hey buddy, can you review a log file?
Message-ID:

Good afternoon,

Can anyone review the stunnel log file below and see if there's any
indication of a problem?

What we're doing with stunnel:
We're using stunnel to encrypt a tcp connection between a client and our
server.

What's happening:
A client is reporting the connection fails. I believe it's a timeout issue
on the client software. My interpretation of this log is that the session
is open about 4 seconds then closed by the client. Is that correct?
Thanks in advance

Stunnel Log:

2010.09.08 14:34:38 LOG7[1392:2328]: Service exchange started
2010.09.08 14:34:38 LOG7[1392:2328]: FD=200 in non-blocking mode
2010.09.08 14:34:38 LOG5[1392:2328]: Service exchange accepted connection from 127.0.0.1:2340
2010.09.08 14:34:38 LOG7[1392:2328]: FD=224 in non-blocking mode
2010.09.08 14:34:38 LOG6[1392:2328]: connect_blocking: connecting xxx.242.123.150:7443
2010.09.08 14:34:38 LOG7[1392:2328]: connect_blocking: s_poll_wait xxx.242.123.150:7443: waiting 10 seconds
2010.09.08 14:34:38 LOG5[1392:2328]: connect_blocking: connected xxx.242.123.150:7443
2010.09.08 14:34:38 LOG5[1392:2328]: Service exchange connected remote server from 192.168.1.29:2341
2010.09.08 14:34:38 LOG7[1392:2328]: Remote FD=224 initialized
2010.09.08 14:34:38 LOG7[1392:2328]: SSL state (connect): before/connect initialization
2010.09.08 14:34:38 LOG7[1392:2328]: SSL state (connect): SSLv3 write client hello A
2010.09.08 14:34:38 LOG7[1392:2328]: SSL state (connect): SSLv3 read server hello A
2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 read server certificate A
2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 read server done A
2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 write client key exchange A
2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 write change cipher spec A
2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 write finished A
2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 flush data
2010.09.08 14:34:39 LOG7[1392:2328]: SSL state (connect): SSLv3 read finished A
2010.09.08 14:34:39 LOG7[1392:2328]: 1 items in the session cache
2010.09.08 14:34:39 LOG7[1392:2328]: 1 client connects (SSL_connect())
2010.09.08 14:34:39 LOG7[1392:2328]: 1 client connects that finished
2010.09.08 14:34:39 LOG7[1392:2328]: 0 client renegotiations requested
2010.09.08 14:34:39 LOG7[1392:2328]: 0 server connects (SSL_accept())
2010.09.08 14:34:39 LOG7[1392:2328]: 0 server connects that finished
2010.09.08 14:34:39 LOG7[1392:2328]: 0 server renegotiations requested
2010.09.08 14:34:39 LOG7[1392:2328]: 0 session cache hits
2010.09.08 14:34:39 LOG7[1392:2328]: 0 external session cache hits
2010.09.08 14:34:39 LOG7[1392:2328]: 0 session cache misses
2010.09.08 14:34:39 LOG7[1392:2328]: 0 session cache timeouts
2010.09.08 14:34:39 LOG6[1392:2328]: SSL connected: new session negotiated
2010.09.08 14:34:39 LOG6[1392:2328]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2010.09.08 14:34:44 LOG7[1392:2328]: SSL socket closed on SSL_read
2010.09.08 14:34:44 LOG7[1392:2328]: Socket write shutdown
2010.09.08 14:34:44 LOG5[1392:2328]: Connection closed: 8 bytes sent to SSL, 48 bytes sent to socket
2010.09.08 14:34:44 LOG7[1392:2328]: Service exchange finished (0 left)

--
---
"Is real reporting dead? News at 11!"

From apurva.pathak at verizon.com Fri Sep 10 19:51:19 2010
From: apurva.pathak at verizon.com (Pathak, Apurva (Apu))
Date: Fri, 10 Sep 2010 13:51:19 -0400
Subject: [stunnel-users] SMPP Protocol and STunnel
Message-ID: <02D02B63F8BEA3449D0AC1D9E151B3D210D2A5476A@FLDP1LUMXC7V62.us.one.verizon.com>

Hello,

I would like to find out if I can use STunnel as follows:

I have a stand alone C# executable program that uses a third party SDK that
implements SMPP protocol and sends SMS text messages with wireless
carriers. Recently, one of the wireless carriers wants us to implement SSL
Client Authentication and wants SMPP messages that are exchanged with them
to be encrypted after the client authentication is done.

I want to find out if I can use STunnel running so that STunnel can encrypt
and decrypt the messages exchanged between my program and the carrier's SMS
server.

(1) Is this possible with STunnel?
(2) What are the steps involved?

I am on the Windows Server 2003 platform.

I would really appreciate a reply.
Thanks,
Apu

From delaage.pierre at free.fr Sat Sep 11 21:25:23 2010
From: delaage.pierre at free.fr (Pierre DELAAGE)
Date: Sat, 11 Sep 2010 21:25:23 +0200
Subject: [stunnel-users] SMPP Protocol and STunnel
In-Reply-To: <02D02B63F8BEA3449D0AC1D9E151B3D210D2A5476A@FLDP1LUMXC7V62.us.one.verizon.com>
References: <02D02B63F8BEA3449D0AC1D9E151B3D210D2A5476A@FLDP1LUMXC7V62.us.one.verizon.com>
Message-ID: <4C8BD7A3.8050509@free.fr>

Hello,

Provided that you are using SMPP over TCP/IP (not over X25), yes you could
use stunnel.

Next you have to know what port(s) are involved at the server side (ie the
"listening" socket(s)): apparently there are two flavors of smpp over tcp:
one using two network connections, the other using only one ("transceiver
session"). Things will be more simple if you are using only one connection.
If you are using two connections, and provided that ssl is required on
both, just duplicate the [smpp] section below as [smpp1] and [smpp2], of
course changing the "accept" and "connect" ports.

Then you have to get a valid CLIENT certificate (crt file) and key file.

Stunnel.conf can then look like this:

;------
; stunnel CLIENT conf
[smpps]
client = yes
accept=127.0.0.1:CHOOSE A LOCAL LISTENING PORT ON THE CLIENT
connect=SERVER_IP_ADDR:SERVER_LISTENING_PORT
cert=\localLocation\userXXXcert.crt
key =\localLocation\userXXXcert.key
;often useful :
sslVersion=all
;-----------

And of course you have to redirect your smpp client software to the "pseudo
smpp over ssl" local server(s) on localhost (cf "local listening port"
above).

Hope this may help,
Pierre Delaage

On 10/09/2010 19:51, Pathak, Apurva (Apu) wrote:
> Hello,
> I would like to find out if I can use STunnel as follows:
> I have a stand alone C# executable program that uses a third party SDK
> that implements SMPP protocol and sends SMS text messages with
> wireless carriers.
> Recently, one of the wireless carriers wants us to
> implement SSL Client Authentication and wants SMPP messages that are
> exchanged with them to be encrypted after the client authentication is
> done.
> I want to find out if I can use STunnel running so that STunnel can
> encrypt and decrypt the messages exchanged between my program and the
> carrier's SMS server.
> (1) Is this possible with STunnel?
> (2) What are the steps involved?
> I am on the Windows Server 2003 platform.
> I would really appreciate a reply.
> Thanks,
> Apu
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users

From sunilk at gmail.com Fri Sep 17 03:12:36 2010
From: sunilk at gmail.com (Sunil Karumuri)
Date: Thu, 16 Sep 2010 18:12:36 -0700
Subject: [stunnel-users] (no subject)
Message-ID: <000c01cb5605$6af00090$40d001b0$@com>

Hello-

I am new to Stunnel and have a basic architecture question.

I have Stunnel installed on box A where it receives http messages from
multiple client processes. Stunnel sends them to box B via https (mutual
ssl). We are seeing that Stunnel opens one connection for each client
process.

Can we configure Stunnel to have only ONE SSL connection (or a pool of
connections) between box A and B and have Stunnel use the open connection
for all traffic from various clients? We would like to avoid the overhead
of SSL-handshake for each new client process.

Thanks for the help.

Sunil
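Jay Sprenkle's log earlier in the thread can be read mechanically. As an added example, not stunnel's code or anything posted on the list, a Python summariser that groups stunnel debug-log lines by [pid:tid], extracts the two peers, the negotiated cipher, which side closed (from stunnel's close message) and the byte counts, and computes the session length; the sample log is constructed from his excerpt with the redacted remote address replaced by 192.0.2.10, and the "Socket closed on read" counterpart message is an assumption.

```python
"""Summarise stunnel debug-level (LOG7) connection logs per [pid:tid] worker.

Added example, not code from the stunnel project or from anyone on the
thread.  SAMPLE_LOG is constructed from the excerpt posted on the list:
timestamps and byte counts are kept, the redacted remote address is
replaced by 192.0.2.10 (documentation range).
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# Message patterns and the summary fields their groups fill in.
FIELD_PATTERNS = [
    (re.compile(r"accepted connection from (\S+)"), ("client",)),
    (re.compile(r"connect_blocking: connected (\S+)"), ("remote",)),
    (re.compile(r"Negotiated ciphers: (\S+) (\S+)"), ("cipher", "protocol")),
    (re.compile(r"Connection closed: (\d+) bytes sent to SSL, (\d+) bytes sent to socket"),
     ("bytes_to_ssl", "bytes_to_socket")),
]

# Which side tore the connection down.  The first message is the one in the
# posted log: EOF on the SSL socket means the *remote* SSL peer closed first.
# The second is stunnel's plain-text-side counterpart (wording assumed here).
CLOSE_BY = {
    "SSL socket closed on SSL_read": "remote-ssl-peer",
    "Socket closed on read": "local-plain-client",
}


def parse_ts(text):
    return datetime.strptime(text, "%Y.%m.%d %H:%M:%S")


def summarize(lines):
    """Return {'pid:tid': summary-dict} for every stunnel worker seen in lines."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a stunnel log line; ignore
        key = f"{m['pid']}:{m['tid']}"
        s = sessions.setdefault(key, {
            "first": None, "last": None, "client": None, "remote": None,
            "cipher": None, "protocol": None, "closed_by": "unknown",
            "bytes_to_ssl": None, "bytes_to_socket": None,
        })
        ts = parse_ts(m["ts"])
        s["first"] = s["first"] or ts
        s["last"] = ts
        msg = m["msg"]
        if msg in CLOSE_BY:
            s["closed_by"] = CLOSE_BY[msg]
            continue
        for pattern, fields in FIELD_PATTERNS:
            hit = pattern.search(msg)
            if hit:
                for field, value in zip(fields, hit.groups()):
                    s[field] = int(value) if field.startswith("bytes_") else value
                break
    for s in sessions.values():
        s["duration_s"] = (s["last"] - s["first"]).total_seconds()
        # RC4, MD5 and SSLv3 are all deprecated today; worth surfacing in a review.
        s["legacy_crypto"] = bool(s["cipher"]) and (
            "RC4" in s["cipher"] or "MD5" in s["cipher"] or s["protocol"] == "SSLv3")
    return sessions


# Constructed sample, modelled on the log posted to the list.
SAMPLE_LOG = """\
2010.09.08 14:34:38 LOG7[1392:2328]: Service exchange started
2010.09.08 14:34:38 LOG5[1392:2328]: Service exchange accepted connection from 127.0.0.1:2340
2010.09.08 14:34:38 LOG6[1392:2328]: connect_blocking: connecting 192.0.2.10:7443
2010.09.08 14:34:38 LOG5[1392:2328]: connect_blocking: connected 192.0.2.10:7443
2010.09.08 14:34:39 LOG6[1392:2328]: SSL connected: new session negotiated
2010.09.08 14:34:39 LOG6[1392:2328]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2010.09.08 14:34:44 LOG7[1392:2328]: SSL socket closed on SSL_read
2010.09.08 14:34:44 LOG7[1392:2328]: Socket write shutdown
2010.09.08 14:34:44 LOG5[1392:2328]: Connection closed: 8 bytes sent to SSL, 48 bytes sent to socket
2010.09.08 14:34:44 LOG7[1392:2328]: Service exchange finished (0 left)
"""

if __name__ == "__main__":
    for key, summary in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, summary)
```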
From Stephen.Cliffe at andrew.com Fri Sep 17 08:49:25 2010
From: Stephen.Cliffe at andrew.com (Cliffe, Stephen)
Date: Fri, 17 Sep 2010 14:49:25 +0800
Subject: [stunnel-users] Large performance difference: Solaris vs Linux
Message-ID: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com>

Hi,

I've just been comparing the performance of stunnel on Solaris 10 & Linux
(Centos 5.5) and am seeing a big difference. I'm using stunnel 4.33
compiled with the same options on both platforms and the tcpstress
benchmarking tool (http://stunnel.mirt.net/?page=perf).

On a Dell 780 running Solaris 10 I got 163.31 connections/second but on an
older, slower Dell 620 running Linux I got 408.01 connections/second. Both
machines were otherwise idle.

Does anyone know why there would be such a big difference between the two
OS's?

Thanks,
Steve.

Steve Cliffe
Senior Engineer - Development Infrastructure Team
Andrew Network Solutions Asia Pacific
[ Address : Andrew Corporation Building (39), Northfields Avenue, Wollongong University, NSW, Australia 2500 ]
[ Postal Address : PO Box U40, Wollongong University, NSW, Australia 2500 ]
[ Tel : +61 2 4221 2991 ] [ Fax : +61 2 4221 2901 ] [ Email : Stephen.Cliffe at andrew.com ]
Visit Andrew on the Web at www.andrew.com
From lholzheid at bihl-wiedemann.de Fri Sep 17 09:25:26 2010
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Fri, 17 Sep 2010 09:25:26 +0200
Subject: [stunnel-users] (no subject)
In-Reply-To: <000c01cb5605$6af00090$40d001b0$@com>
References: <000c01cb5605$6af00090$40d001b0$@com>
Message-ID: <20100917072525.GA4187@shadow.bihl-wiedemann.de>

On Thu, 2010-09-16 18:12:36 -0700, Sunil Karumuri wrote:
> [..]
>
> Can we configure Stunnel to have only ONE SSL connection (or a pool of
> connections) between box A and B and have Stunnel use the open connection
> for all traffic from various clients ?

Sunil,

This would add a lot of complexity to stunnel, as it would need to keep
track of originator and destination (and sequence) of the 'data items'
sent through the tunnel. Also the state of the multiplexed connections has
to be known on both ends of the tunnel. (Currently, the TCP/IP stack does
this job.)

Maybe the multiplexing could be done with other tools (like encapsulate(1)
from the netpipes(1) package), still using stunnel for encryption.

You may also be looking for a VPN solution.
Ludolf

--
---------------------------------------------------------------
Ludolf Holzheid                    Tel:    +49 621 339960
Bihl+Wiedemann GmbH                Fax:    +49 621 3392239
Floßwörthstraße 41                 e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From Michal.Trojnara at mirt.net Fri Sep 17 09:49:31 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Fri, 17 Sep 2010 09:49:31 +0200
Subject: [stunnel-users] (no subject)
In-Reply-To: <20100917072525.GA4187@shadow.bihl-wiedemann.de>
References: <000c01cb5605$6af00090$40d001b0$@com> <20100917072525.GA4187@shadow.bihl-wiedemann.de>
Message-ID:

Ludolf Holzheid wrote:
> Sunil Karumuri wrote:
>> Can we configure Stunnel to have only ONE SSL connection (or a pool of
>> connections) between box A and B and have Stunnel use the open connection
>> for all traffic from various clients ?
>
> You may also be looking for a VPN solution.

... or just use SSH tunnels instead of SSL encapsulation.

It's not really the matter of specific software (e.g. stunnel), but the SSL
protocol itself. SSL/TLS is based on 1:1 encapsulation of a data stream in
an SSL connection. In most cases it's a good idea, e.g. traffic shapers (in
OS kernels or network devices) can see separate data streams preventing
starvation of low-throughput interactive connections.

It's possible to add a multiplexing layer between data streams and SSL.
That's what so-called "SSL VPNs" do. Please note such an extension would be
proprietary and thus incompatible with any other product. IMHO
interoperability is a huge advantage of stunnel over various proprietary
products.
Mike

From Michal.Trojnara at mirt.net Fri Sep 17 10:15:55 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Fri, 17 Sep 2010 10:15:55 +0200
Subject: [stunnel-users] Large performance difference: Solaris vs Linux
In-Reply-To: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com>
References: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com>
Message-ID: <2de948fad0946774a3925ca7a2c5499e@mirt.net>

Cliffe, Stephen wrote:
> Does anyone know why there would be such a big difference between the two
> OS's?

Linux kernel performed a huge rewrite and significant performance
optimization of major subsystems (scheduler, networking) in 2.6 kernels.
AFAIK Slowlaris was never really optimized for systems with less than 16
CPUs.

You may find this article interesting:
http://www.ibm.com/developerworks/linux/library/l-web26/index.html

Mike

From jeremie at le-hen.org Fri Sep 17 11:45:35 2010
From: jeremie at le-hen.org (Jeremie Le Hen)
Date: Fri, 17 Sep 2010 11:45:35 +0200
Subject: [stunnel-users] Large performance difference: Solaris vs Linux
In-Reply-To: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com>
References: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com>
Message-ID: <20100917094535.GA6864@felucia.tataz.chchile.org>

On Fri, Sep 17, 2010 at 02:49:25PM +0800, Cliffe, Stephen wrote:
> Hi,
>
> I've just been comparing the performance of stunnel on Solaris 10 &
> Linux (Centos 5.5) and am seeing a big difference. I'm using stunnel
> 4.33 compiled with the same options on both platforms and the
> tcpstress benchmarking tool (http://stunnel.mirt.net/?page=perf).
>
> On a Dell 780 running Solaris 10 I got 163.31 connections/second but
> on an older, slower Dell 620 running Linux I got 408.01
> connections/second. Both machines were otherwise idle.

How is your CPU usage?
Can you post the output of the following commands:

% psrinfo | wc -l
% vmstat 1 10 (during the stress test)
% netstat -s (before and after the test)

--
Jeremie Le Hen

Humans are born free and equal. But some are more equal than others.
Coluche

From Michal.Trojnara at mirt.net Sun Sep 19 23:15:58 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Sun, 19 Sep 2010 23:15:58 +0200
Subject: [stunnel-users] Stunnel 4.34 released
In-Reply-To: <201004052054.41327.Michal.Trojnara@mirt.net>
References: <201004052054.41327.Michal.Trojnara@mirt.net>
Message-ID: <2C1826A6-F5B5-47DD-8ABD-E0AD9AB5555B@mirt.net>

Dear Users,

The ChangeLog entry:

Version 4.34, 2010.09.19, urgency: LOW:
* New features
  - Updated Win32 DLLs for OpenSSL 1.0.0a.
  - Updated Win32 DLLs for zlib 1.2.5.
  - Updated automake to version 1.11.1
  - Updated libtool to version 2.2.6b
  - Added ECC support with a new service-level "curve" option.
  - DH support is now enabled by default.
  - Added support for OpenSSL builds with some algorithms disabled.
  - ./configure modified to support cross-compilation.
  - Sample stunnel.init updated based on Debian init script.
* Bugfixes
  - Implemented fixes in user interface to enter engine PIN.
  - Fixed a transfer() loop issue on socket errors.
  - Fixed missing WIN32 taskbar icon while displaying a global option error.
SHA-1 value for stunnel-4.34.tar.gz:
367bb46aedd1d84654853feef7e702738e4a65da

Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
Michal Trojnara

From Stephen.Cliffe at andrew.com Mon Sep 20 01:57:12 2010
From: Stephen.Cliffe at andrew.com (Cliffe, Stephen)
Date: Mon, 20 Sep 2010 07:57:12 +0800
Subject: [stunnel-users] Large performance difference: Solaris vs Linux
In-Reply-To: <20100917094535.GA6864@felucia.tataz.chchile.org>
References: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com> <20100917094535.GA6864@felucia.tataz.chchile.org>
Message-ID: <242F1C57D225834BA3ED1B0BF810712033E46D30C0@SISPE7MB2.commscope.com>

CPU is around 95% idle during the test on Solaris, 35% on Linux.

Solaris Performance (Core 2 Duo 3.3GHz):
Benchmarking 10000 connection(s) by 1 thread(s)
Bechmark done: success 66.02 seconds, 151.47 connections/second

Linux Performance (Pentium 4 CPU 3.4GHz dual-core):
Benchmarking 10000 connection(s) by 1 thread(s)
Bechmark done: success 22.59 seconds, 442.72 connections/second

I've attached the vmstat and before & after netstat outputs.

Steve.

-----Original Message-----
From: Jeremie Le Hen [mailto:jeremie at le-hen.org]
Sent: Friday, 17 September 2010 7:46 PM
To: Cliffe, Stephen
Cc: stunnel-users at mirt.net
Subject: Re: [stunnel-users] Large performance difference: Solaris vs Linux

On Fri, Sep 17, 2010 at 02:49:25PM +0800, Cliffe, Stephen wrote:
> Hi,
>
> I've just been comparing the performance of stunnel on Solaris 10 &
> Linux (Centos 5.5) and am seeing a big difference. I'm using stunnel
> 4.33 compiled with the same options on both platforms and the
> tcpstress benchmarking tool (http://stunnel.mirt.net/?page=perf).
>
> On a Dell 780 running Solaris 10 I got 163.31 connections/second but
> on an older, slower Dell 620 running Linux I got 408.01
> connections/second. Both machines were otherwise idle.

How is your CPU usage?
Can you post the output of the following commands:

% psrinfo | wc -l
% vmstat 1 10 (during the stress test)
% netstat -s (before and after the test)

--
Jeremie Le Hen

Humans are born free and equal. But some are more equal than others.
Coluche

From elk at elk.ru Mon Sep 20 03:29:27 2010
From: elk at elk.ru (Denis Solovyov)
Date: Mon, 20 Sep 2010 10:29:27 +0900
Subject: [stunnel-users] Stunnel 4.34 released
In-Reply-To: <2C1826A6-F5B5-47DD-8ABD-E0AD9AB5555B@mirt.net>
References: <201004052054.41327.Michal.Trojnara@mirt.net> <2C1826A6-F5B5-47DD-8ABD-E0AD9AB5555B@mirt.net>
Message-ID: <296811236.20100920102927@elk.ru>

MT> The ChangeLog entry:
MT> Version 4.34, 2010.09.19, urgency: LOW:
MT> * New features
MT> - Updated Win32 DLLs for OpenSSL 1.0.0a.
MT> - Updated Win32 DLLs for zlib 1.2.5.
MT> - Updated automake to version 1.11.1
MT> - Updated libtool to version 2.2.6b
MT> - Added ECC support with a new service-level "curve" option.
MT> - DH support is now enabled by default.
MT> - Added support for OpenSSL builds with some algorithms disabled.
MT> - ./configure modified to support cross-compilation.

On quite an old Linux (2.4) I caught a compilation error:

cc1: error: unrecognized option `-Wextra'

When I remove "-Wextra" from 'configure' script, I get another one:

options.c: In function `parse_service_option':
options.c:757: error: `NID_sect163r2' undeclared (first use in this function)
options.c:757: error: (Each undeclared identifier is reported only once
options.c:757: error: for each function it appears in.)

Is it now time for me to upgrade (I don't actually want though), or is
there a fix/legal workaround?

P.S. Everything is OK with 4.33, of course.

Thank you.
With the best regards,
Denis Solovyov

From david.g.bucci at lmco.com Mon Sep 20 09:11:52 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Mon, 20 Sep 2010 03:11:52 -0400
Subject: [stunnel-users] Accept connections only from local processes?
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A992260D@HVXMSP4.us.lmco.com>

Hi - I'm looking to configure Stunnel in client mode to accept connections only from the PC it's running on. Would the config option "socket = a:SO_BINDTODEVICE=lo" accomplish that? And would this work on Windows? (is there a "lo" interface on Windows?)

I'm going to do some testing, but thought I'd ask in case someone already knows I'll be pounding sand. And before anyone asks, turning on a firewall isn't an option - we don't have control of all the PCs involved.

----
David G. Bucci

Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time.
-- ChuckNorrisFacts.com

From Michal.Trojnara at mirt.net Mon Sep 20 10:26:16 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Mon, 20 Sep 2010 10:26:16 +0200
Subject: [stunnel-users] Accept connections only from local processes?
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A992260D@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A992260D@HVXMSP4.us.lmco.com>
Message-ID:

Bucci, David G wrote:
> Hi - I'm looking to configure Stunnel in client mode to accept connections
> only from the PC it's running on. Would the config option "socket =
> a:SO_BINDTODEVICE=lo" accomplish that? And would this work on Windows?
> (is there a "lo" interface on Windows?)
accept=127.0.0.1:

Mike

From Michal.Trojnara at mirt.net Mon Sep 20 10:34:16 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Mon, 20 Sep 2010 10:34:16 +0200
Subject: [stunnel-users] Stunnel 4.34 released
In-Reply-To: <296811236.20100920102927@elk.ru>
References: <201004052054.41327.Michal.Trojnara@mirt.net> <2C1826A6-F5B5-47DD-8ABD-E0AD9AB5555B@mirt.net> <296811236.20100920102927@elk.ru>
Message-ID: <697ad619ad30e296f9b53c4da02398d4@mirt.net>

Denis Solovyov:
> cc1: error: unrecognized option `-Wextra'
> options.c:757: error: `NID_sect163r2' undeclared (first use in this function)

Please check your software versions with:
openssl version
gcc --version

Running an outdated version of OpenSSL may be risky...

Mike

From Michal.Trojnara at mirt.net Mon Sep 20 10:39:37 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Mon, 20 Sep 2010 10:39:37 +0200
Subject: [stunnel-users] Large performance difference: Solaris vs Linux
In-Reply-To: <242F1C57D225834BA3ED1B0BF810712033E46D30C0@SISPE7MB2.commscope.com>
References: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com> <20100917094535.GA6864@felucia.tataz.chchile.org> <242F1C57D225834BA3ED1B0BF810712033E46D30C0@SISPE7MB2.commscope.com>
Message-ID:

Cliffe, Stephen wrote:
> Benchmarking 10000 connection(s) by 1 thread(s)

Are you sure benchmarking with one thread (= single connection at a time) reflects your environment?

Mike

From david.g.bucci at lmco.com Mon Sep 20 12:33:34 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Mon, 20 Sep 2010 06:33:34 -0400
Subject: [stunnel-users] Generically referencing file locations in stunnel.conf
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9922632@HVXMSP4.us.lmco.com>

Hi - I'm back to trying to run Stunnel with a different user certificate for each user.
So far, the best technique I've found is to have a separate stunnel.conf for each user (in their home directory, which is referenced by envvar %USERPROFILE%), and run stunnel using that configuration file.

As part of that, I'm trying to generically reference file locations (log, user certificates) in the .conf. But I haven't found a way short of fully pathing the locations in the .conf e.g. "output=c:\users\dbucci\stunnel\stunnel.log". That's undesirable, because it means I have to make every user's .conf unique.

So ... is there a generic way to accomplish this? I've tried setting the "Start In" location in the Windows shortcut to that location (via envvar %USERPROFILE%, which allows me to make every user's shortcut generic), then saying "output=.\stunnel.log", but without success - it seems to always be using c:\program files\stunnel as its starting point for reference. Likewise, the envvar isn't usable in the .conf

Note that I thought about creating a subdir per user in C:\program files\stunnel (with appropriate perms for that user), but can't, because in many of our deployment locations, users aren't permitted to write to c:\program files.

Btw, this is why I'm asking about the commandline parms in Windows - I don't seem to be able to get them to work, but if I could, I could say e.g. "-o %USERPROFILE%\stunnel\stunnel.log", and that would work generically for every user. Likewise, I could use "-A %USERPROFILE%\stunnel\usercert.pem" and have a generic way of installing user certs. Heck, if I could set ALL the options via command line (-c, -r, etc.) I would love to simply do away with a user-specific .conf file.

So ... sorry for rambling a bit, but any help with the intent of what I'm trying to accomplish, make as generic as possible a user-specific config setup?

Thx!

----
David G. Bucci

Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time.
-- ChuckNorrisFacts.com

From lholzheid at bihl-wiedemann.de Mon Sep 20 12:45:01 2010
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Mon, 20 Sep 2010 12:45:01 +0200
Subject: [stunnel-users] Generically referencing file locations in stunnel.conf
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A9922632@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A9922632@HVXMSP4.us.lmco.com>
Message-ID: <20100920104500.GB5513@shadow.bihl-wiedemann.de>

On Mon, 2010-09-20 06:33:34 -0400, Bucci, David G wrote:
> [..]
>
> Heck, if I could set ALL the options via command line (-c, -r, etc.)
> I would love to simply do away with a user-specific .conf file.

How about writing a batch (or shell script) that generates a custom configuration file and then starts stunnel?

The configuration file syntax is simple, and a batch should have access to all environment variables (and other OS stuff, if needed).

HTH,

Ludolf

--
---------------------------------------------------------------
Ludolf Holzheid                Tel:    +49 621 339960
Bihl+Wiedemann GmbH            Fax:    +49 621 3392239
Floßwörthstraße 41             e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From david.g.bucci at lmco.com Mon Sep 20 11:55:35 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Mon, 20 Sep 2010 05:55:35 -0400
Subject: [stunnel-users] Command line args available on Windows version 4.33?
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9922614@HVXMSP4.us.lmco.com>

Hi - are all the command line arguments documented at http://www.stunnel.org/faq/args.html#ToC1 available in the Windows 4.33 version? When you execute stunnel -V, very few are listed.

And if they are available, do they take precedence over a configuration file, if one is used? (Is a .conf mandatory, or can you set all the required options via command line in the Windows version?)

Thx!

----
David G. Bucci

Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time.
-- ChuckNorrisFacts.com

From Michal.Trojnara at mirt.net Mon Sep 20 14:31:12 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Mon, 20 Sep 2010 14:31:12 +0200
Subject: [stunnel-users] Command line args available on Windows version 4.33?
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A9922614@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A9922614@HVXMSP4.us.lmco.com>
Message-ID:

Bucci, David G wrote:
> Hi - are all the command line arguments documented at
> http://www.stunnel.org/faq/args.html#ToC1 available in the Windows 4.33
> version?

The homepage of stunnel is http://stunnel.mirt.net/

Mike

From david.g.bucci at lmco.com Mon Sep 20 16:43:52 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Mon, 20 Sep 2010 10:43:52 -0400
Subject: [stunnel-users] EXTERNAL: Re: Generically referencing file locations in stunnel.conf
In-Reply-To: <20100920104500.GB5513@shadow.bihl-wiedemann.de>
References: <581C2F1AB3315145BD64D2022634BF8D01A9922632@HVXMSP4.us.lmco.com> <20100920104500.GB5513@shadow.bihl-wiedemann.de>
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9E1EC81@HVXMSP4.us.lmco.com>

Yup, that's what it looks like we'll end up doing - played around with it, and couldn't get any generic form of pathing to the files to work, nor the command line argument driven approach. Thx.

-----Original Message-----
From: Ludolf Holzheid [mailto:lholzheid at bihl-wiedemann.de]
Sent: Monday, September 20, 2010 6:45 AM
To: stunnel-users at mirt.net
Cc: Bucci, David G
Subject: EXTERNAL: Re: [stunnel-users] Generically referencing file locations in stunnel.conf

On Mon, 2010-09-20 06:33:34 -0400, Bucci, David G wrote:
> [..]
>
> Heck, if I could set ALL the options via command line (-c, -r, etc.)
> I would love to simply do away with a user-specific .conf file.
How about writing a batch (or shell script) that generates a custom configuration file and then starts stunnel?

The configuration file syntax is simple, and a batch should have access to all environment variables (and other OS stuff, if needed).

HTH,

Ludolf

--
---------------------------------------------------------------
Ludolf Holzheid                Tel:    +49 621 339960
Bihl+Wiedemann GmbH            Fax:    +49 621 3392239
Floßwörthstraße 41             e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From david.g.bucci at lmco.com Mon Sep 20 21:40:55 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Mon, 20 Sep 2010 15:40:55 -0400
Subject: [stunnel-users] FIPS compliance
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9E1F395@HVXMSP4.us.lmco.com>

The documentation on fips= seems ambiguous to me ... does leaving it at the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate it? Or does it do something else I'm not understanding?

Basically, the q. is, what do you have to configure to ensure that you're operating in a FIPS 140-2 compliant manner (at least, as the version of OpenSSL libs bundled understood it)? Do you have to specify ciphers that are validated, etc.? Or just set that config option to "yes" ("no"?)?

And how can one tell if the stunnel binary in use was compiled with FIPS support active? (I'm using the Windows 4.33 binary d/l'ed from mirt.net).

Tia!

----
David G. Bucci

Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time.
-- ChuckNorrisFacts.com

From Stephen.Cliffe at andrew.com Tue Sep 21 01:15:15 2010
From: Stephen.Cliffe at andrew.com (Cliffe, Stephen)
Date: Tue, 21 Sep 2010 07:15:15 +0800
Subject: [stunnel-users] Large performance difference: Solaris vs Linux
In-Reply-To:
References: <242F1C57D225834BA3ED1B0BF810712033E26A3560@SISPE7MB2.commscope.com> <20100917094535.GA6864@felucia.tataz.chchile.org> <242F1C57D225834BA3ED1B0BF810712033E46D30C0@SISPE7MB2.commscope.com>
Message-ID: <242F1C57D225834BA3ED1B0BF810712033E46D31F6@SISPE7MB2.commscope.com>

Given that both boxes are single CPU, albeit dual-core, and there are 4 processes running for the benchmark (tcpcli, tcpserv, 2 * stunnel) I figured a single thread test would be reasonable.

I did repeat the benchmark with 10 threads and the slower Linux box still outperformed the faster Solaris box, although not by as much.

Steve.

-----Original Message-----
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Michal Trojnara
Sent: Monday, 20 September 2010 6:40 PM
To: stunnel-users at mirt.net
Subject: Re: [stunnel-users] Large performance difference: Solaris vs Linux

Cliffe, Stephen wrote:
> Benchmarking 10000 connection(s) by 1 thread(s)

Are you sure benchmarking with one thread (= single connection at a time) reflects your environment?

Mike
_______________________________________________
stunnel-users mailing list
stunnel-users at mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

From Michal.Trojnara at mirt.net Tue Sep 21 16:44:24 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Tue, 21 Sep 2010 16:44:24 +0200
Subject: [stunnel-users] FIPS compliance
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A9E1F395@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A9E1F395@HVXMSP4.us.lmco.com>
Message-ID:

Bucci, David G wrote:
> The documentation on fips= seems ambiguous to me ...
> does leaving it at
> the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate it?
> Or does it do something else I'm not understanding?
>
> Basically, the q. is, what do you have to configure to ensure that you're
> operating in a FIPS 140-2 compliant manner (at least, as the version of
> OpenSSL libs bundled understood it)? Do you have to specify ciphers that
> are validated, etc.? Or just set that config option to "yes" ("no"?)?
>
> And how can one tell if the stunnel binary in use was compiled with FIPS
> support active? (I'm using the Windows 4.33 binary d/l'ed from mirt.net).

If detected by ./configure, FIPS is enabled by default. You can disable it with the global option.

"stunnel -version" will tell you if it's compiled with FIPS support.

The INSTALL.FIPS file distributed with stunnel should answer your remaining questions:

FIPS support status:
- Unix platforms are currently supported.
- Win32 platform is currently unsupported due to some problems with building and linking FIPS-enabled OpenSSL DLLs.

Unix HOWTO:

FIPS mode is autodetected if possible.
You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips

Preliminary WIN32 HOWTO (does NOT work, now):

- Download and install ActivePerl:
  http://www.activestate.com/Products/activeperl/
- Download and install MinGW-5.1.3.exe:
  http://www.mingw.org/download.shtml#hdr2
  Also select "g++ compiler" for installation
- Download and install MSYS-1.0.10.exe:
  http://www.mingw.org/download.shtml#hdr2
- Download OpenSSL FIPS:
  http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz
- Execute MSYS and unpack OpenSSL:
  tar -xzf /c/downloads/openssl-fips-1.1.2.tar.gz
- Build the OpenSSL:
  cd openssl-fips-1.1.2
  ./config fips
  make
  make install
  cd /usr/local/ssl/lib
  ar xv `gcc -print-libgcc-file-name` _chkstk.o _udivdi3.o _umoddi3.o
  mkdir /c/fipscanister/
  cp _* fips* /c/fipscanister/
  exit
- Download and unpack OpenSSL 0.9.7m:
  http://www.openssl.org/source/openssl-0.9.7m.tar.gz
- Download and install Visual C++ 2008 Express Edition:
  http://www.microsoft.com/express/vc/
- Execute "Open Visual Studio 2008 Command Prompt" and build OpenSSL:
  perl Configure VC-WIN32 fips --with-fipslibdir=c:\fipscanister
  ms\do_ms
  nmake -f ms\ntdll.mak

Best regards,
Michal Trojnara

From david.g.bucci at lmco.com Tue Sep 21 17:26:24 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Tue, 21 Sep 2010 11:26:24 -0400
Subject: [stunnel-users] Server side logging, no connection details logged
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9F5130D@HVXMSP4.us.lmco.com>

Hi - using Stunnel to enforce client certificate based authentication, and as part of that, we want to log accesses, and the CN used to access, on the server side (kind of an audit log).

On the client side, with debug set to 7, we get details about the connection, the SSL steps in the handshake, etc. - but on the server side, even with debug = 7, we're not seeing any info at all about the connections that are occurring.

Sooo ... is there a way to enable such logging on the server side of the tunnel?
Or possibly turn on independent logging in the OpenSSL libs that are used? I looked, but haven't found anything online about this.

Thx!

----
David G. Bucci

If you can't say anything nice, at least have the decency to be vague.

From elk at elk.ru Tue Sep 21 20:44:00 2010
From: elk at elk.ru (Denis Solovyov)
Date: Wed, 22 Sep 2010 03:44:00 +0900
Subject: [stunnel-users] Stunnel 4.34 released
In-Reply-To: <697ad619ad30e296f9b53c4da02398d4@mirt.net>
References: <201004052054.41327.Michal.Trojnara@mirt.net> <2C1826A6-F5B5-47DD-8ABD-E0AD9AB5555B@mirt.net> <296811236.20100920102927@elk.ru> <697ad619ad30e296f9b53c4da02398d4@mirt.net>
Message-ID: <179569006.20100922034400@elk.ru>

>> cc1: error: unrecognized option `-Wextra'
>> options.c:757: error: `NID_sect163r2' undeclared (first use in this
>> function)

MT> Please check your software versions with:
MT> openssl version
MT> gcc --version
MT> Running an outdated version of OpenSSL may be risky...

Yes, you're right, it is quite old, running without global updates for ages. I guess for a small home server it might be OK. Anyway, Stunnel 4.34 is the first essential software which was not compiled in such conditions. I'll consider upgrading this one day :-)

But changes you make for a minor version update should probably not be so major...

MT> Mike

With the best regards,
Denis Solovyov

From david.g.bucci at lmco.com Wed Sep 22 18:25:11 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Wed, 22 Sep 2010 12:25:11 -0400
Subject: [stunnel-users] Server side logging, no connection details logged
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A9F5130D@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A9F5130D@HVXMSP4.us.lmco.com>
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9FF1011@HVXMSP4.us.lmco.com>

More details, and checking the source code ...
messages are being output during engine setup and such (all the msgs that should be logged during verification_init() in verify.c), but none of the messages from verify_callback(). We have verify = 2, debug = 7, and CAfile set (and during startup we see a msg that the CAfile is successfully read).

The verification is in fact working correctly - when we pass in a self-signed cert, the connection is denied (and we see a "certificate bad" message in the client's log), but when we pass in a valid cert, it's accepted. In neither case do we see any msgs in the server's log.

The exact msgs we want are there in verify.c/verify_callback() -- the subject name listed for rejected and accepted certs, it looks like LOG_INFO should be enough, but we're simply not seeing any msgs.

-----Original Message-----
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Bucci, David G
Sent: Tuesday, September 21, 2010 11:26 AM
To: stunnel-users at mirt.net
Subject: [stunnel-users] Server side logging, no connection details logged

Hi - using Stunnel to enforce client certificate based authentication, and as part of that, we want to log accesses, and the CN used to access, on the server side (kind of an audit log).

On the client side, with debug set to 7, we get details about the connection, the SSL steps in the handshake, etc. - but on the server side, even with debug = 7, we're not seeing any info at all about the connections that are occurring.

Sooo ... is there a way to enable such logging on the server side of the tunnel? Or possibly turn on independent logging in the OpenSSL libs that are used? I looked, but haven't found anything online about this.

Thx!

----
David G. Bucci

If you can't say anything nice, at least have the decency to be vague.
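Two of the server-side questions in these threads, "how do I keep a stunnel listener reachable only from the local machine" (answered earlier with accept=127.0.0.1:port, which works the same way on Unix and Windows) and "how do I get the accepted and rejected client-certificate subjects out of the server log for an audit trail", can both be checked mechanically. The following is an added example, not code from stunnel or from anyone on this list. It assumes the shape of the stunnel 4.x verify_callback() messages, "VERIFY OK: depth=N, <subject>" and "VERIFY ERROR: depth=N, error=<reason>: <subject>" (the second only exists from 4.34 on, as noted further down the thread), and since the OK line is logged at LOG_INFO it assumes debug = 6 or higher on the server. The configuration and the log lines below are constructed for the example.

```python
import re
from collections import Counter

# Hosts that keep a listener reachable only from the local machine.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# stunnel 4.x "VERIFY OK" / "VERIFY ERROR" lines written by verify_callback();
# the format is assumed for this example. depth=0 is the peer's own certificate.
VERIFY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOG\d\[[^\]]*\]: VERIFY (?P<result>OK|ERROR): "
    r"depth=(?P<depth>\d+), (?:error=(?P<error>.+?): )?(?P<subject>/.*)$")

def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); service-level options placed before
    the first [section] are defaults for every service, so they are copied down."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            services[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        (global_opts if current is None else services[current])[key] = value
    for opts in services.values():
        for key in ("accept", "client", "verify", "CAfile"):
            opts.setdefault(key, global_opts.get(key))
    return global_opts, services

def accept_host(accept):
    """Host part of an accept= value; '' means stunnel binds every interface."""
    if not accept or ":" not in accept:
        return ""
    return accept.rsplit(":", 1)[0].strip("[]")

def audit_services(services):
    """(service, finding) pairs: listeners reachable from other hosts, and
    server-mode services that do not demand a CA-signed client certificate."""
    findings = []
    for name, opts in sorted(services.items()):
        accept = opts.get("accept") or ""
        if accept_host(accept) not in LOOPBACK_HOSTS:
            findings.append((name, "accept=%s is reachable from other hosts" % (accept or "<unset>")))
        is_client = (opts.get("client") or "no").lower() == "yes"
        verify = opts.get("verify")
        if not is_client and (verify is None or int(verify) < 2):
            findings.append((name, "verify=%s does not require a trusted client certificate" % verify))
    return findings

def verification_events(log_text):
    """Depth-0 verification results as dicts with ts, result, error and the CN."""
    events = []
    for line in log_text.splitlines():
        match = VERIFY_RE.match(line.strip())
        if match and match.group("depth") == "0":
            cn = re.search(r"/CN=([^/]+)", match.group("subject"))
            events.append({"ts": match.group("ts"), "result": match.group("result"),
                           "error": match.group("error"), "cn": cn.group(1) if cn else None})
    return events

def audit_summary(events):
    """Counter of accepted CNs and Counter of (CN, error) pairs that were rejected."""
    accepted = Counter(e["cn"] for e in events if e["result"] == "OK")
    rejected = Counter((e["cn"], e["error"]) for e in events if e["result"] == "ERROR")
    return accepted, rejected

# Constructed sample input, modelled on the server-side setup described in the thread.
SAMPLE_CONF = """\
CAfile = /etc/stunnel/client-ca.pem
verify = 2
[audited]
accept = 127.0.0.1:8443
connect = 127.0.0.1:8080
[exposed]
accept = 8444
connect = 127.0.0.1:8080
verify = 1
[pop3s]
client = yes
accept = 0.0.0.0:995
connect = pop.gmail.com:995
"""

SAMPLE_LOG = """\
2010.09.22 10:15:03 LOG6[4242:3086997184]: VERIFY OK: depth=1, /C=US/O=Example/CN=Example Client CA
2010.09.22 10:15:03 LOG6[4242:3086997184]: VERIFY OK: depth=0, /C=US/O=Example/CN=alice
2010.09.22 10:16:40 LOG4[4242:3086997184]: VERIFY ERROR: depth=0, error=self signed certificate: /CN=rogue-laptop
2010.09.22 10:18:01 LOG6[4242:3086997184]: VERIFY OK: depth=0, /C=US/O=Example/CN=alice
2010.09.22 10:19:22 LOG6[4242:3086997184]: VERIFY OK: depth=0, /C=US/O=Example/CN=bob
"""
```

On the sample, audit_services() flags [exposed] twice (accept=8444 binds every interface, and verify=1 only checks a certificate if the client happens to send one) and [pop3s] once (a client-mode tunnel on 0.0.0.0 lets other hosts ride the tunnel under this machine's identity, the exact concern raised earlier in the thread); [audited] inherits verify=2 from the global section and listens on loopback, so it is clean. The log pass keeps only depth-0 entries, so the CA entry logged at depth=1 does not get counted as a client login.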
From david.g.bucci at lmco.com Wed Sep 22 18:39:44 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Wed, 22 Sep 2010 12:39:44 -0400
Subject: [stunnel-users] Server side logging, no connection details logged
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A9FF1011@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A9F5130D@HVXMSP4.us.lmco.com> <581C2F1AB3315145BD64D2022634BF8D01A9FF1011@HVXMSP4.us.lmco.com>
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9FF105F@HVXMSP4.us.lmco.com>

Further followup - in the note immediately below, I was looking at the 4.34 source, but we were testing with 4.33 yesterday. Diffing, msgs were added to 4.34 for failed certificates (thank you -- you're very prescient :-). We're upgrading to 4.34 and retesting today, and I'll let everyone know.

That said -- 4.33 code has a msg that we should have seen when a certificate is accepted, at the end of verify_callback(), and we weren't seeing it.

-----Original Message-----
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Bucci, David G
Sent: Wednesday, September 22, 2010 12:25 PM
To: stunnel-users at mirt.net
Subject: EXTERNAL: Re: [stunnel-users] Server side logging, no connection details logged

More details, and checking the source code ... messages are being output during engine setup and such (all the msgs that should be logged during verification_init() in verify.c), but none of the messages from verify_callback(). We have verify = 2, debug = 7, and CAfile set (and during startup we see a msg that the CAfile is successfully read).

The verification is in fact working correctly - when we pass in a self-signed cert, the connection is denied (and we see a "certificate bad" message in the client's log), but when we pass in a valid cert, it's accepted.
In neither case do we see any msgs in the server's log.

The exact msgs we want are there in verify.c/verify_callback() -- the subject name listed for rejected and accepted certs, it looks like LOG_INFO should be enough, but we're simply not seeing any msgs.

-----Original Message-----
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Bucci, David G
Sent: Tuesday, September 21, 2010 11:26 AM
To: stunnel-users at mirt.net
Subject: [stunnel-users] Server side logging, no connection details logged

Hi - using Stunnel to enforce client certificate based authentication, and as part of that, we want to log accesses, and the CN used to access, on the server side (kind of an audit log).

On the client side, with debug set to 7, we get details about the connection, the SSL steps in the handshake, etc. - but on the server side, even with debug = 7, we're not seeing any info at all about the connections that are occurring.

Sooo ... is there a way to enable such logging on the server side of the tunnel? Or possibly turn on independent logging in the OpenSSL libs that are used? I looked, but haven't found anything online about this.

Thx!

----
David G. Bucci

If you can't say anything nice, at least have the decency to be vague.

From david.g.bucci at lmco.com Wed Sep 22 18:57:35 2010
From: david.g.bucci at lmco.com (Bucci, David G)
Date: Wed, 22 Sep 2010 12:57:35 -0400
Subject: [stunnel-users] Target version/timeframe for drawing identity certs from Windows cert store?
Message-ID: <581C2F1AB3315145BD64D2022634BF8D01A9FF10CB@HVXMSP4.us.lmco.com>

Hi - in an exchange last week, Michal, it sounded like you might be planning on adding the capability/option to the Windows version to select an identity certificate from the Windows certificate store (because it turns out OpenSSL added some supporting infrastructure for doing so, if I understood correctly).

For planning purposes, do you have any sense yet of whether that's really going to happen, and in what timeframe or what target version?

I think that'd be a change of high interest to a lot of people ... one suggestion, it would help integrators if there was a way to configure a msg into whatever selection dialog that comes up, asking the user to select a certificate from their identity store. Thinking out loud -- probably also, in the case where multiple client tunnels are being set up, a way to make it either a global selection (for all client services), or a service specific selection -- hmm, though global only is probably fine, thinking about it, since an integrator could always create a 2nd config, if a 2nd tunnel is needed

Thinking further, you would probably want to be careful that it would work early on during login, since I imagine like us, integrators would want to start it from a user's Startup folder, or from a login script. I don't know Windows well enough to know if that constrains you (if the window mgr is up during login script exec, etc.).

Thx!

----
David G. Bucci

If you can't think of anything kind to say,
could you at least have the decency to be vague?

From Michal.Trojnara at mirt.net Wed Sep 22 19:32:30 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Wed, 22 Sep 2010 19:32:30 +0200
Subject: [stunnel-users] Target version/timeframe for drawing identity certs from Windows cert store?
In-Reply-To: <581C2F1AB3315145BD64D2022634BF8D01A9FF10CB@HVXMSP4.us.lmco.com>
References: <581C2F1AB3315145BD64D2022634BF8D01A9FF10CB@HVXMSP4.us.lmco.com>
Message-ID: <8a93a4fe-14d7-4ac9-b4ab-f1d95e1122da@email.android.com>

Hi David,

Yes, OpenSSL has recently added a functionality called "capi engine" that should allow to use Windows Certificate Store in stunnel. Unfortunately it currently only seems to work with OpenSSL compiled with MSVC and not gcc.

My options are:
1. Wait for OpenSSL to fix this issue or for someone to find a workaround. I tried to get it working and I failed.
2. Switch to OpenSSL compiled with MSVC. That's inconvenient, but since your company makes money on stunnel it could probably use some of them to convince me to implement such a change.

I agree selection of certificate should be implemented as service-level option. As you probably know each service-level option can also be specified in global section as a default for all service sections.

Starting stunnel from login script is not a problem.

Best regards,
Mike

"Bucci, David G" wrote:

>Hi - in an exchange last week, Michal, it sounded like you might be planning on adding the capability/option to the Windows version to select an identity certificate from the Windows certificate store (because it turns out OpenSSL added some supporting infrastructure for doing so, if I understood correctly).
>
>For planning purposes, do you have any sense yet of whether that's really going to happen, and in what timeframe or what target version?
>
>I think that'd be a change of high interest to a lot of people ... one suggestion, it would help integrators if there was a way to configure a msg into whatever selection dialog that comes up, asking the user to select a certificate from their identity store.
>Thinking out loud -- probably also, in the case where multiple client tunnels are being set up, a way to make it either a global selection (for all client services), or a service specific selection -- hmm, though global only is probably fine, thinking about it, since an integrator could always create a 2nd config, if a 2nd tunnel is needed
>
>Thinking further, you would probably want to be careful that it would work early on during login, since I imagine like us, integrators would want to start it from a user's Startup folder, or from a login script. I don't know Windows well enough to know if that constrains you (if the window mgr is up during login script exec, etc.).
>
>Thx!
>
>----
>David G. Bucci
>
>If you can't think of anything kind to say,
>could you at least have the decency to be vague?

--
Sent from Android with K-9 Mail. Please excuse the brevity.

From doomvox at gmail.com Fri Sep 24 21:53:24 2010
From: doomvox at gmail.com (Joseph Brenner)
Date: Fri, 24 Sep 2010 12:53:24 -0700
Subject: [stunnel-users] pop3 stunnel nmh to gmail
Message-ID:

I'm an nmh user running ubuntu jaunty, and I want to get my local email working over SSL connections to a gmail account (POP3/SMTP). So I'm trying to get some form of mh to talk over SSL using stunnel4.

I'm looking for suggestions on what I might be doing wrong, and hints on how to go about isolating the problems.

I've succeeded in using Sylpheed to get mail from gmail, so I know the gmail account is working and is set up for pop3 and so on.

When I run mh's inc command, though, it just reports:

"inc: no servers available"

I can see that I've got stunnel running by doing a:

ps ax | egrep stun | egrep -v egrep
5937 ?        SN     0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5938 ?        SN     0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5939 ?        SN     0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5940 ?        SN     0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5941 ?        SN     0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5942 ?        SNs    0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

Google has some instructions up about servers and port numbers (but no examples specific to stunnel):

http://mail.google.com/support/bin/answer.py?hl=en&answer=13287

Here's a summary of the kind of configurations I've been trying:

/etc/default/stunnel4:

ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
PPP_RESTART=0

/etc/stunnel/stunnel.conf:

sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes

[pop3s]
accept = 127.0.0.1:995
connect = pop.gmail.com:110

[smtps]
accept = 127.0.0.1:465
connect = smtp.gmail.com:25

/etc/nmh/mts.conf:

mts: smtp
hostable: /etc/nmh/hosts
localname: smtp.gmail.com
# localname: gmail.com
masquerade:
mmdfldir: /var/mail
mmdflfil:
# pophost: localhost
# pophost: pop.gmail.com:995
pophost: pop.gmail.com:110
# pophost: pop.gmail.com
# servers: localhost
servers: smtp.gmail.com

/var/log/stunnel4/stunnel.log

2010.09.21 11:11:41 LOG7[6528:140533218399984]: Snagged 64 random bytes from /dev/urandom
2010.09.21 11:11:41 LOG7[6528:140533218399984]: RAND_status claims sufficient entropy for the PRNG
2010.09.21 11:11:41 LOG7[6528:140533218399984]: PRNG seeded successfully
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SSL context initialized for service pop3s
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SSL context initialized for service imaps
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SSL context initialized for service smtps
2010.09.21 11:11:41 LOG5[6528:140533218399984]: stunnel 4.22 on x86_64-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
2010.09.21 11:11:41 LOG5[6528:140533218399984]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2010.09.21 11:11:41 LOG6[6528:140533218399984]: file ulimit = 1024 (can be changed with 'ulimit -n')
2010.09.21 11:11:41 LOG6[6528:140533218399984]: poll() used - no FD_SETSIZE limit for file descriptors
2010.09.21 11:11:41 LOG5[6528:140533218399984]: 500 clients allowed
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 10 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 11 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 12 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SO_REUSEADDR option set on accept socket
2010.09.21 11:11:41 LOG7[6528:140533218399984]: pop3s bound to 127.0.0.1:1109
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 13 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SO_REUSEADDR option set on accept socket
2010.09.21 11:11:41 LOG7[6528:140533218399984]: imaps bound to 0.0.0.0:993
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 14 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SO_REUSEADDR option set on accept socket
2010.09.21 11:11:41 LOG7[6528:140533218399984]: smtps bound to 127.0.0.1:259
2010.09.21 11:11:41 LOG7[6534:140533218399984]: Created pid file /stunnel4.pid

/var/log/mail.log

Sep 21 13:40:32 fineline gnu-pop3d[15484]: Incoming connection opened
Sep 21 13:40:32 fineline gnu-pop3d[15484]: connect from 127.0.0.1
Sep 21 13:40:32 fineline gnu-pop3d[15484]: User `doomvox at gmail.com': nonexistent
Sep 21 13:40:32 fineline gnu-pop3d[15484]: Session ended for no user

I'm using the "stunnel4" package for ubuntu jaunty:

/usr/bin/stunnel4 -version
stunnel 4.22 on x86_64-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug           = 5
pid             = /var/run/stunnel4.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key             = /etc/stunnel/stunnel.pem
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

uname -a
Linux fineline 2.6.24-16-generic #1 SMP Thu Apr 10 12:47:45 UTC 2008 x86_64 GNU/Linux

gcc -v
Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.3.3-5ubuntu4' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)

openssl version
OpenSSL 0.9.8g 19 Oct 2007

From cherryn at gmail.com Sat Sep 25 02:26:37 2010
From: cherryn at gmail.com (Cherry Ngai)
Date: Fri, 24 Sep 2010 17:26:37 -0700
Subject: [stunnel-users] stunnel v4.32 & mac v10.6.3
Message-ID:

Hello,

I am new to stunnel. My stunnel v4.32 is installed on my mac v10.6.3 using MacPorts. I am trying to set up active directory, but no process starts when I run

sudo /opt/local/bin/stunnel /opt/local/etc/stunnel/stunnel.conf

There is no error msg after I run the command. I believe it could have something to do with my configuration? Having it running in debug mode, I can't find the created output file.

Could someone help me? Or tell me where I can find the output file?

Thanks!
stunnel seems to be successfully installed, as it returned the following for the command "sudo stunnel -version":

stunnel 4.32 on i686-apple-darwin10.3.0 with OpenSSL 1.0.0a 1 Jun 2010
Threading:PTHREAD SSL:ENGINE Sockets:SELECT,IPv6 Auth:LIBWRAP

Global options
debug = daemon.notice
pid = /opt/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /opt/local/etc/stunnel/stunnel.pem
ciphers = ALL:!aNULL:!eNULL:!SSLv2
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

Here is my config:

cert = /opt/local/etc/stunnel/stunnel.pem
key = /opt/local/etc/stunnel/stunnel.pem
sslVersion = SSLv3
chroot = /opt/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log
client = yes

[ActiveDirectory1]
accept = 391
connect = SOME_IP:636

Cheers,
Cherry
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From delaage.pierre at free.fr Sat Sep 25 23:05:53 2010
From: delaage.pierre at free.fr (Pierre DELAAGE)
Date: Sat, 25 Sep 2010 23:05:53 +0200
Subject: [stunnel-users] Critical error on stunnel 434 for WinCE/Windows Mobile: no service at all, because of failure in thread creation
Message-ID: <4C9E6431.9020102@free.fr>

Hello Michal,

Maybe you remember me, I am the man who refreshed stunnel for WinCE up to the 4.27 version. Thank you for having included my code in your mainstream at that time.

As a regular Win32 programmer I always check that my code is as close as possible to that of the main Win32 stream for PC.

I am writing to you today to point out a critical bug that prevents stunnel 4.34 from servicing any service at all.

I have fixed that bug and will send you a refresh of all the sources (which needed some after some Win32 PC version updates) soon. SO DO NOT DO ANYTHING.

The bug is in sthread.c: the WinCE _beginthread port has been modified (by someone other than me) like this:

v434:
    handle=CreateThread(NULL, stack_size, (LPTHREAD_START_ROUTINE)start_address, arglist,
        STACK_SIZE_PARAM_IS_A_RESERVATION, &thread_id);

The "STACK_SIZE_PARAM_IS_A_RESERVATION" flag is the novelty since 4.27.

The problem is that _beginthread is being called from gui.c with stacksize=0, SO THAT a stack of 0 size "TRIES to be RESERVED" and then CreateThread FAILS to return a valid handle. That is to say that no thread is created, and thus NO TUNNELING SERVICE at all can be delivered. So stunnel cannot work at all.

Solution: the proper call is:

    handle=CreateThread(NULL, stack_size, (LPTHREAD_START_ROUTINE)start_address, arglist,
        (stack_size > 0) ? STACK_SIZE_PARAM_IS_A_RESERVATION : 0, &thread_id);

I repeat and insist: please DO NOT DO anything to the code, as I will soon send a refresh with various other updates (because apart from that critical bug, the code needs other refreshes to compile properly), and as I am also working on a refresh of OpenSSL up to 1.0.0a (those gentlemen at OpenSSL never included any WCE patch in their mainstream, which is really a pity, but that is another story).

See you soon,

Thank you again for all the work you do for the community of people,

Pierre
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Michal.Trojnara at mirt.net Sun Sep 26 19:25:11 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Sun, 26 Sep 2010 19:25:11 +0200
Subject: [stunnel-users] Critical error on stunnel 434 for WinCE/Windows Mobile: no service at all, because of failure in thread creation
In-Reply-To: <4C9E6431.9020102@free.fr>
References: <4C9E6431.9020102@free.fr>
Message-ID: <3051BF1E-3FF6-48A3-9A5A-20B7324D72F0@mirt.net>

Pierre DELAAGE wrote:
> Maybe you remember me, I am the man that refreshed stunnel for winCE
> up to 4.27 version.
> Thank you for having included my code to your mainstream at that time.

Thank you. I appreciate your public domain patch sent 10 Jan 2009.

> the bug is in sthread.c:
> the wince _beginthread port has been modified

You're right. I obviously made a mistake here. Thank you.

In gui.c:
    _beginthread(ThreadFunc, 0, NULL);
should be:
    _beginthread(ThreadFunc, DEFAULT_STACK_SIZE, NULL);

> I repeat and insist : please DO NOT DO anything to the code, as I
> will send soon a refresh with various other updates (because apart
> from that critical bug,
> the code needs other refresh to compile properly),

I prefer individual patches for separate issues rather than a single, large patch.

I also tend to rewrite code anyway rather than simply apply patches. It might be better if you just describe problems instead of sending the code.

> and as I am also working on a refresh of openssl up to 1.0.0a (those
> gentlemen at openssl never included any wce patch to their mainstream,
> which is really a pity, but another story).

It would be great to have a patch to build OpenSSL with arm-cegcc. 8-)

Best regards,
Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From delaage.pierre at free.fr Sun Sep 26 20:34:07 2010
From: delaage.pierre at free.fr (Pierre DELAAGE)
Date: Sun, 26 Sep 2010 20:34:07 +0200
Subject: [stunnel-users] Critical error on stunnel 434 for WinCE/Windows Mobile: no service at all, because of failure in thread creation
In-Reply-To: <3051BF1E-3FF6-48A3-9A5A-20B7324D72F0@mirt.net>
References: <4C9E6431.9020102@free.fr> <3051BF1E-3FF6-48A3-9A5A-20B7324D72F0@mirt.net>
Message-ID: <4C9F921F.1040803@free.fr>

Hello Michal,

Your fix and mine are cumulative: it is allowed to specify "0" for stacksize in _beginthread, in which case the spec says that the actual stack size will default to that of the calling thread. Presently such a 0 will lead CreateThread and _beginthread to fail.

My patch will lead to having as "default" the /STACK option value of the linker, i.e. 1MB with the WCE compiler if /STACK is unspecified. It would be uselessly luxurious to modify _beginthread to "really" get the calling thread's stack size as default.

Then gui.c, or any other caller, will be "free" to call _beginthread with 0 as stacksize or not. This is the subject of your patch.

Apart from that, my forthcoming global patch will only fix "compilation issues", not execution issues.

In general, after the 4.27 refresh and the unicode bug last year, I will stay focused on unicode/ascii support and compilation issues on WCE, and I will deal with "operational" code only when encountering a bug. My present aim is to offer a port of stunnel for WCE, without touching the core cryptographic code, something I prefer to leave to SSL specialists.

See you soon with my patch,

Pierre

Le 26/09/2010 19:25, Michal Trojnara a écrit :
> Pierre DELAAGE wrote:
>> Maybe you remember me, I am the man that refreshed stunnel for winCE
>> up to 4.27 version.
>> Thank you for having included my code to your mainstream at that time.
>
> Thank you. I appreciate your public domain patch sent 10 Jan 2009.
>
>> the bug is in sthread.c:
>> the wince _beginthread port has been modified
>
> You're right. I obviously made a mistake here. Thank you.
>
> In gui.c:
> _beginthread(ThreadFunc, 0, NULL);
> should be:
> _beginthread(ThreadFunc, DEFAULT_STACK_SIZE, NULL);
>
>> I repeat and insist : please DO NOT DO anything to the code, as I
>> will send soon a refresh with various other updates (because apart
>> from that critical bug,
>> the code needs other refresh to compile properly),
>
> I prefer individual patches for separate issues rather than a single,
> large patch.
>
> I also tend to rewrite code anyway rather than simply apply patches.
> It might be better if you just describe problems instead of sending
> the code.
>
>> and as I am also working on a refresh of openssl up to 1.0.0a (those
>> gentlemen at openssl never included any wce patch to their mainstream,
>> which is really a pity, but another story).
>
> It would be great to have a patch to build OpenSSL with arm-cegcc. 8-)
>
> Best regards,
> Mike
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Michal.Trojnara at mirt.net Sun Sep 26 21:53:16 2010
From: Michal.Trojnara at mirt.net (Michal Trojnara)
Date: Sun, 26 Sep 2010 21:53:16 +0200
Subject: [stunnel-users] Critical error on stunnel 434 for WinCE/Windows Mobile: no service at all, because of failure in thread creation
In-Reply-To: <4C9F921F.1040803@free.fr>
References: <4C9E6431.9020102@free.fr> <3051BF1E-3FF6-48A3-9A5A-20B7324D72F0@mirt.net> <4C9F921F.1040803@free.fr>
Message-ID:

Pierre DELAAGE wrote:
> My patch will lead to have as "default" the /STACK option value of
> the linker, ie 1MB with wce compiler if /STACK unspecified.

Such a large virtual memory reserved for each thread stack is a very bad idea on 32-bit CPUs. WCE makes it even worse, since each process is contained (unless some special tricks are used) within a 32MB slot:
http://msdn.microsoft.com/en-us/library/aa450572.aspx

That's why I recently received a report that stunnel is not able to create more than 32 threads on WCE.

> It would be uselessly luxuous to modify _beginthread to "really" get
> the calling thread stack size as default.

I don't remember stunnel using the calling stack size for any purpose...

> In general, after the 4.27 refresh and the unicode bug last year I
> will stay focused on unicode/ascii support and
> compilation issues on WCE, and I will deal with "operational" code
> only when encountering a bug.

I'd appreciate some help with testing as I currently don't have an eVC configured.

Mike

From delaage.pierre at free.fr Sun Sep 26 23:07:13 2010
From: delaage.pierre at free.fr (Pierre DELAAGE)
Date: Sun, 26 Sep 2010 23:07:13 +0200
Subject: [stunnel-users] Critical error on stunnel 434 for WinCE/Windows Mobile: no service at all, because of failure in thread creation
In-Reply-To:
References: <4C9E6431.9020102@free.fr> <3051BF1E-3FF6-48A3-9A5A-20B7324D72F0@mirt.net> <4C9F921F.1040803@free.fr>
Message-ID: <4C9FB601.2000306@free.fr>

Le 26/09/2010 21:53, Michal Trojnara a écrit :
> Pierre DELAAGE wrote:
>> My patch will lead to have as "default" the /STACK option value of
>> the linker, ie 1MB with wce compiler if /STACK unspecified.
>
> Such a large virtual memory reserved for each stack thread is a very
> bad idea on 32-bit CPUs. WCE makes it even worse, since each process
> is contained (unless some special tricks are used) within a 32MB slot:
> http://msdn.microsoft.com/en-us/library/aa450572.aspx
> That's why I recently received a report that stunnel is not able to
> create more than 32 threads on WCE.
>

Sure, this is where YOUR patch comes into action, by explicitly specifying a 65K stack for each thread at _beginthread calling time. This is what I meant by the "cumulative" effect of both our patches.
Mine is more related to the "proper" functionality of _beginthread.

With your permission, I will include your gui.c trick in my next patch, so that we have a complete, consistent solution to that problem.

>> It would be uselessly luxuous to modify _beginthread to "really" get
>> the calling thread stack size as default.
>
> I don't remember stunnel using calling stack size for any purpose...

Sure.

>
>> In general, after the 4.27 refresh and the unicode bug last year I
>> will stay focused on unicode/ascii support and
>> compilation issues on WCE, and I will deal with "operational" code
>> only when encountering a bug.
>
> I'd appreciate some help with testing as I currently don't have an eVC
> configured.

This is exactly what I basically offer to the project.

Pierre

> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users

From delaage.pierre at free.fr Mon Sep 27 00:40:39 2010
From: delaage.pierre at free.fr (Pierre DELAAGE)
Date: Mon, 27 Sep 2010 00:40:39 +0200
Subject: [stunnel-users] public domain [PATCH] to stunnel 4.34 for Windows CE / Windows Mobile, "no service" CRITICAL bug and unicode bugs fixed
Message-ID: <4C9FCBE7.8060900@free.fr>

Dear All,

Please find enclosed a patch in "diff -cr orig patched" format, applying to stunnel 4.34 as found here: ftp://stunnel.mirt.net/stunnel/.

This patch mainly addresses compilation and unicode issues for Windows CE targets + ONE critical issue preventing stunnel from servicing anything (!).

I use the MS EVC 4sp2 compiler with the WCE 420 SDK, on a Vista host platform. Once debugged, the code works fine on WM6 HTC smartphones. It should work on WM5.

It needs a Windows CE OpenSSL lib (I recompiled MY patched version of OpenSSL 1.0.0a successfully: I will have to log a patch with those gentlemen, hoping that they are open to integrating it, something not so obvious in the past).

I will later post here a link to my patch for OpenSSL 1.0.0a pointing to the OpenSSL mailing list. THIS OPENSSL PATCH IS ESSENTIAL: with my older version of OpenSSL 0.9.8pre_j for WCE, stunnel does not work any more (it crashes after the first connection).

The present stunnel patch addresses the following issues:

*************
I] COMPILATION FAILURES

1/ common.h: "EINVAL redefinition": in fact the compile option WX (see evc.mak) does not tolerate any warning. The MS evc420 compiler ALWAYS issues a warning on this symbol redefinition. Michal and I have been dealing with it for months... But, considering that NONE of the Exxx error codes are used in stunnel, I suggest that in fact ALL these redefinitions should be suppressed.
TODO: In the future a proper rewrite of the code in log.c, where hardcoded values of WSA error codes are used instead of symbolic constants, will have to be done.

2/ client.c: CreateProcess is a UNICODE function: the code was ASCII only. The code has been adapted to work in unicode.

3/ evc.mak: the path to the new OpenSSL lib has been redefined. The proper location for the libs in the OpenSSL tree has been set in the make-install block (although this block is presently USELESS and needs a complete rewrite).

4/ gui.c: All code using hmainmenu is OFF under WinCE. So some new lines involving it were not compiling.

5/ options.c: linger_val.l_linger and linger_val.l_onoff require ushort values. Strict type checking of the compiler required a proper cast to ushort of the r-values. stralloc uses "strdup": on Win32 and WinCE strdup is _strdup (!).

6/ prototypes.h: _beginthread was defined as returning an int, and a long in sthread.c. After some checking in various documentation, long is the correct type, in particular because _beginthread can return the special error value "-1L". So unsigned types are illogical. This simplifies the code in some locations, by saving some now useless casts.

7/ sthread.c: create_client: suppressed some useless casts to (long) for _beginthread.

*************
II] OPERATIONAL ERRORS (at run-time)

This is a reminder of a previous notification to the mailing list: due to improper _beginthread code and/or use, it is presently IMPOSSIBLE for stunnel 4.34 to be used in production on WCE: it is just unable to service any... service. Nothing happens if, for example, you use it to connect to an HTTPS server. No log either!

I corrected the code with both Michal's patch to gui.c and mine to sthread.c:

gui.c (Michal's patch): _beginthread was called with 0 as stacksize which, cumulated with improper coding of sthread/_beginthread, led to FAILURE of service thread creation.

sthread.c: _beginthread now supports the "0" stacksize value, leading to the default linker stack size (1MB by default unless specified differently on the linker command line, something we do not yet do but could).

*************
III] MINOR IMPROVEMENT

_beginthread: added a log on the critical event of "failure" to create a service thread, because I think it is a critical event, isn't it?

I hope you will find this patch useful.

Thank you for your excellent work,

Yours sincerely,
Pierre Delaage

Note: I use stunnel to establish a simple "vpn" between smartphones and a corporate Linux server, mainly for HTTPS/POPS/SMTPS support. stunnel is very relevant in that matter, over solutions based on SSH (although we also use ssh), from a communication cost point of view: ssh establishes a permanent socket between client and server, so that the communication is charged by the mobile network provider, and these charges are very expensive. On the contrary, stunnel only establishes SSL sockets on demand, so that financial charges are limited to the strictly necessary.

Please note that stunnel brings "client-based certificate authentication" to POP/SMTP mobile mail user agents which only BASICALLY support SSL with server authentication, but NO client authentication, such as M$ Outlook for Mobile (unless you pay for an Exchange server and Exchange client licence). Here again stunnel is very relevant.

Note 2: the strdup and unicode bug fixes should also benefit the Win32 (for PC) stunnel version.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: stunnel_patchTo_434.txt
URL:

From leandro.avila at ymail.com Mon Sep 27 16:32:25 2010
From: leandro.avila at ymail.com (Leandro Avila)
Date: Mon, 27 Sep 2010 07:32:25 -0700 (PDT)
Subject: [stunnel-users] pop3 stunnel nmh to gmail
In-Reply-To:
References:
Message-ID: <502070.64543.qm@web111016.mail.gq1.yahoo.com>

Mr. Brenner,

Looks like your configuration is a little backwards. The stunnel configuration should be something like this:

[pop3s]
accept = 127.0.0.1:110
connect = pop.gmail.com:995

[smtps]
accept = 127.0.0.1:25
connect = smtp.gmail.com:465

Notice the ports and where you are connecting. stunnel runs on localhost and takes care of connecting you to the remote machine using SSL.

The same logic applies to your mail client. Your SMTP and POP connections should be to the stunnel process running on localhost.

Hope this helps.

-----------------
Leandro Avila

----- Original Message ----
From: Joseph Brenner
To: stunnel-users at mirt.net
Sent: Fri, September 24, 2010 2:53:24 PM
Subject: [stunnel-users] pop3 stunnel nmh to gmail

I'm an nmh user running Ubuntu jaunty, and I want to get my local email working over SSL connections to a gmail account (POP3/SMTP). So I'm trying to get some form of mh to talk over SSL using stunnel4. I'm looking for suggestions on what I might be doing wrong, and hints on how to go about isolating the problems.

I've succeeded in using Sylpheed to get mail from gmail, so I know the gmail account is working and is set up for pop3 and so on.

When I run mh's inc command, though, it just reports:
"inc: no servers available"

I can see that I've got stunnel running by doing a:
ps ax | egrep stun | egrep -v egrep
5937 ? SN 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5938 ?
SN 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5939 ? SN 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5940 ? SN 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5941 ? SN 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
5942 ? SNs 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

Google has some instructions up about servers and port numbers (but no examples specific to stunnel):
http://mail.google.com/support/bin/answer.py?hl=en&answer=13287

Here's a summary of the kind of configurations I've been trying:

/etc/default/stunnel4:
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
PPP_RESTART=0

/etc/stunnel/stunnel.conf:
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes

[pop3s]
accept = 127.0.0.1:995
connect = pop.gmail.com:110

[smtps]
accept = 127.0.0.1:465
connect = smtp.gmail.com:25

/etc/nmh/mts.conf:
mts: smtp
hostable: /etc/nmh/hosts
localname: smtp.gmail.com
# localname: gmail.com
masquerade:
mmdfldir: /var/mail
mmdflfil:
# pophost: localhost
# pophost: pop.gmail.com:995
pophost: pop.gmail.com:110
# pophost: pop.gmail.com
# servers: localhost
servers: smtp.gmail.com

/var/log/stunnel4/stunnel.log:
2010.09.21 11:11:41 LOG7[6528:140533218399984]: Snagged 64 random bytes from /dev/urandom
2010.09.21 11:11:41 LOG7[6528:140533218399984]: RAND_status claims sufficient entropy for the PRNG
2010.09.21 11:11:41 LOG7[6528:140533218399984]: PRNG seeded successfully
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SSL context initialized for service pop3s
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SSL context initialized for service imaps
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SSL context initialized for service smtps
2010.09.21 11:11:41 LOG5[6528:140533218399984]: stunnel 4.22 on x86_64-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
2010.09.21 11:11:41 LOG5[6528:140533218399984]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2010.09.21 11:11:41 LOG6[6528:140533218399984]: file ulimit = 1024 (can be changed with 'ulimit -n')
2010.09.21 11:11:41 LOG6[6528:140533218399984]: poll() used - no FD_SETSIZE limit for file descriptors
2010.09.21 11:11:41 LOG5[6528:140533218399984]: 500 clients allowed
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 10 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 11 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 12 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SO_REUSEADDR option set on accept socket
2010.09.21 11:11:41 LOG7[6528:140533218399984]: pop3s bound to 127.0.0.1:1109
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 13 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SO_REUSEADDR option set on accept socket
2010.09.21 11:11:41 LOG7[6528:140533218399984]: imaps bound to 0.0.0.0:993
2010.09.21 11:11:41 LOG7[6528:140533218399984]: FD 14 in non-blocking mode
2010.09.21 11:11:41 LOG7[6528:140533218399984]: SO_REUSEADDR option set on accept socket
2010.09.21 11:11:41 LOG7[6528:140533218399984]: smtps bound to 127.0.0.1:259
2010.09.21 11:11:41 LOG7[6534:140533218399984]: Created pid file /stunnel4.pid

/var/log/mail.log:
Sep 21 13:40:32 fineline gnu-pop3d[15484]: Incoming connection opened
Sep 21 13:40:32 fineline gnu-pop3d[15484]: connect from 127.0.0.1
Sep 21 13:40:32 fineline gnu-pop3d[15484]: User `doomvox at gmail.com': nonexistent
Sep 21 13:40:32 fineline gnu-pop3d[15484]: Session ended for no user

I'm using the "stunnel4" package for Ubuntu jaunty:

/usr/bin/stunnel4 -version
stunnel 4.22 on x86_64-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug = 5
pid = /var/run/stunnel4.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key = /etc/stunnel/stunnel.pem
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

uname -a
Linux fineline 2.6.24-16-generic #1 SMP Thu Apr 10 12:47:45 UTC 2008 x86_64 GNU/Linux

gcc -v
Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.3.3-5ubuntu4' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)

openssl version
OpenSSL 0.9.8g 19 Oct 2007

_______________________________________________
stunnel-users mailing list
stunnel-users at mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

From ntserafica at gmail.com Thu Sep 30 10:27:53 2010
From: ntserafica at gmail.com (Nelson)
Date: Thu, 30 Sep 2010 16:27:53 +0800
Subject: [stunnel-users] fingerprint does not match
Message-ID:

I have a running machine with stunnel installed for HTTPS services. Now I want to set up another machine using the same configuration and key from my 1st machine. I have installed the stunnel patch with x-forwarded-for. However, every time I try to start it up, it shows:

Starting universal SSL tunnel: stunnelReading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
failed.

I'm using the same key and cert that my 1st machine is using.
Would there be a problem? I had no problem starting stunnel yesterday. I just encountered this error when I changed my IP address. I made sure that my config also listens on this IP address.

Would anyone know how to fix this problem? I tried to Google it, but to no avail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From cbrowne at cbcs-usa.com Thu Sep 30 15:33:18 2010
From: cbrowne at cbcs-usa.com (Carter Browne)
Date: Thu, 30 Sep 2010 09:33:18 -0400
Subject: [stunnel-users] Stunnel and DLL Hell
In-Reply-To:
References:
Message-ID: <4CA4919E.1070506@cbcs-usa.com>

I just had an upgrade issue going from stunnel 4.32 (using the OpenSSL 0.9.8x libraries) to stunnel 4.34 (using the OpenSSL 1.0.0x libraries).

I'm using the CApath option and verify = 2 to verify connections. The OpenSSL group changed the hash algorithm between 0.9.8 and 1.0.0, so that the certificates have to have a different name (this is a Windows installation, so no linked names). When I initially converted I had two copies of the names, one using the old hash and one using the new hash, and everything worked perfectly. However, after I cleaned up the directories and removed the old hash names, things began to fail. Eventually I could not make any connections to the system running stunnel 4.34.

Eventually it occurred to me to check for multiple versions of SSLEAY32.DLL on the system, and there were a number of copies. For whatever reason, the 0.9.8x version got loaded first and so the 1.0.0x hash names were not recognized.

This explanation is a long-winded request for the option of having a statically linked version of stunnel for Windows. I have about 10 systems running stunnel 4.34 and all but this one worked properly. However, having the vagaries of which version of SSLEAY32 gets loaded by Windows first determine the correct operation of the system is an uncertainty that it would be very good to live without.

Thanks for the consideration.

Carter

Carter Browne
CBCS
cbrowne at cbcs-usa.com
781-721-2890
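Two configuration mistakes recur in this thread: Joseph Brenner's client-mode tunnels accept on the TLS port and connect to the plaintext port (Leandro Avila's reply swaps them), and his log shows a service bound to 0.0.0.0 rather than loopback, which is the same exposure Michal warns about in the Windows thread above. A third point nobody raises is that the posted `-version` output shows the default is `verify = none`, so a client tunnel to a mail provider accepts any server certificate. The following lint is an added example written for this page; it is not stunnel code or anything posted by the list members. It assumes the standard TLS/plaintext port pairs in `TLS_TO_PLAIN`, and the sample configurations are constructed here (the `[imaps]` section and the `CAfile` path are assumptions, not taken from the thread).

```python
"""Lint a client-mode stunnel.conf for the mistakes discussed in the thread.

Added example, not part of stunnel. Assumptions: the port table below uses the
common TLS-wrapped/plaintext pairs; comment lines start with ';' or '#'; an
accept value without a host binds every interface (as the log's 0.0.0.0 shows).
"""
import re

# Assumption: well-known TLS port -> plaintext port pairs.
TLS_TO_PLAIN = {995: 110, 465: 25, 993: 143, 443: 80, 636: 389}
PLAIN_TO_TLS = {plain: tls for tls, plain in TLS_TO_PLAIN.items()}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_stunnel_conf(text):
    """Parse the '[service]' / 'key = value' layout into (globals, services).

    Every value is a list, because options such as 'socket = ...' repeat.
    """
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":            # comment or blank line
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            services[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = global_opts if current is None else services[current]
        target.setdefault(key.lower(), []).append(value)
    return global_opts, services


def split_hostport(value):
    """'127.0.0.1:995' -> ('127.0.0.1', 995); a bare '995' means all interfaces."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return None, int(port)
    return host.strip("[]"), int(port)


def lint_client_conf(text):
    """Return a list of (service, finding) strings for client-mode services."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        def opt(key):                               # service value wins over global
            return (opts.get(key) or global_opts.get(key) or [None])[-1]

        if (opt("client") or "no").lower() != "yes":
            continue                                 # server-mode checks are out of scope
        accept, connect = opt("accept"), opt("connect")
        if not accept or not connect:
            findings.append((name, "missing accept or connect"))
            continue
        ahost, aport = split_hostport(accept)
        _chost, cport = split_hostport(connect)
        if ahost not in LOOPBACK:
            findings.append((name, "accept is not bound to loopback: any host that "
                                   "can reach this interface may use the tunnel"))
        if TLS_TO_PLAIN.get(aport) == cport:
            findings.append((name, f"ports reversed for client mode: accept the plaintext "
                                   f"port {cport} and connect to the TLS port {aport}"))
        elif cport in PLAIN_TO_TLS:
            findings.append((name, f"connect targets plaintext port {cport}; in client "
                                   f"mode stunnel expects a TLS service there"))
        if (opt("verify") or "0") in ("0", "none"):
            findings.append((name, "verify is unset: the remote certificate is not "
                                   "checked, so the tunnel can be intercepted"))
    return findings


# Constructed from the configuration posted in the thread; [imaps] is an assumed
# section standing in for the 'imaps bound to 0.0.0.0:993' line of the log.
BRENNER_CONF = """\
client = yes
chroot = /var/lib/stunnel4/
setuid = stunnel4
[pop3s]
accept = 127.0.0.1:995
connect = pop.gmail.com:110
[smtps]
accept = 127.0.0.1:465
connect = smtp.gmail.com:25
[imaps]
accept = 993
connect = imap.gmail.com:993
"""

# Leandro's corrected ports plus chain verification; the CAfile path is assumed.
FIXED_CONF = """\
client = yes
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
[pop3s]
accept = 127.0.0.1:110
connect = pop.gmail.com:995
[smtps]
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
"""

if __name__ == "__main__":
    for service, finding in lint_client_conf(BRENNER_CONF):
        print(f"[{service}] {finding}")
```

Run against the posted configuration the lint reports the reversed port pairs on pop3s and smtps, the all-interfaces bind on the constructed imaps service, and the missing `verify` on every service; the corrected file produces no findings. Note that on the stunnel 4.x releases in this thread `verify = 2` only checks that the server's chain validates against `CAfile`; it does not compare the certificate's name with the `connect` host.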