[stunnel-users] stunnel 5.59 released

2021-04-05 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.59 of stunnel.

### Version 5.59, 2021.04.05, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.1.1k.
* New features
  - Client-side "protocol = ldap" support (thx to Bart
    Dopheide and Seth Grover).
* Bugfixes
  - The test suite fixed not to require external connectivity.
  - Fixed paths in generated manuals (thx to Tatsuki Makino).
  - Fixed configuration reload when compression is used.
  - Fixed compilation with early releases of OpenSSL 1.1.1.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
137776df6be8f1701f1cd590b7779932e123479fb91e5192171c16798815ce9f  stunnel-5.59.tar.gz
c45fa3f70ecf0628d1f5985f2c11fedfc989bbc64db857def82ca7ee602fd8e0  stunnel-5.59-win64-installer.exe
b56d91493631ff2b18e3e596fbb491892847f5671335c3f5e2307e174742ae44  stunnel-5.59-android.zip

Best regards,
    Mike
___
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org


[stunnel-users] stunnel 5.60 released

2021-08-16 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.60 of stunnel.

### Version 5.60, 2021.08.16, urgency: LOW
* New features
  - New 'sessionResume' service-level option to allow
    or disallow session resumption
  - Added support for the new SSL_set_options() values.
  - Download fresh ca-certs.pem for each new release.
* Bugfixes
  - Fixed 'redirect' with 'protocol'.  This combination is
    not supported by 'smtp', 'pop3' and 'imap' protocols.
  - Enforced minimum WIN32 log window size.
  - Fixed support for password-protected private keys with
    OpenSSL 3.0 (thx to Dmitry Belyavskiy).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
c45d765b1521861fea9b03b425b9dd7d48b3055128c0aec673bba5ef9b8f787d  stunnel-5.60.tar.gz
190b79cb94a4f70f362e44c32d150edf8ae660734d3fa0cbd990c3821e8f3083  stunnel-5.60-win64-installer.exe
bac9bb4503cc5091d78c9deb6aa013fc07e39d67db0dfcc073b098db52f54427  stunnel-5.60-android.zip

Best regards,
    Mike





[stunnel-users] stunnel 5.61 released

2021-12-22 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.61 of stunnel.

### Version 5.61, 2021.12.22, urgency: LOW
* New features sponsored by the University of Maryland
  - Added new "protocol = capwin" and "protocol = capwinctrl"
    configuration file options.
* New features for the Windows platform
  - Added client mode allowing authenticated users to view
    logs, reconfigure and terminate running stunnel services.
  - Added support for multiple GUI and service instances
    distinguished by the location of stunnel.conf.
  - Improved log window scrolling.
  - Added a new 'Pause auto-scroll' GUI checkbox.
  - Double click on the icon tray replaced with single click.
  - OpenSSL DLLs updated to version 3.0.1.
* Other new features
  - Rewritten the testing framework in python (thx to
    Peter Pentchev for inspiration and initial framework).
  - Added support for missing SSL_set_options() values.
  - Updated stunnel.spec to support RHEL8.
* Bugfixes
  - Fixed OpenSSL 3.0 build.
  - Fixed reloading configuration with
    "systemctl reload stunnel.service".
  - Fixed incorrect messages logged for OpenSSL errors.
  - Fixed printing IPv6 socket option defaults on FreeBSD.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
91ea0ca6482d8f7e7d971ee64ab4f86a2817d038a372f0893e28315ef2015d7a  stunnel-5.61.tar.gz
19c5ff1f4101af1e69585328303c14249db2ec9063542101ca31edb6f6cc502f  stunnel-5.61-win64-installer.exe
928ec94690564498bf523228946b2cdc90c7e346d6f0baf1f71b76cbe769b96c  stunnel-5.61-android.zip

Best regards,
    Mike





[stunnel-users] Re: stunnel 5.61 transfer() loop executes not transferring any data Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket inetd mode

2022-01-17 Thread Michał Trojnara via stunnel-users

Hi Roberto,

Thank you for testing.  I'm going to issue a bugfix release today or tomorrow.

Best regards,
    Mike


On 16/01/2022 22:27, Roberto CORRADO wrote:

Hi Mike,
Good job! Stunnel 5.62 beta 1 work fine!

"""
2022.01.16 22:08:47 LOG6[ui]: Initializing inetd mode configuration
2022.01.16 22:08:47 LOG5[ui]: stunnel 5.62 on i586-slackware-linux-gnu platform
2022.01.16 22:08:47 LOG5[ui]: Compiled/running with OpenSSL 1.1.1m  14 Dec 2021
2022.01.16 22:08:47 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 
TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
2022.01.16 22:08:47 LOG6[ui]: Initializing inetd mode configuration
2022.01.16 22:08:47 LOG5[ui]: Reading configuration from file 
/etc/stunnel/imaps.conf
2022.01.16 22:08:47 LOG5[ui]: UTF-8 byte order mark not detected
2022.01.16 22:08:47 LOG5[ui]: FIPS mode disabled
2022.01.16 22:08:47 LOG6[ui]: Compression enabled: 0 methods
2022.01.16 22:08:47 LOG6[ui]: stunnel default security level set: 2
2022.01.16 22:08:47 LOG6[ui]: Session resumption enabled
2022.01.16 22:08:47 LOG6[ui]: Loading certificate from file: 
/etc/stunnel/stunnel.pem
2022.01.16 22:08:47 LOG6[ui]: Certificate loaded from file: 
/etc/stunnel/stunnel.pem
2022.01.16 22:08:47 LOG6[ui]: Loading private key from file: 
/etc/stunnel/stunnel.pem
2022.01.16 22:08:47 LOG6[ui]: Private key loaded from file: 
/etc/stunnel/stunnel.pem
2022.01.16 22:08:47 LOG6[ui]: DH initialization needed for 
DHE-RSA-AES256-GCM-SHA384
2022.01.16 22:08:47 LOG6[ui]: 4096-bit DH parameters loaded
2022.01.16 22:08:47 LOG5[ui]: Configuration successful
2022.01.16 22:08:47 LOG5[0]: Service [stunnel] accepted connection from 
10.19.79.235:41136
2022.01.16 22:08:47 LOG6[0]: Peer certificate not required
2022.01.16 22:08:47 LOG6[0]: No peer certificate received
2022.01.16 22:08:47 LOG6[0]: Session id: 
65640462303D0DA1CD16CAB4977F22B04FFB74693150104FC69AB9FBDC48AED9
2022.01.16 22:08:47 LOG6[0]: No peer certificate received
2022.01.16 22:08:47 LOG6[0]: Session id: 
B9505D917FA6F2E9C8A0EF14D6E4B01C3ED54599271D93E325ED7412CA2AC5F3
2022.01.16 22:08:47 LOG6[0]: TLS accepted: new session negotiated
2022.01.16 22:08:47 LOG6[0]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 
(256-bit encryption)
2022.01.16 22:08:47 LOG6[0]: Peer temporary key: X25519, 253 bits
2022.01.16 22:08:47 LOG6[0]: Local mode child started (PID=16984)
2022.01.16 22:08:47 LOG6[0]: TLS closed (SSL_read)
2022.01.16 22:08:47 LOG6[0]: Read socket closed (readsocket)
2022.01.16 22:08:47 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2022.01.16 22:08:47 LOG5[0]: Connection closed: 979 byte(s) sent to TLS, 128 
byte(s) sent to socket
"""

Thanks a lot!

-Roberto

>
>
> - Original Message -
> Sent: Sunday, January 16, 2022 9:52 PM
> Michał Trojnara wrote:
>
>
>> Hi Roberto,
>>
>> Could you try https://www.stunnel.org/downloads/beta/stunnel-5.62b1.tar.gz ?
>>
>> Best regards,
>>  Mike


[stunnel-users] stunnel 5.62 released

2022-01-17 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.62 of stunnel.

### Version 5.62, 2022.01.17, urgency: MEDIUM
* New features
  - Added a bash completion script.
* Bugfixes
  - Fixed a transfer() loop bug.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
9cf5bb949022aa66c736c1326554cca27d0641605a6370274edc4951eb5bd339  stunnel-5.62.tar.gz
fbfcc5759344bcafff9ff3bc6cf56c7fb75cb1244b76d4934c5d9a3eb7eee32d  stunnel-5.62-win64-installer.exe
4b52ed6e4bb8293fdefb10ee8c271400a8c1749254a11b674ff690eae00b3c5e  stunnel-5.62-android.zip

Best regards,
    Mike




[stunnel-users] stunnel 5.63 released

2022-03-15 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.63 of stunnel.

### Version 5.63, 2022.03.15, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 3.0.2.
* New features
  - Updated stunnel.spec to support bash completion.
* Bugfixes
  - Fixed a PRNG initialization crash (thx to Gleydson Soares).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
c74c4e15144a3ae34b8b890bb31c909207301490bd1e51bfaaa5ffeb0a994617  stunnel-5.63.tar.gz
723f54c28073f17b1ac095a2ab9922735c69f73fba6144a5c68cc160dc673b10  stunnel-5.63-win64-installer.exe
c77850c39dfb42f95d26d4f5830a261a95c3785d8c39bdd9f28764ba43ee1d7d  stunnel-5.63-android.zip

Best regards,
    Mike




[stunnel-users] stunnel 5.71 released

2023-09-19 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.71 of stunnel.

### Version 5.71, 2023.09.19, urgency: MEDIUM
* Security bugfixes
  - OpenSSL DLLs updated to version 3.1.3.
* Bugfixes
  - Fixed the console output of tstunnel.exe.
* Features sponsored by SAE IT-systems
  - OCSP stapling is requested and verified in the client mode.
  - Using "verifyChain" automatically enables OCSP
    stapling in the client mode.
  - OCSP stapling is always available in the server mode.
  - An inconclusive OCSP verification breaks TLS negotiation.
    This can be disabled with "OCSPrequire = no".
  - Added the "TIMEOUTocsp" option to control the maximum
    time allowed for connecting an OCSP responder.
* Features
  - Added support for Red Hat OpenSSL 3.x patches.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
f023aae837c2d32deb920831a5ee1081e11c78a5d57340f8e6f0829f031017f5  stunnel-5.71.tar.gz
945df5118473bcbf1ecdc5561fd6f26743c5dd1fd82e1a25199d0fd5c39a9373  stunnel-5.71-win64-installer.exe
d511df533bb89464a324b2439e7e04b24b6ce26ecc0e03b67ada307725343d40  stunnel-5.71-android.zip


Best regards,
    Mike


OpenPGP_0xB1048932DD33.asc
Description: OpenPGP public key


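As an added illustration of the client-mode OCSP stapling options listed in the 5.71 notes above (example configuration written for this page, not taken from the announcement or from the stunnel project), here is a stunnel.conf service that fails closed on an inconclusive OCSP check. The service name, addresses, file paths and the timeout value are assumed placeholders:

```ini
; Added example: client-mode service using the OCSP stapling behaviour
; described for stunnel 5.71. Service name, addresses, paths and the
; timeout value are assumed placeholders, not values from the announcement.
[imaps-client]
client = yes
accept = 127.0.0.1:1143
connect = mail.example.com:993

; verifyChain validates the server certificate chain against CAfile and,
; as of 5.71, also turns on requesting and verifying an OCSP staple.
verifyChain = yes
CAfile = /etc/stunnel/ca-certs.pem
checkHost = mail.example.com

; 5.71 default: an inconclusive OCSP verification breaks the TLS
; negotiation. "OCSPrequire = no" relaxes this, at the cost of letting a
; connection proceed when revocation status could not be established.
OCSPrequire = yes

; Upper bound on the time spent connecting to an OCSP responder
; (assumed value; the TIMEOUT* options in stunnel are given in seconds).
TIMEOUTocsp = 5
```

Keeping `OCSPrequire = yes` is the safer default: a responder outage then surfaces as a failed handshake in the stunnel log rather than as a silently unverified revocation status, and `TIMEOUTocsp` bounds how long such an outage can stall each connection.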


[stunnel-users] Re: stunnel cmvp number

2023-10-09 Thread Michał Trojnara via stunnel-users

On 10/9/23 14:39, Seray Tokadli wrote:
Hi, for our company I need to find the CMVP number for stunnel; however,
I am not able to find it.

Is there anyone who can help me with that?
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
I could not find stunnel here.


No surprise here.  As mentioned on https://www.stunnel.org/, stunnel 
uses a cryptographic module for OpenSSL, which is a separate product.


You can use one of the following validated modules: 
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic=openssl=Active=0


The one I distribute with my Windows build is 
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282


Best regards,
    Mike


[stunnel-users] Re: Is stunnel really compliant with RFC 2487 / RFC 3207 ?

2022-05-11 Thread Michał Trojnara via stunnel-users
Hi Javier,

stunnel is an encryption tool, and *not* a MUA/MTA, so it is not expected to be 
RFC compliant.  stunnel only has a very basic understanding of some 
application protocols to negotiate TLS.

While encryption may be an optional feature in other applications, stunnel is 
specifically designed to ensure encryption for users who want their data 
encrypted.

Have you considered using an email relay server instead?

Best regards,
    Mike

12 May 2022 00:17:10 Javier :

> Hi,
> 
> first of all, I still use a 32-bit release (the latest, I think), so
> maybe things have changed on Stunnel since.
> 
> But the statement that the protocol smtp option for a service is
> compliant with RFC 2487, should be 3207 (it is from 2002!), has been
> in the docs for ages, even in the latest version, 5.64:
> 
> ***
> smtp
> 
> Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS
> ***
> 
> 
> Long ago I tested the protocol=smtp options as both, clients and
> server service, and I noticed that, and I think I told here to the
> list confirming it (maybe for some user using it on client mode), the
> option implied STARTTLS.
> 
> Back then I didn't pay much attention to it.
> 
> 
> BUT the other day I was re-testing for a server service (own mail
> server sometimes I run) and... I said to my self that this shouldn't
> be like it was and well, I read the RFC and what tells is the
> following:
> 
> ***
> A publicly-referenced SMTP server MUST NOT require use of the
> STARTTLS extension in order to deliver mail locally. This rule
> prevents the STARTTLS extension from damaging the interoperability of
> the Internet's SMTP infrastructure. A publicly-referenced SMTP server
> is an SMTP server which runs on port 25 of an Internet host listed in
> the MX record (or A record if an MX record is not present) for the
> domain name on the right hand side of an Internet mail address.
> ***
> https://datatracker.ietf.org/doc/html/rfc3207#section-4
> 
> So, if we use Stunnel to provide THE OPTION of secure TLS connections
> to other MTAs (MTA to MTA, or server to server) we are against the
> RFC itself as every connection to port 25 must be encrypted, or
> nothing, because, as Stunnel is the door to the port and only accepts
> the STARTTLS command, without redirecting any data to the mail
> server, no traffic on plain text reaches the server.
> 
> Acting as a MSA (users - servers) there is no problem because, even
> if it hadn't/hasn't been widely supported, there are two ports 587
> for plain text and 465 for TLS. So Stunnel could be set up to listen
> on 465 port only, directly accepting TLS sessions or after STARTTLS
> command (rejecting, in this case, those that don't want a secure
> channel).
> 
> We have told several times, specially to newcomers (asking for http
> proxy, basically), that Stunnel isn't proxy, and it isn't, but in the
> case of a mail server it should act as is if we use it for a MTA mail
> server.
> 
> It acts as is sending the welcome message from the mail server to the
> other MTA, but once the other MTA doesn't send a STARTTLS command,
> it closes the connection when, actually, what should do is pass all
> the dialog between MTAs.
> 
> I think that is what Stunnel should do. And when just passing
> messages from mail server to the other MTA, just disable the logging
> for that connection. After all, the mail severs have already their own
> logs and there is no reason to log it on Stunnel, nor on the log
> screen/Stunnel window. Maybe just a line like "redirecting connection
> to the mail server".
> 
> 
> Said all the above, do latest versions behave differently?
> 
> Do you think is a change that should be made to Stunnel to comply
> with the RFC, if on latest versions don't do yet, or am I wrong
> somewhere in my statement?
> 
> Regards.
> 
> P.S.:
> MTA: Mail Transfer Agent
> MSA: Mail Submission Agent
> MUA: Mail User Agent
> 
> 
> 
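As an added example for the deployment question raised in this thread (written for this page; not code or configuration from the thread participants or the stunnel project), the following stunnel.conf puts stunnel in front of a local MTA only for implicit TLS on port 465, leaving port 25 to the MTA itself so that plaintext delivery, which RFC 3207 section 4 (quoted above) says a publicly referenced server must accept, is never blocked. Hostnames, ports and file paths are assumed placeholders:

```ini
; Added example, not from the thread: stunnel as an implicit-TLS front for
; a local MTA. Addresses, ports and paths are assumed placeholders.

; 1) Implicit TLS on 465: the TLS handshake happens before any SMTP
;    dialogue, so no "protocol" negotiation is configured. The MTA keeps
;    serving port 25 directly, plaintext and STARTTLS alike.
[smtps]
accept = 0.0.0.0:465
connect = 127.0.0.1:25
cert = /etc/stunnel/mail.pem
key = /etc/stunnel/mail.key

; 2) The behaviour described in the thread, shown disabled: with
;    "protocol = smtp" in server mode stunnel handles the SMTP banner
;    itself and only hands the session to the MTA once the peer issues
;    STARTTLS, so a plaintext-only MTA connecting to port 25 is dropped.
;[smtp-starttls-only]
;accept = 0.0.0.0:25
;connect = 127.0.0.1:25
;protocol = smtp
;cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.key
```

The first service matches the thread's own observation that port 465 is the port on which a TLS-only listener is expected; the second is kept commented out as a reminder of which configuration produces the STARTTLS-only behaviour the thread describes.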


[stunnel-users] stunnel 5.65 released

2022-07-17 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.65 of stunnel.

On Windows, this release fixes a high severity OpenSSL vulnerability:
https://www.openssl.org/news/secadv/20220705.txt

### Version 5.65, 2022.07.17, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 3.0.5.
* Bugfixes
  - Fixed handling globally enabled FIPS.
  - Fixed openssl.cnf processing in WIN32 GUI.
  - Fixed a number of compiler warnings.
  - Fixed tests on older versions of OpenSSL.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
60c500063bd1feff2877f5726e38278c086f96c178f03f09d264a2012d6bf7fc  stunnel-5.65.tar.gz
ca88e65888102f7526cab4edad7b30e8d1e82d428c34d5b5f00513dff9ed2288  stunnel-5.65-win64-installer.exe
9dadaa8622e1c1955728cbd8d49e1a6b5eae77bfa5340f7a1f82451121aee740  stunnel-5.65-android.zip

Best regards,
    Mike




[stunnel-users] stunnel 5.64 released

2022-05-06 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.64 of stunnel. This release only includes Windows 
fixes and improvements.

### Version 5.64, 2022.05.06, urgency: MEDIUM
* Security bugfixes
  - OpenSSL DLLs updated to version 3.0.3.
* New features
  - Updated the pkcs11 engine for Windows.
* Bugfixes
  - Removed the SERVICE_INTERACTIVE_PROCESS flag in "stunnel -install".

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
eebe53ed116ba43b2e786762b0c2b91511e7b74857ad4765824e7199e6faf883  stunnel-5.64.tar.gz
600e76b52a86b21f97a1af13734fdd2226c26646bb77f5f9f074ba3d5755f024  stunnel-5.64-win64-installer.exe
391db6166b22a6648fd1f1df584c13ade61c93f620e46b12ebb30b643e61d2d3  stunnel-5.64-android.zip

Best regards,
    Mike






[stunnel-users] Re: Certificate Request's "Distinguished Names" list is empty when using CAPath (but not when using CAFile)

2022-08-26 Thread Michał Trojnara via stunnel-users
Hi David,

On 8/26/22 13:51, david.rundqv...@gmail.com wrote:
> If I hash the client certificates and put them in a folder (with file names 
> .0), and use the CAPath parameter on the server, together with 
> verify=3, the server's Certificate Request message contains an empty list of 
> "Distinguished Names". 
> However, if I put the client certificates concatenated in a .pem file, and 
> use the CAFile parameter on the server, the Certificate Request message does 
> contain the Distinguished Names.
>
> Is this the correct behavior? I thought CAFile and CAPath worked more or less 
> in the same way, but perhaps the Certificate Request message is implemented 
> differently, depending on if you use CAFile or CAPath?
> My preferred way is to use CAPath: Is there some way I can get the 
> Distinguished Names not to be empty, when using CAPath?

TL;DR:  Yes, this is the correct behavior.  Also, you probably misuse
X.509 by adding and removing individual client certificates instead of
using its hierarchical trust model:
https://en.wikipedia.org/wiki/X.509

The main difference between CAfile and CApath is that CAfile reads all
the certificates with the stunnel's configuration file, while CApath
only reads a certificate during certification path validation.
https://en.wikipedia.org/wiki/Certification_path_validation_algorithm

Using CApath saves startup time and memory usage with large number of
trusted certificates, but it does not allow for building a list of
trusted Distinguished Names.  Consequently, there is no way for stunnel
to use CApath with automatic client certificate selection.
https://textslashplain.com/2020/05/04/client-certificate-authentication/

The proper way to configure automatic client certificate selection is to
provide the CA certificate used for signing your client certificates
with CAfile and the list of revoked certificates with CRLfile.

Best regards,
    Mike
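The configuration the reply recommends, as an added example written for this page (not the poster's configuration and not from the stunnel project): a server-mode service that trusts one client CA via CAfile and tracks revocations in CRLfile, next to the CApath variant from the question. Addresses and file paths are assumed placeholders. Note that the 5.68 release notes elsewhere on this page list a change to client certificate requests with CApath in server mode, so check the behaviour of the version you run:

```ini
; Added example, not from the thread: server-side client certificate
; authentication. Addresses and paths are assumed placeholders.

; Recommended: one CA that signs all client certificates. stunnel reads
; CAfile at startup, so the CA's Distinguished Name can be sent in the TLS
; Certificate Request and clients can select a matching certificate
; automatically. Revoked clients go into CRLfile instead of being removed
; from a directory of individual certificates.
[imaps]
accept = 0.0.0.0:993
connect = 127.0.0.1:143
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
CAfile = /etc/stunnel/client-ca.pem
CRLfile = /etc/stunnel/client-ca.crl
verifyChain = yes
requireCert = yes

; The variant from the question, shown disabled: CApath is only consulted
; lazily during certification path validation, so no DN list is built and
; the Certificate Request carries an empty list of Distinguished Names.
;[imaps-capath]
;accept = 0.0.0.0:993
;connect = 127.0.0.1:143
;cert = /etc/stunnel/server.pem
;key = /etc/stunnel/server.key
;CApath = /etc/stunnel/trusted-clients
;verify = 3
```

With the CAfile form, the per-client decision moves from "is this certificate present in the directory" to "was it issued by the CA and is it absent from the CRL", which is the hierarchical model the reply points to; keeping the CRL current is then the operational requirement.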


[stunnel-users] Re: "make cert" get "Error configuring OpenSSL modules"

2022-10-27 Thread Michał Trojnara via stunnel-users

On 27/10/2022 18:08, decatu...@163.com wrote:


Hi, all.
I have done "make && make install" under "sudo", then I got this when "make 
cert"
---

...

139784943940928:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(libproviders.so): libproviders.so: cannot open shared object file: No such file or directory


Good point.  I just noticed it today.  "make cert" indeed stopped working with OpenSSL 
older than 3.0.  A workaround is to comment out (or remove) the "providers = 
provider_sect" line in tools/openssl.cnf.  I need to find a way to fix it.

Best regards,
    Mike





[stunnel-users] stunnel 5.66 released

2022-09-11 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.66 of stunnel.

### Version 5.66, 2022.09.11, urgency: MEDIUM
* New features
  - OpenSSL 3.0 FIPS Provider support for Windows.
* Bugfixes
  - Fixed building on machines without pkg-config.
  - Added the missing "environ" declaration for
    BSD-based operating systems.
  - Fixed the passphrase dialog with OpenSSL 3.0.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
558178704d1aa5f6883aac6cc5d6bbf2a5714c8a0d2e91da0392468cee9f579c  stunnel-5.66.tar.gz
5fccb2e4db0d2e3c1adb26c3906585ac545baf88226f4f539b2dc43fe418a3ef  stunnel-5.66-win64-installer.exe
3b1e30e060e16f6aa9a8ad1b1a6ba1210c165bf76bd01e4734cb4537e0717c09  stunnel-5.66-android.zip

Best regards,
    Mike




[stunnel-users] Re: Enter-passphrase dialog broken

2022-08-15 Thread Michał Trojnara via stunnel-users

Hi Johann,

I investigated this issue and found out that encrypted private keys were 
never working with OpenSSL 3.0 (regardless of stunnel version).

Thank you very much for reporting this bug!

Please try building 
https://www.stunnel.org/downloads/beta/stunnel-5.66b1.tar.gz from source.  It 
works fine in my tests.

Also, https://www.stunnel.org/downloads/beta/stunnel-5.66b1-win64-installer.exe 
should fix it on Windows.

Best regards,
    Mike

On 15/08/2022 16:26, Johann Hörmann via stunnel-users wrote:

Hi,

since stunnel 5.62 it does not take the passphrase for a client key anymore, 
instead it gives a 'bad decrypt' log at once.

It is the same behaviour at Debian/sid Distro as well as with Windows10.

Up to stunnel 5.61 the same stunnel.conf is accepted and the key gets loaded.

Here is the top of our stunnel.conf:

cert = /home/regula/cert.pem
key = /home/regula/cert.key

client = yes

[-- snip --]

Calling stunnel at the bash:

$ stunnel stunnel.conf
[-- snip --]
[ ] Loading certificate from file: /home/regula/cert.pem
[ ] Certificate loaded from file: /home/regula/cert.pem
[ ] Loading private key from file: /home/regula/cert.key
[!] error queue: ../ssl/ssl_rsa.c:384: error:0A080009:SSL routines::PEM lib
[!] error queue: ../crypto/pkcs12/p12_decr.c:86: error:11800074:PKCS12 routines::pkcs12 cipherfinal error
[!] error queue: ../providers/implementations/ciphers/ciphercommon_block.c:124: error:1C800064:Provider routines::bad decrypt
[!] error queue: ../crypto/pkcs12/p12_decr.c:86: error:11800074:PKCS12 routines::pkcs12 cipherfinal error
[!] SSL_CTX_use_PrivateKey_file: ../providers/implementations/ciphers/ciphercommon_block.c:124: error:1C800064:Provider routines::bad decrypt
[!] Service [guacamole]: Failed to initialize TLS context
[!] Configuration failed
[-- snip --]

$ ls -lh  *pem *key
-r 1 regula regula 3,4K 22. Jun 16:52 cert.key
-r 1 regula regula 2,2K 22. Jun 16:45 cert.pem

openssl does show the enter passphrase dialog and displays the private key:

$ openssl rsa -in cert.key
Enter pass phrase for cert.key:
writing RSA key
-BEGIN PRIVATE KEY-
[-- snip --]
-END PRIVATE KEY-

~$ dpkg -l|grep openssl
ii  openssl 3.0.4-2 amd64 Secure Sockets Layer toolkit - cryptographic utility
~$ dpkg -l|grep stunnel
ii  stunnel4  3:5.63-1+b1 amd64 Universal SSL tunnel for network daemons

Why is there a different behaviour between openssl and stunnel > 5.61 in 
loading a private key file?


Regards,
Johann





[stunnel-users] stunnel 5.67 released

2022-11-01 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.67 of stunnel.

### Version 5.67, 2022.11.01, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 3.0.7.
* New features
  - Provided a logging callback to custom engines.
* Bugfixes
  - Fixed "make cert" with OpenSSL older than 3.0.
  - Fixed the code and the documentation to use conscious
    language for SNI servers (thx to Clemens Lang).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
3086939ee6407516c59b0ba3fbf555338f9d52f459bcab6337c0f00e91ea8456  stunnel-5.67.tar.gz
a6bdc2a735eb34465d10e3c7e61f32d679ba29a68de8ea8034db79c0c8b328a3  stunnel-5.67-win64-installer.exe
893f53d6647900eb34041be8f21a21c052a31de3fb393a97627021a1ef2752f5  stunnel-5.67-android.zip

Best regards,
    Mike




[stunnel-users] Re: STunnel not passing traffic

2023-01-15 Thread Michał Trojnara via stunnel-users

On 13/01/2023 20:05, Gary Jackson wrote:


2023.01.13 14:03:42 LOG6[16572]: TLS accepted: new session negotiated
2023.01.13 14:03:42 LOG6[16572]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2023.01.13 14:03:42 LOG6[16572]: SSL_read: Socket is closed
2023.01.13 14:03:42 LOG6[16572]: TLS socket closed (SSL_read)


The log says that your stunnel server has successfully negotiated TLS 1.2, and 
then your TLS client has closed the underlying socket without sending any alert 
required by RFC 5246.

https://www.rfc-editor.org/rfc/rfc5246#section-7.2

It's hard to guess *why* your client has closed the socket.  For example, a 
prematurely terminated (possibly crashed) client could cause such behavior.

Best regards,
    Mike





[stunnel-users] Re: tstunnel.exe fails to start after updating from 5.67 to 5.68

2023-02-20 Thread Michał Trojnara via stunnel-users

Hi Kimura-san,

On 20/02/2023 10:58, Yasuhiro Kimura wrote:

[!] No trusted certificates found


The latest release of stunnel started using an OpenSSL function that doesn't 
work on Windows.

We submitted a pull request to the OpenSSL project and published a beta 
installer that includes a patched OpenSSL.

Please give it a try: 
https://www.stunnel.org/downloads/beta/stunnel-5.69b1-win64-installer.exe

Our pull request: https://github.com/openssl/openssl/pull/20312

Best regards,
    Mike





[stunnel-users] stunnel 5.69 released

2023-03-04 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.69 of stunnel.

### Version 5.69, 2023.03.04, urgency: MEDIUM
* New features
  - Improved logging performance with the "output" option.
  - Improved file read performance on the WIN32 platform.
  - DH and kDHEPSK ciphersuites removed from FIPS defaults.
  - Set the LimitNOFILE ulimit in stunnel.service to allow
    for up to 10,000 concurrent clients.
* Bugfixes
  - Fixed the "CApath" option on the WIN32 platform by
    applying https://github.com/openssl/openssl/pull/20312.
  - Fixed stunnel.spec used for building rpm packages.
  - Fixed tests on some OSes and architectures by merging
    Debian 07-tests-errmsg.patch (thx to Peter Pentchev).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
1ff7d9f30884c75b98c8a0a4e1534fa79adcada2322635e6787337b4e38fdb81  stunnel-5.69.tar.gz
66c4f3bbb94c4a274f2e8e98e3d44e74c0460d6494986f0a94b9b8becdc63cc3  stunnel-5.69-win64-installer.exe
74813a0be13270b5348fc4bc7c16ada668d151773be19f404db1176b7e22aafc  stunnel-5.69-android.zip

Best regards,
    Mike





[stunnel-users] Re: Is there installing instructions for Stunnel on Debian ?

2023-04-26 Thread Michał Trojnara via stunnel-users

On 26/04/2023 11:20, Peter Pentchev wrote:

Um. Yeah. One thing that may have tripped you up is that due to
historical reasons, the stunnel package in Debian is called "stunnel4".
I have had plans for fixing that, renaming it back to "stunnel", but
it is a bit complicated (especially if one wants to preserve the users'
configuration settings, which most users may be kind of attached to), so
I keep putting it off year after year...


Couldn't you simply leave the original name (/usr/bin/stunnel) as it is, and 
also create a symbolic link (/usr/bin/stunnel4) to retain compatibility with 
previous Debian releases?

Best regards,
    Mike





[stunnel-users] stunnel 5.68 released

2023-02-07 Thread Michał Trojnara via stunnel-users

Dear Users,

I have released version 5.68 of stunnel.

### Version 5.68, 2023.02.07, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 3.0.8.
* New features
  - Added the new 'CAengine' service-level option
    to load a trusted CA certificate from an engine.
  - Added requesting client certificates in server
    mode with 'CApath' besides 'CAfile'.
* Bugfixes
  - Fixed EWOULDBLOCK errors in protocol negotiation.
  - Fixed handling TLS errors in protocol negotiation.
  - Prevented following fatal TLS alerts with TCP resets.
  - Improved OpenSSL initialization on WIN32.
  - Improved testing suite stability.
  - Improved file read performance.
  - Improved logging performance.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
dcd895ab088b043d4e0bafa8b934e7ab3e697293828dbe9fce46cb7609a7dacf  stunnel-5.68.tar.gz
62807f6233c8a5693104c09b44ebde6cc395877d948651c3ff0767e07ccdd316  stunnel-5.68-win64-installer.exe
93291060fdfc889431e8bce5cfe875b23be2bac11e2338f8f8f84d509f1b33fa  stunnel-5.68-android.zip

Best regards,
    Mike





[stunnel-users] Re: stunnel 5.57 crashed while trying to write logs

2023-07-06 Thread Michał Trojnara via stunnel-users

Hi Phan Anh,

Can you please execute "stunnel -version" on that system (the command 
"stunnel" with the "-version" parameter)?


Yes, updating both stunnel *and* OpenSSL to their latest stable versions 
(5.69 and 3.1.1 respectively) is a good idea.


What exactly is this "mbient-linux"?  Which version of libc and OpenSSL 
does it use?  Is there any public documentation for that project?  I've 
seen similar errors caused by 3rd party modifications of OpenSSL or 
recently by a bug in musl that is used instead of glibc on Alpine Linux.


Best regards,
    Mike

On 7/6/23 16:54, phananh.ngu...@dxc.com wrote:

Hi Mike,
thanks for the quick reply. It's not easy to reproduce the crash on the 
production system and also it's not possible to run valgrind on the production 
system as well. However I have tried to collect some more information as 
following:

stunnel-version:
LOG5[ui]: stunnel 5.57 on aarch64-mbient-linux-gnu platform

stunnel.conf
[proxy-r]
; local endpoint
accept = 1
; remote endpoint
connect = some-server-name:443
verifyChain = yes
checkHost = some-server-name
sslVersion = TLSv1.3

system log around the crash point:

593805 2023/06/16 01:36:59.284173 133.4751 105 LNX SYS JOUR 927 log debug 
verbose 5 2023/06/16 01:36:58.878789 133.074348 stunnel[4346]: Debug: LOG7[ui]: 
Service [proxy-r] accepted (FD=16) from 127.0.0.1:38392
593807 2023/06/16 01:36:59.284181 133.4751 107 LNX SYS JOUR 927 log warn 
verbose 5 2023/06/16 01:36:58.881544 133.075156 kernel: Warning: CPU: 6 PID: 
17279 Comm: stunnel Tainted: PW  O  5.4.134-qgki #1
593830 2023/06/16 01:36:59.284839 133.4753 130 LNX SYS JOUR 927 log debug 
verbose 5 2023/06/16 01:36:59.005061 133.200639 systemd[1]: Debug: Received 
SIGCHLD from PID 4346 (stunnel).
593831 2023/06/16 01:36:59.284948 133.4753 131 LNX SYS JOUR 927 log debug 
verbose 5 2023/06/16 01:36:59.005130 133.200828 systemd[1]: Debug: Child 4346 
(stunnel) died (code=killed, status=6/ABRT)

the logs for the working case should look like this:
2023.04.25 11:03:48 LOG7[ui]: Service [proxy-r] accepted (FD=16) from 
127.0.0.1:56650
2023.04.25 11:03:48 LOG7[4]: Service [proxy-r] started

I have seen some refactoring regarding stunnel logging for the versions after 
5.57, do you think it makes sense to upgrade the stunnel to the later version 
in the hope to resolve the crash?
Many thanks.
BR,
Phan Anh
___
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org


[stunnel-users] Re: “latest” alias

2023-07-14 Thread Michał Trojnara via stunnel-users

Hi David,

The goal of *not* having the "latest" links was to make it harder for 
people to just fetch the latest stunnel from my server in their CI/CD 
pipelines (potentially, on each commit) instead of using their local 
mirror.  I see thousands of automated requests from a single IP address 
in my logs.


I guess I need to implement rate-limiting for those requests instead.  
Alternatively, maybe I should try using CloudFlare CDN. I'd appreciate 
your comments and recommendations.


Best regards,
    Mike

On 7/14/23 18:13, David Richard (CajunD) wrote:

Hi Folks,

I have found some older discussions about keeping archives and such, but wanted 
to ask if you could create an alias that always pointed to the latest version.

We were hard-linking to a version in /downloads/ and when version 5.69 was 
removed a few days ago, some automation on our end broke and (as a result of 
circumstance) caused an outage while we were trying to fix another problem with 
a remote dependency. We have altered our script to point to the archive version 
and added checking to ensure any future problems are handled properly.

That being said, we will always want the latest version of your software when 
we build our machine images. And while you do send an announcement, we have to 
take additional action on our end to get that new version. A “latest” link 
would allow us to get the latest version automatically when we perform security 
updates.

Thanks for considering this request.

David.
---
David Richard
caj...@gmail.com
___
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org
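Whether the tarball comes from /downloads/, from the archive or from a local mirror, the check that would have caught both a silently changed file and a vanished link is the same: pin the version and compare the file's SHA-256 against the hash each release announcement on this list publishes. The script below is an added example and not part of the stunnel project; the URL layout (a /downloads/ directory tried first, then an archive directory) and the destination directory are assumptions, and the hash for 5.68 is copied from the announcement earlier on this page.

```shell
#!/bin/sh
# Added example (not from the stunnel project): pin a release and verify the
# SHA-256 hash from the release announcement before using the file.
# Assumptions: the download URL layout and the destination directory are
# hypothetical; the 5.68 hash below is copied from the announcement above.

STUNNEL_5_68_SHA256=dcd895ab088b043d4e0bafa8b934e7ab3e697293828dbe9fce46cb7609a7dacf

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 otherwise. Uses sha256sum (coreutils) or shasum (BSD/macOS) as fallback.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# fetch_pinned VERSION EXPECTED_HEX [DESTDIR]
# Downloads stunnel-VERSION.tar.gz, trying the current downloads directory
# first and the (assumed) archive directory second, and deletes the file
# unless its hash matches. Exit status 0 only for a verified download.
fetch_pinned() {
    version=$1
    expected=$2
    dest=${3:-.}
    out="$dest/stunnel-$version.tar.gz"
    for base in "https://www.stunnel.org/downloads" \
                "https://www.stunnel.org/archive/5.x"; do   # archive path assumed
        if curl -fsSL -o "$out" "$base/stunnel-$version.tar.gz"; then
            if verify_sha256 "$out" "$expected"; then
                echo "verified $out"
                return 0
            fi
            # A wrong hash is a hard failure, not a reason to try the next URL.
            echo "hash mismatch for $out, removing it" >&2
            rm -f "$out"
            return 1
        fi
    done
    echo "download failed for stunnel-$version" >&2
    return 1
}

# Usage (not run here):  fetch_pinned 5.68 "$STUNNEL_5_68_SHA256" /tmp
```

The hash mismatch branch deliberately stops instead of falling through to the next URL: a file that downloads but does not verify is the case the check exists for, and trying another source would only hide it.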


[stunnel-users] Re: stunnel 5.57 crashed while trying to write logs

2023-07-05 Thread Michał Trojnara via stunnel-users

Hi Phan Anh,

The "corrupted double-linked list" error in malloc_consolidate() means 
that the heap data structures were already corrupted before executing 
this operation.  Running stunnel with valgrind should identify the root 
cause.  See https://valgrind.org/ for details.


Please also include your stunnel.conf and the output of "stunnel -version".

Best regards,
    Mike

On 7/4/23 20:52, phananh.ngu...@dxc.com wrote:

it crashed at the function log_raw.
here is the backtrace

== Backtrace
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x007f82ed54b4 in __GI_abort () at abort.c:79
#2  0x007f82f1f984 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7f82fdc660 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x007f82f273dc in malloc_printerr (str=str@entry=0x7f82fd7bc8 "corrupted 
double-linked list") at malloc.c:5389
#4  0x007f82f27cc8 in unlink_chunk (p=p@entry=0x7f64012260, 
av=0x7f6420) at malloc.c:1472
#5  0x007f82f27e48 in malloc_consolidate (av=av@entry=0x7f6420) at 
malloc.c:4539
#6  0x007f82f29df0 in _int_malloc (av=av@entry=0x7f6420, 
bytes=bytes@entry=8192) at malloc.c:3727
#7  0x007f82f2c5b0 in __libc_calloc (n=, elem_size=) at malloc.c:3448
#8  0x007f82f1e41c in __GI___open_memstream 
(bufloc=bufloc@entry=0x7f72ffc3f8, sizeloc=sizeloc@entry=0x7f72ffc400) at 
memstream.c:83
#9  0x007f82f7d274 in __vsyslog_internal (pri=31, pri@entry=7, 
fmt=fmt@entry=0x5584b5f930 "%s: %s", ap=..., mode_flags=mode_flags@entry=2) at 
../misc/syslog.c:181
#10 0x007f82f7d810 in __syslog_chk (pri=pri@entry=7, flag=flag@entry=1, 
fmt=fmt@entry=0x5584b5f930 "%s: %s") at ../misc/syslog.c:136
#11 0x005584b45884 in syslog (__fmt=0x5584b5f930 "%s: %s", __pri=7) at 
/usr/include/bits/syslog.h:31
#12 log_raw (level=level@entry=7, stamp=stamp@entry=0x7f64003420 "2023.06.16 01:36:58", 
id=id@entry=0x7f64001120 "LOG7[19]", text=text@entry=0x7f6401b060 "Service [proxy-r] started", 
opt=, opt=) at ../../stunnel-5.57/src/log.c:263
#13 0x005584b45b88 in s_log (level=level@entry=7, format=format@entry=0x5584b5a780 
"Service [%s] started") at ../../stunnel-5.57/src/log.c:192
#14 0x005584b454e8 in client_main (c=c@entry=0x7f82e30060) at 
../../stunnel-5.57/src/client.c:178
#15 0x005584b45658 in client_thread (arg=0x7f82e30060) at 
../../stunnel-5.57/src/client.c:130
#16 0x007f83026e64 in start_thread (arg=0x7fc21e457f) at 
pthread_create.c:463
#17 0x007f82f815dc in thread_start () at 
../sysdeps/unix/sysv/linux/aarch64/clone.S:78
== Thread apply all backtrace full
___
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org


[stunnel-users] Re: stunnel not starting

2023-05-09 Thread Michał Trojnara via stunnel-users

Hi,

 [!] /etc/stunnel/stunnel.conf:24: "output = /tmp/stunnel.log": Specified 
option name is not valid here


The error says that you tried to put a global configuration file option 
("output") in a service section.

See https://www.stunnel.org/static/stunnel.html for details.

Best regards,
    Mike



___
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org
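Both the "stunnel not starting" error above (a global option such as "output" placed after a service header) and the client-side stunnel.conf posted in the 5.57 crash thread come down to where options sit in the file: global options must appear before the first [service] header, and a client service that is expected to verify the server needs a trust store for verifyChain and checkHost to work against. The configuration below is an added example, not one shipped by the stunnel project; the local accept port, the CAfile path and the log file path are assumptions.

```ini
; Added example, not a configuration from the stunnel project.
; Global options go first. The line "output = /tmp/stunnel.log" placed inside
; a service section is what produces:
;   "output = /tmp/stunnel.log": Specified option name is not valid here

; ---- global options (before any [service] header) ----
output = /tmp/stunnel.log
foreground = no
pid = /var/run/stunnel.pid
debug = info

; ---- client service: verify the remote server before forwarding ----
[proxy-r]
client = yes
; local endpoint (port assumed)
accept = 127.0.0.1:8443
; remote endpoint
connect = some-server-name:443
; trust store the chain is verified against (path assumed)
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = some-server-name
sslVersionMin = TLSv1.2
sessionResume = yes
```

Without a CAfile or CApath there is nothing for verifyChain to verify against, so a client section that sets verifyChain and checkHost should always name one; sslVersionMin = TLSv1.2 keeps the floor explicit while still permitting TLS 1.3.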


[stunnel-users] Re: Update newest version

2023-05-05 Thread Michał Trojnara via stunnel-users

On 05/05/2023 01:14, sportm...@netzero.com wrote:

Thought I'd try adding more details. Again, a Stunnel user for many years. Just 
do not understand what needs to be done for me to deliver this newest version 
of Stunnel to a client that is running my software.  I currently have all 
Stunnel files stored on the local C drive for each user. The app code 
references that folder. In the past, I simply copied the new downloaded files 
(.DLL. .EXE, etc.) to this folder. This does not work now.

Is there some preparation that needs to be done to these files? Do I need to create a 
private key after the download or will the new downloaded .PEM file work as is? 
Really appreciate any and all advice on this.


Just copy the entire stunnel folder (with all of its subfolders) to your 
application.  Don't forget to include stunnel's license when you distribute 
your application to your customers.

If it doesn't work, first read 
https://www.chiark.greenend.org.uk/~sgtatham/bugs.html, and then describe your 
problem accordingly.

Best regards,
    Mike



___
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org