Hi WATANABE, Takeo,
I've heard that El Capitan no longer installs OpenSSL headers. You may need to
install OpenSSL (either directly from source, or using a package manager).
Mike
Original message
Subject: [stunnel-users] Do Not Make Stunnel on El Capitan
From: WATANABE Takeo
On 12.02.2016 23:39, Philippe Anctil wrote:
> Well, that's because the situation is happening when the program
> loops somewhere else, most likely in daemon_loop.
This is not how BSD sockets work. The interface between applications
and the kernel r
On 18.02.2016 10:47, Shay Cohen wrote:
> But in this case it does not get the certificate (for some reason).
>
I forgot to ask the obvious question:
Which version of stunnel do you use?
At least for the private key, you may specify its name with
"k
On 11.03.2016 07:12, Jim Howland wrote:
> I am running a Windows instance of stunnel as a client and a
> Linux version as the server
>
> When I set this on the Windows side :
>
> engine = capi
>
> and this in my section:
>
> engineId = capi
>
On 28.03.2016 16:27, Jon Bogaty wrote:
> The issue is when I setup everything on the server and try to
> connect with a client I either get for "verify 2" warnings about
> MiTM authentication problems, or for "verify 3" or "verify 4",
> which should
On 31.03.2016 22:28, Fritz Gschwendner wrote:
> we have a memory leak with stunnel 5.31 in server mode on Windows
> Server 2012. Page File Bytes of the stunnel process keep growing.
[cut]
> I suspect it has something to do with clients not closing th
On 28.04.2016 16:27, BOXI31 TEST wrote:
> To make "Stunnel 5.31" work with Gmail, I have to go in security
> settings of Gmail and "allow less secure apps to access my account".
>
> Is it mandatory ?
As far as I understand:
https://support.google.com/accounts/answer/6010255?hl=en
this confusing e
Dear Users,
I have released version 5.32 of stunnel.
The ChangeLog entry:
Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2h.
https://www.openssl.org/news/secadv_20160503.txt
* New features
- New "socket = a:IPV6_V6ONLY=yes" option to onl
On 12.05.2016 02:59, Brandon Jackson wrote:
> [httpsmain]
> accept = 443
> accept = :::443
> connect = 10.0.1.1:9443
IPv6 also accepts IPv4 connections by default.
Your solution is:
[httpsmain]
accept = :::443
connect = 10.0.1.1:9443
Best regards,
Mike
On 12.05.2016 15:57, Brugman, Matt wrote:
> I’ve compiled stunnel for Windows CE 5.0 and 6.0, and am running it on
> an ARM device.
Which version of stunnel have you compiled?
Make sure to use stunnel 5.32, as it contains an important WCE fix.
Best regards,
Mike
On 16.05.2016 09:42, Adrian Irimescu wrote:
> Instead of this the stunnel allocates about 28K for any new session
> which does not have a stored session in cache and does not free this
> anymore.
Please try:
https://www.stunnel.org/downloads/beta/stunnel-5.33b2.tar.gz
In my tests this fixes the me
On 31.05.2016 00:42, Konstantin Belousov wrote:
> I have a following configuration for the outgoing connection
> [XXX-1]
> client = yes
> accept = 127.0.0.1:1564
> connect = some-server:
> local = some-other-address
[cut]
> The socket was created with INET6 address family, but bind was done for
I'm pretty sure the use of ExpandEnvironmentStringsA() will break WCE
builds. Please correct me if I'm wrong.
Best regards,
Mike
On 23.05.2016 14:24, Dmitry Bakshaev wrote:
> the problem frequently occurs on the client side: admin need to
> configure stunnel for multiple users.
> every u
Dear Users,
I have released version 5.33 of stunnel.
This release fixes a memory leak. Upgrade is highly recommended.
The ChangeLog entry:
Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the curr
Dear Users,
I have released version 5.34 of stunnel.
This release includes a major security bugfix.
The ChangeLog entry:
Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added
Dear Users,
I have released version 5.35 of stunnel.
The ChangeLog entry:
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file re
On 08/22/2016 01:11 PM, John Fisherman wrote:
> I am currently trying to make stunnel work for an Android x86
> architecture.
> The android binary found on the stunnel official website is not
> supported on x86 architecture, so I'd like to cross-compile it myself
> using the 'configure' options. I
On 13.09.2016 20:35, Ulli Horlacher wrote:
>> It is impossible to say anything without analysis of the executed fexsrv
>> program.
>
> The problem cannot be in fexsrv, because it works with stunnel 4.27
What is the point of sending an email to the mailing list when you
ignore our effort to help
On 13.09.2016 20:56, Mark Hannig wrote:
> I am trying to enable sslv3 by adding the following line to config:
>
> SSL_VERSION = SSLv3
>
> but I keep getting this error:
>
> stunnel.conf:78: "SSL_VERSION = SSLv3": Specified option name is not
> valid here
>
> Am I doing something wrong?
Yes. S
Dear Users,
I have released version 5.36 of stunnel.
Version 5.36, 2016.09.22, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2i.
https://www.openssl.org/news/secadv_20160922.txt
* New features
- Added support for OpenSSL 1.1.0 built with "no-deprecated".
- Remo
Dear Users,
I have released version 5.37 of stunnel.
Version 5.37, 2016.11.06, urgency: MEDIUM
* Bugfixes
- OpenSSL DLLs updated to version 1.0.2j (stops crashes).
- The default SNI target (not handled by any slave service)
is handled by the master service rather than rejected.
- Remove
On 18.11.2016 21:42, Michael Weiser wrote:
> But couldn't stunnel just continue with the next IP if s_socket() failed
> with EAFNOSUPPORT?
I just changed the code to continue with the next IP for all the errors.
It also fixes some local bind issues I struggled with. 8-)
Please try:
https://www.s
Dear Users,
I have released version 5.38 of stunnel.
Version 5.38, 2016.11.26, urgency: MEDIUM
* New features
- "sni=" can be used to prevent sending the SNI extension.
- The AI_ADDRCONFIG resolver flag is used when available.
- Merged Debian 06-lfs.patch (thx Peter Pentchev).
* Bugfixes
27.11.2016 02:29, Peter Pentchev wrote:
> On Sat, Nov 26, 2016 at 11:26:04PM +0100, Michał Trojnara wrote:
>> Dear Users,
>>
>> I have released version 5.38 of stunnel.
>
> Hi,
>
> Thanks for your continuing work on stunnel!
>
> Unfortunately, 5.38 doesn
On 10.12.2016 00:39, Bruce Guenter wrote:
> 2016.12.09 18:34:34 LOG5[ui]: Service [smtps] accepted connection from
> 174.2.75.223:39746
Your configuration file and the log sample helped a lot. Thank you!
I fixed logId to also work in the inetd mode:
https://www.stunnel.org/downloads/beta/stunne
Dear Users,
I have released version 5.39 of stunnel.
Version 5.39, 2017.01.01, urgency: LOW
* New features
- PKCS#11 engine (pkcs11.dll) added to the Win32 build.
- Per-destination TLS session cache added for the client mode.
- The new "logId" parameter "process" added to log PID values.
On 06.01.2017 16:50, John BYaka wrote:
> Is it possible to forward real ip in special header? I know about
> 'protocol=proxy' but for using this i need to implement HAProxy protocol
> in app.
No, stunnel does not implement HTTP.
I guess by "a special header" you mean an HTTP header.
Best regards,
Dear Users,
I have released version 5.40 of stunnel.
Version 5.40, 2017.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2k.
https://www.openssl.org/news/secadv/20170126.txt
* New features
- DH ciphersuites are now disabled by default.
- The daily server DH
On 21.02.2017 16:04, Melzer, Jacob wrote:
> 2017.02.21 09:31:25 LOG5[ui]: stunnel 5.40 on powerpc-ibm-aix6.1.0.0
> platform
> 2017.02.21 09:31:25 LOG5[ui]: Compiled/running with OpenSSL 1.0.2j 26
> Sep 2016
[cut]
> INTERNAL ERROR: Bad magic at OpenSSL, line 0
This is the way stunnel detects heap
On 23.02.2017 17:41, Andrew Culver wrote:
> I'm running stunnel 5.40 and I'm having the same problem on 2 different
> servers running openssl 1.1.0d and 1.1.0e.
Apparently, sessions are no longer expected to be explicitly released
with OpenSSL 1.1.x. Peter Pentchev is currently investigating this
On 23.02.2017 23:33, Andrew Culver wrote:
> Tried 5.41b3 and it's no longer segfaulting. I'll keep an eye out for
> 5.41 stable. Here's the debug log if it should help Peter with his
> workaround:
I think the proper course of action would be to check whether this
change of OpenSSL's behavior was i
Dear Users,
I have released version 5.41 of stunnel.
Version 5.41, 2017.04.01, urgency: MEDIUM
* New features
- PKCS#11 engine DLL updated to version 0.4.5.
- Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
- Key file name added into the passphrase console prompt.
- Performance
Hi Guys,
Windows services are started *before* a user logon. This feature is
incompatible with passphrase-protected private keys. You either need to
start stunnel as a user application (and not a Windows service), or to
remove the passphrase from your private key. An empty password should
do th
Dear Users,
I have released version 5.42 of stunnel.
Version 5.42, 2017.07.16, urgency: HIGH
* New features
- "redirect" also supports "exec" and not only "connect".
- PKCS#11 engine DLL updated to version 0.4.7.
* Bugfixes
- Fixed premature cron thread initialization causing hangs.
- Fix
On 09/22/2017 10:52 AM, Reschke, Sven (VWIF G-TS/P) wrote:
> configure.ac:4: error: possibly undefined macro: AC_MSG_NOTICE
You need to install the autoconf-archive package on your system.
The autoconf error is not very helpful indeed...
Best regards,
Mike
Dear Users,
I have released version 5.43 of stunnel.
Version 5.43, 2017.11.05, urgency: LOW
* New features
- OpenSSL DLLs updated to version 1.0.2m.
- Android build updated to OpenSSL 1.1.0g.
- Allow for multiple "accept" ports per section.
- Self-test framework (make check).
- Added co
On 11/14/2017 01:33 PM, Bezspam wrote:
> Is this a bug or expected behaviour?
>
> Best regards,
> Bez Spam
Dear Bez,
I confirm this is a bug. A patch that fixes it is:
ftp://ftp.stunnel.org/stunnel/accept.patch
There will be a bugfix release of stunnel later this week.
Best regard
Dear Users,
I have released version 5.44 of stunnel.
It is a bugfix release. I recommend updating to this version.
Version 5.44, 2017.11.26, urgency: MEDIUM
* New features
- Signed Win32 executables, libraries, and installer.
* Bugfixes
- Default accept address restored to INADDR_ANY.
- Fi
On 06.02.2018 11:00, Christian Kujau wrote:
[!] bind: Address already in use (98)
[!] Error binding service [test] to 127.0.0.1:12345
Please try:
https://www.stunnel.org/downloads/beta/stunnel-5.45b1.tar.gz
It should fix your scenario without changing the default hostname for
"accept".
I se
On 08.02.2018 12:31, Christian Kujau wrote:
But even with the error, it's still running (in foreground) it is able to
bind to the port, but answers only to the IPv4 version of it:
Apparently adding support for multiple "accept" ports per section in
version 5.43 introduced more bugs than I expec
On 04/03/2018 01:19 PM, Mark Brookes wrote:
> Hi all, we have noticed that when reloading (note reloading not
> restarting) stunnel it appears to be leaking
> between 12 and 32 bytes of memory (ish) per reload.
This is a well-known issue. Several memory structures are leaked on each
configuration
Hi Jakob,
Do you observe the same effect in version 5.53b1?
https://www.stunnel.org/downloads.html
Best regards,
Mike
On 4/10/19 1:50 PM, Jakob Hirsch wrote:
> Hi!
>
> On 2019-04-08 21:38, Michal Trojnara wrote:
>> Version 5.52, 2019.04.08, urgency: HIGH
>> * Bugfixes
>> - Fixed a transfe
On 4/10/19 1:38 PM, Jakob Hirsch wrote:
> i.e., everything that contains only hex characters ([0-9a-f]+) will be
> considered a hex key? I really like that, but that's a breaking change
> for people using a key that consists of hex chars (and don't keep
> client/server version in sync).
For a ran
Dear Users,
I have released version 5.55 of stunnel.
This release addresses a number of important Windows issues, including
security vulnerabilities.
Version 5.55, 2019.06.10, urgency: HIGH
* Security bugfixes
- Fixed a Windows local privilege escalation vulnerability
caused insecure OpenSS
Dear Users,
I have released version 5.56 of stunnel.
### Version 5.56, 2019.11.22, urgency: HIGH
* New features
- Various text files converted to Markdown format.
* Bugfixes
- Support for realpath(3) implementations incompatible
with POSIX.1-2008, such as 4.4BSD or Solaris.
- Support fo
Hi Michael,
No, there is no portable way of implementing this feature. In fact, the
OS kernel only notifies server applications (including stunnel) about a
new incoming connection *after* the three-way TCP handshake has completed.
Some more details:
https://groups.google.com/forum/#!topic/comp.p
Dear Users,
I have released version 5.57 of stunnel.
This is a security release. Make sure to upgrade if you use the "redirect"
option.
### Version 5.57, 2020.10.11, urgency: HIGH
* Security bugfixes
- The "redirect" option was fixed to properly
handle "verifyChain = yes" (thx to Rob Hoe
On 10/14/2020 3:54 PM, Bob Bob wrote:
> I am using the same certificate which is called stunnel.pem and is generated
> using the "Build a Self-signed stunnel.pem" on the server. Since "nsCertType
> = server" in openssl.cnf, it is a server type certificate.
> That file is copied on both the client
Dear Users,
I have released version 5.58 of stunnel.
This release fixes another security bug in the "redirect" option.
### Version 5.58, 2021.02.20, urgency: HIGH
* Security bugfixes
- The "redirect" option was fixed to properly handle
unauthenticated requests (thx to Martin Stein).
- F
Dear Users,
I have released version 5.59 of stunnel.
### Version 5.59, 2021.04.05, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.1.1k.
* New features
- Client-side "protocol = ldap" support (thx to Bart
Dopheide and Seth Grover).
* Bugfixes
- The test suite fixe
Dear Users,
I have released version 5.60 of stunnel.
### Version 5.60, 2021.08.16, urgency: LOW
* New features
- New 'sessionResume' service-level option to allow
or disallow session resumption
- Added support for the new SSL_set_options() values.
- Download fresh ca-certs.pem for each
Dear Users,
I have released version 5.61 of stunnel.
### Version 5.61, 2021.12.22, urgency: LOW
* New features sponsored by the University of Maryland
- Added new "protocol = capwin" and "protocol = capwinctrl"
configuration file options.
* New features for the Windows platform
- Added c
- Original Message -
> Sent: Sunday, January 16, 2022 9:52 PM
> Michał Trojnara wrote:
>
>
>> Hi Roberto,
>>
>> Could you try https://www.stunnel.org/downloads/beta/stunnel-5.62b1.tar.gz ?
>>
>> Best regards,
>> Mike
Dear Users,
I have released version 5.62 of stunnel.
### Version 5.62, 2022.01.17, urgency: MEDIUM
* New features
- Added a bash completion script.
* Bugfixes
- Fixed a transfer() loop bug.
Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html
SHA-256 hashes:
Dear Users,
I have released version 5.63 of stunnel.
### Version 5.63, 2022.03.15, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.2.
* New features
- Updated stunnel.spec to support bash completion.
* Bugfixes
- Fixed a PRNG initialization crash (thx to Gleydson So
Dear Users,
I have released version 5.64 of stunnel. This release only includes Windows
fixes and improvements.
### Version 5.64, 2022.05.06, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.3.
* New features
- Updated the pkcs11 engine for Windows.
* Bugfixes
- R
Hi Javier,
stunnel is an encryption tool, and *not* a MUA/MTA, so it is not expected to be
RFC compliant. stunnel only had a very basic understanding of some
application protocols to negotiate TLS.
While encryption may be an optional feature in other applications, stunnel is
specifically des
Dear Users,
I have released version 5.65 of stunnel.
On Windows, this release fixes a high severity OpenSSL vulnerability:
https://www.openssl.org/news/secadv/20220705.txt
### Version 5.65, 2022.07.17, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.5.
* Bugfixes
- F
Hi Johann,
I investigated this issue and I found out that encrypted private keys were
never working with OpenSSL 3.0 (regardless of stunnel version).
Thank you very much for reporting this bug!
Please try building
https://www.stunnel.org/downloads/beta/stunnel-5.66b1.tar.gz from source. I
Hi David,
On 8/26/22 13:51, david.rundqv...@gmail.com wrote:
> If I hash the client certificates and put them in a folder (with file names
> .0), and use the CAPath parameter on the server, together with
> verify=3, the server's Certificate Request message contains an empty list of
> "Distingui
Dear Users,
I have released version 5.66 of stunnel.
### Version 5.66, 2022.09.11, urgency: MEDIUM
* New features
- OpenSSL 3.0 FIPS Provider support for Windows.
* Bugfixes
- Fixed building on machines without pkg-config.
- Added the missing "environ" declaration for
BSD-based operati
On 27/10/2022 18:08, decatu...@163.com wrote:
Hi, all.
I have done "make && make install" under "sudo", then I got this when "make
cert"
---
...
139784943940928:error:25066067:DSO support routines:dlfcn_load:could not load
the share
Dear Users,
I have released version 5.67 of stunnel.
### Version 5.67, 2022.11.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.7.
* New features
- Provided a logging callback to custom engines.
* Bugfixes
- Fixed "make cert" with OpenSSL older than 3.0.
- Fixe
On 13/01/2023 20:05, Gary Jackson wrote:
2023.01.13 14:03:42 LOG6[16572]: TLS accepted: new session negotiated
2023.01.13 14:03:42 LOG6[16572]: TLSv1.2 ciphersuite:
ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2023.01.13 14:03:42 LOG6[16572]: SSL_read: Socket is closed
2023.01.13 14:03:42 L
Dear Users,
I have released version 5.68 of stunnel.
### Version 5.68, 2023.02.07, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.8.
* New features
- Added the new 'CAengine' service-level option
to load a trusted CA certificate from an engine.
- Added requesti
Hi Kimura-san,
On 20/02/2023 10:58, Yasuhiro Kimura wrote:
[!] No trusted certificates found
The latest release of stunnel started using an OpenSSL function that doesn't
work on Windows.
We submitted a pull request to the OpenSSL project and published a beta
installer that includes a patche
Dear Users,
I have released version 5.69 of stunnel.
### Version 5.69, 2023.03.04, urgency: MEDIUM
* New features
- Improved logging performance with the "output" option.
- Improved file read performance on the WIN32 platform.
- DH and kDHEPSK ciphersuites removed from FIPS defaults.
- S
On 26/04/2023 11:20, Peter Pentchev wrote:
Um. Yeah. One thing that may have tripped you up is that due to
historical reasons, the stunnel package in Debian is called "stunnel4".
I have had plans for fixing that, renaming it back to "stunnel", but
it is a bit complicated (especially if one wants
On 05/05/2023 01:14, sportm...@netzero.com wrote:
Thought I'd try adding more details. Again, a Stunnel user for many years. Just
do not understand what needs to be done for me to deliver this newest version
of Stunnel to a client that is running my software. I currently have all
Stunnel file
Hi,
[!] /etc/stunnel/stunnel.conf:24: "output = /tmp/stunnel.log": Specified
option name is not valid here
The error says that you tried to put a global configuration file option
("output") in a service section.
See https://www.stunnel.org/static/stunnel.html for details.
Best regards,
Hi Phan Anh,
The "corrupted double-linked list" error in malloc_consolidate() means
that the heap data structures were already corrupted before executing
this operation. Running stunnel with valgrind should identify the root
cause. See https://valgrind.org/ for details.
Please also include
Hi Phan Anh,
Can you please execute "stunnel -version" on that system (the command
"stunnel" with the "-version" parameter)?
Yes, updating both stunnel *and* OpenSSL to their latest stable versions
(5.69 and 3.1.1 respectively) is a good idea.
What exactly is this "mbient-linux"? Which ve
Hi David,
The goal of *not* having the "latest" links was to make it harder for
people to just fetch the latest stunnel from my server in their CI/CD
pipelines (potentially, on each commit) instead of using their local
mirror. I see thousands of automated requests from a single IP address
in
Dear Users,
I have released version 5.71 of stunnel.
### Version 5.71, 2023.09.19, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 3.1.3.
* Bugfixes
- Fixed the console output of tstunnel.exe.
* Features sponsored by SAE IT-systems
- OCSP stapling is requested and ver
On 10/9/23 14:39, Seray Tokadli wrote:
Hi, for our company I need to find the cvmp number for stunnel however
I am not able to find it.
Is there anyone who can help me with that?
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
I could not find