Linux – STunnel Not Reading Configuration File

linuxsslstunnel

I generated an SSL certificate as specified on the answer to stunnel: SSL-to-SSL? (for smtp/imap)
And have the following configuation file:

cert = /home/marshall/stunnels/certs/umistunnel.keys

; protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

pid = ./stunnel4.pid

[https]
accept  = 4433
connect = 3000

When I run

> stunnel config.conf

the error I get is:

Reading configuration from descriptor 3
Snagged 64 random bytes from /home/marshall/.rnd
Wrote 1024 new random bytes to /home/marshall/.rnd
PRNG seeded successfully
Line 1: End of section stunnel: SSL server needs a certificate

If I instead run:

> stunnel filethatdoesnotexist.asdf

I get the same result. And, if I run stunnel without any parameters, the only change is that the error states Line 0. What am I doing wrong here?

Best Answer

You may have both stunnel3 & stunnel4 installed on your system.

The default for "stunnel" is to softlink it to stunnel3:

root@sibelius:/usr/bin# ls -l stunnel*
lrwxrwxrwx 1 root root      8 Oct 18  2011 stunnel -> stunnel3
-rwxr-xr-x 1 root root   2797 Oct 18  2011 stunnel3
-rwxr-xr-x 1 root root 109904 Oct 18  2011 stunnel4

The syntax of the stunnel.conf for stunnel3 is not compatible with the one for stunnel4.

Hence the error. Try removing stunnel3.

Related Solutions

Ssl – Multiple SSL certs with Stunnel

You need to use TLS SNI to be able to present two different certificates on the same listening port. Be aware that some clients, notably most browsers running under Windows XP, do not support SNI.

See the sni option in the documentation. Split your certificates into different files (the same private key is used for both public certificates):

[https]
cert = /etc/ssl/domain.com.pem
accept  = 443
connect = 80

[domain]
sni = https:domain.com
sni = https:www.domain.com
cert = /etc/ssl/domain.com.pem
connect = 80

[manager]
sni = https:manager.domain.com
cert = /etc/ssl/manager.domain.com.pem
connect = 80

Stunnel and FIX

I finally managed to make it work. I now have the following stunnel.conf file:

; Certificate
cert = stunnel.pem
;FIPS
fips=no
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some performance tunings  
socket = l:TCP_NODELAY=1  
socket = r:TCP_NODELAY=1  

; Some debugging stuff useful for troubleshooting  
debug = 7  
output = stunnel.log  

; Use it for client mode  
client = yes

; Service-level configuration
[FIX]  
accept = 127.0.0.1:port
connect = proxy:80
protocol=connect
protocolHost= target-server:443
TIMEOUTconnect  = 5

Basically I want to connect to a FIX server through a proxy. The connection is now made but it seems their server is not accepting my connection. I see this in the stunnel logs :

2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): before/connect initialization
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv2/v3 write client hello A
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 read server hello A
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 read server certificate A
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 read server done A
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 write client key exchange A
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 write change cipher spec A
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 write finished A
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 flush data
2013.04.26 14:05:06 LOG7[12312:13560]: SSL state (connect): SSLv3 read finished A
2013.04.26 14:05:06 LOG7[12312:13560]:    1 items in the session cache
2013.04.26 14:05:06 LOG7[12312:13560]:    1 client connects (SSL_connect())

2013.04.26 14:05:06 LOG7[12312:13560]:    1 client connects that finished

2013.04.26 14:05:06 LOG7[12312:13560]:    0 client renegotiations requested

2013.04.26 14:05:06 LOG7[12312:13560]:    0 server connects (SSL_accept())

2013.04.26 14:05:06 LOG7[12312:13560]:    0 server connects that finished
2013.04.26 14:05:06 LOG7[12312:13560]:    0 server renegotiations requested
2013.04.26 14:05:06 LOG7[12312:13560]:    0 session cache hits
2013.04.26 14:05:06 LOG7[12312:13560]:    0 external session cache hits
2013.04.26 14:05:06 LOG7[12312:13560]:    0 session cache misses
2013.04.26 14:05:06 LOG7[12312:13560]:    0 session cache timeouts

I think I might need to input a login and password. Someone knows how to do this with stunnel? I tried protocolCredentials but it does not work.

Best Answer

Related Solutions

Ssl – Multiple SSL certs with Stunnel

Stunnel and FIX

Related Topic