I have been using previous versions of stunnel just fine. They apparently didn't have the feature of a certificate in SSL server mode. That's alright, but it's not necessary for us, as we're simply running a localhost server to tunnel to the remote server.
Anyway, I have read the FAQ, the tutorial and such related to this and tried everything. No matter what I do with the cert or key settings, it still gives the same error. Here's the complete output:
No limit detected for the number of clients
stunnel 4.53 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
Reading configuration from file stunnel.conf
FIPS mode is enabled
Compression not enabled
Snagged 64 random bytes from C:/.rnd
Wrote 0 new random bytes to C:/.rnd
PRNG seeded successfully
Initializing service section [FIX]
Section FIX: SSL server needs a certificate
Server is down
And here are the stunnel.conf file contents:
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
[FIX]
accept = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5
[FIXLIVE]
accept = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5
Please note that stunnel came installed with an stunnel.pem file. I tried uncommenting the config line for the key. I also regenerated the key using openssh per the instructions.
I tried using an absolute path to the cert file.
Nothing makes any difference. Is this a defect in stunnel? Or am I doing something wrong?
Add
client = yes
to each service to fix that error message. You also want to set options to set up proper SSL security; see below.
Stunnel will always want to verify the server certificate (all SSL clients do) - you can turn off certificate checking if you don't care about man-in-the-middle attacks (ISP, bad guy, bad ISP, ...). Otherwise you will have to configure 'trust' in stunnel by either giving it a copy of the server certificate or something else in the chain you trust (i.e. an intermediate CA or a root CA that is superior to the server certificate the server is using to identify itself). The config variables you need to set are: CAPath, CAFile.
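The following is an added worked example of the corrected stunnel.conf, written for this page and not posted by the asker or the answerer. It takes the two service sections from the question, switches them to client mode (which is what makes the "SSL server needs a certificate" error go away) and turns on verification of the remote server's certificate as the answer describes. The file name server-certs.pem is an assumption: it is a PEM file you create yourself, holding the remote server's certificate (or an intermediate/root CA that signed it). Since stunnel 4.53 is running, the example uses only options that exist in the 4.x series.

```ini
; Client-side stunnel.conf (added example; not the original poster's file).
; In client mode, "cert" is optional, so the shipped stunnel.pem is not needed.
; Leaving it out avoids presenting a stale self-signed identity to the server.

; Protocol hygiene: refuse the legacy SSLv2 and SSLv3 handshakes.
options = NO_SSLv2
options = NO_SSLv3

; Trust anchors for verifying the remote server.
; server-certs.pem (assumed file name) holds the server's own certificate,
; or a CA certificate that is above it in the chain.
CAfile = server-certs.pem

; verify = 2 : verify the peer certificate against CAfile/CApath and reject
;              the connection if the chain does not validate.
; verify = 3 : additionally require the peer's own certificate to be present
;              locally (effective pinning; use this when server-certs.pem
;              holds the leaf certificate rather than a CA).
verify = 2

[FIX]
; client = yes is the fix for "Section FIX: SSL server needs a certificate":
; stunnel accepts plaintext locally and speaks SSL/TLS to the remote side.
client = yes
accept = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5

[FIXLIVE]
client = yes
accept = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5
```

To populate server-certs.pem, you can capture what the remote end presents with `openssl s_client -connect 216.52.236.112:5680 -showcerts` and copy the PEM blocks it prints into that file (do this over a connection you trust, since a MITM at that moment would be "pinned" instead). Two caveats: a `verify` setting without CAfile or CApath means nothing can validate and every connection will be rejected, and this 4.x release has no hostname check option, so the verification above binds only to the certificate or CA you supplied, not to the IP in the connect line; that is why pinning the leaf certificate (verify = 3) is the stronger choice when the server uses a self-signed or private-CA certificate.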