From: Trevor Hemsley on 15 Jun 2008 15:25

On Sun, 15 Jun 2008 19:16:41 UTC in comp.os.linux.questions, Ant
<ANTant(a)zimage.com> wrote:

> Is your sample/example same as this one (didn't change anything in it) I
> have?

Pretty much though slightly different. Yours should still be usable though. It
has a chroot line that says that everything is based relative to
/var/lib/stunnel4 so the pid = /stunnel4.pid line in it actually means it will
try to create the file /var/lib/stunnel4/stunnel.pid and it will run as the user
'stunnel4'. That means that the directory /var/lib/stunnel4 needs to be owned by
the user stunnel4 and group stunnel4 and that the user will need write access to
it to be able to create the files there.

You need to uncomment the line that says
;client = yes
so that it reads
client = yes

For the purpose you want to use this for you also need to add the following
section

[nntps]
accept = 127.0.0.1:119
connect = news.giganews.com:563

Then point your tin to localhost:119 for its connections.

You may also want to remove the sections that are provided for [pop3s], [imaps]
and [ssmtp] (or comment them out anyway).

--
Trevor Hemsley, Brighton, UK
Trevor dot Hemsley at ntlworld dot com
From: Ant on 15 Jun 2008 15:51

On 6/15/2008 12:25 PM PT, Trevor Hemsley typed:

> Pretty much though slightly different. Yours should still be usable though. It
> has a chroot line that says that everything is based relative to
> /var/lib/stunnel4 so the pid = /stunnel4.pid line in it actually means it will
> try to create the file /var/lib/stunnel4/stunnel.pid and it will run as the user
> 'stunnel4'. That means that the directory /var/lib/stunnel4 needs to be owned by
> the user stunnel4 and group stunnel4 and that the user will need write access to
> it to be able to create the files there.
>
> You need to uncomment the line that says
> ;client = yes
> so that it reads
> client = yes
>
> For the purpose you want to use this for you also need to add the following
> section
>
> [nntps]
> accept = 127.0.0.1:119
> connect = news.giganews.com:563
>
> Then point your tin to localhost:119 for its connections.
>
> You may also want to remove the sections that are provided for [pop3s], [imaps]
> and [ssmtp] (or comment them out anyway).

Here's what it looks like now (made a backup copy of the original just in case):

# cat stunnel.conf
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

[nntps]
accept = 127.0.0.1:119
connect = news.giganews.com:563

; vim:ft=dosini

I still seem to have problems running stunnel with tin:

$ stunnel -D 7 -c -d 119 -r localhost:119 ; tin -g localhost -p 119
tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008 Iain Lea.
Connecting to localhost...
socket or connect problem
Failed to connect to NNTP server localhost. Exiting...

$ stunnel -D 7 -c -d 119 -r news.giganews.com:563 ; tin -g localhost -p 119
tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008 Iain Lea.
Connecting to localhost...
socket or connect problem
Failed to connect to NNTP server localhost. Exiting...

$ stunnel tin -r localhost:119
2008.06.15 12:47:57 LOG7[5694:3082544816]: RAND_status claims sufficient entropy for the PRNG
2008.06.15 12:47:57 LOG7[5694:3082544816]: PRNG seeded successfully
2008.06.15 12:47:57 LOG3[5694:3082544816]: /etc/stunnel/stunnel.pem: No such file or directory (2)

Maybe I am doing all that wrong. :(

--
"The ants are my friends, they're blowin' in the wind. The ant, sir, is
blowin' in the wind." --the misheard lyrics to Bob Dylan's "Blowin' in
the Wind"
   /\___/\
  / /\ /\ \    Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
 | |o   o| |   Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ /      Remove ANT from e-mail address: philpi(a)earthlink.netANT
     ( )       or ANTant(a)zimage.com
Ant is currently not listening to any songs on his home computer.
Go Los Angeles/L.A. Lakers!
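
Added example, not part of the thread: a Python check that parses a stunnel 4 configuration like the one posted above, resolves where the pid file lands on the host once chroot is applied, and flags the two settings in that file a reviewer would question (SSLv3, and client mode with verify left commented out). SAMPLE_CONF is a constructed excerpt of the posted file, and the function names are hypothetical.

```python
import posixpath

# Constructed excerpt of the stunnel.conf posted above (most comments trimmed).
SAMPLE_CONF = """\
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
;verify = 2
client = yes
;[pop3s]
[nntps]
accept = 127.0.0.1:119
connect = news.giganews.com:563
"""

def parse_stunnel_conf(text):
    """Return (global options, {service: options}); lines starting with ';' are comments."""
    glob, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        (glob if current is None else current)[key.strip()] = value.strip()
    return glob, services

def audit(text):
    """Hypothetical helper: effective pid path, run-as identity, and warnings."""
    glob, services = parse_stunnel_conf(text)
    pid, jail = glob.get("pid"), glob.get("chroot")
    report = {
        # The pid path is interpreted inside the chroot jail, so prefix the jail.
        "pid_on_host": posixpath.normpath(posixpath.join(jail or "/", pid.lstrip("/"))) if pid else None,
        "run_as": (glob.get("setuid"), glob.get("setgid")),
        "warnings": [],
    }
    if glob.get("sslVersion") in ("SSLv2", "SSLv3"):
        report["warnings"].append("sslVersion %s is an obsolete protocol" % glob["sslVersion"])
    for name, opts in services.items():
        merged = dict(glob, **opts)  # options set globally act as service defaults
        if merged.get("client") == "yes" and "verify" not in merged:
            report["warnings"].append("[%s] client mode, no verify: server certificate unchecked" % name)
    return report
```

Enabling verify = 2 also requires a CAfile or CApath containing the issuing CA, as the commented lines in the sample file indicate.
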
From: Trevor Hemsley on 15 Jun 2008 16:11

On Sun, 15 Jun 2008 19:51:03 UTC in comp.os.linux.questions, Ant
<ANTant(a)zimage.com> wrote:

> $ stunnel -D 7 -c -d 119 -r localhost:119 ; tin -g localhost -p 119

You need to find out which stunnel you are using and stick with it! This is an
stunnel v3 command line and what you have been tweaking is an stunnel v4
configuration file. I have no idea how Debian installs this for you but if you
have stunnel4 then maybe you have an /etc/init.d/stunnel4 script to start it up?
If so then you'd have to start that as root and it will read the config file and
do what it wants.

Or maybe it is stunnel4 and you're trying to pass it parameters that it's just
silently ignoring! The log output you post shows that it probably is reading
your conf file as it's talking about /etc/stunnel/stunnel.pem being missing -
perhaps you need to create it or point stunnel to one that does exist?

--
Trevor Hemsley, Brighton, UK
Trevor dot Hemsley at ntlworld dot com
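
Added example, not part of the thread: the v3 command line versus v4 configuration file mismatch described above, shown as a Python translator from the v3 flags that appear in this thread to the equivalent stunnel 4 options. It also reports when the translated service would connect back to its own listening port or listen on every interface. Function names and the default section label are hypothetical.

```python
import shlex

# stunnel 3 flags that appear in this thread -> (stunnel 4 option, takes a value).
V3_TO_V4 = {
    "-c": ("client", False),      # client mode
    "-f": ("foreground", False),  # do not daemonize
    "-D": ("debug", True),        # debug level
    "-P": ("pid", True),          # pid file location
    "-d": ("accept", True),       # listen on [host:]port
    "-r": ("connect", True),      # forward to [host:]port
}
SERVICE_LEVEL = ("client", "accept", "connect")

def points_at_itself(accept, connect):
    """True when connect targets the local listener (same port, local host)."""
    c_host, _, c_port = connect.rpartition(":")
    return accept.rsplit(":", 1)[-1] == c_port and c_host in ("", "localhost", "127.0.0.1")

def v3_to_v4(cmdline, service="nntps"):
    """Return (stunnel.conf text, warnings) for a v3-style command line.
    The section name is only a label; 'nntps' follows the thread."""
    argv = shlex.split(cmdline)[1:]  # drop the program name
    glob, svc, warnings, i = {}, {}, [], 0
    while i < len(argv):
        if argv[i] not in V3_TO_V4:
            raise ValueError("no translation known for %r" % argv[i])
        option, takes_value = V3_TO_V4[argv[i]]
        if takes_value and i + 1 >= len(argv):
            raise ValueError("%s needs a value" % argv[i])
        value = argv[i + 1] if takes_value else "yes"
        (svc if option in SERVICE_LEVEL else glob)[option] = value
        i += 2 if takes_value else 1
    if "accept" not in svc or "connect" not in svc:
        raise ValueError("a service needs both -d (accept) and -r (connect)")
    if points_at_itself(svc["accept"], svc["connect"]):
        warnings.append("connect points back at the accept port: the tunnel loops to itself")
    if ":" not in svc["accept"]:
        warnings.append("accept has no host part: listens on all interfaces")
    lines = ["%s = %s" % kv for kv in glob.items()] + ["[%s]" % service]
    lines += ["%s = %s" % kv for kv in svc.items()]
    return "\n".join(lines) + "\n", warnings
```

Run on the first command quoted above, it reports both warnings; the [nntps] section suggested earlier in the thread avoids them by accepting on 127.0.0.1:119 and connecting to news.giganews.com:563.
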
From: Ant on 15 Jun 2008 16:20

On 6/15/2008 1:11 PM PT, Trevor Hemsley typed:

>> $ stunnel -D 7 -c -d 119 -r localhost:119 ; tin -g localhost -p 119
>
> You need to find out which stunnel you are using and stick with it! This is an
> stunnel v3 command line and what you have been tweaking is an stunnel v4
> configuration file. I have no idea how Debian installs this for you but if you
> have stunnel4 then maybe you have an /etc/init.d/stunnel4 script to start it up?
> If so then you'd have to start that as root and it will read the config file and
> do what it wants.
>
> Or maybe it is stunnel4 and you're trying to pass it parameters that it's just
> silently ignoring! The log output you post shows that it probably is reading
> your conf file as it's talking about /etc/stunnel/stunnel.pem being missing -
> perhaps you need to create it or point stunnel to one that does exist?

I think I know what happened:

# apt-cache show stunnel
Package: stunnel
Priority: optional
Section: net
Installed-Size: 40
Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo(a)debian.org>
Architecture: all
Source: stunnel4
Version: 3:4.22-1.1
Depends: stunnel4 (>= 3:4.20-3)
Filename: pool/main/s/stunnel4/stunnel_4.22-1.1_all.deb
Size: 10166
MD5sum: 9d3162fdeb77a7d4b62fddefc62cdf9f
SHA1: f9b3271905c413176406fef8d30ff111b8b9cc02
SHA256: 616d7c80d6269bbfe5530a20ff5214c8df9e92a054f39cfd9e8f815caa77e5d1
Description: dummy upgrade package
 stunnel version 3 has been removed from Debian. This is a dummy
 package to ease upgrading to stunnel4.
 .
 You may safely remove this package after the upgrade.
Homepage: http://www.stunnel.org/
Tag: role::dummy, special::obsolete

Package: stunnel
Priority: optional
Section: net
Installed-Size: 268
Maintainer: Julien Lemoine <speedblue(a)debian.org>
Architecture: i386
Version: 2:3.26-dfsg-1
Replaces: stunnel4
Depends: libc6 (>= 2.3.6-6), libssl0.9.8 (>= 0.9.8c-1), libwrap0, openssl, netbase
Filename: pool/main/s/stunnel/stunnel_3.26-dfsg-1_i386.deb
Size: 87180
MD5sum: f424defa4b7162280e806a416ea9a882
SHA1: 601017ffdf4daffb1a034a87c11fa1fc6d3f842d
SHA256: 2be87eb6e9cd36ec0ca42e266bfd37261174674a0192c66892619b0d437138cf
Description: Universal SSL tunnel for network daemons
 The stunnel program is designed to work as SSL encryption wrapper
 between remote client and local (inetd-startable) or remote
 server. The concept is that having non-SSL aware daemons running on
 your system you can easily setup them to communicate with clients over
 secure SSL channel.
 .
 stunnel can be used to add SSL functionality to commonly used inetd
 daemons like POP-2, POP-3 and IMAP servers without any changes in the
 programs' code.
Tag: interface::daemon, network::client, network::server, protocol::ssl, role::program, security::cryptography, use::proxying

Debian pulled v3 and replaced it with v4.

--

# locate stunnel
/etc/stunnel
/etc/default/stunnel4
/etc/init.d/stunnel4
/etc/logrotate.d/stunnel4
/etc/ppp/ip-down.d/0stunnel4
/etc/ppp/ip-up.d/0stunnel4
/etc/rc0.d/K20stunnel4
/etc/rc1.d/K20stunnel4
/etc/rc2.d/S20stunnel4
/etc/rc3.d/S20stunnel4
/etc/rc4.d/S20stunnel4
/etc/rc5.d/S20stunnel4
/etc/rc6.d/K20stunnel4
/etc/stunnel/stunnel.conf
/usr/bin/stunnel
/usr/bin/stunnel-dsa
/usr/bin/stunnel3
/usr/bin/stunnel4
/usr/lib/libstunnel.so
/usr/lib/libstunnel.so.3
/usr/lib/stunnel
/usr/lib/stunnel/libstunnel.la
/usr/lib/stunnel/libstunnel.so
/usr/share/doc/stunnel
/usr/share/doc/stunnel4
/usr/share/doc/stunnel/BUGS
/usr/share/doc/stunnel/NEWS.Debian.gz
/usr/share/doc/stunnel/README
/usr/share/doc/stunnel/README.Debian
/usr/share/doc/stunnel/TODO
/usr/share/doc/stunnel/changelog.Debian.gz
/usr/share/doc/stunnel/copyright
/usr/share/doc/stunnel/english
/usr/share/doc/stunnel/examples
/usr/share/doc/stunnel/polish
/usr/share/doc/stunnel/stunnel.html
/usr/share/doc/stunnel/english/VNC_StunnelHOWTO.html
/usr/share/doc/stunnel/english/transproxy.txt
/usr/share/doc/stunnel/examples/ca.html
/usr/share/doc/stunnel/examples/ca.pl
/usr/share/doc/stunnel/examples/importCA.html
/usr/share/doc/stunnel/examples/importCA.sh
/usr/share/doc/stunnel/examples/stunnel.cnf
/usr/share/doc/stunnel/polish/faq.stunnel-2.html
/usr/share/doc/stunnel/polish/tworzenie_certyfikatow.html
/usr/share/doc/stunnel4/BUGS
/usr/share/doc/stunnel4/NEWS.Debian.gz
/usr/share/doc/stunnel4/NEWS.gz
/usr/share/doc/stunnel4/README
/usr/share/doc/stunnel4/README.Debian
/usr/share/doc/stunnel4/TODO
/usr/share/doc/stunnel4/changelog.Debian.gz
/usr/share/doc/stunnel4/changelog.gz
/usr/share/doc/stunnel4/contrib
/usr/share/doc/stunnel4/copyright
/usr/share/doc/stunnel4/examples
/usr/share/doc/stunnel4/stunnel.fr.html
/usr/share/doc/stunnel4/stunnel.html
/usr/share/doc/stunnel4/stunnel.pl.html
/usr/share/doc/stunnel4/transproxy.txt
/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
/usr/share/doc/stunnel4/examples/ca.html
/usr/share/doc/stunnel4/examples/ca.pl
/usr/share/doc/stunnel4/examples/importCA.html
/usr/share/doc/stunnel4/examples/importCA.sh
/usr/share/doc/stunnel4/examples/stunnel.cnf
/usr/share/doc/stunnel4/examples/stunnel.conf-sample
/usr/share/doc/stunnel4/examples/stunnel.init
/usr/share/doc-base/stunnel
/usr/share/doc-base/stunnel4
/usr/share/lintian/overrides/stunnel
/usr/share/man/fr/man8/stunnel4.8.gz
/usr/share/man/man1/stunnel-dsa.1.gz
/usr/share/man/man1/stunnel.1.gz
/usr/share/man/man8/stunnel.8.gz
/usr/share/man/man8/stunnel3.8.gz
/usr/share/man/man8/stunnel4.8.gz
/usr/share/man/pl/man8/stunnel4.8.gz
/var/cache/apt/archives/stunnel4_3%3a4.22-1.1_i386.deb
/var/cache/apt/archives/stunnel_3%3a4.22-1.1_all.deb
/var/lib/stunnel4
/var/lib/dpkg/info/stunnel.list
/var/lib/dpkg/info/stunnel.md5sums
/var/lib/dpkg/info/stunnel4.conffiles
/var/lib/dpkg/info/stunnel4.list
/var/lib/dpkg/info/stunnel4.md5sums
/var/lib/dpkg/info/stunnel4.postinst
/var/lib/dpkg/info/stunnel4.postrm
/var/lib/dpkg/info/stunnel4.prerm
/var/log/stunnel4
/var/log/stunnel4/stunnel.log
/var/run/stunnel
/var/run/stunnel4

# locate bin/stunnel
/usr/bin/stunnel
/usr/bin/stunnel-dsa
/usr/bin/stunnel3
/usr/bin/stunnel4

# ls -all /usr/bin/stunnel*
lrwxrwxrwx 1 root root     8 2008-06-15 10:00 /usr/bin/stunnel -> stunnel3
-rwxr-xr-x 1 root root  2797 2008-05-27 09:32 /usr/bin/stunnel3
-rwxr-xr-x 1 root root 89220 2008-05-27 09:32 /usr/bin/stunnel4
-rwxr-xr-x 1 root root 50120 2007-03-31 11:02 /usr/bin/stunnel-dsa

It looks like I have BOTH v3 and v4. I tried the same command as earlier
with stunnel4 (e.g., stunnel4 -D 7 -c -d 119 -r localhost:119 ; tin -g
localhost -p 119), but still get the same errors. :(

--
"Size isn't everything. The whale is endangered, while the ant continues
to do just fine." --Bill Vaughan
   /\___/\
  / /\ /\ \    Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
 | |o   o| |   Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ /      Remove ANT from e-mail address: philpi(a)earthlink.netANT
     ( )       or ANTant(a)zimage.com
Ant is currently not listening to any songs on his home computer.
Go Los Angeles/L.A. Lakers!
From: Allen Kistler on 15 Jun 2008 17:36

Ant wrote:
> On 6/15/2008 4:06 AM PT, Trevor Hemsley typed:
>
>>> Here is the version in Debian (I apt-get update and upgrade daily):
>>
>> Sorry, I can't help, v3 is too old and I have forgotten all about it.
>> The difference between v3 and v4 is mainly the addition of
>> stunnel.conf and the dropping of all the command line parameters. I
>> have no idea why Debian should continue to ship something that hasn't
>> been updated in about 7 years but all other distros that I've used
>> switched to v4 a long time ago.
>> I do know that stunnel is very fussy about permissions on all its
>> directories though so it's possible that just creating the directory
>> is not enough, you might have to chown/chmod it too. It's also
>> possible that stunnel is running from a chroot jail in which case you
>> might need to be creating /<chroot-jail>/var/run/stunnel
>
> Someone else suggested:
>
> $ stunnel -f -c -d 1119 -r news.giganews.com:563
> 2008.06.15 09:45:06 LOG5[2756:3082602160]: Using 'news.giganews.com.563'
> as tcpwrapper service name
> 2008.06.15 09:45:06 LOG5[2756:3082602160]: stunnel 3.26 on
> i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8g 19 Oct 2007
> 2008.06.15 09:45:06 LOG3[2756:3082602160]: Argument to -P
> (/var/run/stunnel/) is not valid a directory name
>
> Then, I tried uninstalling and reinstalling stunnel and stunnel4
> packages via apt-get command. I retried and got different results:
>
> $ stunnel -f -c -d 1119 -r news.giganews.com:563
> 2008.06.15 10:02:12 LOG5[3325:3082749616]: stunnel 4.22 on
> i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
> 2008.06.15 10:02:12 LOG5[3325:3082749616]: Threading:PTHREAD SSL:ENGINE
> Sockets:POLL,IPv6 Auth:LIBWRAP
> 2008.06.15 10:02:12 LOG5[3325:3082749616]: 500 clients allowed
> 2008.06.15 10:02:12 LOG3[3325:3082749616]: Cannot create pid file
> /var/run/stunnel4.pid
> 2008.06.15 10:02:12 LOG3[3325:3082749616]: create: Permission denied (13)
>
> [snip]
>
> It seems like it is mentioning the same permission problems you are
> referring to. Do I chown and chmod to my user/accountname or what? I
> don't know what this chroot jail thing is about.

Only root can create pid files in /var/run. I choose not to run stunnel
as root (actually I run it "nobody" using options in stunnel.conf), so I
create a subdir (/var/run/stunnel) owned by "nobody" and change the
pidfile directory using one of the options in stunnel.conf. The man page
describes the options.