
I have been using previous versions of stunnel just fine. Apparently they didn't have the feature of a certificate in SSL server mode. That's alright, but it's not necessary for us, as we're simply running a localhost server to tunnel to the remote server.

Anyway, I have read the FAQ, the tutorial and such related to this and tried everything. No matter what I do with the cert or key settings it still gives this same error. Here's the complete output:

No limit detected for the number of clients
stunnel 4.53 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
Reading configuration from file stunnel.conf
FIPS mode is enabled
Compression not enabled
Snagged 64 random bytes from C:/.rnd
Wrote 0 new random bytes to C:/.rnd
PRNG seeded successfully
Initializing service section [FIX]
Section FIX: SSL server needs a certificate

Server is down

And here is the stunnel.conf file contents:

; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

[FIX]
accept  = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5

[FIXLIVE]
accept  = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5

Please note that stunnel came installed with an stunnel.pem file. I tried uncommenting the config line for the key. I also regenerated the key using openssh per the instructions.

I tried using absolute path to the cert file.

Nothing makes any difference. Is this a defect in stunnel? Or am I doing something wrong?

Wayne
  • Are you using this to ssl enable a server or a client? – Ram Jun 14 '12 at 00:26
  • What's the remote server running? – Shane Madden Jun 14 '12 at 04:48
  • This ssl enables the client. The remote server is owned and run by a brokerage firm so I don't show what it runs and, well, how is that relevant? – Wayne Jun 14 '12 at 12:40
  • It matters because the requirements for using it as a client are different from using it as a server. For a client you have to configure trust of the server (or disable caring about trust) while for a server you have to give it a key-pair and a certificate. – Ram Jun 14 '12 at 16:10

2 Answers


Add client = yes to each service to fix that error message.

You also want to set options to set up proper SSL security; see below.

# Enable proper SSL security.  Without this, you are completely insecure!
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
options = NO_SSLv2

[FIX]
client = yes
accept  = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5

[FIXLIVE]
client = yes
accept  = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5
Mark Lodato

Stunnel will always want to verify the server certificate (all SSL clients do). You can turn off certificate checking if you don't care about man-in-the-middle attacks (ISP, bad guy, bad ISP, ...). Otherwise you will have to configure 'trust' in stunnel by either giving it a copy of the server certificate or something else in the chain you trust (i.e. an intermediate CA or a root CA that is superior to the server certificate the server is using to identify itself). The config variables you need to set are: CAPath, CAFile.

Ram
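
A checker for the two configuration problems discussed in both answers (a service left in server mode without a certificate, and a client service that never verifies the remote server), written as an added example in Python rather than code from stunnel or either answer. It assumes stunnel's INI layout with global keys before the first service section, that per-service keys override the global ones, and that option names compare case-insensitively; the sample config is constructed from the question's [FIX] service.

```python
import configparser

GLOBAL = "__global__"  # synthetic section for keys that precede the first [service]


def parse_stunnel_conf(text):
    """Split an stunnel.conf into (global defaults, {service: options}); keys lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # stunnel accepts options before any [section]; configparser does not, so add a header.
    cp.read_string(f"[{GLOBAL}]\n{text}")
    glob = dict(cp[GLOBAL])
    return glob, {s: dict(cp[s]) for s in cp.sections() if s != GLOBAL}


def check_stunnel_conf(text):
    """Return [(service, level, message)] for mode, certificate and verification problems."""
    glob, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**glob, **opts}  # assumption: per-service keys override the global defaults
        if eff.get("client", "no").lower() == "yes":
            # Client mode: only verify = 2 (or higher) plus a CAfile/CApath checks the server.
            level = int(eff.get("verify", "0"))
            if level < 2:
                findings.append((name, "warning",
                                 "client does not verify the server certificate; "
                                 "set verify = 2 and CAfile/CApath"))
            elif "cafile" not in eff and "capath" not in eff:
                findings.append((name, "error", f"verify = {level} but no CAfile/CApath"))
        elif "cert" not in eff:
            # Server mode is the default; without a cert stunnel refuses to start the service.
            findings.append((name, "error", "server mode without a cert "
                             "('SSL server needs a certificate')"))
        else:
            findings.append((name, "info", "server mode (no client = yes); a tunnel "
                             "to a remote SSL server needs client = yes"))
    return findings


# Constructed sample: the [FIX] service from the question, with its global cert line.
QUESTION_CONF = """cert = stunnel.pem
[FIX]
accept  = 127.0.0.1:5679
connect = 216.52.236.112:5680
"""

if __name__ == "__main__":
    for service, level, msg in check_stunnel_conf(QUESTION_CONF):
        print(f"[{service}] {level}: {msg}")
```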