Unable to use stunnel with tin... - Setup

  1. Unable to use stunnel with tin...

    Hi.

    I am a newbie with stunnel and news servers that use SSL connections.
    What am I doing wrong as shown below? I also tried shutting down the
    firewall via Guarddog program, but it didn't make any difference.

    $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
    tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    Iain Lea.
    Connecting to localhost:1119...
    socket or connect problem
    Failed to connect to NNTP server localhost. Exiting...

    Thank you in advance.
    --
    "The ants are back Ted!" --Dougal from Father Ted TV show.
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Go Los Angeles/L.A. Lakers. Ant is/was listening to a song on his home
    computer: Covenant - Dead Stars (Longer)

  2. Re: Unable to use stunnel with tin...

    ["Followup-To:" header set to comp.os.linux.misc.]
    On 2008-06-15, Ant wrote:

    > $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
    > tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    > Iain Lea.
    > Connecting to localhost:1119...
    > socket or connect problem
    > Failed to connect to NNTP server localhost. Exiting...


    Hmmmm..... do you mean 119 rather than 1119?

    Andrew

    --
    Do you think that's air you're breathing now?

  3. Re: Unable to use stunnel with tin...

    On 6/15/2008 12:30 AM PT, andrew typed:

    >> $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
    >> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    >> Iain Lea.
    >> Connecting to localhost:1119...
    >> socket or connect problem
    >> Failed to connect to NNTP server localhost. Exiting...

    >
    > Hmmmm..... do you mean 119 rather than 1119?


    Same error/result:
    $ stunnel -c -d 119 -r news.giganews.com:563; tin -g localhost -p 119
    tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    Iain Lea.
    Connecting to localhost...
    socket or connect problem
    Failed to connect to NNTP server localhost. Exiting...
    --
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Ant is currently not listening to any songs on his home computer. Go
    Los Angeles/L.A. Lakers!

  4. Re: Unable to use stunnel with tin...

    On Sun, 15 Jun 2008 07:52:06 UTC in comp.os.linux.questions, Ant
    wrote:

    > On 6/15/2008 12:30 AM PT, andrew typed:
    >
    > >> $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
    > >> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    > >> Iain Lea.
    > >> Connecting to localhost:1119...
    > >> socket or connect problem
    > >> Failed to connect to NNTP server localhost. Exiting...

    > >
    > > Hmmmm..... do you mean 119 rather than 1119?

    >
    > Same error/result:
    > $ stunnel -c -d 119 -r news.giganews.com:563; tin -g localhost -p 119
    > tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    > Iain Lea.
    > Connecting to localhost...
    > socket or connect problem
    > Failed to connect to NNTP server localhost. Exiting...


    It might help if you were using a slightly less prehistoric version of stunnel -
    v3 was already old about 5 years ago. The newer v4 does everything via
    stunnel.conf and mine looks like this:

    cert = stunnel.pem
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    client = yes
    [nntps]
    accept = 127.0.0.1:119
    connect = news.giganews.com:563

    With this, you might also want the debugging options set on while you get it to
    work.

    debug = 7
    output = stunnel.log

    To listen on a local port < 1024 you will need to run stunnel as root.

    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com

  5. Re: Unable to use stunnel with tin...

    On 6/15/2008 2:39 AM PT, Trevor Hemsley typed:

    >>>> $ stunnel -c -d 1119 -r news.giganews.com:563; tin -g localhost -p 1119
    >>>> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    >>>> Iain Lea.
    >>>> Connecting to localhost:1119...
    >>>> socket or connect problem
    >>>> Failed to connect to NNTP server localhost. Exiting...


    >>> Hmmmm..... do you mean 119 rather than 1119?


    >> Same error/result:
    >> $ stunnel -c -d 119 -r news.giganews.com:563; tin -g localhost -p 119
    >> tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    >> Iain Lea.
    >> Connecting to localhost...
    >> socket or connect problem
    >> Failed to connect to NNTP server localhost. Exiting...

    >
    > It might help if you were using a slightly less prehistoric version of stunnel -
    > v3 was already old about 5 years ago. The newer v4 does everything via
    > stunnel.conf and mine looks like this:


    Here is the version in Debian (I apt-get update and upgrade daily):

    $ stunnel
    2008.06.15 02:55:30 LOG3[29444:3083032240]: Either -r, -l (or -L) option
    must be used


    > cert = stunnel.pem
    > socket = l:TCP_NODELAY=1
    > socket = r:TCP_NODELAY=1
    > client = yes
    > [nntps]
    > accept = 127.0.0.1:119
    > connect = news.giganews.com:563
    >
    > With this, you might also want the debugging options set on while you get it to
    > work.
    >
    > debug = 7
    > output = stunnel.log
    >
    > To listen on a local port < 1024 you will need to run stunnel as root.


    Shouldn't command line parameters be enough? I searched (locate command)
    for stunnel.conf, but it is nowhere to be found. Your debugging comment gave
    me an idea:

    $ stunnel -o stunnel.log -D 7 -c -d 1119 -r news.giganews.com:563; tin
    -g lalhost -p 1119

    $ more stunnel.log . Exiting...
    2008.06.15 02:59:47 LOG5[29636:3083413168]: Using
    'news.giganews.com.563' as tcpwrapper service name
    2008.06.15 02:59:47 LOG7[29636:3083413168]: RAND_status claims
    sufficient entropy for the PRNG
    2008.06.15 02:59:47 LOG6[29636:3083413168]: PRNG seeded successfully
    2008.06.15 02:59:47 LOG5[29636:3083413168]: stunnel 3.26 on
    i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8g 19 Oct 2007
    2008.06.15 02:59:47 LOG3[29637:3083413168]: Argument to -P
    (/var/run/stunnel/) is not valid a directory name

    Is it because of /var/run/stunnel/? If so, then how do I fix it? I tried
    making a /var/run/stunnel/, but it didn't make any difference when I
    retried.
    --
    "The ants are back Ted!" --Dougal from Father Ted TV show.
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Ant is currently not listening to any songs on his home computer. Go
    Los Angeles/L.A. Lakers!

  6. Re: Unable to use stunnel with tin...

    On Sun, 15 Jun 2008 10:04:20 UTC in comp.os.linux.questions, Ant
    wrote:

    > Here is the version in Debian (I apt-get update and upgrade daily):


    Sorry, I can't help, v3 is too old and I have forgotten all about it. The
    difference between v3 and v4 is mainly the addition of stunnel.conf and the
    dropping of all the command line parameters. I have no idea why Debian should
    continue to ship something that hasn't been updated in about 7 years but all
    other distros that I've used switched to v4 a long time ago.

    I do know that stunnel is very fussy about permissions on all its directories
    though so it's possible that just creating the directory is not enough, you
    might have to chown/chmod it too. It's also possible that stunnel is running
    from a chroot jail in which case you might need to be creating
    //var/run/stunnel

    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com

  7. Re: Unable to use stunnel with tin...

    I demand that Trevor Hemsley may or may not have written...

    > On Sun, 15 Jun 2008 10:04:20 UTC in comp.os.linux.questions, Ant
    > wrote:
    >> Here is the version in Debian (I apt-get update and upgrade daily):


    > Sorry, I can't help, v3 is too old and I have forgotten all about it. The
    > difference between v3 and v4 is mainly the addition of stunnel.conf and the
    > dropping of all the command line parameters. I have no idea why Debian
    > should continue to ship something that hasn't been updated in about 7 years
    > but all other distros that I've used switched to v4 a long time ago.


    http://packages.debian.org/search?keywords=stunnel
    http://packages.debian.org/search?keywords=stunnel4

    [snip]
    --
    | Darren Salt | linux or ds at | nr. Ashington, | Toon
    | RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
    | + Output less CO2 => avoid massive flooding. TIME IS RUNNING OUT *FAST*.

    Jack the Ripper excused himself on the grounds that it was human nature.

  8. Re: Unable to use stunnel with tin...

    Trevor Hemsley writes:
    > I have no idea why Debian should continue to ship something that hasn't
    > been updated in about 7 years...


    It doesn't:

    Package: stunnel
    ...
    Description: dummy upgrade package
    stunnel version 3 has been removed from Debian. This is a dummy package
    to ease upgrading to stunnel4.
    ...
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  9. Re: Unable to use stunnel with tin...

    On 6/15/2008 4:06 AM PT, Trevor Hemsley typed:

    >> Here is the version in Debian (I apt-get update and upgrade daily):

    >
    > Sorry, I can't help, v3 is too old and I have forgotten all about it. The
    > difference between v3 and v4 is mainly the addition of stunnel.conf and the
    > dropping of all the command line parameters. I have no idea why Debian should
    > continue to ship something that hasn't been updated in about 7 years but all
    > other distros that I've used switched to v4 a long time ago.
    >
    > I do know that stunnel is very fussy about permissions on all its directories
    > though so it's possible that just creating the directory is not enough, you
    > might have to chown/chmod it too. It's also possible that stunnel is running
    > from a chroot jail in which case you might need to be creating
    > //var/run/stunnel


    Someone else suggested:

    $ stunnel -f -c -d 1119 -r news.giganews.com:563
    2008.06.15 09:45:06 LOG5[2756:3082602160]: Using 'news.giganews.com.563'
    as tcpwrapper service name
    2008.06.15 09:45:06 LOG5[2756:3082602160]: stunnel 3.26 on
    i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8g 19 Oct 2007
    2008.06.15 09:45:06 LOG3[2756:3082602160]: Argument to -P
    (/var/run/stunnel/) is not valid a directory name

    Then, I tried uninstalling and reinstalling stunnel and stunnel4
    packages via apt-get command. I retried and got different results:

    $ stunnel -f -c -d 1119 -r news.giganews.com:563
    2008.06.15 10:02:12 LOG5[3325:3082749616]: stunnel 4.22 on
    i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
    2008.06.15 10:02:12 LOG5[3325:3082749616]: Threading:PTHREAD SSL:ENGINE
    Sockets:POLL,IPv6 Auth:LIBWRAP
    2008.06.15 10:02:12 LOG5[3325:3082749616]: 500 clients allowed
    2008.06.15 10:02:12 LOG3[3325:3082749616]: Cannot create pid file
    /var/run/stunnel4.pid
    2008.06.15 10:02:12 LOG3[3325:3082749616]: create: Permission denied (13)
    $ ls -l stunnel*
    total 0
    $ ls -l
    total 160
    srw-rw-rw- 1 root root 0 2008-05-28 12:52 acpid.socket
    -rw-r--r-- 1 root root 5 2008-06-01 14:56 apcupsd.pid
    -rw-r--r-- 1 root root 6 2008-03-24 11:38 crond.pid
    ---------- 1 root root 0 2008-03-11 20:49 crond.reboot
    drwxr-xr-x 3 root lp 4096 2008-06-15 06:25 cups
    drwxr-xr-x 2 messagebus messagebus 4096 2008-05-07 14:11 dbus
    -rw-r--r-- 1 root root 6 2008-06-15 06:25 denyhosts.pid
    drwxr-xr-x 2 root root 4096 2008-06-15 06:25 dirmngr
    -rw-r--r-- 1 root root 6 2008-06-15 06:25 dirmngr.pid
    drwxr-x--- 2 Debian-exim Debian-exim 4096 2008-04-13 15:17 exim4
    -rw-r--r-- 1 root root 5 2008-03-11 20:49 gpm.pid
    drwxr-xr-x 2 haldaemon haldaemon 4096 2008-06-03 17:21 hal
    drwxr-xr-x 2 hplip root 4096 2007-12-23 14:02 hplip
    drwxr-xr-x 2 identd nogroup 4096 2008-03-12 12:33 identd
    -rw-r--r-- 1 root root 6 2008-05-01 12:23 inetd.pid
    -rw-r--r-- 1 root root 6 2008-06-14 23:36 klogd.pid
    -rw-r--r-- 1 root root 352 2008-03-11 20:49 motd
    drwxr-xr-x 2 root root 4096 2008-03-11 20:49 network
    -rw-r--r-- 1 root root 5 2008-05-20 11:10 ntpd.pid
    drwxr-xr-t 2 root root 4096 2008-06-13 06:30 pcscd
    drwxr-xr-x 3 root root 4096 2008-06-06 06:42 samba
    drwxrwxr-x 5 root utmp 4096 2007-11-15 21:00 screen
    -rw------- 1 root root 5 2008-03-22 12:19 smartd.pid
    drwxr-xr-x 2 root root 4096 2007-07-30 02:24 sshd
    -rw-r--r-- 1 root root 6 2008-06-11 06:39 sshd.pid
    drwxr-xr-x 2 stunnel4 stunnel4 4096 2008-06-15 10:00 stunnel4
    -rw-r--r-- 1 root root 6 2008-06-14 23:36 syslogd.pid
    -r----S--- 1 root root 5 2008-05-07 14:11 system-tools-backends.pid
    -rw-rw-r-- 1 root utmp 13440 2008-06-15 09:45 utmp
    drwxr-xr-x 2 root root 4096 2008-05-04 22:42 VirtualBox
    srwxr-xr-x 1 root root 0 2008-06-02 20:48 vmnat.356
    -rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-bridge-0.pid
    -rw-r----- 1 root root 4 2008-06-02 20:48 vmnet-dhcpd-vmnet1.pid
    -rw-r----- 1 root root 4 2008-06-02 20:48 vmnet-dhcpd-vmnet8.pid
    -rw-r--r-- 1 root root 18 2008-06-02 20:48 vmnet-natd-8.mac
    -rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-natd-8.pid
    -rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-netifup-vmnet1.pid
    -rw-r--r-- 1 root root 4 2008-06-02 20:48 vmnet-netifup-vmnet8.pid
    drwxr-xr-x 3 root root 4096 2008-06-10 21:26 vmware
    drwxr-xr-x 2 root root 4096 2008-04-11 10:54 vsftpd

    It seems like it is mentioning the same permission problems you are
    referring to. Do I chown and chmod to my user/accountname or what? I
    don't know what this chroot jail thing is about.
    --
    "The tiny ant dares to enter the lion's ear." --Armenian
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Ant is currently not listening to any songs on his home computer. Go
    Los Angeles/L.A. Lakers!

  10. Re: Unable to use stunnel with tin...

    On 6/15/2008 7:39 AM PT, John Hasler typed:

    > Trevor Hemsley writes:
    >> I have no idea why Debian should continue to ship something that hasn't
    >> been updated in about 7 years...

    >
    > It doesn't:
    >
    > Package: stunnel
    > ...
    > Description: dummy upgrade package
    > stunnel version 3 has been removed from Debian. This is a dummy package
    > to ease upgrading to stunnel4.
    > ...


    Strange. I wonder why mine was still at 3. I uninstalled it and
    reinstalled stunnel and think I got the correct one now. I can't seem to
    see what version I have according to "man stunnel" that shows: "-V
    Print stunnel version and compile time defaults":

    $ stunnel -V
    Unknown option: V
    2008.06.15 10:11:11 LOG7[3492:3083327152]: RAND_status claims sufficient
    entropy for the PRNG
    2008.06.15 10:11:11 LOG7[3492:3083327152]: PRNG seeded successfully
    2008.06.15 10:11:11 LOG3[3492:3083327152]: /etc/stunnel/stunnel.pem: No
    such file or directory (2)

    $ ls /etc/stunnel/ -l
    total 2
    -rw-r--r-- 1 root root 1489 2008-05-27 09:31 stunnel.conf
    --
    "An ant's nest could bring down a hill." --Japanese
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Ant is currently not listening to any songs on his home computer. Go
    Los Angeles/L.A. Lakers!

  11. Re: Unable to use stunnel with tin...

    On Sun, 15 Jun 2008 17:09:52 UTC in comp.os.linux.questions, Ant
    wrote:

    > Do I chown and chmod to my user/accountname or what? I
    > don't know what this chroot jail thing is about.


    Here's a working set up from a Centos 5 system which should give you an idea of
    how it works.

    cert = /etc/stunnel/stunnel.pem
    chroot = /var/run/stunnel/
    setuid = nobody
    setgid = nobody
    ; PID is created inside chroot jail (/var/run/stunnel/stunnel.pid)
    pid = /stunnel.pid
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    client = yes
    output = /stunnel.log

    chroot = points to a directory and all other paths and file names are then
    relative to that - though I just checked my working system and it does not have
    a /var/run/stunnel/etc/stunnel/stunnel.pem so the cert may be different. The
    directory /var/run/stunnel is then owned by the uid/gid named in the
    setuid/setgid lines and the dir has 700 permissions.


    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com

  12. Re: Unable to use stunnel with tin...

    On 6/15/2008 11:54 AM PT, Trevor Hemsley typed:

    > On Sun, 15 Jun 2008 17:09:52 UTC in comp.os.linux.questions, Ant
    > wrote:
    >
    >> Do I chown and chmod to my user/accountname or what? I
    >> don't know what this chroot jail thing is about.

    >
    > Here's a working set up from a Centos 5 system which should give you an idea of
    > how it works.
    >
    > cert = /etc/stunnel/stunnel.pem
    > chroot = /var/run/stunnel/
    > setuid = nobody
    > setgid = nobody
    > ; PID is created inside chroot jail (/var/run/stunnel/stunnel.pid)
    > pid = /stunnel.pid
    > socket = l:TCP_NODELAY=1
    > socket = r:TCP_NODELAY=1
    > client = yes
    > output = /stunnel.log
    >
    > chroot = points to a directory and all other paths and file names are then
    > relative to that - though I just checked my working system and it does not have
    > a /var/run/stunnel/etc/stunnel/stunnel.pem so the cert may be different. The
    > directory /var/run/stunnel is then owned by the uid/gid named in the
    > setuid/setgid lines and the dir has 700 permissions.


    Is your sample/example the same as this one (didn't change anything in it) I
    have?
    # cat /etc/stunnel/stunnel.conf
    ; Sample stunnel configuration file by Michal Trojnara 2002-2006
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of chroot jail)

    ; Certificate/key is needed in server mode and optional in client mode
    cert = /etc/stunnel/mail.pem
    ;key = /etc/stunnel/mail.pem

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3

    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; PID is created inside chroot jail
    pid = /stunnel4.pid

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = rle

    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS

    ; Authentication stuff
    ;verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; It's often easier to use CAfile
    ;CAfile = /etc/stunnel/certs.pem
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; Alternatively you can use CRLfile
    ;CRLfile = /etc/stunnel/crls.pem

    ; Some debugging stuff useful for troubleshooting
    ;debug = 7
    ;output = /var/log/stunnel4/stunnel.log

    ; Use it for client mode
    ;client = yes

    ; Service-level configuration

    [pop3s]
    accept = 995
    connect = 110

    [imaps]
    accept = 993
    connect = 143

    [ssmtp]
    accept = 465
    connect = 25

    ;[https]
    ;accept = 443
    ;connect = 80
    ;TIMEOUTclose = 0

    ; vim:ft=dosini


    If not, then where would I put this sample/example in and what filename?
    --
    "Now I have you where I want you... where is my jar of Bull ants?" --unknown
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Ant is currently not listening to any songs on his home computer. Go
    Los Angeles/L.A. Lakers!

  13. Re: Unable to use stunnel with tin...

    On Sun, 15 Jun 2008 19:16:41 UTC in comp.os.linux.questions, Ant
    wrote:

    > Is your sample/example the same as this one (didn't change anything in it) I
    > have?


    Pretty much though slightly different. Yours should still be usable though. It
    has a chroot line that says that everything is based relative to
    /var/lib/stunnel4 so the pid = /stunnel4.pid line in it actually means it will
    try to create the file /var/lib/stunnel4/stunnel.pid and it will run as the user
    'stunnel4'. That means that the directory /var/lib/stunnel4 needs to be owned by
    the user stunnel4 and group stunnel4 and that the user will need write access to
    it to be able to create the files there.

    You need to uncomment the line that says
    ;client = yes
    so that it reads
    client = yes

    For the purpose you want to use this for you also need to add the following
    section

    [nntps]
    accept = 127.0.0.1:119
    connect = news.giganews.com:563

    Then point your tin to localhost:119 for its connections.

    You may also want to remove the sections that are provided for [pop3s], [imaps]
    and [ssmtp] (or comment them out anyway).

    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com
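
The chroot and pid-path reasoning in replies 11 and 13, as an added example that is not part of the original thread and is not stunnel's own code: a Python check that reads a stunnel 4 configuration, maps chroot-relative options to their real paths on the host, and reports the settings that decide whether the tunnel starts and whether the server is authenticated. It assumes only the options the sample file's comments place inside the jail (pid, CApath, CRLpath) are chroot-relative; the function names and finding codes are invented for this example, and SAMPLE_CONF is constructed from the configuration posted in the thread.

```python
import posixpath

# Constructed sample: the Debian stunnel.conf as edited in the thread,
# with most comment-only lines trimmed.
SAMPLE_CONF = """\
cert = /etc/stunnel/mail.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;verify = 2
;CAfile = /etc/stunnel/certs.pem
client = yes

[nntps]
accept = 127.0.0.1:119
connect = news.giganews.com:563
"""

# Assumption: only the options the sample file's comments describe as
# "inside chroot jail" are resolved against the chroot directory.
CHROOT_RELATIVE = ("pid", "capath", "crlpath")


def parse_conf(text):
    """Split a config into (global options, {service: options}).

    Keys are lowercased; a repeated option (e.g. socket) keeps its last value.
    """
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return global_opts, services


def effective_path(global_opts, option):
    """Path on the host for an option, with chroot applied where it is relative to it."""
    value = global_opts.get(option)
    if value is None:
        return None
    jail = global_opts.get("chroot")
    if not jail or option not in CHROOT_RELATIVE:
        return value
    # Inside a jail ".." cannot climb above "/", so normalise as absolute first.
    inner = posixpath.normpath("/" + value.lstrip("/"))
    return jail.rstrip("/") + inner


def audit(text):
    """Return (code, message) findings for one stunnel 4 configuration."""
    global_opts, services = parse_conf(text)
    findings = []
    pid = effective_path(global_opts, "pid")
    if pid and global_opts.get("chroot"):
        owner = global_opts.get("setuid", "the user stunnel runs as")
        findings.append(("pid-in-chroot",
                         f"pid file is really {pid}; {posixpath.dirname(pid)} "
                         f"must be writable by {owner}"))
    for name, svc in services.items():
        opts = {**global_opts, **svc}  # service options override global ones
        if opts.get("client", "no").lower() == "yes":
            if opts.get("verify", "0") == "0":
                findings.append(("no-peer-verify",
                                 f"[{name}] client mode without verify: the "
                                 f"server certificate is not checked"))
            elif "cafile" not in opts and "capath" not in opts:
                findings.append(("verify-without-ca",
                                 f"[{name}] verify is set but no CAfile/CApath"))
        if opts.get("sslversion", "").lower() in ("sslv2", "sslv3"):
            findings.append(("obsolete-protocol",
                             f"[{name}] sslVersion = {opts['sslversion']}"))
        accept = svc.get("accept", "")
        port = accept.rsplit(":", 1)[-1]
        if port.isdigit() and int(port) < 1024:
            findings.append(("privileged-port",
                             f"[{name}] accept = {accept} needs stunnel "
                             f"started as root to bind"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF):
        print(f"{code}: {message}")
```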

  14. Re: Unable to use stunnel with tin...

    On 6/15/2008 12:25 PM PT, Trevor Hemsley typed:

    > Pretty much though slightly different. Yours should still be usable though. It
    > has a chroot line that says that everything is based relative to
    > /var/lib/stunnel4 so the pid = /stunnel4.pid line in it actually means it will
    > try to create the file /var/lib/stunnel4/stunnel.pid and it will run as the user
    > 'stunnel4'. That means that the directory /var/lib/stunnel4 needs to be owned by
    > the user stunnel4 and group stunnel4 and that the user will need write access to
    > it to be able to create the files there.
    >
    > You need to uncomment the line that says
    > ;client = yes
    > so that it reads
    > client = yes
    >
    > For the purpose you want to use this for you also need to add the following
    > section
    >
    > [nntps]
    > accept = 127.0.0.1:119
    > connect = news.giganews.com:563
    >
    > Then point your tin to localhost:119 for its connections.
    >
    > You may also want to remove the sections that are provided for [pop3s], [imaps]
    > and [ssmtp] (or comment them out anyway).


    Here's what it looks like now (made a backup copy of the original just in
    case):

    # cat stunnel.conf
    ; Sample stunnel configuration file by Michal Trojnara 2002-2006
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of chroot jail)

    ; Certificate/key is needed in server mode and optional in client mode
    cert = /etc/stunnel/mail.pem
    ;key = /etc/stunnel/mail.pem

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3

    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; PID is created inside chroot jail
    pid = /stunnel4.pid

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = rle

    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS

    ; Authentication stuff
    ;verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; It's often easier to use CAfile
    ;CAfile = /etc/stunnel/certs.pem
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; Alternatively you can use CRLfile
    ;CRLfile = /etc/stunnel/crls.pem

    ; Some debugging stuff useful for troubleshooting
    ;debug = 7
    ;output = /var/log/stunnel4/stunnel.log

    ; Use it for client mode
    client = yes

    ; Service-level configuration

    ;[pop3s]
    ;accept = 995
    ;connect = 110

    ;[imaps]
    ;accept = 993
    ;connect = 143

    ;[ssmtp]
    ;accept = 465
    ;connect = 25

    ;[https]
    ;accept = 443
    ;connect = 80
    ;TIMEOUTclose = 0

    [nntps]
    accept = 127.0.0.1:119
    connect = news.giganews.com:563

    ; vim:ft=dosini


    I still seem to have problems running stunnel with tin:

    $ stunnel -D 7 -c -d 119 -r localhost:119 ; tin -g localhost -p 119
    tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    Iain Lea.
    Connecting to localhost...
    socket or connect problem
    Failed to connect to NNTP server localhost. Exiting...

    $ stunnel -D 7 -c -d 119 -r news.giganews.com:563 ; tin -g localhost -p 119
    tin 1.9.3 release 20080506 ("Dalintober") [UNIX] (c) Copyright 1991-2008
    Iain Lea.
    Connecting to localhost...
    socket or connect problem
    Failed to connect to NNTP server localhost. Exiting...

    $ stunnel tin -r localhost:119
    2008.06.15 12:47:57 LOG7[5694:3082544816]: RAND_status claims sufficient
    entropy for the PRNG
    2008.06.15 12:47:57 LOG7[5694:3082544816]: PRNG seeded successfully
    2008.06.15 12:47:57 LOG3[5694:3082544816]: /etc/stunnel/stunnel.pem: No
    such file or directory (2)


    Maybe I am doing all that wrong.
    --
    "The ants are my friends, they're blowin' in the wind. The ant, sir, is
    blowin' in the wind." --the misheard lyrics to Bob Dylan's "Blowin' in
    the Wind"
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Ant is currently not listening to any songs on his home computer. Go
    Los Angeles/L.A. Lakers!

  15. Re: Unable to use stunnel with tin...

    On Sun, 15 Jun 2008 19:51:03 UTC in comp.os.linux.questions, Ant
    wrote:

    > $ stunnel -D 7 -c -d 119 -r localhost:119 ; tin -g localhost -p 119


    You need to find out which stunnel you are using and stick with it! This is an
    stunnel v3 command line and what you have been tweaking is an stunnel v4
    configuration file. I have no idea how Debian installs this for you but if you
    have stunnel4 then maybe you have an /etc/init.d/stunnel4 script to start it up?
    If so then you'd have to start that as root and it will read the config file and
    do what it wants.

    Or maybe it is stunnel4 and you're trying to pass it parameters that it's just
    silently ignoring! The log output you post shows that it probably is reading
    your conf file as it's talking about /etc/stunnel/stunnel.pem being missing -
    perhaps you need to create it or point stunnel to one that does exist?


    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com

  16. Re: Unable to use stunnel with tin...

    On 6/15/2008 1:11 PM PT, Trevor Hemsley typed:

    >> $ stunnel -D 7 -c -d 119 -r localhost:119 ; tin -g localhost -p 119

    >
    > You need to find out which stunnel you are using and stick with it! This is an
    > stunnel v3 command line and what you have been tweaking is an stunnel v4
    > configuration file. I have no idea how Debian installs this for you but if you
    > have stunnel4 then maybe you have an /etc/init.d/stunnel4 script to start it up?
    > If so then you'd have to start that as root and it will read the config file and
    > do what it wants.
    >
    > Or maybe it is stunnel4 and you're trying to pass it parameters that it's just
    > silently ignoring! The log output you post shows that it probably is reading
    > your conf file as it's talking about /etc/stunnel/stunnel.pem being missing -
    > perhaps you need to create it or point stunnel to one that does exist?


    I think I know what happened:

    # apt-cache show stunnel
    Package: stunnel
    Priority: optional
    Section: net
    Installed-Size: 40
    Maintainer: Luis Rodrigo Gallardo Cruz
    Architecture: all
    Source: stunnel4
    Version: 3:4.22-1.1
    Depends: stunnel4 (>= 3:4.20-3)
    Filename: pool/main/s/stunnel4/stunnel_4.22-1.1_all.deb
    Size: 10166
    MD5sum: 9d3162fdeb77a7d4b62fddefc62cdf9f
    SHA1: f9b3271905c413176406fef8d30ff111b8b9cc02
    SHA256: 616d7c80d6269bbfe5530a20ff5214c8df9e92a054f39cfd9e8f815caa77e5d1
    Description: dummy upgrade package
    stunnel version 3 has been removed from Debian. This is a dummy package
    to ease upgrading to stunnel4.

  17. Re: Unable to use stunnel with tin...

    Ant wrote:
    > On 6/15/2008 4:06 AM PT, Trevor Hemsley typed:
    >
    >>> Here is the version in Debian (I apt-get update and upgrade daily):

    >>
    >> Sorry, I can't help, v3 is too old and I have forgotten all about it.
    >> The difference between v3 and v4 is mainly the addition of
    >> stunnel.conf and the dropping of all the command line parameters. I
    >> have no idea why Debian should continue to ship something that hasn't
    >> been updated in about 7 years but all other distros that I've used
    >> switched to v4 a long time ago.
    >> I do know that stunnel is very fussy about permissions on all its
    >> directories though so it's possible that just creating the directory
    >> is not enough, you might have to chown/chmod it too. It's also
    >> possible that stunnel is running from a chroot jail in which case you
    >> might need to be creating //var/run/stunnel

    >
    > Someone else suggested:
    >
    > $ stunnel -f -c -d 1119 -r news.giganews.com:563
    > 2008.06.15 09:45:06 LOG5[2756:3082602160]: Using 'news.giganews.com.563'
    > as tcpwrapper service name
    > 2008.06.15 09:45:06 LOG5[2756:3082602160]: stunnel 3.26 on
    > i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8g 19 Oct 2007
    > 2008.06.15 09:45:06 LOG3[2756:3082602160]: Argument to -P
    > (/var/run/stunnel/) is not valid a directory name
    >
    > Then, I tried uninstalling and reinstalling stunnel and stunnel4
    > packages via apt-get command. I retried and got different results:
    >
    > $ stunnel -f -c -d 1119 -r news.giganews.com:563
    > 2008.06.15 10:02:12 LOG5[3325:3082749616]: stunnel 4.22 on
    > i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
    > 2008.06.15 10:02:12 LOG5[3325:3082749616]: Threading:PTHREAD SSL:ENGINE
    > Sockets:POLL,IPv6 Auth:LIBWRAP
    > 2008.06.15 10:02:12 LOG5[3325:3082749616]: 500 clients allowed
    > 2008.06.15 10:02:12 LOG3[3325:3082749616]: Cannot create pid file
    > /var/run/stunnel4.pid
    > 2008.06.15 10:02:12 LOG3[3325:3082749616]: create: Permission denied (13)
    >
    > [snip]
    >
    > It seems like it is mentioning the same permission problems you are
    > referring to. Do I chown and chmod to my user/accountname or what? I
    > don't know what this chroot jail thing is about.


    Only root can create pid files in /var/run.

    I choose not to run stunnel as root (actually I run it "nobody" using
    options in stunnel.conf), so I create a subdir (/var/run/stunnel) owned
    by "nobody" and change the pidfile directory using one of the options in
    stunnel.conf. The man page describes the options.

  18. Re: Unable to use stunnel with tin...

    On Sun, 15 Jun 2008 20:20:04 UTC in comp.os.linux.questions, Ant
    wrote:

    > It looks like I have BOTH v3 and v4. I tried the same command as earlier
    > with stunnel4 (e.g., stunnel4 -D 7 -c -d 119 -r localhost:119 ; tin -g
    > localhost -p 119), but still get the same errors.


    V4 takes none of those parameters - it pretty much just wants the location of
    its config file. All the other stuff you've given it there is either ignored or
    is causing an error (ignored most likely).

    > # ls -all /usr/bin/stunnel*


    What would be far more interesting is the output from ls -la /var/lib/stunnel4

    --
    Trevor Hemsley, Brighton, UK
    Trevor dot Hemsley at ntlworld dot com

  19. Re: Unable to use stunnel with tin...

    From the stunnel4 package description:

    This package is compatible with stunnel 3.x version (via a wrapper).

    (I don't use stunnel)
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  20. Re: Unable to use stunnel with tin...

    On 6/15/2008 2:51 PM PT, Trevor Hemsley typed:

    > On Sun, 15 Jun 2008 20:20:04 UTC in comp.os.linux.questions, Ant
    > wrote:
    >
    >> It looks like I have BOTH v3 and v4. I tried the same command as earlier
    >> with stunnel4 (e.g., stunnel4 -D 7 -c -d 119 -r localhost:119 ; tin -g
    >> localhost -p 119), but still get the same errors.

    >
    > V4 takes none of those parameters - it pretty much just wants the location of
    > its config file. All the other stuff you've given it there is either ignored or
    > is causing an error (ignored most likely).


    Ah. And you say my config file should work. Hmm.


    >> # ls -all /usr/bin/stunnel*

    >
    > What would be far more interesting is the output from ls -la /var/lib/stunnel4


    $ ls -la /var/lib/stunnel4
    total 8
    drwxr-xr-x 2 stunnel4 stunnel4 4096 2008-06-15 09:49 .
    drwxr-xr-x 63 root root 4096 2008-06-15 09:49 ..

    Doesn't seem to help (empty)?
    --
    "To conquer the world, we must be as meticulous and calculating as a
    colony of ants on the march." --Julius Caesar
    /\___/\
    / /\ /\ \ Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
    | |o o| | Ant's Quality Foraged Links (AQFL): http://aqfl.net
    \ _ / Remove ANT from e-mail address: philpi@earthlink.netANT
    ( ) or ANTant@zimage.com
    Ant is currently not listening to any songs on his home computer. Go
    Los Angeles/L.A. Lakers!
