2

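I installed stunnel4 from the software manager. When I try to run stunnel on Ubuntu 14 or Linux Mint 17, I get the following message. I have it working on CentOS6.5 and MacOS X Mavericks. I don't know what to try next. Rebuilding openssl is a mess, if that is even the problem.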

idf@idf-ZBOX-ID42-BE ~ $ sudo stunnel
Clients allowed=500
stunnel 4.53 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running  with OpenSSL 1.0.1f 6 Jan 2014
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from descriptor 3
Compression not enabled
PRNG seeded successfully
Initializing inetd mode configuration
Section stunnel: SSL server needs a certificate
str_stats: 2 block(s), 10 data byte(s), 116 control byte(s)
idf@idf-ZBOX-ID42-BE ~ $ 

My conf file looks like this:

idf@idf-ZBOX-ID42-BE ~ $ more /etc/stunnel/stunnel.conf 
;Example stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
;cert = stunnel.pem
;key = stunnel.pem
cert = /home/idf/Downloads/cert.pem
key  = /home/idf/Downloads/key.pem
fips = no
libwrap=no
;
;Protocol version (all, SSLv2, SSLv3, TLSv1)
;sslVersion = all
sslVersion = all 
ciphers = ALL

;
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel4/
setuid = stunnel4 
setgid = stunnel4 
; PID is created inside the chroot jail
pid = /home/idf/stunnel.pid


; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = cacerts.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[xxxxxxx-xxx-xxxxx]
client = yes
accept = 127.0.0.1:9099
connect= xx.xx.xx.xx:2506

; vim:ft=dosini
idf@idf-ZBOX-ID42-BE ~ $

If I uninstall the stunnel from the repository and replace it with this one:

https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3

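I still get the output below, even if I disable compression. I don't understand why it tells me "Service [stunnel]: SSL server needs a certificate", since I am trying to use it in client mode only. Also, the other end does not require a certificate.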

idf@idf-ZBOX-ID42-BE ~/Downloads $ sudo stunnel
[ ] Clients allowed=500
[.] stunnel 5.01 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
[.] Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from descriptor 3
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing inetd mode configuration
[!] Service [stunnel]: SSL server needs a certificate
idf@idf-ZBOX-ID42-BE ~/Downloads $ ps ax | grep stunnel

2 Answers

1

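I just went through this the other day.

You want stunnel4_5.01-3_amd64.deb - you have to download it - it's not in the repos yet. I believe someone got it working with 4.53, but I didn't manage it.

https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3

openssl 1.0.1f and libssl.1.0.0 and libssl.1.0.0:i386 1.0.1f (they are the current versions) are fine. But note this from your startup output:

Compiled with OpenSSL 1.0.1e 11 Feb 2013 Running with OpenSSL 1.0.1f 6 Jan 2014

I think updating stunnel as described above will sort it out for you.

The other thing you need to do is turn off compression in your stunnel.conf - none of the different types of compression I have tried so far work. Hopefully this is temporary.

Regards,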

hth

answered 2014-05-31T16:00:55.283
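
The check this answer points at (compiled versus running OpenSSL version in the startup output), as an added example that is not part of the original answer: a small Python helper run over lines excerpted from the two startup outputs in the question. The function name `triage` and the result keys are assumptions made for this illustration.

```python
import re

# Lines excerpted from the question's two startup outputs (stunnel 4.53 and 5.01).
RUN_453 = """\
stunnel 4.53 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running  with OpenSSL 1.0.1f 6 Jan 2014
Update OpenSSL shared libraries or rebuild stunnel
Compression not enabled
Initializing inetd mode configuration
Section stunnel: SSL server needs a certificate
"""
RUN_501 = """\
[.] stunnel 5.01 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
[ ] Compression disabled
[ ] Initializing inetd mode configuration
[!] Service [stunnel]: SSL server needs a certificate
"""

_PREFIX = re.compile(r"^\[.\]\s*")  # 5.x log-level marker such as "[!] "
_OPENSSL = re.compile(r"^(Compiled/running|Compiled|Running)\s+with OpenSSL (\S+)")

def triage(banner):
    """Summarise a stunnel startup banner (hypothetical helper, not stunnel's own)."""
    info = {"stunnel": None, "compiled": None, "running": None,
            "mismatch": False, "inetd_mode": False, "errors": []}
    for raw in banner.splitlines():
        marker = raw[:3]
        line = _PREFIX.sub("", raw).strip()
        m = re.match(r"stunnel (\S+) on ", line)
        if m:
            info["stunnel"] = m.group(1)
        m = _OPENSSL.match(line)
        if m:
            kind, ver = m.groups()
            if kind != "Running":   # "Compiled" or "Compiled/running"
                info["compiled"] = ver
            if kind != "Compiled":  # "Running" or "Compiled/running"
                info["running"] = ver
        if "inetd mode" in line:
            info["inetd_mode"] = True
        if marker == "[!]" or "needs a certificate" in line:
            info["errors"].append(line)
    # True only when the build-time and run-time OpenSSL versions differ.
    info["mismatch"] = info["compiled"] != info["running"]
    return info
```

On the 5.01 output the two OpenSSL versions agree, while the inetd-mode line and the certificate error appear in both runs.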
0

(I'm the same person as user3694589 above - finally bothered to create an account.)

FYI, I just subscribed to this related bug and marked it as affecting me on launchpad.net:

https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1315844

You may want to add yourself as well. A few minutes later, I received this email:


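Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: stunnel4 (Ubuntu) Status: New => Confirmed

-- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1315844 Title: won't start with compression

answered 2014-06-01T16:10:57.683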