Home > Archive > Anonymous Servers > June 2006 > Question About Stunnel
Question About Stunnel

Pilgrim 2006-06-08, 1:13 am
I'm having a little problem getting Stunnel to work.
I'm trying to get Stunnel (v. 4.15) configured for e-mail and usenet
postings. I downloaded the Stunnel program, along with the two necessary
library files (libeay32.dll and libssl32.dll). I copied the Stunnel
configuration program (Stunnel.conf) out of Dr. Who's Security FAQ (v.
20.6), and activated the Stunnel program.
Stunnel seemed to work fine (no error messages in the program log). So I
closed the program. Then, following Dr. Who's suggestions, I dragged
Stunnel into my Freecap program, to socksify it, and tried to start Stunnel
up again. I immediately got the following Win32 'not configured' error
message:
2006.06.07 17:35:25 LOG7[3492:1496]: RAND_status claims sufficient entropy for the PRNG
2006.06.07 17:35:25 LOG6[3492:1496]: PRNG seeded successfully
2006.06.07 17:35:25 LOG3[3492:1496]: Error resolving '0.0.0.0': Neither nodename nor servname known (EAI_NONAME)
2006.06.07 17:35:25 LOG3[3492:1496]: Server is down
If I read the above correctly, Stunnel can't determine the nodename or
servname. The "0.0.0.0" seems to suggest the settings in the Freehand
program, but I've checked it, and the server is "127.0.0.1" and the port is
9050 (in accordance with Dr. Who's instructions).
So at this point, I'm stuck! I can't figure out why Stunnel works okay
outside of Freehand, but not from within Freehand. Anybody know the
answer?
Here's the configuration file (Stunnel.conf) I'm currently using. It works
fine outside of Freehand, but not from within Freehand:
#Config for news and Email
debug = 7
output = log.txt
client = yes
options = all
RNDbytes = 1024
RNDfile = random.bfa
RNDoverwrite = yes
#ciphers = +TLS:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DES-CBC3-SHA
[nntps]
accept = 119
connect = secure.news.easynews.com:563
delay = no
#[BANANA_NNTPS_563]
#accept = 119
#connect = tyrndfbdb2x6g3vg.onion:563
#delay = no
#[BANANA_SPLIT_25]
#accept = 25
#connect = tyrndfbdb2x6g3vg.onion:25
#delay = no
[Panta_TLS_MAIL]
accept = 25
connect = www.panta-rhei.dyndns.org:2507
delay = no
#[nntps_563]
#accept = 119
#connect = 127.0.0.1:563
# end of config
Thanks to anyone who can tell me what I'm doing wrong!
Pilgrim

cwilliams28@cox.net 2006-06-08, 1:13 pm
First change random.bfa to bananarand.bin or some other real random number
file (unless of course, you really have a random number file in your local
directory called random.bfa. If so keep that the way you have it). It is
interesting how information persists in the internet. Random.bfa is a file I
created using the Blowfish Advanced Crypto System software. It has made its
way to the internet via requests for help that I have posted over the years
(just like the one I'm responding to) that have required me to include my
config file. Pardon me if I smile at my little contribution to the internet.
:-) Your ciphers line looks an awful lot like one I posted two or three
months ago :-) I hope it helped.
I don't have time to test your problem right now-- maybe in a day or so. One
thing that pops out at me is the port you are trying to use to connect to
Panta. I've never seen reference to port 2507. Maybe I'm wrong, but you
might want to check that. Also, since stunnel is complaining that it can't
resolve 0.0.0.0, I'd guess you are not picking up the domain name or not
converting the fully qualified domain name to its dotted decimal format
(hence the 0.0.0.0 for the ip address).
Try cleaning up the config file by removing the tor "meet in the middle"
entries. (You can keep a copy elsewhere). Start with a simple config file
and build on it after it is known to work. Does this config work with a
direct (i.e. non-socksified) connection? Oh, and you are running tor on port
9050, right? And freecap is configured to connect to it.
Just as an added note, I don't use freecap, I use the free version of
sockscap. It does the same thing-- I think you have to work a little harder
to get it on the internet, but it is there.
Hope this helps you. If not post again and I will run some experiments.
In short, you have to run tor. Get the latest version and accept the
defaults. It will listen on port 9050 and make connections through the tor
network.
Set up freecap to connect to the SOCKS server which listens on port 9050.
Run freecap and drag stunnel into it. Start stunnel and everything should
work.
I'll bet you are not running tor. Am I right?
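As an added example (not part of this thread and not a tool from the stunnel project), the script below does the two checks that the diagnosis above turns on: it parses a client config like the one posted in the question and flags every service whose "connect" target is a DNS name that stunnel will resolve once at startup (stunnel's "delay" option defaults to "no"; "delay = yes" defers the lookup until a client connection is accepted), and it pulls the error-level lines, and the name behind any "Error resolving" message, out of an stunnel log. The sample config and log lines are constructed from what was quoted in the question; the function names are this example's own.

```python
"""Check an stunnel 4.x client config and its log for the failure seen above (added example)."""
import ipaddress
import re

# Constructed sample: the active sections of the config posted in the question.
SAMPLE_CONF = """\
#Config for news and Email
client = yes
[nntps]
accept = 119
connect = secure.news.easynews.com:563
delay = no
[Panta_TLS_MAIL]
accept = 25
connect = www.panta-rhei.dyndns.org:2507
delay = no
"""

# Constructed sample log, modelled on the lines quoted in the question.
SAMPLE_LOG = """\
2006.06.07 17:35:25 LOG7[3492:1496]: RAND_status claims sufficient entropy for the PRNG
2006.06.07 17:35:25 LOG6[3492:1496]: PRNG seeded successfully
2006.06.07 17:35:25 LOG3[3492:1496]: Error resolving '0.0.0.0': Neither nodename nor servname known (EAI_NONAME)
2006.06.07 17:35:25 LOG3[3492:1496]: Server is down
"""

# "<date> <time> LOG<level>[<pid>:<tid>]: <message>"; levels 0..3 are stunnel's error levels.
LOG_LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")


def parse_conf(text):
    """Split an stunnel config into (global options, {service: options}); keys lower-cased."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":                    # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):   # '[name]' opens a service section
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                                      # not 'key = value'; stunnel rejects these too
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def split_host_port(connect):
    """Split stunnel's 'host:port' connect syntax into (host, port)."""
    host, sep, port = connect.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"connect value not in host:port form: {connect!r}")
    return host, int(port)


def is_literal_ip(host):
    """True for a dotted-decimal or IPv6 literal, which needs no DNS lookup."""
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False


def check_services(global_opts, services):
    """Return the findings a reviewer would raise before socksifying this client."""
    findings = []
    if global_opts.get("client", "no").lower() != "yes":
        findings.append("global: 'client = yes' missing, so services would run in server mode")
    for name, opts in services.items():
        for key in ("accept", "connect"):
            if key not in opts:
                findings.append(f"[{name}]: missing '{key}'")
        if "connect" not in opts:
            continue
        host, port = split_host_port(opts["connect"])
        # A DNS name with 'delay = no' (stunnel's default) is resolved once at startup,
        # which is where the log in the question shows the lookup failing; 'delay = yes'
        # defers the lookup until a client connection is accepted.
        if not is_literal_ip(host) and opts.get("delay", "no").lower() != "yes":
            findings.append(f"[{name}]: '{host}:{port}' is resolved at startup (delay = no); "
                            "set 'delay = yes' to resolve it per connection")
    return findings


def log_errors(text):
    """Return (level, message) for every error-level (LOG0..LOG3) line in an stunnel log."""
    out = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and int(m.group(2)) <= 3:
            out.append((int(m.group(2)), m.group(5)))
    return out


def resolve_failures(text):
    """Names stunnel reported in 'Error resolving' messages (here the bogus '0.0.0.0')."""
    hits = [re.match(r"Error resolving '([^']*)'", msg) for _, msg in log_errors(text)]
    return [m.group(1) for m in hits if m]


if __name__ == "__main__":
    g, s = parse_conf(SAMPLE_CONF)
    print(*check_services(g, s), sep="\n")
    print(log_errors(SAMPLE_LOG), resolve_failures(SAMPLE_LOG))
```

Run against the sample, the config check reports both services (each connects to a DNS name with "delay = no"), and the log check returns the two LOG3 lines and the unresolved name "0.0.0.0". A config that connects to a literal address such as 127.0.0.1:563, or one with "delay = yes", produces no finding, which is the quickest way to tell a startup-time resolver problem from a broken tunnel.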

Pilgrim 2006-06-08, 7:13 pm
cwilliams28@cox.net writes:
>First change random.bfa to bananarand.bin or some other real random number
>file (unless of course, you really have a random number file in your local
>directory called random.bfa. If so keep that the way you have it). It is
>interesting how information persists in the internet. Random.bfa is a file I
>created using the Blowfish Advanced Crypto System software. It has made its
>way to the internet via requests for help that I have posted over the years
>(just like the one I'm responding to) that have required me to include my
>config file. Pardon me if I smile at my little contribution to the internet.
>:-) Your ciphers line looks an awful lot like one I posted two or three
>months ago :-) I hope it helped.
I got it from Dr. Who's Security FAQ (v. 20.6). It was in the
configuration file for Stunnel that he included with his FAQ. I just cut
and pasted the whole thing.
>I don't have time to test your problem right now-- maybe in a day or so. One
>thing that pops out at me is the port you are trying to use to connect to
>Panta. I've never seen reference to port 2507. Maybe I'm wrong, but you
>might want to check that.
The Panta port reference is for encryption of e-mail. Currently I'm just
trying to use Stunnel to encrypt my Agent newsreader, so I've commented out
the Panta section.
>Also, since stunnel is complaining that it can't
>resolve 0.0.0.0, I'd guess you are not picking up the domain name or not
>converting the fully qualified domain name to its dotted decimal format
>(hence the 0.0.0.0 for the ip address).
That's my guess, too. But I'm damned if I can figure out why Stunnel isn't
picking up the domain name.
>Try cleaning up the config file by removing the tor "meet in the middle"
>entries. (You can keep a copy elsewhere). Start with a simple config file
>and build on it after it is known to work. Does this config work with a
>direct (i.e. non-socksified) connection? Oh, and you are running tor on port
>9050, right? And freecap is configured to connect to it.
Actually Stunnel, and the configuration file I got from Dr. Who, are
working just fine outside of Freecap. It's only when I try to run Stunnel
from inside Freecap (to socksify it), that I get the server error message.
It's driving me nuts!
I'm running tor on port 9050, and Freecap is configured to connect to port
9050.
>Just as an added note, I don't use freecap, I use the free version of
>sockscap. It does the same thing-- I think you have to work a little harder
>to get it on the internet, but it is there.
I downloaded sockscap, and tried to install it. The installer fires up,
then vanishes without a trace, and there is no sign of the sockscap program
anywhere. Another mystery. I'm trying to install the 32 bit version of
sockscap on Windows XP.
>Hope this helps you. If not post again and I will run some experiments.
>
>In short, you have to run tor. Get the latest version and accept the
>defaults. It will listen on port 9050 and make connections through the tor
>network.
I've done that. Seems to work just fine.
>Set up freecap to connect to the SOCKS server which listens on port 9050.
>
>Run freecap and drag stunnel into it. Start stunnel and everything should
>work.
>
>I'll bet you are not running tor. Am I right?
Actually Tor was the first thing I set up, and it seems to work just fine.
I can surf anonymously, using Firefox and Privoxy. In fact, I downloaded
that handy little Tor/Vidalia/Privoxy package from the Tor web site. All
three programs were already configured to work with each other. I even
added that cute little "Torbutton" program for Firefox.
I can even drag my Agent Newsreader program into Freecap (to socksify it),
and it seems to work just fine with Tor. But I would like to use Stunnel
to encrypt the Agent data after it leaves the Tor network, and that's where
I'm running into trouble. Agent works fine in Freecap, and Stunnel works
fine outside of Freecap. It's only when I drag Stunnel inside Freecap that
I get the Stunnel server error.
I've checked everything I know how. I made sure Privoxy was properly
configured with the following line in the Privoxy configuration file:
forward-socks4a / 127.0.0.1:9050 .
I removed everything in the Stunnel configuration file, except for the
following:
[nntps]
accept = 119
connect = secure.news.easynews.com:563
delay = no
This causes Stunnel to watch for output from my Agent Newsreader on port
119 (the same port that's listed in the Agent.ini file), and then to
connect to the secure server at Easynews on port 563. And Stunnel will
boot up just fine in this configuration, provided it's not inside Freehand.
If it's inside freehand, Stunnel gives me the server error. Actually
Stunnel has worked fine with EVERY configuration file I've ever tried with
it, provided it wasn't being invoked from inside Freecap. That's where
everything falls apart; when I try to start Stunnel from inside Freecap, in
order to socksify Stunnel.
I've checked the configuration in Freecap. The server is 127.0.0.1, and
the port is 9050. I've tried both version 4 and version 5 of socks
protocol, but I keep getting the same Stunnel server error.
I don't know what else to check. I have to believe it's some ridiculous
little switch, somewhere, but I sure can't seem to find it. If anybody can
solve my problem, I'd be most grateful!
Pilgrim

Two additional approaches as ultima ratio:
>X-Newsreader: Forte Agent 1.92/32.572
1. How about upgrading to the latest Agent version, with which at
least implicit SSL works correctly, though there's still a problem
with TLS (fix seems to be on its way)? But port 563
('secure.news.easynews.com:563') commonly is the nntp port for
implicit SSL, so that wouldn't matter.
2. Do you know of Omnimix? I use this proxy server, which was actually
developed to send anon messages to the mixmaster network, with Agent
for some weeks now. I only had to install Tor in the standard
configuration, point Agent to the Omnimix ports, and let Omnimix know
where the Tor exe stays. As data leakages are possible when using Tor
parallel with different applications, OmniMix now even is able to
launch a Tor client for its exclusive use and close it afterwards
with one button click each. Very nice. It may not be the solution
you're looking for, as pop3 isn't included (yet?) AFAIK, but trying
this setup might at least point you to the problem in your own
communication chain.
BTW @ the Omnimix developers:
Will there be a header filter for non-anonymous messages as well?
Rob

Christian Danner 2006-06-09, 1:13 pm
Hi Rob!
Anonymous-Remailer@See.Comment.Header (Rob) - 9 Jun 2006 09:54:31
-0000:
>Two additional approaches as ultima ratio:
>
>
>1. How about upgrading to the latest Agent version, with which at
>least implicit SSL works correctly, though there's still a problem
>with TLS (fix seems to be on its way)? But port 563
>('secure.news.easynews.com:563') commonly is the nntp port for
>implicit SSL, so that wouldn't matter.
Yep, that's a bug we discovered.
>2. Do you know of Omnimix? I use this proxy server, which was actually
>developed to send anon messages to the mixmaster network, with Agent
>for some weeks now. I only had to install Tor in the standard
>configuration, point Agent to the Omnimix ports, and let Omnimix know
>where the Tor exe stays. As data leakages are possible when using Tor
>parallel with different applications, OmniMix now even is able to
>launch a Tor client for its exclusive use and close it afterwards
>with one button click each.
Some corrections: OmniMix till now doesn't support Tor routing for
'normal' NNTP/SMTP connections, as I thought, that with parallel
connections through Tor you might ease your privacy without being
aware of it. OTOH it seems at least to be a useful option (accompanied
by a big 'DON'T DO ...' disclaimer), as far as Tor will be caused to
change its routing between different tasks (e.g. by pressing the
'NewNym' button within OmniMix). Any objections? So the next release
will allow Tor routing for _all_ outbound connections.
>Very nice.
Thanks.
>It may not be the solution
>you're looking for, as pop3 isn't included (yet?) AFAIK, but trying
>this setup might at least point you to the problem in your own
>communication chain.
At least mail clients like Agent 3.x, which are able to poll multiple
POP accounts, wouldn't benefit from such a proxy server, as the host
access data can't be transmitted with each request. Those have to be
socksified in order to connect directly via Tor.
>BTW @ the Omnimix developers:
> Will there be a header filter for non-anonymous messages as well?
Noted, as well as the POP3 issue (to be used for a critical single
account or clients which don't allow more than one account).
Christian
--
OmniMix .. protect your privacy
http://www.danner-net.de/om.htm

Pilgrim 2006-06-09, 7:12 pm
Pilgrim writes:
>I downloaded sockscap, and tried to install it. The installer fires up,
>then vanishes without a trace, and there is no sign of the sockscap program
>anywhere. Another mystery. I'm trying to install the 32 bit version of
>sockscap on Windows XP.
Well, here's one mystery I finally managed to solve. I discovered that I
can't have Tor running when I try to install Sockscap. The installation
starts, then just stops a few seconds later, with no Sockscap installed. I
thought maybe something might be blocking the installation in the System
Tray, so I started turning programs off. As soon as I turned Tor off,
Sockscap promptly installed itself.
Now we'll see if I have better luck running Stunnel under Sockscap than I
did under Freecap. With Freecap, all I got were server error messages.
Don't know why.
Pilgrim

Pilgrim 2006-06-09, 7:13 pm
Pilgrim writes:
>Well, here's one mystery I finally managed to solve. I discovered that I
>can't have Tor running when I try to install Sockscap. The installation
>starts, then just stops a few seconds later, with no Sockscap installed. I
>thought maybe something might be blocking the installation in the System
>Tray, so I started turning programs off. As soon as I turned Tor off,
>Sockscap promptly installed itself.
>
>Now we'll see if I have better luck running Stunnel under Sockscap than I
>did under Freecap. With Freecap, all I got were server error messages.
>Don't know why.
Ah, sweet success! Sockscap worked beautifully. After turning off Tor,
and successfully installing Sockscap, I dragged the Stunnel icon inside the
Sockscap program, reconfigured Agent, turned Tor back on, and tried
accessing Usenet. Worked perfectly! Sent my first encrypted message
through the Tor network. Now it would seem I have both anonymity AND
privacy for Usenet postings. Sweet!
But I still don't know why I can't get Stunnel to work with Freecap. I
used the exact same version of Stunnel, and the Stunnel configuration file
that works perfectly with Sockscap, but all I still get with Freecap is a
Stunnel server error. Maybe Freecap just doesn't work with Stunnel in
Windows XP?
I'll have to leave the Freecap mystery for someone else to solve. In the
meantime, Sockscap seems to be working just fine with both Agent and
Stunnel.
Now I can surf the Web anonymously, and post anonymously to Usenet. Now I
just have to figure out how to set up a Nym with Quicksilver, to give me
anonymous e-mail.

cwilliams28@cox.net 2006-06-10, 7:12 pm
I hope I helped by pointing you to Sockscap more than I obscured by assuming
you hadn't installed tor :-(
As far as setting up the nym goes, it is pretty straightforward if you
follow the instructions included with quicksilver. The biggest obstacle I
encountered was not using IDEA as the encryption algorithm. I think you have
to use legacy RSA keys and IDEA. Then everything should work smoothly for
you.

Pilgrim 2006-06-10, 7:12 pm
cwilliams28@cox.net writes:
>I hope I helped by pointing you to Sockscap more than I obscured by assuming
>you hadn't installed tor :-(
No problem! Once I figured out that all I had to do to get Sockscap to
install, was to turn off Tor, I was home free. Thanks!
Actually I've since discovered several other programs that won't install
unless Tor is turned off.
>As far as setting up the nym goes, it is pretty straightforward if you
>follow the instructions included with quicksilver. The biggest obstacle I
>encountered was not using IDEA as the encryption algorithm. I think you have
>to use legacy RSA keys and IDEA. Then everything should work smoothly for
>you.
Thanks for the tip!
Pilgrim

George Orwell 2006-06-12, 7:12 am
In article <nasj82tii096e9e30n67vms7n5ecdj6onr@4ax.com>
Pilgrim <alanine2002@yahoogroups.com> wrote:
>
>
> Now I can surf the Web anonymously, and post anonymously to Usenet. Now I
> just have to figure out how to set up a Nym with Quicksilver, to give me
> anonymous e-mail.
The beta version of QuickSilver has a bitchin' Nym Wizard.

Pilgrim 2006-06-12, 1:12 pm
George Orwell writes:
>The beta version of QuickSilver has a bitchin' Nym Wizard.
Yeah, but it looks like I'm not going to be able to use it. Darn!
The problem is that I can't seem to find a version of PGP that will work
with Quicksilver AND with Windows XP. I tried the new PGP (v. 9.0), but it
no longer supports Legacy RSA, and the Quicksilver help files specifically
call for Legacy RSA. I tried PGP (v. 9.0) anyway, and got a warning
message from Quicksilver that I need to wait until the nymservers have been
rewritten to work with the new keys.
So I figured I'd just use PGP (v. 8.1). I downloaded it, and installed it,
but whenever I try to run it, it bombs out with the following error
message:
"The procedure entry point PGPGetTotalNumberOfShares could not be located
in the dynamic link library PGPsdk.dll."
I've tried downloading PGP (v. 8.1) from several different sources, but the
end result is always the same, with the above error message.
I have no idea what this error message means, or how to fix it. But until
I get PGP v. 8.1 operational, I can't use the nym feature in Quicksilver.
I really don't understand why PGP (v. 8.1) won't run on my machine, under
Windows XP. Supposedly it's operational under XP.
Looks like I'm going to have to settle for using Tor with Yahoo mail.
Darn!
Pilgrim

Pilgrim 2006-06-12, 7:12 pm
cwilliams28@cox.net writes:
>As far as setting up the nym goes, it is pretty straightforward if you
>follow the instructions included with quicksilver. The biggest obstacle I
>encountered was not using IDEA as the encryption algorithm. I think you have
>to use legacy RSA keys and IDEA. Then everything should work smoothly for
>you.
I'm sure it would, if I could find a version of PGP that would work with
both Quicksilver and XP. I can't use version 9.0 of PGP, because it no
longer supports Legacy RSAs, and Quicksilver still requires Legacy RSAs.
And I can't use PGP version 8.1 (the last version of PGP that supported
Legacy RSAs) because 8.1 won't run under Windows XP on my computer!
Whenever I install 8.1, and try to run it, I get the following error
message:
"The procedure entry point PGPGetTotalNumberOfShares could not be located
in the dynamic link library PGPsdk.dll."
This is very puzzling, because PGP 8.1 is supposed to run just fine under
Windows XP!
I have no idea what this error message means, or how to fix it. But until
I get PGP v. 8.1 operational, I can't use the nym feature in Quicksilver.
(Maybe I'll have to wait until Quicksilver is rewritten to work with PGP
9.0.)
Pilgrim