06-08-06 06:13 AM
I'm having a little problem getting Stunnel to work.
I'm trying to get Stunnel (v. 4.15) configured for e-mail and usenet
postings. I downloaded the Stunnel program, along with the two necessary
library files (libeay32.dll and libssl32.dll). I copied the Stunnel
configuration program (Stunnel.conf) out of Dr. Who's Security FAQ (v.
20.6), and activated the Stunnel program.
Stunnel seemed to work fine (no error messages in the program log). So I
closed the program. Then, following Dr. Who's suggestions, I dragged
Stunnel into my Freecap program, to socksify it, and tried to start Stunnel
up again. I immediately got the following Win32 'not configured' error
message:
2006.06.07 17:35:25 LOG7[3492:1496]: RAND_status claims sufficient entropy for the PRNG
2006.06.07 17:35:25 LOG6[3492:1496]: PRNG seeded successfully
2006.06.07 17:35:25 LOG3[3492:1496]: Error resolving '0.0.0.0': Neither nodename nor servname known (EAI_NONAME)
2006.06.07 17:35:25 LOG3[3492:1496]: Server is down
If I read the above correctly, Stunnel can't determine the nodename or
servname. The "0.0.0.0" seems to suggest the settings in the Freehand
program, but I've checked it, and the server is "127.0.0.1" and the port is
9050 (in accordance with Dr. Who's instructions).
So at this point, I'm stuck! I can't figure out why Stunnel works okay
outside of Freehand, but not from within Freehand. Anybody know the
answer?
Here's the configuration file (Stunnel.conf) I'm currently using. It works
fine outside of Freehand, but not from within Freehand:
#Config for news and Email
debug = 7
output = log.txt
client = yes
options = all
RNDbytes = 1024
RNDfile = random.bfa
RNDoverwrite = yes
#ciphers = +TLS:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DES-CBC3-SHA
[nntps]
accept = 119
connect = secure.news.easynews.com:563
delay = no
#[BANANA_NNTPS_563]
#accept = 119
#connect = tyrndfbdb2x6g3vg.onion:563
#delay = no
#[BANANA_SPLIT_25]
#accept = 25
#connect = tyrndfbdb2x6g3vg.onion:25
#delay = no
[Panta_TLS_MAIL]
accept = 25
connect = www.panta-rhei.dyndns.org:2507
delay = no
#[nntps_563]
#accept = 119
#connect = 127.0.0.1:563
# end of config
Thanks to anyone who can tell me what I'm doing wrong!
Pilgrim

Re: Question About Stunnel
06-08-06 06:13 PM
First change random.bfa to bananarand.bin or some other real random number
file (unless of course, you really have a random number file in your local
directory called random.bfa. If so keep that the way you have it). It is
interesting how information persists in the internet. Random.bfa is a file I
created using the Blowfish Advanced Crypto System software. It has made its
way to the internet via requests for help that I have posted over the years
(just like the one I'm responding to) that have required me to include my
config file. Pardon me if I smile at my little contribution to the internet.
:-) Your ciphers line looks an awful lot like one I posted two or three
months ago :-) I hope it helped.
I don't have time to test your problem right now-- maybe in a day or so. One
thing that pops out at me is the port you are trying to use to connect to
Panta. I've never seen reference to port 2507. Maybe I'm wrong, but you
might want to check that. Also, since stunnel is complaining that it can't
resolve 0.0.0.0, I'd guess you are not picking up the domain name or not
converting the fully qualified domain name to its dotted decimal format
(hence the 0.0.0.0 for the ip address).
Try cleaning up the config file by removing the tor "meet in the middle"
entries. (You can keep a copy elsewhere). Start with a simple config file
and build on it after it is known to work. Does this config work with a
direct (i.e. non socksified) connection? Oh, and you are running tor on port
9050, right? And freecap is configured to connect to it.
Just as an added note, I don't use freecap, I use the free version of
sockscap. It does the same thing-- I think you have to work a little harder
to get it on the internet, but it is there.
Hope this helps you. If not post again and I will run some experiments.
In short, you have to run tor. Get the latest version and accept the
defaults. It will listen on port 9050 and make connections through the tor
network.
Set up freecap to connect to the SOCKS server which listens on port 9050.
Run freecap and drag stunnel into it. start stunnel and everything should
work.
I'll bet you are not running tor. Am I right?

Re: Question About Stunnel
06-09-06 12:13 AM
cwilliams28@cox.net writes:
>First change random.bfa to bananarand.bin or some other real random number
>file (unless of course, you really have a random number file in your local
>directory called random.bfa. If so keep that the way you have it). It is
>interesting how information persists in the internet. Random.bfa is a file I
>created using the Blowfish Advanced Crypto System software. It has made its
>way to the internet via requests for help that I have posted over the years
>(just like the one I'm responding to) that have required me to include my
>config file. Pardon me if I smile at my little contribution to the internet.
>:-) Your ciphers line looks an awful lot like one I posted two or three
>months ago :-) I hope it helped.
I got it from Dr. Who's Security FAQ (v. 20.6). It was in the
configuration file for Stunnel that he included with his FAQ. I just cut
and pasted the whole thing.
>I don't have time to test your problem right now-- maybe in a day or so. One
>thing that pops out at me is the port you are trying to use to connect to
>Panta. I've never seen reference to port 2507. Maybe I'm wrong, but you
>might want to check that.
The Panta port reference is for encryption of e-mail. Currently I'm just
trying to use Stunnel to encrypt my Agent newsreader, so I've commented out
the Panta section.
>Also, since stunnel is complaining that it can't
>resolve 0.0.0.0, I'd guess you are not picking up the domain name or not
>converting the fully qualified domain name to its dotted decimal format
>(hence the 0.0.0.0 for the ip address).
That's my guess, too. But I'm damned if I can figure out why Stunnel isn't
picking up the domain name.
>Try cleaning up the config file by removing the tor "meet in the middle"
>entries. (You can keep a copy elsewhere). Start with a simple config file
>and build on it after it is known to work. Does this config work with a
>direct (i.e. non socksified) connection? Oh, and you are running tor on port
>9050, right? And freecap is configured to connect to it.
Actually Stunnel, and the configuration file I got from Dr. Who, are
working just fine outside of Freecap. It's only when I try to run Stunnel
from inside Freecap (to socksify it), that I get the server error message.
It's driving me nuts!
I'm running tor on port 9050, and Freecap is configured to connect to port
9050.
>Just as an added note, I don't use freecap, I use the free version of
>sockscap. It does the same thing-- I think you have to work a little harder
>to get it on the internet, but it is there.
I downloaded sockscap, and tried to install it. The installer fires up,
then vanishes without a trace, and there is no sign of the sockscap program
anywhere. Another mystery. I'm trying to install the 32 bit version of
sockscap on Windows XP.
>Hope this helps you. If not post again and I will run some experiments.
>
>In short, you have to run tor. Get the latest version and accept the
>defaults. It will listen on port 9050 and make connections through the tor
>network.
I've done that. Seems to work just fine.
>Set up freecap to connect to the SOCKS server which listens on port 9050.
>
>Run freecap and drag stunnel into it. start stunnel and everything should
>work.
>
>I'll bet you are not running tor. Am I right?
Actually Tor was the first thing I set up, and it seems to work just fine.
I can surf anonymously, using Firefox and Privoxy. In fact, I downloaded
that handy little Tor/Vidalia/Privoxy package from the Tor web site. All
three programs were already configured to work with each other. I even
added that cute little "Torbutton" program for Firefox.
I can even drag my Agent Newsreader program into Freecap (to socksify it),
and it seems to work just fine with Tor. But I would like to use Stunnel
to encrypt the Agent data after it leaves the Tor network, and that's where
I'm running into trouble. Agent works fine in Freecap, and Stunnel works
fine outside of Freecap. It's only when I drag Stunnel inside Freecap that
I get the Stunnel server error.
I've checked everything I know how. I made sure Privoxy was properly
configured with the following line in the Privoxy configuration file:
forward-socks4a/127.0.0.1:9050
I removed everything in the Stunnel configuration file, except for the
following:
[nntps]
accept = 119
connect = secure.news.easynews.com:563
delay = no
This causes Stunnel to watch for output from my Agent Newsreader on port
119 (the same port that's listed in the Agent.ini file), and then to
connect to the secure server at Easynews on port 563. And Stunnel will
boot up just fine in this configuration, provided it's not inside Freehand.
If it's inside freehand, Stunnel gives me the server error. Actually
Stunnel has worked fine with EVERY configuration file I've ever tried with
it, provided it wasn't being invoked from inside Freecap. That's where
everything falls apart; when I try to start Stunnel from inside Freecap, in
order to socksify Stunnel.
I've checked the configuration in Freecap. The server is 127.0.0.1, and
the port is 9050. I've tried both version 4 and version 5 of socks
protocol, but I keep getting the same Stunnel server error.
I don't know what else to check. I have to believe it's some ridiculous
little switch, somewhere, but I sure can't seem to find it. If anybody can
solve my problem, I'd be most grateful!
Pilgrim
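
Added example, not part of any poster's message and not stunnel's own code: a small Python reader for the stunnel.conf layout posted in this thread. It lists the service sections that are actually active and flags any whose `accept` line gives only a port, which per stunnel's documentation listens on all local IPv4 addresses (0.0.0.0) rather than loopback only. The function names and the trimmed sample are assumptions made for the example.

```python
import re

# Constructed sample: sections from the stunnel.conf posted earlier in this
# thread, with most global options trimmed.
SAMPLE_CONF = """\
#Config for news and Email
debug = 7
client = yes
[nntps]
accept = 119
connect = secure.news.easynews.com:563
delay = no
#[BANANA_NNTPS_563]
#accept = 119
#connect = tyrndfbdb2x6g3vg.onion:563
[Panta_TLS_MAIL]
accept = 25
connect = www.panta-rhei.dyndns.org:2507
delay = no
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_services(text):
    """Return {section: {option: value}} for sections that are not commented out."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line, so disabled sections never open
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = services.setdefault(m.group(1), {})
        elif current is not None and "=" in line:  # global options are skipped
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return services

def split_endpoint(value):
    """Split 'host:port' or a bare 'port'; a bare port means all IPv4 addresses."""
    host, sep, port = value.rpartition(":")
    return (host if sep else "0.0.0.0"), int(port)

def audit(text):
    """Return (section, listen_host, listen_port, connect, exposed) per service."""
    report = []
    for name, opts in parse_services(text).items():
        if "accept" not in opts:
            continue
        host, port = split_endpoint(opts["accept"])
        report.append((name, host, port, opts.get("connect"), host not in LOOPBACK))
    return report

if __name__ == "__main__":
    for name, host, port, target, exposed in audit(SAMPLE_CONF):
        note = "listens on all interfaces" if exposed else "loopback only"
        print(f"[{name}] {host}:{port} -> {target} ({note})")
```

Writing `accept = 127.0.0.1:119` keeps the unencrypted local side of the tunnel reachable only from the same machine.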

Re: Question About Stunnel
06-09-06 12:13 PM
Two additional approaches as ultima ratio:
>X-Newsreader: Forte Agent 1.92/32.572
1. How about upgrading to the latest Agent version, with which at
least implicit SSL works correctly, though there's still a problem
with TLS (fix seems to be on its way)? But port 563
('secure.news.easynews.com:563') commonly is the nntp port for
implicit SSL, so that wouldn't matter.
2. Do you know of Omnimix? I use this proxy server, which was actually
developed to send anon messages to the mixmaster network, with Agent
for some weeks now. I only had to install Tor in the standard
configuration, point Agent to the Omnimix ports, and let Omnimix know
where the Tor exe stays. As data leakages are possible when using Tor
parallel with different applications, OmniMix now even is able to
launch a Tor client for its exclusive use and close it afterwards
with one button click each. Very nice. It may not be the solution
you're looking for, as pop3 isn't included (yet?) AFAIK, but trying
this setup might at least point you to the problem in your own
communication chain.
BTW @ the Omnimix developers:
Will there be a header filter for non-anonymous messages as well?
Rob

Re: Question About Stunnel
06-09-06 06:13 PM
Hi Rob!
Anonymous-Remailer@See.Comment.Header (Rob) - 9 Jun 2006 09:54:31 -0000:
>Two additional approaches as ultima ratio:
>
>
>1. How about upgrading to the latest Agent version, with which at
>least implicit SSL works correctly, though there's still a problem
>with TLS (fix seems to be on its way)? But port 563
>('secure.news.easynews.com:563') commonly is the nntp port for
>implicit SSL, so that wouldn't matter.
Yep, that's a bug we discovered.
>2. Do you know of Omnimix? I use this proxy server, which was actually
>developed to send anon messages to the mixmaster network, with Agent
>for some weeks now. I only had to install Tor in the standard
>configuration, point Agent to the Omnimix ports, and let Omnimix know
>where the Tor exe stays. As data leakages are possible when using Tor
>parallel with different applications, OmniMix now even is able to
>launch a Tor client for its exclusive use and close it afterwards
>with one button click each.
Some corrections: OmniMix till now doesn't support Tor routing for
'normal' NNTP/SMTP connections, as I thought, that with parallel
connections through Tor you might ease your privacy without being
aware of it. OTOH it seems at least to be a useful option (accompanied
by a big 'DON'T DO ...' disclaimer), as far as Tor will be caused to
change its routing between different tasks (e.g. by pressing the
'NewNym' button within OmniMix). Any objections? So the next release
will allow Tor routing for _all_ outbound connections.
>Very nice.
Thanks.
>It may not be the solution
>you're looking for, as pop3 isn't included (yet?) AFAIK, but trying
>this setup might at least point you to the problem in your own
>communication chain.
At least mail clients like Agent 3.x, which are able to poll multiple
POP accounts, wouldn't benefit from such a proxy server, as the host
access data can't be transmitted with each request. Those have to be
socksified in order to connect directly via Tor.
>BTW @ the Omnimix developers:
> Will there be a header filter for non-anonymous messages as well?
Noted, as well as the POP3 issue (to be used for a critical single
account or clients which don't allow more than one account).
Christian
--
OmniMix .. protect your privacy
http://www.danner-net.de/om.htm

Re: Question About Stunnel
06-10-06 12:12 AM
Pilgrim writes:
>I downloaded sockscap, and tried to install it. The installer fires up,
>then vanishes without a trace, and there is no sign of the sockscap program
>anywhere. Another mystery. I'm trying to install the 32 bit version of
>sockscap on Windows XP.
Well, here's one mystery I finally managed to solve. I discovered that I
can't have Tor running when I try to install Sockscap. Then installation
starts, then just stops a few seconds later, with no Sockscap installed. I
thought maybe something might be blocking the installation in the System
Tray, so I started turning programs off. As soon as I turned Tor off,
Sockscap promptly installed itself.
Now we'll see if I have better luck running Stunnel under Sockscap than I
did under Freecap. With Freecap, all I got were server error messages.
Don't know why.
Pilgrim

Re: Question About Stunnel
06-10-06 12:13 AM
Pilgrim writes:
>Well, here's one mystery I finally managed to solve. I discovered that I
>can't have Tor running when I try to install Sockscap. Then installation
>starts, then just stops a few seconds later, with no Sockscap installed. I
>thought maybe something might be blocking the installation in the System
>Tray, so I started turning programs off. As soon as I turned Tor off,
>Sockscap promptly installed itself.
>
>Now we'll see if I have better luck running Stunnel under Sockscap than I
>did under Freecap. With Freecap, all I got were server error messages.
>Don't know why.
Ah, sweet success! Sockscap worked beautifully. After turning off Tor,
and successfully installing Sockscap, I dragged the Stunnel icon inside the
Sockscap program, reconfigured Agent, turned Tor back on, and tried
accessing Usenet. Worked perfectly! Sent my first encrypted message
through the Tor network. Now it would seem I have both anonymity AND
privacy for Usenet postings. Sweet!
But I still don't know why I can't get Stunnel to work with Freecap. I
used the exact same version of Stunnel, and the Stunnel configuration file
that works perfectly with Sockscap, but all I still get with Freecap is a
Stunnel server error. Maybe Freecap just don't work with Stunnel in
Windows XP?
I'll have to leave the Freecap mystery for someone else to solve. In the
meantime, Sockscap seems to be working just fine with both Agent and
Stunnel.
Now I can surf the Web anonymously, and post anonymously to Usenet. Now I
just have to figure out how to set up a Nym with Quicksilver, to give me
anonymous e-mail.

Re: Question About Stunnel
06-11-06 12:12 AM
I hope I helped by pointing you to sockscap more than I obscured by assuming
you hadn't installed tor :-(
As far as setting up the nym goes, it is pretty straight forward if you
follow the instructions included with quicksilver. The biggest obstacle I
encountered was not using IDEA as the encryption algorithm. I think you have
to use legacy RSA keys and IDEA. Then everything should work smoothly for
you.

Re: Question About Stunnel
06-11-06 12:12 AM
cwilliams28@cox.net writes:
>I hope I helped by pointing you to sockscap more than I obscured by assuming
>you hadn't installed tor :-(
No problem! Once I figured out that all I had to do to get Sockscap to
install, was to turn off Tor, I was home free. Thanks!
Actually I've since discovered several other programs that won't install
unless Tor is turned off.
>As far as setting up the nym goes, it is pretty straight forward if you
>follow the instructions included with quicksilver. The biggest obstacle I
>encountered was not using IDEA as the encryption algorithm. I think you have
>to use legacy RSA keys and IDEA. Then everything should work smoothly for
>you.
Thanks for the tip!
Pilgrim

Re: Question About Stunnel
06-12-06 12:12 PM
In article <nasj82tii096e9e30n67vms7n5ecdj6onr@4ax.com>
Pilgrim <alanine2002@yahoogroups.com> wrote:
>
>
> Now I can surf the Web anonymously, and post anonymously to Usenet. Now I
> just have to figure out how to set up a Nym with Quicksilver, to give me
> anonymous e-mail.
The beta version of QuickSilver has a bitchin' Nym Wizard.