Stunnel on Windows 7 64bit
Nick Name
2014-05-02 23:19:34 UTC
The only way I can get stunnel to work is to comment out the
"verify = " line. If I uncomment it, I get this in my
stunnel.log:

2014.05.02 19:06:00 LOG5[1108]: Reading configuration from file stunnel.conf
2014.05.02 19:06:00 LOG5[1108]: FIPS mode disabled
2014.05.02 19:06:00 LOG6[1108]: Compression enabled: 2 algorithm(s)
2014.05.02 19:06:00 LOG7[1108]: Snagged 64 random bytes from C:/.rnd
2014.05.02 19:06:00 LOG7[1108]: Wrote 0 new random bytes to C:/.rnd
2014.05.02 19:06:00 LOG7[1108]: PRNG seeded successfully
2014.05.02 19:06:00 LOG6[1108]: Initializing service [nntps]
2014.05.02 19:06:00 LOG7[1108]: No private key specified
2014.05.02 19:06:00 LOG3[1108]: Error loading verify certificates from certs.pem
2014.05.02 19:06:00 LOG3[1108]: error queue: B084002: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
2014.05.02 19:06:00 LOG3[1108]: error queue: 2006D080: error:2006D080:BIO routines:BIO_new_file:no such file
2014.05.02 19:06:00 LOG3[1108]: SSL_CTX_load_verify_locations: 2001002: error:02001002:system library:fopen:No such file or directory
2014.05.02 19:06:00 LOG3[1108]: Service [nntps]: Failed to initialize SSL context
2014.05.02 19:06:00 LOG3[1108]: Failed to reload the configuration file
2014.05.02 19:06:00 LOG7[1108]: Signal pipe is empty

I use stunnel in client mode only, not as a server.

Here's what my stunnel.conf looks like when it works:

; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

compression = zlib

; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = C:\logs\stunnel\stunnel.log

; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = stunnel.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Disable support for insecure SSLv2 protocol
;options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini

[nntps]
client = yes
accept = 119
connect = secure-us.news.easynews.com:80
pasha19
2014-05-05 15:41:20 UTC
Post by Nick Name
The only way I can get stunnel to work is to comment out the
"verify = " line. If I uncomment it, I get this in my
The verify options mostly require a local copy of the certs in question.
Here's my [nntps] section.

[nntps]
client = yes
verify = 3
CAfile = peer-nntps.pem
accept = 127.0.0.1:119
connect = secure.news.eu.easynews.com:563

After connecting to Easynews with verify off (or set to 1) use stunnel's
"Save Peer Certificate" option. This saves the certificate presented by the
server to your hard drive (in my case as peer-nntps.pem). You can then use
the verify option, specifying the saved certificate file.
Lab Lover
2014-05-05 16:02:13 UTC
Post by pasha19
Post by Nick Name
The only way I can get stunnel to work is to comment out the
"verify = " line. If I uncomment it, I get this in my
The verify options mostly require a local copy of the certs in question.
Here's my [nntps] section.
[nntps]
client = yes
verify = 3
CAfile = peer-nntps.pem
accept = 127.0.0.1:119
connect = secure.news.eu.easynews.com:563
After connecting to Easynews with verify off (or set to 1) use stunnel's
"Save Peer Certificate" option. This saves the certificate presented by the
server to your hard drive (in my case as peer-nntps.pem). You can then use
the verify option, specifying the saved certificate file.
Which of the GoDaddy certs did you download? After you downloaded them, exactly
how did you utilize them?
pasha19
2014-05-05 17:03:51 UTC
Post by Lab Lover
Post by pasha19
The verify options mostly require a local copy of the certs in question.
Here's my [nntps] section.
[nntps]
client = yes
verify = 3
CAfile = peer-nntps.pem
accept = 127.0.0.1:119
connect = secure.news.eu.easynews.com:563
After connecting to Easynews with verify off (or set to 1) use stunnel's
"Save Peer Certificate" option. This saves the certificate presented by the
server to your hard drive (in my case as peer-nntps.pem). You can then use
the verify option, specifying the saved certificate file.
Which of the GoDaddy certs did you download? After you downloaded them, exactly
how did you utilize them?
OK. When stunnel tries to create an SSL connection, the server (Easynews in this case)
presents its certificate to prove it's really Easynews. If you set verify=1 (or greater)
stunnel will verify the certificate's validity and drop the connection if it is invalid.

The stunnel GUI console has an option "Save Peer Certificate" which saves a copy of this
certificate on your hard drive in PEM format. If you set verify=3 and CAfile as the saved
PEM file, stunnel will additionally check that the certificate has not changed (it's the
same as your local copy) since the last time you connected. That's generally all you need.

However, if the server certificate changes legitimately (as many have recently) verify=3
will reject the new one and you have to go through the save process again.

As you know, I recently did this with Easynews and stunnel complained that the new
certificate had "self signed components". Jason, in support, pointed me at this link -
https://certs.godaddy.com/anonymous/repository.pki - where GoDaddy's root certs are
available in various formats.

Sadly PEM is not one of them but, if you have OpenSSL installed, you can convert from other
formats to PEM. I downloaded the DER format file (gd-class2-root.cer) and used this command
to convert it to PEM format.

openssl x509 -in gd-class2-root.cer -inform der -outform pem -out certs.pem

I concatenated this onto my new peer-nntps.pem file (they are just ASCII files),
reloaded the stunnel configuration, and verify=1/2/3 were all happy again.

I only use stunnel for my NNTP client so putting everything in one PEM file is the easiest
option for me. If you use stunnel for other protocols and clients, look at the
documentation for CApath which lets you keep a set of certs in a directory.
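As an added example of the steps described above (not code from the thread, from stunnel or from OpenSSL), a Python model of the CAfile workflow: the DER-to-PEM framing that `openssl x509 -inform der -outform pem` performs, concatenating the converted root onto the saved peer certificate, a strict loader for the resulting bundle, and the verify=3 rule under which a rotated server certificate is rejected until it is saved again. The certificates are constructed placeholder bytes rather than real X.509 data, so chain validation is not modelled.

```python
"""CAfile handling as pasha19 describes it: convert a DER root to PEM, put
it in one file with the saved peer certificate, load that file the way a
line-oriented PEM reader does, and apply the verify=3 rule (the certificate
the server presents must be one stored locally). Added example, not stunnel
or OpenSSL code; the DER blobs are constructed placeholders, not real
certificates, so only PEM framing and byte identity are exercised."""
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed stand-ins for gd-class2-root.cer (DER), the saved peer
# certificate, and a legitimately rotated replacement for it.
ROOT_DER = b"\x30\x82" + b"CONSTRUCTED-ROOT-" + bytes(range(48))
PEER_DER = b"\x30\x82" + b"CONSTRUCTED-PEER-" + bytes(range(48, 96))
ROTATED_PEER_DER = b"\x30\x82" + b"CONSTRUCTED-PEER-" + bytes(range(96, 144))

def der_to_pem(der: bytes) -> str:
    """Framing done by `openssl x509 -inform der -outform pem`: base64 in
    64-column lines between the markers, newline after the END marker."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\n"

def concat_pem(*files: str) -> str:
    """One CAfile from several PEM files. A file saved without a final
    newline would put its END marker and the next BEGIN marker on one
    line, so the newline is restored before appending."""
    return "".join(f if f.endswith("\n") else f + "\n" for f in files)

def load_cafile(text: str) -> list:
    """Strict line-oriented parse of a PEM bundle into DER certificates.
    A line must be a marker, base64 inside a block, or blank outside one;
    anything else (a glued 'END...BEGIN' line, stray text) is rejected."""
    certs, body, inside = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == PEM_HEADER:
            if inside:
                raise ValueError(f"line {lineno}: BEGIN inside a certificate")
            inside, body = True, []
        elif line == PEM_FOOTER:
            if not inside:
                raise ValueError(f"line {lineno}: END without BEGIN")
            certs.append(base64.b64decode("".join(body), validate=True))
            inside = False
        elif inside:
            if not _B64_LINE.match(line):
                raise ValueError(f"line {lineno}: not base64 inside certificate")
            body.append(line)
        elif line:
            raise ValueError(f"line {lineno}: text outside a certificate block")
    if inside:
        raise ValueError("truncated bundle: BEGIN without END")
    return certs

def is_loadable(text: str) -> bool:
    try:
        load_cafile(text)
        return True
    except ValueError:
        return False

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint (what `openssl x509 -fingerprint
    -sha256` prints), for comparing a saved copy with the live server."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def verify3_accepts(presented_der: bytes, cafile_text: str) -> bool:
    """Locally-installed-certificate rule behind verify=3: the presented
    certificate must be byte-identical to one in CAfile, so a legitimately
    rotated certificate fails until the new copy is saved."""
    return any(presented_der == der for der in load_cafile(cafile_text))

def build_bundle() -> str:
    """peer-nntps.pem (saved without a trailing newline) + converted root."""
    return concat_pem(der_to_pem(PEER_DER).rstrip("\n"), der_to_pem(ROOT_DER))

def glued_bundle() -> str:
    """Naive concatenation of the same two files: markers share a line."""
    return der_to_pem(PEER_DER).rstrip("\n") + der_to_pem(ROOT_DER)

if __name__ == "__main__":
    bundle = build_bundle()
    for der in load_cafile(bundle):
        print("in CAfile:", sha256_fingerprint(der))
    print("saved peer accepted:  ", verify3_accepts(PEER_DER, bundle))
    print("rotated peer accepted:", verify3_accepts(ROTATED_PEER_DER, bundle))
    print("glued bundle loadable:", is_loadable(glued_bundle()))
```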
Lab Lover
2014-05-05 19:15:29 UTC
Post by pasha19
Post by Lab Lover
Post by pasha19
The verify options mostly require a local copy of the certs in question.
Here's my [nntps] section.
[nntps]
client = yes
verify = 3
CAfile = peer-nntps.pem
accept = 127.0.0.1:119
connect = secure.news.eu.easynews.com:563
After connecting to Easynews with verify off (or set to 1) use stunnel's
"Save Peer Certificate" option. This saves the certificate presented by the
server to your hard drive (in my case as peer-nntps.pem). You can then use
the verify option, specifying the saved certificate file.
Which of the GoDaddy certs did you download? After you downloaded them, exactly
how did you utilize them?
OK. When stunnel tries to create an SSL connection, the server (Easynews in this case)
presents its certificate to prove it's really Easynews. If you set verify=1 (or greater)
stunnel will verify the certificate's validity and drop the connection if it is invalid.
The stunnel GUI console has an option "Save Peer Certificate" which saves a copy of this
certificate on your hard drive in PEM format. If you set verify=3 and CAfile as the saved
PEM file, stunnel will additionally check that the certificate has not changed (it's the
same as your local copy) since the last time you connected. That's generally all you need.
However, if the server certificate changes legitimately (as many have recently) verify=3
will reject the new one and you have to go through the save process again.
As you know, I recently did this with Easynews and stunnel complained that the new
certificate had "self signed components". Jason, in support, pointed me at this link -
https://certs.godaddy.com/anonymous/repository.pki - where GoDaddy's root certs are
available in various formats.
Sadly PEM is not one of them but, if you have OpenSSL installed, you can convert from other
formats to PEM. I downloaded the DER format file (gd-class2-root.cer) and used this command
to convert it to PEM format.
openssl x509 -in gd-class2-root.cer -inform der -outform pem -out certs.pem
I concatenated this onto my new peer-nntps.pem file (they are just ASCII files),
reloaded the stunnel configuration, and verify=1/2/3 were all happy again.
I only use stunnel for my NNTP client so putting everything in one PEM file is the easiest
option for me. If you use stunnel for other protocols and clients, look at the
documentation for CApath which lets you keep a set of certs in a directory.
Thanks for your very thorough and knowledgeable response, I will take a look at
all this tomorrow! I appreciate your follow-up.
Nick Name
2014-05-05 23:00:54 UTC
Post by pasha19
Post by Lab Lover
Post by pasha19
The verify options mostly require a local copy of the certs in question.
Here's my [nntps] section.
[nntps]
client = yes
verify = 3
CAfile = peer-nntps.pem
accept = 127.0.0.1:119
connect = secure.news.eu.easynews.com:563
After connecting to Easynews with verify off (or set to 1) use stunnel's
"Save Peer Certificate" option. This saves the certificate presented by the
server to your hard drive (in my case as peer-nntps.pem). You can then use
the verify option, specifying the saved certificate file.
Which of the GoDaddy certs did you download? After you downloaded them, exactly
how did you utilize them?
OK. When stunnel tries to create an SSL connection, the server (Easynews in this case)
presents its certificate to prove it's really Easynews. If you set verify=1 (or greater)
stunnel will verify the certificate's validity and drop the connection if it is invalid.
The stunnel GUI console has an option "Save Peer Certificate" which saves a copy of this
certificate on your hard drive in PEM format. If you set verify=3 and CAfile as the saved
PEM file, stunnel will additionally check that the certificate has not changed (it's the
same as your local copy) since the last time you connected. That's generally all you need.
However, if the server certificate changes legitimately (as many have recently) verify=3
will reject the new one and you have to go through the save process again.
As you know, I recently did this with Easynews and stunnel complained that the new
certificate had "self signed components". Jason, in support, pointed me at this link -
https://certs.godaddy.com/anonymous/repository.pki - where GoDaddy's root certs are
available in various formats.
Sadly PEM is not one of them but, if you have OpenSSL installed, you can convert from other
formats to PEM. I downloaded the DER format file (gd-class2-root.cer) and used this command
to convert it to PEM format.
openssl x509 -in gd-class2-root.cer -inform der -outform pem -out certs.pem
I concatenated this onto my new peer-nntps.pem file (they are just ASCII files),
reloaded the stunnel configuration, and verify=1/2/3 were all happy again.
I only use stunnel for my NNTP client so putting everything in one PEM file is the easiest
option for me. If you use stunnel for other protocols and clients, look at the
documentation for CApath which lets you keep a set of certs in a directory.
I have stunnel installed as a service, configured to connect to two different nntps providers. I
use a different port on the localhost to distinguish between the news providers. When I right-click
on the stunnel icon in the system tray and select "Save peer certificate", there are two lines that
say "peer-nntps.pem", and both are greyed out.
pasha19
2014-05-06 17:55:12 UTC
Post by Nick Name
I have stunnel installed as a service, configured to connect to two different nntps providers. I
use a different port on the localhost to distinguish between the news providers. When I right-click
on the stunnel icon in the system tray and select "Save peer certificate", there are two lines that
say "peer-nntps.pem", and both are greyed out.
Hi, you'll need to set verify=1 or 2 (or off, though I don't recommend that) while you go through
the "Save peer certificate" phase. The option will be greyed out if you set verify=3 or 4 as those
levels assume you already have a local certificate copy.
Nick Name
2014-05-07 23:30:22 UTC
Post by Nick Name
Post by pasha19
Post by Nick Name
I have stunnel installed as a service, configured to connect to two
different nntps providers. I use a different port on the localhost to
distinguish between the news providers. When I right-click on the
stunnel icon in the system tray and select "Save peer certificate",
there are two lines that say "peer-nntps.pem", and both are greyed out.
Hi, you'll need to set verify=1 or 2 (or off, though I don't recommend
that) while you go through the "Save peer certificate" phase. The
option will be greyed out if you set verify=3 or 4 as those
levels assume you already have a local certificate copy.
I uninstalled the stunnel service, and then set Windows task scheduler
to run stunnel with "highest privileges" at system startup, since
Windows 7 doesn't allow programs running with lesser permissions to
write to any folder under C:\Program Files or C:\Program Files (x86).
To get the "Save peer certificate" options to work, I first had to
connect to the nntps providers through stunnel. When I did, there were
two available, both named "peer-nntps.pem". I saved them both, which
caused a box to pop-up telling me to add the lines "CAfile =
peer-nntps.pem" and "verify = 3" to the stunnel.conf file and then
reload the configuration. I did so, which made the provider specific
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
and it seems to be running correctly, for now, even though they are both
apparently using the same file to store their certificates and keys.
Thanks for your assistance.
Looks like I spoke too soon. I went away from my computer for a few
hours, and when I came back and tried to post to another news provider's
ssl server through stunnel, it wouldn't work, even though I made no
changes!

This program is really driving me bonkers. I can't figure out how to get
it to verify the connections, and I can't figure out how to get it to
start automatically at boot time AND display its icon in the system tray!
pasha19
2014-05-08 19:05:32 UTC
Post by Nick Name
Post by Nick Name
Post by pasha19
Post by Nick Name
I have stunnel installed as a service, configured to connect to two
different nntps providers. I use a different port on the localhost to
distinguish between the news providers. When I right-click on the
stunnel icon in the system tray and select "Save peer certificate",
there are two lines that say "peer-nntps.pem", and both are greyed out.
Hi, you'll need to set verify=1 or 2 (or off, though I don't recommend
that) while you go through the "Save peer certificate" phase. The
option will be greyed out if you set verify=3 or 4 as those
levels assume you already have a local certificate copy.
I uninstalled the stunnel service, and then set Windows task scheduler
to run stunnel with "highest privileges" at system startup, since
Windows 7 doesn't allow programs running with lesser permissions to
write to any folder under C:\Program Files or C:\Program Files (x86).
To get the "Save peer certificate" options to work, I first had to
connect to the nntps providers through stunnel. When I did, there were
two available, both named "peer-nntps.pem". I saved them both, which
caused a box to pop-up telling me to add the lines "CAfile =
peer-nntps.pem" and "verify = 3" to the stunnel.conf file and then
reload the configuration. I did so, which made the provider specific
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
and it seems to be running correctly, for now, even though they are both
apparently using the same file to store their certificates and keys.
Thanks for your assistance.
Looks like I spoke too soon. I went away from my computer for a few
hours, and when I came back and tried to post to another news provider's
ssl server through stunnel, it wouldn't work, even though I made no
changes!
This program is really driving me bonkers. I can't figure out how to get
it to verify the connections, and I can't figure out how to get it to
start automatically at boot time AND display its icon in the system tray!
Hi, I've not run stunnel as a Windows service so I'm not sure if it's problematic or not.

I'm on Windows 7 too, and I just start stunnel when I need it; no special privileges or
anything. Normally stunnel shouldn't need to write to the install directory and when it does
(like editing the config) current versions should use the Windows UAC to ask for the rights to
do so.

Having the certs in a single file shouldn't be a problem; in PEM format they are just ASCII files.

Can you turn on debug logging - debug=7 - and post the log entries from when connection fails?
Nick Name
2014-05-10 22:16:52 UTC
Post by pasha19
Post by Nick Name
Post by Nick Name
Post by pasha19
Post by Nick Name
I have stunnel installed as a service, configured to connect to two
different nntps providers. I use a different port on the localhost
to distinguish between the news providers. When I right-click on the
stunnel icon in the system tray and select "Save peer certificate",
there are two lines that say "peer-nntps.pem", and both are greyed out.
Hi, you'll need to set verify=1 or 2 (or off, though I don't
recommend that) while you go through the "Save peer certificate"
phase. The option will be greyed out if you set verify=3 or 4 as
those
levels assume you already have a local certificate copy.
I uninstalled the stunnel service, and then set Windows task scheduler
to run stunnel with "highest privileges" at system startup, since
Windows 7 doesn't allow programs running with lesser permissions to
write to any folder under C:\Program Files or C:\Program Files (x86).
To get the "Save peer certificate" options to work, I first had to
connect to the nntps providers through stunnel. When I did, there
were two available, both named "peer-nntps.pem". I saved them both,
which caused a box to pop-up telling me to add the lines "CAfile =
peer-nntps.pem" and "verify = 3" to the stunnel.conf file and then
reload the configuration. I did so, which made the provider specific
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
and it seems to be running correctly, for now, even though they are
both apparently using the same file to store their certificates and
keys.
Thanks for your assistance.
Looks like I spoke too soon. I went away from my computer for a few
hours, and when I came back and tried to post to another news provider's
ssl server through stunnel, it wouldn't work, even though I made no
changes!
This program is really driving me bonkers. I can't figure out how to
get it to verify the connections, and I can't figure out how to get it
to start automatically at boot time AND display its icon in the system
tray!
Hi, I've not run stunnel as a Windows service so I'm not sure if it's problematic or not.
I'm on Windows 7 too, and I just start stunnel when I need it; no
special privileges or anything. Normally stunnel shouldn't need to write
to the install directory and when it does (like editing the config)
current versions should use the Windows UAC to ask for the rights to do
so.
Having the certs in a single file shouldn't be a problem; in PEM format
they are just ASCII files.
Can you turn on debug logging - debug=7 - and post the log entries from
when connection fails?
So a lightbulb went on above my head and I changed the section names so
that my stunnel.conf now looks like this:

[nntps1]
client = yes
CAfile = peer-nntps1.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-us.REDACTED.com:563

[nntps2]
client = yes
CAfile = peer-nntps2.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443

I selected "Reload configuration" from the stunnel gui (I uninstalled the
service and set up a scheduled task to start stunnel at logon, so the tray
icon now appears) and the "Save peer certificate option" then showed me
two certificates, one labeled "peer-nntps1.pem" and the other "peer-nntps2.pem".
I saved them both, made the changes to stunnel.conf,
reloaded the configuration, and it seems to be working, for now. Famous
last words! ;)
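A lint for the stunnel.conf mistakes this thread worked through, added here as an example and not part of stunnel: a CAfile that does not exist (the first post's error), a verify level with no trust material behind it, a client service with verify left off, and duplicate [nntps] sections that both save to peer-nntps.pem. It assumes the peer-<section>.pem naming observed in the posts and takes the directory listing as a set so it runs offline.

```python
"""Lint for the stunnel.conf mistakes that surfaced in this thread: a verify
level that needs trust material with no CAfile/CApath, a CAfile that is not
there (the first post's 'Error loading verify certificates from certs.pem'),
a client service with no verify at all, and two services sharing a section
name so both 'Save peer certificate' entries write the same peer-<name>.pem.
Added example, not stunnel code. Handles the syntax the thread uses (';'
comments, [section], key = value); configparser is avoided because it merges
duplicate sections silently. File names on disk are passed in as a set."""
import re

_SECTION = re.compile(r"^\[(.+)\]$")


def parse_stunnel_conf(text: str):
    """Return (global_options, services); services is a list of
    (name, options) pairs in file order, duplicates preserved."""
    global_opts, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = {}
            services.append((m.group(1).strip(), current))
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        (global_opts if current is None else current)[key] = value
    return global_opts, services


def lint(text: str, files_present: set) -> list:
    """Findings for one stunnel.conf; files_present stands in for a listing
    of the directory stunnel reads CAfile from."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    names = [name for name, _ in services]
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"[{name}] defined {names.count(name)} times: each "
                        f"'Save peer certificate' entry writes peer-{name}.pem")
    for name, opts in services:
        merged = {**global_opts, **opts}           # service overrides globals
        verify = int(merged.get("verify", "0"))
        cafile, capath = merged.get("CAfile"), merged.get("CApath")
        if verify >= 2 and not (cafile or capath):
            findings.append(f"[{name}] verify={verify} but no CAfile/CApath: "
                            "nothing to check the peer certificate against")
        if cafile and cafile not in files_present:
            findings.append(f"[{name}] CAfile={cafile} not found: the SSL "
                            "context for this service fails to initialize")
        if merged.get("client") == "yes" and verify == 0:
            findings.append(f"[{name}] client mode without verify: the server "
                            "certificate is not checked (MITM not prevented)")
    return findings


# Constructed from the thread's posts (the redacted host kept as given).
CONF_DUPLICATE_SECTIONS = """\
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-us.REDACTED.com:563

[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
"""

CONF_MISSING_CAFILE = """\
; global defaults, as in the first post with verify and CAfile uncommented
verify = 2
CAfile = certs.pem

[nntps]
client = yes
accept = 119
connect = secure-us.news.easynews.com:80
"""

if __name__ == "__main__":
    for conf, files in ((CONF_DUPLICATE_SECTIONS, {"peer-nntps.pem"}),
                        (CONF_MISSING_CAFILE, set())):
        for finding in lint(conf, files):
            print(finding)
```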

Nick Name
2014-05-09 02:56:16 UTC
Post by Lab Lover
Post by Nick Name
Post by Nick Name
Post by pasha19
Post by Nick Name
I have stunnel installed as a service, configured to connect to two
different nntps providers. I use a different port on the localhost
to distinguish between the news providers. When I right-click on the
stunnel icon in the system tray and select "Save peer certificate",
there are two lines that say "peer-nntps.pem", and both are greyed out.
Hi, you'll need to set verify=1 or 2 (or off, though I don't
recommend that) while you go through the "Save peer certificate"
phase. The option will be greyed out if you set verify=3 or 4 as
those
levels assume you already have a local certificate copy.
I uninstalled the stunnel service, and then set Windows task scheduler
to run stunnel with "highest privileges" at system startup, since
Windows 7 doesn't allow programs running with lesser permissions to
write to any folder under C:\Program Files or C:\Program Files (x86).
To get the "Save peer certificate" options to work, I first had to
connect to the nntps providers through stunnel. When I did, there
were two available, both named "peer-nntps.pem". I saved them both,
which caused a box to pop-up telling me to add the lines "CAfile =
peer-nntps.pem" and "verify = 3" to the stunnel.conf file and then
reload the configuration. I did so, which made the provider specific
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
and it seems to be running correctly, for now, even though they are
both apparently using the same file to store their certificates and
keys.
Thanks for your assistance.
Looks like I spoke too soon. I went away from my computer for a few
hours, and when I came back and tried to post to another news provider's
ssl server through stunnel, it wouldn't work, even though I made no
changes!
This program is really driving me bonkers. I can't figure out how to
get it to verify the connections, and I can't figure out how to get it
to start automatically at boot time AND display its icon in the system
tray!
In the Stunnel start menu folder (not the install folder) there should
be an entry that says "stunnel service install". Right click that entry
and select run as administrator.
Reboot the system and see if Stunnel is running as a service with the
icon in your system tray. If the icon is not present, open your
services control panel (elevated command prompt, services.msc). Find
the stunnel service, open it and on the log on tab, selected should be
Local account and allow service to interact with desktop.
Save the above and reboot again, the icon should be present in the tray.
I am suggesting the reboots just to be on the safe side.
Followed the above procedure, and the icon was not in the system tray
after the first reboot. I opened the service properties, and on the logon
tab it was set to "Local System Account", and "Allow service to interact
with desktop" was already selected.
Lab Lover
2014-05-09 14:05:26 UTC
Post by Nick Name
Post by Lab Lover
Post by Nick Name
Post by Nick Name
Post by pasha19
Post by Nick Name
I have stunnel installed as a service, configured to connect to two
different nntps providers. I use a different port on the localhost
to distinguish between the news providers. When I right-click on the
stunnel icon in the system tray and select "Save peer certificate",
there are two lines that say "peer-nntps.pem", and both are greyed out.
Hi, you'll need to set verify=1 or 2 (or off, though I don't
recommend that) while you go through the "Save peer certificate"
phase. The option will be greyed out if you set verify=3 or 4 as
those
levels assume you already have a local certificate copy.
I uninstalled the stunnel service, and then set Windows task scheduler
to run stunnel with "highest privileges" at system startup, since
Windows 7 doesn't allow programs running with lesser permissions to
write to any folder under C:\Program Files or C:\Program Files (x86).
To get the "Save peer certificate" options to work, I first had to
connect to the nntps providers through stunnel. When I did, there
were two available, both named "peer-nntps.pem". I saved them both,
which caused a box to pop-up telling me to add the lines "CAfile =
peer-nntps.pem" and "verify = 3" to the stunnel.conf file and then
reload the configuration. I did so, which made the provider specific
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
and it seems to be running correctly, for now, even though they are
both apparently using the same file to store their certificates and
keys.
Thanks for your assistance.
Looks like I spoke too soon. I went away from my computer for a few
hours, and when I came back and tried to post to another news provider's
ssl server through stunnel, it wouldn't work, even though I made no
changes!
This program is really driving me bonkers. I can't figure out how to
get it to verify the connections, and I can't figure out how to get it
to start automatically at boot time AND display its icon in the system
tray!
In the Stunnel start menu folder (not the install folder) there should
be an entry that says "stunnel service install". Right click that entry
and select run as administrator.
Reboot the system and see if Stunnel is running as a service with the
icon in your system tray. If the icon is not present, open your
services control panel (elevated command prompt, services.msc). Find
the stunnel service, open it and on the log on tab, selected should be
Local account and allow service to interact with desktop.
Save the above and reboot again, the icon should be present in the tray.
I am suggesting the reboots just to be on the safe side.
Followed the above procedure, and the icon was not in the system tray
after the first reboot. I opened the service properties, and on the logon
tab it was set to "Local System Account", and "Allow service to interact
with desktop" was already selected.
Do you have your Windows 7 system configured to display all system tray icons?

see:

http://windows.microsoft.com/en-us/windows-vista/show-all-icons-in-the-notification-area-system-tray
Nick Name
2014-05-09 14:43:01 UTC
Post by Lab Lover
Post by Nick Name
On Wed, 07 May 2014 23:30:22 GMT, Nick Name
Post by Nick Name
Post by Nick Name
Post by pasha19
Post by Nick Name
I have stunnel installed as a service, configured to connect to two
different nntps providers. I use a different port on the localhost
to distinguish between the news providers. When I right-click on
the stunnel icon in the system tray and select "Save peer
certificate", there are two lines that say "peer-nntps.pem", and
both are greyed out.
Hi, you'll need to set verify=1 or 2 (or off, though I don't
recommend that) while you go through the "Save peer certificate"
phase. The option will be greyed out if you set verify=3 or 4 as
those
levels assume you already have a local certificate copy.
I uninstalled the stunnel service, and then set Windows task
scheduler to run stunnel with "highest privileges" at system
startup, since Windows 7 doesn't allow programs running with lesser
permissions to write to any folder under C:\Program Files or
C:\Program Files (x86).
To get the "Save peer certificate" options to work, I first had to
connect to the nntps providers through stunnel. When I did, there
were two available, both named "peer-nntps.pem". I saved them both,
which caused a box to pop-up telling me to add the lines "CAfile =
peer-nntps.pem" and "verify = 3" to the stunnel.conf file and then
reload the configuration. I did so, which made the provider specific
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
and it seems to be running correctly, for now, even though they are
both apparently using the same file to store their certificates and
keys.
Thanks for your assistance.
Looks like I spoke too soon. I went away from my computer for a few
hours, and when I came back and tried to post to another news
provider's ssl server through stunnel, it wouldn't work, even though I
made no changes!
This program is really driving me bonkers. I can't figure out how to
get it to verify the connections, and I can't figure out how to get it
to start automatically at boot time AND display its icon in the system
tray!
In the Stunnel start menu folder (not the install folder) there should
be an entry that says "stunnel service install". Right click that
entry and select run as administrator.
Reboot the system and see if Stunnel is running as a service with the
icon in your system tray. If the icon is not present, open your
services control panel (elevated command prompt, services.msc). Find
the stunnel service, open it and on the log on tab, selected should be
Local account and allow service to interact with desktop.
Save the above and reboot again; the icon should be present in the tray.
I am suggesting the reboots just to be on the safe side.
Followed the above procedure, and the icon was not in the system tray
after the first reboot. I opened the service properties, and on the
logon tab it was set to "Local System Account", and "Allow service to
interact with desktop" was already selected.
Do you have your Windows 7 system configured to display all system tray icons?
http://windows.microsoft.com/en-us/windows-vista/show-all-icons-in-the-notification-area-system-tray

No, but I have it set to display the icons I want it to display, including
Stunnel's. I have given up for now on running Stunnel as a service or
getting it to verify the certificates. There is obviously something about
my installation that is different from yours, and I think at this point it
would be close to a miracle if we were to figure out what that is and get
stunnel to work on my machine the way it does on yours. Hell, I have two
machines on the same desk and I can't get Firefox to look the same on both
of them, even though they're both running the same version of FF AND I
copied the profile from one to the other!

Thanks again for your attempts to help me.
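As an added example (not the poster's stunnel.conf and not stunnel's own documentation): the layout quoted above, where both services are named [nntps] and so share one pinned file, beside a layout that gives each provider its own section name and its own CAfile, so that a certificate saved for one provider is not accepted on the tunnel to the other. It assumes that "Save peer certificate" writes peer-<section name>.pem, which matches the peer-nntps.pem the thread shows for a section named [nntps]; the provider1/provider2 names are placeholders.

```ini
; Added example, not the thread's configuration file.

; --- Layout from the thread: two sections with the same name ---
; Both sections are called [nntps], so "Save peer certificate" writes both
; providers' certificates into the one file peer-nntps.pem. With verify = 3
; each tunnel then accepts whichever of the two pinned certificates the
; remote side presents, i.e. provider A's certificate also passes on the
; tunnel to provider B.
[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563

[nntps]
client = yes
CAfile = peer-nntps.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443

; --- One section name and one pinned file per provider ---
; Assumption: the saved file is peer-<section name>.pem, so distinct section
; names give distinct files and each CAfile holds exactly one certificate.
; As advised earlier in the thread, run once at a lower verify level to save
; the peer certificate, then set verify = 3 and reload the configuration.
[nntps-provider1]
client = yes
CAfile = peer-nntps-provider1.pem
verify = 3
accept = 127.0.0.1:118
connect = ssl-XX.XXXXXXX.XXX:563

[nntps-provider2]
client = yes
CAfile = peer-nntps-provider2.pem
verify = 3
accept = 127.0.0.1:119
connect = secure-us.news.easynews.com:443
```

The local accept ports stay as in the thread, so the news reader configuration does not change; only the section names and the pinned-certificate files differ.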
Lab Lover
2014-05-09 15:05:18 UTC
Permalink
You are welcome.

As for Firefox, try using the sync feature on both machines, that might help.