Hi Robert,
If your only reason to migrate is to mitigate an OpenSSL vuln, you can try to
replace the openssl.exe binary and the DLLs used in your currently working
Stunnel version. Since there is no compatibility breaking changes in latest
OpenSSL releases, Stunnel should be able to load it without complaining. I
currently do this with the 1.1.1 branch, and it is working flawlessly so far :)
Can't say for sure for the 3.0.0 branch, but it's worth a try.
You can find up-to-date pre-built binaries here:
http://wiki.overbyte.eu/wiki/index.php/ICS_Download#Download_OpenSSL_Binaries_.2
8required_for_SSL-enabled_components.29
Other options are also listed on the official OpenSSL wiki:
https://wiki.openssl.org/index.php/Binaries
Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
-----Message d'origine-----
De : robert.croteau--- via stunnel-users<[email protected]>
Envoyé : vendredi 15 avril 2022 09:21
À :[email protected]
Objet : [stunnel-users] Windows service won't start. ""The Stunnel TLS wrapper
service
is marked as an interactive service."
Window 10 LTCS (1089):
"The Stunnel TLS wrapper service is marked as an interactive service.
However, the
system is configured to not allow interactive services. This service may not
function
properly."
looks like starting with version 5.61, this above error appears in the System
Event log.
I've given a quick glance at the changes from 5.60 to 5.61 and there a lot of
them.
From the release notes, seems that windows services code might have been
affected:
New features for the Windows platform
- Added client mode allowing authenticated users to view logs, reconfigure and
terminate running stunnel services.
- Added support for multiple GUI and service instances distinguised by the
location of
stunnel.conf.
On GitHub, I also noticed that in the source code for src/ui_win_gui.c the
service is
created as follows:
service=CreateService(scm, SERVICE_NAME, SERVICE_DISPLAY_NAME,
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, service_path,
NULL, NULL, TEXT("TCPIP\0"), NULL, NULL);ui_win_gui.c at around line
1622
the SERVICE_INTERACTIVE_PROCESS flag is set
Is this flag necessary? I guess that would be the culprit.
my reason to upgrade is because of the CVE-2022-0778 OpenSSL vulnerability
anyone has a workaround for this?
Microsoft has fully disabled Interactive Service Detection starting with
Windows 10
Build 1803 and Windows Server 2016 and 2019. So, it looks like that that
Interactive
services are no longer allowed and this can't be circumvented by changing some
registry setting like it seems it was possible before.
thank you
_______________________________________________
stunnel-users mailing list [email protected] To unsubscribe send an
email
[email protected]
#
" Ce courriel et les documents qui lui sont joints peuvent contenir des informations
confidentielles, être soumis aux règlementations relatives au contrôle des exportations
ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il
est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque
manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est
interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur
et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous
les documents qui y sont attachés."
******
" This e-mail and any attached documents may contain confidential or proprietary
information and may be subject to export control laws and regulations. If you are not the
intended recipient, you are notified that any dissemination, copying of this e-mail and
any attachments thereto or use of their contents by any means whatsoever is strictly
prohibited. Unauthorized export or re-export is prohibited. If you have received this
e-mail in error, please advise the sender immediately and delete this e-mail and all
attached documents from your computer system."
#
_______________________________________________
stunnel-users mailing list [email protected]
To unsubscribe send an email [email protected]
