<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div>Hello there!<br><br>Some time ago I used stunnel to send the output of a homebrew logging script to a remote server. For a few weeks now, the server has had an expired certificate, so I get an error while connecting to it. The stunnel.log looks like this:<br><br><pre>
2011.11.18 12:23:36 LOG5[753:3078719168]: stunnel 4.29 on i486-pc-linux-gnu with OpenSSL 0.9.8o 01 Jun 2010
2011.11.18 12:23:36 LOG5[753:3078719168]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.11.18 12:23:36 LOG5[753:3078719168]: 500 clients allowed
2011.11.18 12:24:00 LOG5[759:3078716272]: https accepted connection from 127.0.0.1:40691
2011.11.18 12:24:00 LOG5[759:3078716272]: connect_blocking: connected example.com:443
2011.11.18 12:24:00 LOG5[759:3078716272]: https connected remote server from my_outside_ip:38486
2011.11.18 12:24:00 LOG3[759:3078716272]: SSL_connect: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2011.11.18 12:24:00 LOG5[759:3078716272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
</pre><br>This happens when connecting manually with "nc -v 127.0.0.1 1234" to make an HTTP GET request.<br>To also provide the config file of my Linux client:<br><br><pre>
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/https.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[https]
accept = 127.0.0.1:1234
connect = example.com:443
TIMEOUTclose = 0

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

[ssmtp]
accept = 465
connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
</pre><br>So, the server I am logging to is not under my control.<br>Is there a problem I don't see? I thought that when I connect to localhost, the data should be forwarded to the HTTPS server.<br><br>Thanks in advance.<br><br>-Rolf</div></div></body></html>
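A triage helper for the kind of handshake error shown in the log above, added here as an example; it is not part of Rolf's post and not stunnel's own code. It parses stunnel 4.x log lines (a constructed sample modelled on the post, plus one extra constructed line for a locally failed verification) and separates alerts that were received from the peer (an OpenSSL reason of the form "sslv3 alert ..." or "tlsv1 alert ..." raised from SSL3_READ_BYTES) from failures of the client's own verification of the server certificate ("certificate verify failed"). The helper names `triage` and `classify` and the `HandshakeFailure` record are the example's own.

```python
"""Triage OpenSSL handshake errors in stunnel 4.x client logs.

Added example, not from the original post or from stunnel. The sample lines
are constructed to match the stunnel 4.29 log format. The classification rule
is the standard OpenSSL one: a reason string "... alert <description>" reported
from SSL3_READ_BYTES is an alert the *peer* sent to us, whereas "certificate
verify failed" is our own verification of the peer's certificate failing.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log, modelled on the stunnel 4.x lines in the post.
SAMPLE_LOG = """\
2011.11.18 12:24:00 LOG5[759:3078716272]: https accepted connection from 127.0.0.1:40691
2011.11.18 12:24:00 LOG5[759:3078716272]: connect_blocking: connected example.com:443
2011.11.18 12:24:00 LOG3[759:3078716272]: SSL_connect: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2011.11.18 12:24:00 LOG5[759:3078716272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.11.18 12:30:00 LOG3[760:3078716272]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

# stunnel 4.x line: "<date> <time> LOG<level>[<pid>:<tid>]: <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
SSL_ERROR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)
# Alert descriptions as OpenSSL 0.9.8/1.0 spell them in the reason string.
PEER_ALERT = re.compile(r"^(?:sslv3|tlsv1) alert (?P<desc>.+)$")


@dataclass
class HandshakeFailure:
    timestamp: str
    function: str   # OpenSSL function that raised the error
    reason: str     # raw OpenSSL reason string
    side: str       # "peer", "local" or "unknown"
    detail: str     # short diagnosis


def classify(func: str, reason: str) -> Tuple[str, str]:
    """Return (side, detail) for one OpenSSL function/reason pair."""
    m = PEER_ALERT.match(reason)
    if m and func == "SSL3_READ_BYTES":
        # The alert was read off the wire: the remote end aborted the
        # handshake and told us why. For a client that presents its own
        # certificate ("cert =" in stunnel.conf), an alert such as
        # "certificate expired" describes what the peer thinks of the
        # certificate *we* sent, not the peer's own certificate.
        return "peer", f"peer sent alert '{m.group('desc')}'"
    if "certificate verify failed" in reason:
        # Our side rejected the peer certificate; in stunnel this only
        # happens when "verify" is enabled in stunnel.conf.
        return "local", "local verification of the peer certificate failed"
    return "unknown", reason


def triage(log_text: str) -> List[HandshakeFailure]:
    """Extract handshake failures (SSL_connect/SSL_accept) from stunnel log text."""
    failures: List[HandshakeFailure] = []
    for line in log_text.splitlines():
        lm = LOG_LINE.match(line)
        if not lm:
            continue
        em = SSL_ERROR.search(lm.group("msg"))
        if not em:
            continue
        side, detail = classify(em.group("func"), em.group("reason"))
        failures.append(HandshakeFailure(lm.group("ts"), em.group("func"),
                                         em.group("reason"), side, detail))
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} {f.function}: {f.side}: {f.detail}")
```

Run against the sample, the first failure is reported as a peer-sent "certificate expired" alert and the second as a local verification failure; the distinction matters because only the second one says anything about the server's certificate, while the first is the server's verdict on whatever the client presented.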