Hello,<br><br>after a day of trying:<br><ul><li>2 boxes of <b>Win7 Pro x64</b></li><li>fresh install of <b>stunnel 4.52</b></li><li>keys generated with
C:\Program Files (x86)\stunnel> <b>.\openssl.exe req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem</b></li>
<li><b>certs.pem</b> on both boxes contains the certificate part of stunnel.pem from both machines</li></ul><p>server stunnel.conf (192.168.0.52):</p><p style="margin-left:40px;font-family:courier new,monospace">debug = 7<br>cert = stunnel.pem<br>
verify = 2<br>CAfile = certs.pem<br>
options = NO_SSLv2</p><p style="margin-left:40px;font-family:courier new,monospace">[unison]<br>accept = 10001<br>connect = <a href="http://127.0.0.1:10000">127.0.0.1:10000</a></p><p>client stunnel.conf (192.168.0.216):</p>
<p style="margin-left:40px"><span style="font-family:courier new,monospace">client = yes</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">
debug = 7</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">cert = stunnel.pem</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">
verify = 2</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">CAfile = certs.pem</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">options = NO_SSLv2</span></p>
<p style="margin-left:40px"><span style="font-family:courier new,monospace">[unison]</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">client = yes</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">accept = <a href="http://127.0.0.1:10000">127.0.0.1:10000</a></span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">connect = <a href="http://192.168.0.52:10001">192.168.0.52:10001</a></span><br>
</p><p>Test #1: <b>OK</b><br></p><p style="margin-left:40px">
C:\Program Files (x86)\stunnel><b> .\openssl verify -CAfile certs.pem stunnel.pem</b><br><b>stunnel.pem: OK</b><br><br>C:\Program Files (x86)\stunnel><b> .\openssl verify -CAfile certs.pem certs.pem</b><br><b>certs.pem: OK</b><br>
</p><p>Test #2: <b>OK</b><br></p><p style="margin-left:40px">C:\Program Files (x86)\stunnel> <b>.\openssl s_server -accept 10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2</b></p><p style="margin-left:40px">
vs</p><p style="margin-left:40px">C:\Program Files (x86)\stunnel> <b>.\openssl s_client -connect <a href="http://192.168.0.52:10001">192.168.0.52:10001</a> -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2</b></p>
<p>Test #3: <b>OK - "certificate accepted"<br></b></p><p style="margin-left:40px">C:\Program Files (x86)\stunnel> <b>.\openssl s_server -accept 10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2</b></p>
<p style="margin-left:40px">vs</p>
<p style="margin-left:40px"><b>stunnel client</b></p>
<p>Test #4: <b>OK - "certificate accepted"<br></b></p><p style="margin-left:40px"><b>stunnel server</b></p><p style="margin-left:40px">vs</p><p style="margin-left:40px">C:\Program Files (x86)\stunnel> <b>.\openssl s_client -connect <a href="http://192.168.0.52:10001">192.168.0.52:10001</a> -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2</b></p>
<p><span style="background-color:rgb(255,255,102)">Test #5: </span><b><span style="background-color:rgb(255,255,102)">FAILED</span></b></p><p style="margin-left:40px"><b>stunnel server</b></p><p style="margin-left:40px">
Service unison accepted connection from <a href="http://192.168.0.216:23134">192.168.0.216:23134</a><br>2012.02.14 09:02:39 LOG3[134028:132792]: SSL_accept: 140943F2: error:140943F2:SSL routines:<b>SSL3_READ_BYTES:sslv3 alert unexpected message</b><br>
2012.02.14 09:02:39 LOG5[134028:132792]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket<b><br></b></p><p style="margin-left:40px">
vs</p>
<p style="margin-left:40px"><b>stunnel client<br></b></p><p style="margin-left:40px">2012.02.14 09:02:33 LOG5[2500:5876]: Service unison connected remote server from <a href="http://192.168.0.216:23134">192.168.0.216:23134</a><br>
2012.02.14 09:02:33 LOG7[2500:5876]: Remote FD=372 initialized<br>
2012.02.14 09:02:33 LOG3[2500:5876]: SSL_connect: 140870E8: error:140870E8:SSL routines:<b>SSL3_GET_CERTIFICATE_REQUEST:tls client cert req with anon cipher</b><br>
2012.02.14 09:02:33 LOG5[2500:5876]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</p><br><span style="background-color:rgb(255,255,51)">After a </span><i style="background-color:rgb(255,255,51)">stunnel.conf </i><b style="background-color:rgb(255,255,51)">reload</b><span style="background-color:rgb(255,255,51)"> on both boxes (yes, only a reload), the following details and differences appear:</span><p style="margin-left:40px">
<b>stunnel server</b> vs <b>openssl s_client : OK - "certificate accepted"<br></b></p><p style="margin-left:40px">2012.02.14 09:42:02 LOG5[134236:132440]: Service unison accepted connection from <a href="http://192.168.0.216:23698">192.168.0.216:23698</a><br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): before/accept initialization<br>2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read client hello B<br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): <b>SSLv3 write server hello A</b><br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): <b style="background-color:rgb(255,255,51)">SSLv3 write certificate A</b><br>2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): <b>SSLv3 write key exchange A</b><br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write certificate request A<br>2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 flush data<br>
2012.02.14 09:42:02 LOG7[134236:132440]: Starting certificate verification: depth=0, /C=HU/ST=Mazovia Province/L=Budapest/O=-/OU=client/CN=x-pc<br>
2012.02.14 09:42:02 LOG5[134236:132440]: Certificate accepted: depth=0, /C=HU/ST=Mazovia Province/L=Budapest/O=-/OU=client/CN=x-pc</p><p style="margin-left:40px">2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read client certificate A<br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read client key exchange A<br>2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read certificate verify A<br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read finished A<br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write session ticket A<br>2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write change cipher spec A<br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write finished A<br>
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 flush data<br></p><p style="margin-left:40px"><b>stunnel server</b> vs <b>stunnel client : <span style="background-color:rgb(255,255,51)">FAILED</span></b></p>
<p style="margin-left:40px"><i>server:</i><br></p><p style="margin-left:40px">
2012.02.14 09:45:24 LOG5[134236:134552]: Service unison accepted connection from <a href="http://192.168.0.216:23752">192.168.0.216:23752</a><br>
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): before/accept initialization<br>
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 read client hello B<br>2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): <b>SSLv3 write server hello A</b><br>
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): <b>SSLv3 write key exchange A</b><br>
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 write certificate request A<br>2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 flush data<br>
2012.02.14 09:45:24 LOG7[134236:134552]: SSL alert (read): fatal: unexpected_message<br>
2012.02.14 09:45:24 LOG3[134236:134552]: SSL_accept: 140943F2: error:140943F2:SSL routines:<b>SSL3_READ_BYTES:sslv3 alert unexpected message</b><br>2012.02.14 09:45:24 LOG5[134236:134552]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket<br>
2012.02.14 09:45:24 LOG7[134236:134552]: Service unison finished (0 left)</p><p style="margin-left:40px"><i>client:</i></p><p style="margin-left:40px">2012.02.14 09:45:18 LOG5[1100:7176]: Service unison connected remote server from <a href="http://192.168.0.216:23752">192.168.0.216:23752</a><br>
2012.02.14 09:45:18 LOG7[1100:7176]: Remote FD=452 initialized<br>2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): before/connect initialization<br>2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): SSLv3 write client hello A<br>
2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): <b>SSLv3 read server hello A</b><br>2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): <b>SSLv3 read server key exchange A</b><br>2012.02.14 09:45:18 LOG7[1100:7176]: SSL alert (write): <b>fatal: unexpected_message</b><br>
2012.02.14 09:45:18 LOG3[1100:7176]: SSL_connect: 140870E8: error:140870E8:SSL routines:<b>SSL3_GET_CERTIFICATE_REQUEST:tls client cert req with anon cipher</b><br>2012.02.14 09:45:18 LOG5[1100:7176]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</p>
<p>Please, give me some clues.</p><p>Thank you,</p><p>Laszlo</p>
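<p>The debug = 7 traces in this post differ in one step: in the handshake that worked (stunnel server vs openssl s_client) the server goes "write server hello A", "write certificate A", "write key exchange A", "write certificate request A", while in the failed one (stunnel server vs stunnel client) the "write certificate A" step is absent and the client's error reads "tls client cert req with anon cipher", i.e. a CertificateRequest arrived on an anonymous key exchange. The script below is an added example, not part of the post and not stunnel's code: it groups stunnel log lines by the [pid:tid] tag, reconstructs the server-side handshake from the "SSL state (accept)" lines, and flags a connection in which the server asked for a client certificate without having presented its own. The sample log is constructed from the lines quoted above, reduced to the relevant entries; the function and key names are my own.</p>

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, reduced from the server-side debug = 7 lines in the post:
# thread 132440 is the handshake against openssl s_client (completed), thread
# 134552 the one against the stunnel client (aborted).
SAMPLE_LOG = """\
2012.02.14 09:42:02 LOG5[134236:132440]: Service unison accepted connection from 192.168.0.216:23698
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): before/accept initialization
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read client hello B
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write server hello A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write certificate A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write key exchange A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write certificate request A
2012.02.14 09:42:02 LOG5[134236:132440]: Certificate accepted: depth=0, /C=HU/ST=Mazovia Province/L=Budapest/O=-/OU=client/CN=x-pc
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write finished A
2012.02.14 09:45:24 LOG5[134236:134552]: Service unison accepted connection from 192.168.0.216:23752
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): before/accept initialization
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 read client hello B
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 write server hello A
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 write key exchange A
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 write certificate request A
2012.02.14 09:45:24 LOG7[134236:134552]: SSL alert (read): fatal: unexpected_message
2012.02.14 09:45:24 LOG3[134236:134552]: SSL_accept: 140943F2: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
"""

# "<date> <time> LOG<level>[<pid>:<tid>]: <message>" as stunnel 4.x writes it
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)


def parse_stunnel_log(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Group log lines by connection, keyed on the [pid:tid] tag.

    stunnel 4.x serves each connection from its own thread, so the tid is a
    usable per-connection key for one process's log.
    """
    conns: Dict[str, List[Tuple[str, int, str]]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a stunnel-formatted line; ignore
        key = f"{m['pid']}:{m['tid']}"
        conns.setdefault(key, []).append((m["ts"], int(m["level"]), m["msg"]))
    return conns


def audit_handshake(entries: List[Tuple[str, int, str]]) -> Dict[str, object]:
    """Reconstruct what the server did from its 'SSL state (accept)' trace."""
    msgs = [msg for _, _, msg in entries]
    prefix = "SSL state (accept): "
    states = [m[len(prefix):] for m in msgs if m.startswith(prefix)]
    sent_cert = "SSLv3 write certificate A" in states
    requested = "SSLv3 write certificate request A" in states
    client_ok = any(m.startswith("Certificate accepted:") for m in msgs)
    finished = "SSLv3 write finished A" in states
    errors = [m for m in msgs if m.startswith("SSL_accept:") or m.startswith("SSL alert")]
    findings: List[str] = []
    if requested and not sent_cert:
        findings.append(
            "server asked for a client certificate without presenting its own "
            "(no 'write certificate' step: anonymous key exchange); a client that "
            "verifies the server must abort here"
        )
    if finished and not client_ok:
        findings.append("handshake completed without a verified client certificate")
    return {
        "server_sent_certificate": sent_cert,
        "requested_client_certificate": requested,
        "client_certificate_verified": client_ok,
        "handshake_finished": finished,
        "errors": errors,
        "findings": findings,
    }


def audit_log(text: str) -> Dict[str, Dict[str, object]]:
    """Audit every connection found in a stunnel server log."""
    return {conn: audit_handshake(entries) for conn, entries in parse_stunnel_log(text).items()}


if __name__ == "__main__":
    for conn, result in audit_log(SAMPLE_LOG).items():
        verdict = "OK" if not result["findings"] and not result["errors"] else "PROBLEM"
        print(f"[{conn}] {verdict}")
        for f in result["findings"]:
            print(f"    finding: {f}")
        for e in result["errors"]:
            print(f"    error:   {e}")
```

<p>Run against the server's own log, the check separates the two symptoms seen above: a missing server certificate step (the verifying peer refuses, exactly the "unexpected_message" alert in the trace) and a handshake that completed although no client certificate was verified, which with verify = 2 must never happen.</p>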