<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> I am currently trying to set up stunnel to help me send emails from a program that sends alerts but does not use SSL, to a cloud email service that I use that requires SSL. I have the configuration set up, trying to find out where the error is, and I am down to this last error.</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
SSL23_GET_CLIENT_HELLO:unknown protocol</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
Here is my config file.</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Some options used here may be inadequate for your particular configuration</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; This sample file does *not* represent stunnel.conf defaults</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; Please consult the manual for detailed description of available options</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; * Global options *</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Debugging stuff (may useful for troubleshooting)</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
;debug = 7</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;output = stunnel.log</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Disable FIPS mode to allow non-approved protocols and algorithms</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
fips = no</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; * Service defaults may also be specified in individual service sections *</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Certificate/key is needed in server mode and optional in client mode</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
cert = stunnel.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;key = stunnel.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Authentication stuff needs to be configured to prevent MITM attacks</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; It is not enabled by default!</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;verify = 2</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; Don't forget to c_rehash CApath</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;CApath = certs</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; It's often easier to use CAfile</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;CAfile = certs.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; Don't forget to c_rehash CRLpath</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;CRLpath = crls</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; Alternatively CRLfile can be used</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;CRLfile = crls.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">sslVersion = all</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Disable support for insecure SSLv2 protocol</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
options = NO_SSLv2</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Workaround for Eudora bug</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
;options = DONT_INSERT_EMPTY_FRAGMENTS</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; These options provide additional security at some performance degradation</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;options = SINGLE_ECDH_USE</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;options = SINGLE_DH_USE</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; * Service definitions (at least one service has to be defined) *</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; **************************************************************************</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; The default certificate</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">cert = stunnel.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Set client mode client = yes</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; GMail ssmtp settings</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
[ssmtp]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">accept = 25</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
connect = <a href="http://174.129.0.38:465/" target="_blank" style="color:rgb(17,85,204)">174.129.0.38:465</a></p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; GMail pop3s settings</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
[pop3s]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">accept = 110</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
connect = <a href="http://174.129.0.38:995/" target="_blank" style="color:rgb(17,85,204)">174.129.0.38:995</a></p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; GMail imaps settings</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">[imaps]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
accept = 143</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">connect = <a href="http://174.129.0.38:993/" target="_blank" style="color:rgb(17,85,204)">174.129.0.38:993</a></p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; Example SSL front-end to a web server</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
;[https]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;accept = 443</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
;connect = 80</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; Microsoft implementations do not use SSL close-notify alert and thus</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
; they are vulnerable to truncation attacks</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">;TIMEOUTclose = 0</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
</p><p class="MsoNormal" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">; vim:ft=dosini</p>
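<p>An added example, not part of the original post and not stunnel's own code: a simplified audit of the configuration as it appears above. It reports each service that has no active <code>client = yes</code> (stunnel's default is server mode, where it expects a TLS ClientHello on the <code>accept</code> port) and no active <code>verify</code> line. The finding labels and the reduced parser, which reads only <code>;</code> comments, <code>[section]</code> headers and <code>key = value</code> pairs, are assumptions of this example.</p>

```python
# Added example: simplified audit of an stunnel.conf (not stunnel's own parser).
# SAMPLE_CONF copies the active and relevant lines of the posted configuration.
SAMPLE_CONF = """\
fips = no
cert = stunnel.pem
;verify = 2
sslVersion = all
options = NO_SSLv2
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Set client mode client = yes
[ssmtp]
accept = 25
connect = 174.129.0.38:465
[pop3s]
accept = 110
connect = 174.129.0.38:995
[imaps]
accept = 143
connect = 174.129.0.38:993
"""

def parse(text):
    """Return (global_options, {service: options}); lines starting with ';' are comments."""
    glob, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # a whole comment line is inert, whatever it contains
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # repeated keys overwrite; enough for the two checks below
            (glob if current is None else current)[key.strip().lower()] = value.strip()
    return glob, services

def audit(text):
    """List (service, finding) pairs; the finding labels are hypothetical names."""
    glob, services = parse(text)
    findings = []
    for name, opts in services.items():
        effective = {**glob, **opts}  # service options override global defaults
        if effective.get("client", "no").lower() != "yes":
            findings.append((name, "server-mode"))      # accept port expects TLS
        if "verify" not in effective:
            findings.append((name, "no-peer-verify"))   # peer certificate unchecked
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE_CONF):
        print(f"[{service}] {finding}")
```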