<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Try adding verifyPeer=no <div><br></div><div>Stunnel does not trust the certificate presented by the server. Review the man page regarding certificate verification.<br><br><div id="AppleMailSignature">Regards<div>Jose Alfredo Diaz</div><div><br></div><div><br></div></div><div><br>On Dec 4, 2017, at 4:24 AM, Ziad Badawi <<a href="mailto:ZiadR.B@gmail.com">ZiadR.B@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div class="gmail_quote"><div class="m_1265305938352508894HOEnZb"><div class="m_1265305938352508894h5"><div dir="ltr"><div style="font-size:12.8px"><font color="#000000">Greetings,</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">I am trying to capture clear text pcaps from client (browser) - server (java appserver) traffic.</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">The java appserver is jboss using https. 
I'm running jboss and stunnel on the same machine.</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000"># stunnel.conf</font></div><div style="font-size:12.8px"><font color="#000000">debug = 3</font></div><div style="font-size:12.8px"><font color="#000000">foreground = yes</font></div><div style="font-size:12.8px"><font color="#000000">[jboss]</font></div><div style="font-size:12.8px"><font color="#000000">client = yes</font></div><div style="font-size:12.8px"><font color="#000000">cert= stunnel.pem # generated using makecert.sh</font></div><div style="font-size:12.8px"><font color="#000000">accept = 1234</font></div><div style="font-size:12.8px"><font color="#000000">connect = <a href="http://127.0.0.1:443">127.0.0.1:443</a></font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">Version:</font></div><div style="font-size:12.8px"><font color="#000000">stunnel 5.44 on x86_64-pc-linux-gnu platform</font></div><div style="font-size:12.8px"><font color="#000000">Compiled/running with OpenSSL 1.0.2k-fips 26 Jan 2017</font></div><div style="font-size:12.8px"><font color="#000000">Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">Global options:</font></div><div style="font-size:12.8px"><font color="#000000">RNDbytes = 64</font></div><div style="font-size:12.8px"><font color="#000000">RNDfile = /dev/urandom</font></div><div style="font-size:12.8px"><font color="#000000">RNDoverwrite = yes</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">Service-level options:</font></div><div style="font-size:12.8px"><font color="#000000">ciphers = FIPS (with "fips = yes")</font></div><div 
style="font-size:12.8px"><font color="#000000">ciphers = HIGH:!DH:!aNULL:!SSLv2 (with "fips = no")</font></div><div style="font-size:12.8px"><font color="#000000">curve = prime256v1</font></div><div style="font-size:12.8px"><font color="#000000">debug = daemon.notice</font></div><div style="font-size:12.8px"><font color="#000000">logId = sequential</font></div><div style="font-size:12.8px"><font color="#000000">options = NO_SSLv2</font></div><div style="font-size:12.8px"><font color="#000000">options = NO_SSLv3</font></div><div style="font-size:12.8px"><font color="#000000">sessionCacheSize = 1000</font></div><div style="font-size:12.8px"><font color="#000000">sessionCacheTimeout = 300 seconds</font></div><div style="font-size:12.8px"><font color="#000000">stack = 65536 bytes</font></div><div style="font-size:12.8px"><font color="#000000">TIMEOUTbusy = 300 seconds</font></div><div style="font-size:12.8px"><font color="#000000">TIMEOUTclose = 60 seconds</font></div><div style="font-size:12.8px"><font color="#000000">TIMEOUTconnect = 10 seconds</font></div><div style="font-size:12.8px"><font color="#000000">TIMEOUTidle = 43200 seconds</font></div><div style="font-size:12.8px"><font color="#000000">verify = none</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">When I try to test it using Firefox by browsing to <a href="https://localhost:1234">https://localhost:1234</a>, FF returns "Secure Connection Failed" and stunnel spits</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">2017.12.01 20:35:10 LOG3[0]: SSL_connect: 14094416: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown</font></div><div style="font-size:12.8px"><font color="#000000"><br></font></div><div style="font-size:12.8px"><font color="#000000">What am I missing / doing wrong?</font></div><div 
style="font-size:12.8px"><font color="#000000">Regards</font></div><span class="HOEnZb"><font color="#888888"><br clear="all"><div><div class="m_1265305938352508894m_-1011681610714319299gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Z
</div></div></div>
</font></span></div>
</div></div></div><br></div>
</div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>stunnel-users mailing list</span><br><span><a href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a></span><br><span><a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a></span><br></div></blockquote></div></body></html>