* Graham Jones wrote:
stunnel 5.78 on x64-pc-mingw32-gnu platform Windows 7 Pro.
During installation, the process walked me through the creation of a certificate.
The connection fails with the following lines in the log:
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] accepted connection from 127.0.0.1:51901
2026.05.30 21:45:52 LOG5[2]: s_connect: connected 193.143.227.10:993
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] connected remote server from 127.0.0.1:51902
2026.05.30 21:45:52 LOG4[2]: CERT: Pre-verification error: certificate not found in local repository: self-signed certificate in certificate chain
2026.05.30 21:45:52 LOG4[2]: Rejected by CERT at depth=1: OU=generated by AVG Antivirus for SSL/TLS scanning, O=AVG Web/Mail Shield, CN=AVG Web/Mail Shield Root
I see it finds the self-signed certificate in certificate chain. Why is this rejected?

It finds _a_ self-signed certificate, but not the one you created. Your antivirus software ("AVG") is doing TLS interception to get at the unencrypted IMAP data.
You have three options:

1. Disable verification of the remote cert, because stunnel doesn't see it anyway.
2. Disable TLS interception in AVG. This will let stunnel see the actual remote certificate, but AVG will not scan e-mail content anymore.
3. Tell stunnel about the AVG certificate. See the manual about the CAfile option. How to get the certificate data with stunnel alone is beyond me; "openssl s_client -showcerts 193.143.227.10:993" would work. You can also try adding "CAengine = cng" to the stunnel configuration; I have not used it before but based on the manual it might work and read trusted CAs from the Windows trust store, where AVG would have put its own certificate to prevent your exact problem with other software.

Options 1 and 3 are effectively the same; they mean that stunnel does not verify the server certificate, which it simply cannot see with AVG in the way. Instead they rely on AVG refusing the connection if an unexpected certificate appears.

Option 2 trades the security of scanning the e-mail content for that of verifying the certificate.

-- Christian
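
A small triage script for the log lines quoted in this thread, added here as an example and not part of the original messages: it correlates stunnel's per-thread lines and reports which service and remote address produced the rejection and which certificate was rejected. The function names and the `expected_orgs` parameter are assumptions of this example, and the log format is assumed to match the five lines shown in the thread.

```python
import re

# Log lines copied from the thread above (stunnel 5.78, service Lopham-imap).
SAMPLE_LOG = """\
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] accepted connection from 127.0.0.1:51901
2026.05.30 21:45:52 LOG5[2]: s_connect: connected 193.143.227.10:993
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] connected remote server from 127.0.0.1:51902
2026.05.30 21:45:52 LOG4[2]: CERT: Pre-verification error: certificate not found in local repository: self-signed certificate in certificate chain
2026.05.30 21:45:52 LOG4[2]: Rejected by CERT at depth=1: OU=generated by AVG Antivirus for SSL/TLS scanning, O=AVG Web/Mail Shield, CN=AVG Web/Mail Shield Root
"""

LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\w+)\]: (.*)$")
REJECT = re.compile(r"^Rejected by CERT at depth=(\d+): (.*)$")

def parse_dn(dn):
    """Split 'OU=..., O=..., CN=...' into a dict; values may contain '/' or spaces."""
    parts = re.split(r", (?=[A-Za-z]+=)", dn)
    return dict(p.split("=", 1) for p in parts)

def rejected_certs(log_text, expected_orgs=frozenset()):
    """Correlate per-thread log lines into one finding per rejected certificate.

    expected_orgs (hypothetical parameter): O= values the operator expects
    to see in the chain for this server.
    """
    state, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, _level, tid, msg = m.groups()
        ctx = state.setdefault(tid, {})  # stunnel tags each line with a thread id
        if msg.startswith("Service ["):
            ctx["service"] = msg[len("Service ["):msg.index("]")]
        elif msg.startswith("s_connect: connected "):
            ctx["remote"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("CERT: Pre-verification error: "):
            ctx["error"] = msg.split(": ", 2)[2]
        elif (r := REJECT.match(msg)):
            subject = parse_dn(r.group(2))
            findings.append({
                "time": when, "service": ctx.get("service"),
                "remote": ctx.get("remote"), "depth": int(r.group(1)),
                "error": ctx.get("error"), "subject": subject,
                # True when the rejected CA is not one the operator expects
                "unexpected_ca": subject.get("O") not in expected_orgs,
            })
    return findings
```

On the quoted log this yields one finding for service Lopham-imap at depth 1 whose subject is the AVG Web/Mail Shield root, which is the certificate the reply identifies as the interception CA.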