I'm new to Stunnel. stunnel 5.78 on x64-pc-mingw32-gnu platform Windows 7 Pro. During installation, the process walked me through the creation of a certificate.

I have these settings:

[Lopham-imap]
client = yes
accept = 127.0.0.1:52143
connect = mail.lopham.co.uk:993
CAfile = ca-certs.pem

The connection succeeds. I add the following lines:

verifyChain = yes
checkHost = mail.lopham.co.uk
OCSPaia = yes

The connection fails with the following lines in the log:

2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] accepted connection from 127.0.0.1:51901
2026.05.30 21:45:52 LOG5[2]: s_connect: connected 193.143.227.10:993
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] connected remote server from 127.0.0.1:51902
2026.05.30 21:45:52 LOG4[2]: CERT: Pre-verification error: certificate not found in local repository: self-signed certificate in certificate chain
2026.05.30 21:45:52 LOG4[2]: Rejected by CERT at depth=1: OU=generated by AVG Antivirus for SSL/TLS scanning, O=AVG Web/Mail Shield, CN=AVG Web/Mail Shield Root
2026.05.30 21:45:52 LOG3[2]: SSL_connect: tls_post_process_server_certificate@ssl/statem/statem_clnt.c:2124: error:0A000086:SSL routines::certificate verify failed: client 127.0.0.1:51901
2026.05.30 21:45:52 LOG5[2]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

I see it finds the self-signed certificate in certificate chain. Why is this rejected? Any ideas, please?

Regards,
== Graham
* Graham Jones wrote:
stunnel 5.78 on x64-pc-mingw32-gnu platform Windows 7 Pro.
During installation, the process walked me through the creation of a certificate.
The connection fails with the following lines in the log:
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] accepted connection from 127.0.0.1:51901
2026.05.30 21:45:52 LOG5[2]: s_connect: connected 193.143.227.10:993
2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] connected remote server from 127.0.0.1:51902
2026.05.30 21:45:52 LOG4[2]: CERT: Pre-verification error: certificate not found in local repository: self-signed certificate in certificate chain
2026.05.30 21:45:52 LOG4[2]: Rejected by CERT at depth=1: OU=generated by AVG Antivirus for SSL/TLS scanning, O=AVG Web/Mail Shield, CN=AVG Web/Mail Shield Root
I see it finds the self-signed certificate in certificate chain. Why is this rejected?

It finds _a_ self-signed certificate, but not the one you created. Your antivirus software ("AVG") is doing TLS interception to get at the unencrypted IMAP data.

You have three options:

1. Disable verification of the remote cert, because stunnel doesn't see it anyway.
2. Disable TLS interception in AVG. This will let stunnel see the actual remote certificate, but AVG will not scan e-mail content anymore.
3. Tell stunnel about the AVG certificate. See the manual about the CAfile option. How to get the certificate data with stunnel alone is beyond me; "openssl s_client -showcerts 193.143.227.10:993" would work. You can also try adding "CAengine = cng" to the stunnel configuration; I have not used it before, but based on the manual it might work and read trusted CAs from the Windows trust store, where AVG would have put its own certificate to prevent your exact problem with other software.

Options 1 and 3 are effectively the same; they mean that stunnel does not verify the server certificate, which it simply cannot see with AVG in the way. Instead they rely on AVG refusing the connection if an unexpected certificate appears. Option 2 trades the security of scanning the e-mail content for that of verifying the certificate.

-- 
Christian
Hi Graham,

The issue you have is due to your locally installed AVG Security product. In order to do a security scan/review of your encrypted connections (web, SMTP, IMAP), AVG works as a man-in-the-middle and is intercepting the connection that Stunnel is trying to do to mail.lopham.co.uk and presenting a certificate signed by a local CA that is unknown to Stunnel.

I understand that you can configure AVG to disable this TLS scanning/interception, but most likely you want to keep it enabled, and to avoid the failure in Stunnel you must add the local AVG CA root certificate to the file ca-certs.pem. You need to export the cert in PEM format and append it to your ca-certs.pem with a text editor. See: https://support.avg.com/SupportArticleView?l=en&urlname=content-products-avg...

Hope this helps.

Regards,
Jose A. Diaz

On Sunday, May 31, 2026 at 01:26:29 AM GMT-5, Graham Jones via stunnel-users <stunnel-users@lists.stunnel.org> wrote:
[quotes the original message in full]
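The procedure in Christian's option 3 and in Jose's reply (get the AVG root out of the chain with "openssl s_client -showcerts", then append it in PEM form to ca-certs.pem) as an added Python example; this is not code from either poster or from the stunnel project. It parses the text s_client prints, appends only the self-signed chain entry whose subject the operator names (so a root from some other interception proxy is never trusted by accident), skips certificates already in the file by SHA-256 fingerprint, and writes every PEM marker on its own line. The chain and CAfile contents below are constructed placeholders, not real DER certificates, and the function names are the example's own.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_showcerts(text):
    """Parse `openssl s_client -showcerts` text into chain entries.

    s_client prints " N s:<subject>" and "   i:<issuer>" just before each
    PEM block; both are recorded with the block (one marker per line).
    """
    entries, depth, subject, issuer = [], None, None, None
    in_pem, body = False, []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+s:(.*)$", line)
        if m:
            depth, subject = int(m.group(1)), m.group(2).strip()
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m:
            issuer = m.group(1).strip()
            continue
        stripped = line.strip()
        if stripped == BEGIN:
            in_pem, body = True, []
        elif stripped == END and in_pem:
            in_pem = False
            entries.append({"depth": depth, "subject": subject, "issuer": issuer,
                            "pem": "\n".join([BEGIN, *body, END])})
        elif in_pem and stripped:
            body.append(stripped)
    return entries


def fingerprint(pem):
    """SHA-256 of the DER bytes, as `openssl x509 -noout -fingerprint -sha256` prints it."""
    der = base64.b64decode("".join(pem.splitlines()[1:-1]))
    return hashlib.sha256(der).hexdigest()


def pem_blocks(bundle):
    """Split an existing CAfile into PEM blocks, re-wrapped at 64 columns.

    Matching on the markers rather than on lines means a bundle in which an END
    marker and the next BEGIN marker share a line still yields every block, so
    the duplicate check below does not miss a certificate that is already there.
    """
    pattern = re.escape(BEGIN) + r"(.*?)" + re.escape(END)
    blocks = []
    for inner in re.findall(pattern, bundle, re.S):
        b64 = "".join(inner.split())
        blocks.append("\n".join([BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], END]))
    return blocks


def merge_interception_root(cafile_text, showcerts_text, expected_root_subject):
    """Append the self-signed certificate of the named interception root.

    An entry is appended only if subject == issuer AND the subject contains
    expected_root_subject: the leaf, intermediates, and a self-signed root from
    some other proxy are ignored rather than silently trusted.  Entries already
    present are skipped by fingerprint, so a second run changes nothing.
    Returns (new_cafile_text, appended_entries).
    """
    present = {fingerprint(p) for p in pem_blocks(cafile_text)}
    out, appended = cafile_text.rstrip("\n"), []
    for entry in parse_showcerts(showcerts_text):
        if entry["subject"] != entry["issuer"]:
            continue  # not self-signed: the leaf or an intermediate
        if expected_root_subject not in entry["subject"]:
            continue  # a root nobody asked to trust
        fp = fingerprint(entry["pem"])
        if fp in present:
            continue
        present.add(fp)
        appended.append(entry)
        out += "\n" + entry["pem"]  # leading newline: BEGIN must open its own line
    return out + "\n", appended


def placeholder_b64(label):
    """Constructed stand-in for DER bytes; a real certificate is ASN.1, this is not."""
    return base64.b64encode(("not-a-real-certificate:" + label).encode()).decode()


AVG_ROOT = ("OU=generated by AVG Antivirus for SSL/TLS scanning, "
            "O=AVG Web/Mail Shield, CN=AVG Web/Mail Shield Root")

# Constructed -showcerts output for the chain stunnel logged: an AVG-issued
# leaf at depth 0 and the self-signed AVG root at depth 1.
SHOWCERTS_SAMPLE = f"""CONNECTED(00000003)
Certificate chain
 0 s:CN=mail.lopham.co.uk
   i:{AVG_ROOT}
{BEGIN}
{placeholder_b64('avg-issued-leaf')}
{END}
 1 s:{AVG_ROOT}
   i:{AVG_ROOT}
{BEGIN}
{placeholder_b64('avg-root')}
{END}
---
"""

# Constructed ca-certs.pem holding one unrelated public root.
CAFILE_SAMPLE = "\n".join([BEGIN, placeholder_b64("public-root"), END]) + "\n"

if __name__ == "__main__":
    new_text, added = merge_interception_root(
        CAFILE_SAMPLE, SHOWCERTS_SAMPLE, "CN=AVG Web/Mail Shield Root")
    for e in added:
        print(f"appended depth={e['depth']} {e['subject']} sha256={fingerprint(e['pem'])}")
    print(new_text)
```

Two caveats that follow from the thread: the appended root is trusted by every stunnel service that points at this CAfile, and, as Christian notes, verification then stops at AVG's root rather than at the mail server's real certificate. OpenSSL's PEM reader also looks for the BEGIN marker at the start of a line, which is why the merge always writes a newline before each appended block; pem_blocks() tolerates a marker pair sharing a line only so that the duplicate check does not overlook such a block.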
Hi Jose,

I have exported the certificate from AVG and appended it to my ca-certs.pem using a text editor. To make it easier to read I included a line break before the appended text thus:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

I’m testing with my Zen connection for convenience:

[zen-pop3]
client = yes
accept = 127.0.0.1:26110
connect = mailhost.zen.co.uk:995
CAfile = ca-certs.pem
verifyChain = yes
checkHost = mailhost.zen.co.uk
OCSPaia = yes

It succeeds. The log shows:

2026.05.31 20:39:42 LOG5[2]: Service [zen-pop3] accepted connection from 127.0.0.1:63471
2026.05.31 20:39:42 LOG5[2]: s_connect: connected 212.23.1.11:995
2026.05.31 20:39:42 LOG5[2]: Service [zen-pop3] connected remote server from 127.0.0.1:63472
2026.05.31 20:39:42 LOG5[2]: Certificate accepted at depth=0: CN=*.zen.co.uk
2026.05.31 20:39:42 LOG5[2]: Connection closed: 71 byte(s) sent to TLS, 6771 byte(s) sent to socket

Thank you so much for your help.

Regards,
== Graham

From: Jose Alf. [mailto:josealf@rocketmail.com]
Sent: 31 May 2026 17:53
To: stunnel-users@lists.stunnel.org; graham@lorien56.co.uk
Subject: Re: [stunnel-users] Certificate rejected ...?

Hi Graham,

The issue you have is due to your locally installed AVG Security product. In order to do a security scan/review of your encrypted connections (web, SMTP, IMAP), AVG works as a man-in-the-middle and is intercepting the connection that Stunnel is trying to do to mail.lopham.co.uk and presenting a certificate signed by a local CA that is unknown to Stunnel.

I understand that you can configure AVG to disable this TLS scanning/interception, but most likely you want to keep it enabled, and to avoid the failure in Stunnel you must add the local AVG CA root certificate to the file ca-certs.pem. You need to export the cert in PEM format and append it to your ca-certs.pem with a text editor.

See: https://support.avg.com/SupportArticleView?l=en&urlname=content-products-avg-antivirus-configuringsettings-exportmailshieldcert

Hope this helps.

Regards,
Jose A. Diaz
participants (3)
- Christian Ullrich
- Graham Jones
- Jose Alf.