May 2009 - stunnel-users

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

Re: [stunnel-users] Stunnel on the same machine
by subrata＠indiatimes.com 01 Aug '11

01 Aug '11

The configuration files are : pid = /var/stunnel.pid ;chroot = /var/lib/stunnel setuid = nobody setgid = nobody foreground =yes ; Use it for client mode client = yes ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept = 3307 connect = 192.168.1.6:3307 On 192.168.1.6 ---------------------- pid = /var/stunnel.pid setuid =nobody setgid = nobody foreground = yes client = no ; Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [mysqls] accept =3307 connect =3306 connecting like /usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p -P 3307 Enter password: On entring password the following lines appear : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 Subrata ----- Original Message ----- From: Brian Hatch <bri(a)stunnel.org> To: subrata(a)indiatimes.com Sent: Sun, 7 Oct 2007 10:02:17 +0530 (IST) Subject: Re: [stunnel-users] Stunnel on the same machine Near 2007-10-05 22:17 +0530, subrata(a)indiatimes.com insisted: > After starting stunnel and connecting the mysql client/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root -p the flow gets stuck at the Enter password prompt any suggestions how to proceed from there. What do your stunnel configuration files look like? Other problem: mysql client may decide to use a local domain socket when connecting to localhost, thwarting your attempts to go via Stunnel. You might want to 'strace mysql ...' and look for the connect() lines. -- Brian Hatch Time flies like an Systems and arrow. Fruit flies Security Engineer like a banana. http://www.ifokr.org/bri/ Every message PGP signed -- My life has changed. What about yours? Log on to the new Indiatimes Mail and Live out of the Inbox!

3 3

Re: [stunnel-users] rewrite Destination: when rewriting Host:
by Brian Hatch 07 Oct '09

07 Oct '09

Sometime near 2007-11-11 00:15 -0500, Marcio Marchini shouted: > Researching online one can see that WebDAV's spec requires that they > check both src and dest URLs for protocol & port. But with some proxies or > SSL fronts like stunnel, only one of the URLs is rewritten, so one goes as > http and the other as https. Here's one person explaining it, much better > than me: http://svn.haxx.se/users/archive-2006-03/0549.shtml Stunnel doesn't currently have the ability to scan and re-write the plaintext. For HTTP redirects it could possibly be implemented (re-write only the response before ^$, and redirects aren't chunked and don't have content lengths to work with, etc) but you'd still need enough HTTP logic to handle keepalives and such. It's not trivial and not likely. Another option would be to have something already HTTP aware doing the rewriting in between stunnel and subversion. A re-writing proxy. Another option would be to use mod_rewrite in apache to rewrite the urls. But the best way would be to just use SSL inside apache and drop stunnel entirely. -- Brian Hatch The best way to accelerate Systems and a Windows machine is at Security Engineer 9.8 meters per second http://www.ifokr.org/bri/ squared. Every message PGP signed

3 2

Re: [stunnel-users] Stunnel for secure email connections
by Lee 25 May '09

25 May '09

Thanks again, Guy, I appreciate your efforts there. So I don't have to do anything regarding certificates or digital signatures, or anything along those lines? I just install OpenSSL and Stunnel, configure stunnel.conf, tweak Thunderbird's accounts settings and Avast's ports, and go with it? Guy wrote: > So what you have to do to proxy the connections through Avast! I don't > know, you'll need to show. > Do you *really* need to scan your outbound connections? > This whole thing is more of a challenge / experiment than anything else. Certainly, scanning my SMTP connection(s) is far from important. Off this specific Stunnel issue but related:- For the last day or so, I've gone back to my 'old' setup of TB + Popfile + Avast, and I've noticed that emails from my 'secure' POP connections are actually being scanned by Avast. They probably have been for some time and I didn't notice, but only recently have I turned on the 'adding of notes' in Avast's email scanner which adds an email footer along the lines of 'Avast found this message to be clean'. I assume this scanning of 'secure' emails is a convenient byproduct somehow or other of routing the secure connections through Popfile. For reference, Popfile is listening on its default port of 110, and the Avast email scanner currently also only has port 110 in its POP redirected ports settings. Thunderbird has the host for those accounts as 127.0.0.1, also on port 110, and the username is in the form of: pop_server:username:ssl which Popfile requires. The :ssl is required by Popfile to handle secure connections. I do notice that non-secure connections' emails end up with the scanning footer being added twice, suggesting Avast is double scanning them. Secure connections' emails only get the one footer added. So all told, all incoming email seems to be scanned by Avast, albeit some of it twice. > Your stunnel configuration file has 2 [popmail] service names, that > will be confusing. And why do you have a [popmail] and [pop3_sky] > connecting to the same MTA? > That is because I don't know what I'm doing :) I originally built stunnel.conf without catering for Popfile, then I wanted to introduce Popfile into the equation, so I found the below advice page regarding Popfile and Stunnel :- http://getpopfile.org/docs/howtos:stunnel It appears I wrongly guessed how to interpret that advice on what to add to stunnel.conf I have since had some clarification on this from a query I raised on this at the Popfile forums:- http://getpopfile.org/discussion/1/188 > Did you enable debugging within stunnel? > > Global options: > > debug = debug > output = stunnel.log > Yes, I did try that, and dabbled a little with the packet sniffers. However I didn't find it any easier to pinpoint what was actually going on regarding the prescence or otherwise of a secure connection. ie I don't know what I'm looking at/for. At the moment, my only method of 'testing' what is 'probably' going on, is to open or close parts of my local chain, and thereby build an apparent picture of what is happening. My original doubts of 'am I actually achieving a secure connection using Stunnel and my local chain' are not grounded in anything; I am/was just wanting to somehow avoid just assuming I had set everything up properly. Lee

1 0

Re: [stunnel-users] Stunnel for secure email connections
by Lee 24 May '09

24 May '09

Hello Guy and thanks for your reply. Guy wrote: > So you have... > Client (MUA) <=> Avast and/or Popfile <=> Stunnel <=> Server (MTA) > > > Yes, that's right. I've looked at the mail headers more, and tried some of the packet sniffing/log methods, but I'm not really having any more success in understanding / pinpointing a secure connection. I think I'm not going to be able to grasp the issues here, so maybe it is simpler if I could simply state what I have done, to check that it should be correct; I installed both OpenSLL and Stunnel. I haven't changed anything from the OpenSLL install. In stunnel.conf, I currently have the file shown at the bottom of this email. I have changed settings in Thunderbird's mail accounts (hosts and ports) and in Avast Anti-Virus email scanner. (its redirected ports settings) Adding Popfile (a local mail 'tagging' proxy) back into the equation has required some further tweaks to Thunderbird's ports and server usernames syntax. As I said earlier, all seems to be working, in that my 'chain' appears to be having an effect. However should I be considering anything else to make this process meaningful, such as certificates or security issues? My only motive for using Stunnel and OpenSSL is to allow Avast email scanner to scan _all_ emails, including those it normally cannot scan due to their servers requiring me to use a secure connection. So, if I am doing this 'new' process wrongly or opening up security issues due to not understanding it, I would be better off reverting to how it was previously, seeing as the mail servers I use state they do virus scanning anyway. Thanks again, Lee UK my current stunnel.conf :- client=yes service=popmail [popmail] accept = 127.0.0.1:210 connect = pop.mail.yahoo.co.uk:995 [popmail] accept = 127.0.0.1:310 connect = pop.tools.sky.com:995 [pop3_sky] accept = 127.0.0.1:1109 connect = pop.tools.sky.com:995 [pop3_yahoo] accept = 127.0.0.1:1108 connect = pop.mail.yahoo.co.uk:995 [smtp_sky] accept=127.0.0.1:259 connect=smtp.tools.sky.com:465 [smtp_yahoo] accept=127.0.0.1:258 connect=smtp.mail.yahoo.co.uk:465 [imap_sky] accept=127.0.0.1:1439 connect=imap.tools.sky.com:993 -------------------------------------------------------------------------- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 090524-0, 24/05/2009 Tested on: 5/24/2009 15:38:38 avast! - copyright (c) 1988-2009 ALWIL Software. http://www.avast.com

1 0

Stunnel for secure email connections; email headers ?
by Lee 23 May '09

23 May '09

Hello, I have been dabbling with Stunnel in order to do the following: Connect with remote POP3, IMAP and SMTP servers using a secure connection; Path those connections on my Windows XP desktop pc through Avast Anti-Virus and/or Popfile to Mozilla Thunderbird. After much fiddling and grinding of my rusty mental muscles, I appear to have everything working and pathing properly. However I am not confident and some amount of luck has been involved in settling on the apparently correct pathing, ports settings and stunnel.conf So, my question here is; Can I look for anything in the email headers to verify that I am actually achieving a locally made secure connection using Stunnel? Or, if necessary, can I force something into the headers to show this? As I imply, results/clues suggest all is in place correctly, but part of me doesn't really believe I have actually done it. :) Thanks very much, Lee UK --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 090523-0, 23/05/2009 Tested on: 5/23/2009 23:25:18 avast! - copyright (c) 1988-2009 ALWIL Software. http://www.avast.com

1 0

Multiple SSL Versions
by Jeremy 22 May '09

22 May '09

Hi, Is there any way to make the sslVersion version take multiple options? I would like to restrict things to TLSv1 or SSLv3 but it seems only one option can be specified. I tried specifying this in the cipher section instead of ALL but couldn't seem to get it to work. Also here is something a little weird I've noticed, if anyone else has ran into it before and knows what's going on. With sites set to use TLSv1, sometimes while testing a HTTPS site using Firefox SSL (when both SSLv3 and TLSv1 is enabled in Firefox) sometimes the site won't come up. It feels like Firefox is using a weird SSL version to do the SSL certificate verification but once you trust the certificate it uses the right settings. I've set sslVersion = all, and trusted the SSL certificate in Firefox, then set sslVersion = TLSv1 again and I can get to the site ok at that point. Kind of weird. I'm probably just going to have to leave sslVersion = all, but Nessus and other security scans really like things locked down to just TLSv1 or SSLv3. stunnel: LOG5[17972:3086609296]: https-site01 accepted connection from 1.2.3.4:50878 stunnel: LOG3[17972:3086609296]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number stunnel: LOG5[17972:3086609296]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

2 1

Can't connect to Yahoo POP3
by Gary Kuznitz 18 May '09

18 May '09

Hi, I wonder if you could possibly help me get Stunnel ver. 4.26 working with Yahoo.com email? I have been trying to get it working and can't see what the problem is. I do have it working with Gmail just fine. My email client is setup with: Email server 127.0.0.1 Email user: 127.0.0.1/11011/MuUserName(a)yahoo.com Email password: <InsertPassword> Port 9999 My email client is connecting to K9 K9 connects to Stunnel on port 11011 I'm running this in Win '98se I'm following the instructions to use Yahoo POP3 Free at: http://sajeevnairs.blogspot.com/2009/03/pop3-access-in-yahoo-mail-free.html I think it's saying: SSL alert (read): fatal: bad certificate How can I get a god certificate for Stunnel to use? How would I set that up in Stunnel? Conf: cert = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log ; Use it for client mode client = yes ; Service-level configuration [pop3_DslextremeGmail] accept = 127.0.0.1:11010 connect = pop.gmail.com:995 delay = yes [pop3_Yahoo] accept = 127.0.0.1:11011 connect = pop.mail.yahoo.com:995 delay = yes Log: 2009.05.14 15:48:12 LOG7[16278859:16041803]: RAND_status claims sufficient entropy for the PRNG 2009.05.14 15:48:12 LOG7[16278859:16041803]: PRNG seeded successfully 2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate: stunnel.pem 2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate loaded 2009.05.14 15:48:12 LOG7[16278859:16041803]: Key file: stunnel.pem 2009.05.14 15:48:12 LOG7[16278859:16041803]: Private key loaded 2009.05.14 15:48:12 LOG7[16278859:16041803]: SSL context initialized for service pop3_DslextremeDocfxitGmail 2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate: stunnel.pem 2009.05.14 15:48:12 LOG7[16278859:16041803]: Certificate loaded 2009.05.14 15:48:12 LOG7[16278859:16041803]: Key file: stunnel.pem 2009.05.14 15:48:12 LOG7[16278859:16041803]: Private key loaded 2009.05.14 15:48:12 LOG7[16278859:16041803]: SSL context initialized for service pop3_Docfxit_Yahoo 2009.05.14 15:48:12 LOG5[16278859:16041803]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008 2009.05.14 15:48:12 LOG5[16278859:16041803]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv4 2009.05.14 15:48:12 LOG5[16278859:16039767]: No limit detected for the number of clients 2009.05.14 15:48:12 LOG7[16278859:16039767]: FD 56 in non-blocking mode 2009.05.14 15:48:12 LOG7[16278859:16039767]: SO_REUSEADDR option set on accept socket 2009.05.14 15:48:12 LOG7[16278859:16039767]: pop3_DslextremeDocfxitGmail bound to 127.0.0.1:11010 2009.05.14 15:48:12 LOG7[16278859:16039767]: FD 60 in non-blocking mode 2009.05.14 15:48:12 LOG7[16278859:16039767]: SO_REUSEADDR option set on accept socket 2009.05.14 15:48:12 LOG7[16278859:16039767]: pop3_Docfxit_Yahoo bound to 127.0.0.1:11011 2009.05.14 15:48:30 LOG7[16278859:16039767]: pop3_Docfxit_Yahoo accepted FD=64 from 127.0.0.1:1105 2009.05.14 15:48:30 LOG7[16278859:16039767]: Creating a new thread 2009.05.14 15:48:30 LOG7[16278859:16039767]: New thread created 2009.05.14 15:48:30 LOG7[16278859:16038719]: pop3_Docfxit_Yahoo started 2009.05.14 15:48:30 LOG7[16278859:16038719]: FD 64 in non-blocking mode 2009.05.14 15:48:30 LOG7[16278859:16038719]: TCP_NODELAY option set on local socket 2009.05.14 15:48:30 LOG5[16278859:16038719]: pop3_Docfxit_Yahoo accepted connection from 127.0.0.1:1105 2009.05.14 15:48:30 LOG7[16278859:16038719]: FD 76 in non-blocking mode 2009.05.14 15:48:30 LOG7[16278859:16038719]: pop3_Docfxit_Yahoo connecting 68.142.206.14:995 2009.05.14 15:48:30 LOG7[16278859:16038719]: connect_wait: waiting 10 seconds 2009.05.14 15:48:30 LOG7[16278859:16038719]: connect_wait: connected 2009.05.14 15:48:30 LOG5[16278859:16038719]: pop3_Docfxit_Yahoo connected remote server from 192.168.1.3:1106 2009.05.14 15:48:30 LOG7[16278859:16038719]: Remote FD=76 initialized 2009.05.14 15:48:30 LOG7[16278859:16038719]: TCP_NODELAY option set on remote socket 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): before/connect initialization 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write client hello A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server hello A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server certificate A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server certificate request A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 read server done A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write client certificate A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write client key exchange A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write certificate verify A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write change cipher spec A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 write finished A 2009.05.14 15:48:30 LOG7[16278859:16038719]: SSL state (connect): SSLv3 flush data 2009.05.14 15:48:30 LOG3[16278859:16038719]: SSL_connect: Peer suddenly disconnected 2009.05.14 15:48:30 LOG5[16278859:16038719]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2009.05.14 15:48:30 LOG7[16278859:16038719]: pop3_Docfxit_Yahoo finished (0 left) Thank you for looking at it... Gary

4 8

Re: [stunnel-users] Can't connect to Yahoo POP3
by Gary Kuznitz 15 May '09

15 May '09

I made some changes... On 15 May 2009 at 12:40, stunnel-users(a)mirt.net (Gary Kuznitz <docfxit(a)theoffice.la>) commented about Re: [stunnel-users] Can't connect t: > Thank you for the reply... > > On 15 May 2009 at 20:55, Michal (Michal Trojnara <Michal.Trojnara(a)mobi-com.net>) commented about Re: [stunnel-users] Can't connect to Yahoo POP3: > > > Gary Kuznitz wrote: > > > How can I get a god certificate for Stunnel to use? > > > How would I set that up in Stunnel? > > > > You don't really need a certificate for an SSL client. Just disable it. > > How can I disable it? > > > You rather want to setup server certificate verification with "CAfile" > > and "verify". > > I have un-commented: > CAfile = certs.pem I commented out the above line. Now I'm getting a new error. Here is the log: 2009.05.15 16:32:30 LOG7[16267607:16279139]: RAND_status claims sufficient entropy for the PRNG 2009.05.15 16:32:30 LOG7[16267607:16279139]: PRNG seeded successfully 2009.05.15 16:32:31 LOG7[16267607:16279139]: Certificate: stunnel.pem 2009.05.15 16:32:31 LOG7[16267607:16279139]: Certificate loaded 2009.05.15 16:32:31 LOG7[16267607:16279139]: Key file: stunnel.pem 2009.05.15 16:32:31 LOG7[16267607:16279139]: Private key loaded 2009.05.15 16:32:31 LOG3[16267607:16279139]: Either CApath or CAfile has to be used for authentication 2009.05.15 16:32:31 LOG3[16267607:16279139]: Server is down > verify = 2 > > That gave me an error: > 2009.05.15 12:38:13 LOG3[16278859:16279139]: Error loading verify certificates > from certs.pem > 2009.05.15 12:38:13 LOG3[16278859:16279139]: error stack: B084002 : > error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib > 2009.05.15 12:38:13 LOG3[16278859:16279139]: error stack: 2006D080 : > error:2006D080:BIO routines:BIO_new_file:no such file > 2009.05.15 12:38:13 LOG3[16278859:16279139]: SSL_CTX_load_verify_locations: > 2001002: error:02001002:system library:fopen:No such file or directory > > > > ; Some performance tunings > > > socket = l:TCP_NODELAY=1 > > > socket = r:TCP_NODELAY=1 > > > > IMHO it's not a good idea for non-interactive connections, e.g. pop3. > > I will comment out both of the above. > > > > [pop3_DslextremeGmail] > > > accept = 127.0.0.1:11010 > > > connect = pop.gmail.com:995 > > > delay = yes > > > > > > [pop3_Yahoo] > > > accept = 127.0.0.1:11011 > > > connect = pop.mail.yahoo.com:995 > > > delay = yes > > [cut] > > > 2009.05.14 15:48:12 LOG7[16278859:16041803]: SSL context initialized > > > for service pop3_Docfxit_Yahoo > > > > I guess you use a different configuration file, as pop3_Docfxit_Yahoo > > is not defined in the one you sent. > > I'm sorry. I'm really using [pop3_Yahoo] > > After I make a change to the conf. file Do I have to re-boot the PC or is it > enough to exit out of Stunnel and launch it again? > > Thank you, > > Gary Kuznitz > > > Best regards, > > Mike > > _______________________________________________ > > stunnel-users mailing list > > stunnel-users(a)mirt.net > > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > >

1 0

Preventing "choose a digital certificate" pop-up in IE
by Wallace Winfrey 08 May '09

08 May '09

Hello I have browsed the archives but have not found the answer to this question... I have stunnel set up to handle https connections. It sits on a CentOS server alongside HAProxy and works fine with every browser except for Internet Explorer. When I connect with Internet Explorer, I get a blank "Please choose a digital certificate" pop-up. I am pretty sure I have a configuration issue. Here's what I have: socket=l:TCP_NODELAY=1 socket=r:TCP_NODELAY=1 options = NO_SSLv2 ciphers=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM output = /var/log/stunnel.log [my.host.name] accept=my.external.IP:443 connect=127.0.0.1:8101 xforwardedfor=yes CAfile=/etc/stunnel/GlobalSign.pem cert=/etc/stunnel/my.host.name.pem verify=1 How do we turn off the request for the client certificate in IE? Here are my details....thanks in advance. w * stunnel-4.15-2.el5.1 * I am running it standalone: /usr/sbin/stunnel /etc/stunnel/stunnel.conf * /usr/sbin/stunnel -version stunnel 4.15 on i686-pc-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP Global options debug = 5 pid = /usr/local/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH key = /usr/local/etc/stunnel/stunnel.pem session = 300 seconds TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none * uname -a: Linux my.host.name 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:19:18 EDT 2009 i686 i686 i386 GNU/Linux * glibc version is 2.5-34 * gcc is not installed, using CentOS RPM * OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

1 1