Thank you very much for working with me on resolving this.
On your first post I didn't see the difference in port numbers. I have corrected that.
Thank you for catching it. It did get me closer to resolving the issue.
I'm getting this log from my email client:
--- Wed, 12 Jun 2013 12:22:46 ---
Connect to 'localhost' port 10115, timeout 60.
12:22:46.960 [*] Connection established to 127.0.0.1
12:22:47.226 >> 0120 220 vms173007pub.verizon.net -- Server ESMTP (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))\0D\0A
12:22:47.226 << 0023 EHLO [192.168.168.11]\0D\0A
12:22:47.288 >> 0030 250-vms173007pub.verizon.net\0D\0A
12:22:47.288 >> 0014 250-8BITMIME\0D\0A
12:22:47.288 >> 0016 250-PIPELINING\0D\0A
12:22:47.288 >> 0014 250-CHUNKING\0D\0A
12:22:47.288 >> 0009 250-DSN\0D\0A
12:22:47.288 >> 0025 250-ENHANCEDSTATUSCODES\0D\0A
12:22:47.288 >> 0010 250-HELP\0D\0A
12:22:47.288 >> 0044 250-XLOOP AD6DF29B04183351BAD9935B9A483ABE\0D\0A
12:22:47.288 >> 0042 250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5\0D\0A
12:22:47.288 >> 0022 250-AUTH=LOGIN PLAIN\0D\0A
12:22:47.288 >> 0010 250-ETRN\0D\0A
12:22:47.288 >> 0019 250-NO-SOLICITING\0D\0A
12:22:47.288 >> 0019 250 SIZE 20971520\0D\0A
12:22:47.288 << 0015 AUTH CRAM-MD5\0D\0A
12:22:47.335 >> 0050 334 PDEzNTYyOTY5MjEuMTIxMTA1NTFAdm1zMTczMDA3Pg==\0D\0A
12:22:47.335 << 0058 YXR1cHJlcyBkYTlmZTI3MWFjODNjYWUxOTVjNmZhZWQ5ZGE0NTUzYg==\0D\0A
12:22:47.397 >> 0066 500 5.7.0 Unknown AUTH error -1 (Internal authentication error).\0D\0A
12:22:50.845 << 0006 QUIT\0D\0A
12:22:50.892 >> 0034 221 2.3.0 Bye received. Goodbye.\0D\0A
12:22:50.892 --- Connection closed normally at Wed, 12 Jun 2013 12:22:50. ---\0A\0A
I'm getting this in the Stunnel.log
2013.06.12 12:22:46 LOG7[660:2460]: New thread created
2013.06.12 12:22:46 LOG7[660:896]: Service [Verizon-smtp] started
2013.06.12 12:22:46 LOG5[660:896]: Service [Verizon-smtp] accepted connection from 127.0.0.1:52721
2013.06.12 12:22:46 LOG6[660:896]: connect_blocking: connecting 206.46.232.12:465
2013.06.12 12:22:46 LOG7[660:896]: connect_blocking: s_poll_wait 206.46.232.12:465: waiting 10 seconds
2013.06.12 12:22:46 LOG5[660:896]: connect_blocking: connected 206.46.232.12:465
2013.06.12 12:22:46 LOG5[660:896]: Service [Verizon-smtp] connected remote server from 192.168.168.11:52722
2013.06.12 12:22:46 LOG7[660:896]: Remote socket (FD=384) initialized
2013.06.12 12:22:46 LOG7[660:896]: SNI: sending servername: outgoing.verizon.net
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): before/connect initialization
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 write client hello A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 read server hello A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 read server certificate A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 read server key exchange A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 read server done A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 write client key exchange A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 write change cipher spec A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 write finished A
2013.06.12 12:22:46 LOG7[660:896]: SSL state (connect): SSLv3 flush data
2013.06.12 12:22:47 LOG7[660:896]: SSL state (connect): SSLv3 read finished A
2013.06.12 12:22:47 LOG7[660:896]: 2 items in the session cache
2013.06.12 12:22:47 LOG7[660:896]: 2 client connects (SSL_connect())
2013.06.12 12:22:47 LOG7[660:896]: 2 client connects that finished
2013.06.12 12:22:47 LOG7[660:896]: 0 client renegotiations requested
2013.06.12 12:22:47 LOG7[660:896]: 0 server connects (SSL_accept())
2013.06.12 12:22:47 LOG7[660:896]: 0 server connects that finished
2013.06.12 12:22:47 LOG7[660:896]: 0 server renegotiations requested
2013.06.12 12:22:47 LOG7[660:896]: 0 session cache hits
2013.06.12 12:22:47 LOG7[660:896]: 0 external session cache hits
2013.06.12 12:22:47 LOG7[660:896]: 0 session cache misses
2013.06.12 12:22:47 LOG7[660:896]: 0 session cache timeouts
2013.06.12 12:22:47 LOG6[660:896]: SSL connected: new session negotiated
2013.06.12 12:22:47 LOG6[660:896]: Negotiated TLSv1/SSLv3 ciphersuite: DHE-RSA-AES256-SHA (256-bit encryption)
2013.06.12 12:22:47 LOG6[660:896]: Compression: null, expansion: null
2013.06.12 12:22:50 LOG6[660:896]: Read socket closed (readsocket)
2013.06.12 12:22:50 LOG7[660:896]: Sending close_notify alert
2013.06.12 12:22:50 LOG7[660:896]: SSL alert (write): warning: close notify
2013.06.12 12:22:50 LOG6[660:896]: SSL_shutdown successfully sent close_notify alert
2013.06.12 12:22:50 LOG7[660:896]: SSL alert (read): warning: close notify
2013.06.12 12:22:50 LOG6[660:896]: SSL closed (SSL_read)
2013.06.12 12:22:50 LOG7[660:896]: Sent socket write shutdown
2013.06.12 12:22:50 LOG5[660:896]: Connection closed: 102 byte(s) sent to SSL, 544 byte(s) sent to socket
2013.06.12 12:22:50 LOG7[660:896]: Remote socket (FD=384) closed
2013.06.12 12:22:50 LOG7[660:896]: Local socket (FD=216) closed
2013.06.12 12:22:50 LOG7[660:896]: Service [Verizon-smtp] finished (0 left)
Do you have any idea why I am getting:
12:22:47.397 >> 0066 500 5.7.0 Unknown AUTH error -1 (Internal authentication error).\0D\0A
Thank you,
Gary
On 12 Jun 2013 at 20:36, Jochen (Jochen Bern <Jochen.Bern(a)LINworks.de>)
commented about Re: [stunnel-users] Getting Stunnel working with :
> On 12.06.2013 19:48, Gary Kuznitz wrote:
> > Thanks for showing me how to test SSL. I installed openssl and ran the test. This is
> > what I received back.
> >
> > C:\Programs\OpenSSL-Win32\bin>openssl s_client -connect smtp.verizon.net:465
> [...]
> > Verify return code: 19 (self signed certificate in certificate chain)
> > ---
>
> At this point, the SSL layer of the connection has been set up (s_client
> ignores the non-null verification result) and the actual payload
> protocol can start to do its thing. The payload protocol is SMTP, so the
> server throws you a hello line:
>
> > 220 vms173025pub.verizon.net -- Server ESMTP (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
>
> and then waits for the client to send its requests. Since you apparently
> didn't enter anything, the server obviously terminated the connection with:
>
> > 421 4.4.2 Timeout while waiting for command.
>
> An actual SMTP session with an *attempt* at transferring an e-mail would
> look like, e.g.:
>
> > 220 vms173023pub.verizon.net -- Server ESMTP (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
> > HELO this.is.my.laptop
> > 250 vms173023pub.verizon.net OK, [unknown] [213.157.4.156].
> > MAIL FROM:<Jochen.Bern(a)LINworks.de>
> > 550 5.7.1 Authentication Required
> > rSET
> > 250 2.5.0 Ok.
> > QUIT
>
> (The lines starting with a three-digit SMTP status code number are sent
> by the server; the 5xx code signals a permanent error; the lines
> starting with a four-letter SMTP command are sent by the client, i.e., I
> typed them into the s_client; and I typed "rSET" instead of the normal
> "RSET" because s_client takes every line starting with an *uppercase*
> 'R' as a command to do an SSL renegotiation.)
>
> > It sounds like something is wrong on this end. Any ideas?
>
> What about the two *****DIFFERING***** port numbers I pointed out in
> your posted data?
>
> >> On 12.06.2013 05:12, Gary Kuznitz wrote:
> >>> [Verizon-smtp]
> >>> client = yes
> >>> accept = 11015
> >> ^##^^
> >> [...]
> >>> --- Tue, 11 Jun 2013 16:38:55 ---
> >>> Connect to 'localhost' port 10115, timeout 60.
> >> ^##^^
>
> I don't actually use stunnel (subscribed to the list when I had a need
> that I later fulfilled with socat, but that's Unix/Linux only), so I
> don't know whether stunnel has a problem with the self-signed cert ...
>
> Regards,
> J. Bern
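The client above picked CRAM-MD5 from the advertised AUTH list and the server answered with a 500. As an added example (not code from the thread, stunnel or the mail client), this shows what the two sides of RFC 2195 CRAM-MD5 compute, using the real challenge from the 334 line of the log and constructed credentials; the user name, password and lookup table are assumptions, and the client's actual response from the log is deliberately not decoded here.

```python
import base64
import hashlib
import hmac

# Challenge exactly as the server sent it in the 334 line of the log above.
CHALLENGE_B64 = "PDEzNTYyOTY5MjEuMTIxMTA1NTFAdm1zMTczMDA3Pg=="

# Constructed credentials for the demonstration only (not the poster's account).
USERS = {"alice": "correct horse battery staple"}


def decode_challenge(challenge_b64):
    """The 334 payload is base64; the decoded text is the server's one-time nonce."""
    return base64.b64decode(challenge_b64).decode("ascii")


def cram_md5_response(username, password, challenge_b64):
    """Client step: HMAC-MD5 keyed with the password over the decoded nonce,
    sent back as base64('<username> <lowercase hex digest>')."""
    nonce = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), nonce, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")


def verify_cram_md5(response_b64, challenge_b64, lookup_password):
    """Server step: recompute the digest for the claimed user and compare it in
    constant time. The server needs the cleartext password (or an equivalent
    MD5 context) to do this; a store holding only salted one-way hashes cannot
    verify CRAM-MD5 at all."""
    try:
        username, digest = base64.b64decode(response_b64).decode("ascii").split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False                      # malformed response, not base64 or no space
    password = lookup_password(username)
    if password is None:
        return False                      # unknown user
    nonce = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode("utf-8"), nonce, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    print("nonce:", decode_challenge(CHALLENGE_B64))
    resp = cram_md5_response("alice", USERS["alice"], CHALLENGE_B64)
    print("client response:", resp)
    print("server accepts:", verify_cram_md5(resp, CHALLENGE_B64, USERS.get))
```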
I can't seem to connect with email at Verizon.net SMTP. I can connect with POP3.
The Stunnel.log shows:
2013.06.11 19:27:04 LOG5[3752:2524]: stunnel 4.56 on x86-pc-msvc-1500 platform
2013.06.11 19:27:04 LOG5[3752:2524]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
2013.06.11 19:27:04 LOG5[3752:2524]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2013.06.11 19:27:04 LOG5[3752:2524]: Reading configuration from file stunnel.conf
2013.06.11 19:27:04 LOG5[3752:2524]: FIPS mode is enabled
2013.06.11 19:27:04 LOG5[3752:2524]: Configuration successful
I have IPv6 turned off in my network settings.
The Stunnel.conf looks like this:
output = stunnel.log
cert = stunnel.pem
options = NO_SSLv2
[Verizon-pop3]
client = yes
accept = 11014
connect = pop.verizon.net:995
delay = yes
[Verizon-smtp]
client = yes
accept = 11015
connect = smtp.verizon.net:465
delay = yes
I do not have SSL turned on in my email client.
The log from my email client looks like this:
--- Tue, 11 Jun 2013 16:38:55 ---
Connect to 'localhost' port 10115, timeout 60.
16:38:56.897 15: Peer connect failure (the host has refused the connection).
The Verizon account is FIOS. I am not connected directly to the Verizon ISP.
I can't send email without SSL.
Does anyone have any idea how I can get this working?
Thanks,
Gary Kuznitz
Correction: The cert issuer is Startcom Ltd, not Startcom LLC.
--
Greetings;
Stunnel 4.56 running under Win 7 SP1 x86.
Recently, the owners of a server I regularly connect to updated their
server certificate; the former had expired at the end of May.
As soon as that event occurred, I deleted the old certificate, then used
the "save peer certificate" function of Stunnel to get the updated one.
However, the new certificate fails to verify, even with the verify = 4
option in Stunnel. The error message is similar to what I used to get
when doing a verify = 3 with some certificates. The general error
output of Stunnel is:
CERT: Verification error: unable to get local issuer certificate
2013.06.09 16:37:46 LOG4[608:2336]: Certificate check failed: depth=0
When I open the new certificate with:
openssl x509 -text -in certname.pem
and view the certificate details, I'm not seeing anything obvious.
The certificate is within a valid date range, and contains the same
basic elements as other certs I've viewed. The certificate appears
to have been issued by Startcom LLC.
If I comment out the verify statement, I'm able to successfully
negotiate an SSL connection with the server.
I realize that this may be more of an openssl issue than an issue with
Stunnel. Nevertheless, I thought I'd start here and throw it out to
the floor for comments.
Anyone have any ideas or have run into this issue?
Regards,
Thomas
_______________________________________________
stunnel-users mailing list
stunnel-users(a)stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Hello
A few days ago we ran into an issue where the number of stunnel threads skyrocketed to over 3000 open stunnel threads. When this happened, connections to our website slowed down considerably or failed to connect. It was resolved by flipping to our other proxy, which accepted any new connections. It took about 5 minutes for the threads to die off on the other proxy. I was wondering if anyone has come across this problem?
Here are some details of our stunnel version and config.
Stunnel 4.44 with patch for x-forwarder
[root@brm-proxy01 ~]# stunnel -version
stunnel 4.44 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
Global options:
debug = daemon.notice
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options:
ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH
curve = prime256v1
session = 300 seconds
sslVersion = TLSv1 for client, all for server
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Our stunnel.conf.
/etc/stunnel/stunnel.conf
#sslVersion = TLSv1
pid = /var/run/stunnel.pid
syslog = yes
output = /var/log/stunnel.log
debug = 3
[https]
cert = /etc/stunnel/ssl/wildcard.blah.com.pem
accept = 443
connect = 80
xforwardedfor = yes
TIMEOUTbusy = 300
TIMEOUTclose = 0
TIMEOUTconnect = 10
TIMEOUTidle = 60
Is there anything we could add for performance tuning in stunnel? Any suggestions on what I could look for when this happens again would be appreciated. Our platform does between 2000 and 3000 rpm (requests per minute) during peak hours.
We constantly see a lot of these messages every hour, but I am not sure what is happening, as the connections seem to be working:
SSL_accept: Peer suddenly disconnected
There was a higher spike of them than the normal rate during the incident described above.
Thanks
Stephen Griffin
Sr. System Administrator
www.achievers.com
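For the question of what to look for when the thread count climbs again, here is an added example (not from the thread or from the stunnel project) that walks a stunnel log in the line format posted above, keyed on the [pid:tid] field, and reports peak simultaneous connections, threads that accepted a connection but never logged "finished", and "Peer suddenly disconnected" events per minute. The sample log lines are constructed, modelled on the format in this thread.

```python
import re
from collections import Counter

# Line shape copied from the stunnel logs posted in this thread:
#   2013.06.12 12:22:46 LOG5[660:896]: Service [Verizon-smtp] accepted connection from 127.0.0.1:52721
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d) LOG(?P<level>\d)"
    r"\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Service \[(?P<svc>[^\]]+)\] accepted connection from (?P<peer>\S+)")
FINISH_RE = re.compile(r"Service \[(?P<svc>[^\]]+)\] finished \(\d+ left\)")
SUDDEN = "SSL_accept: Peer suddenly disconnected"


def analyse(lines):
    """Walk the log once and return (peak simultaneous connections,
    threads still open at the end of the log, sudden-disconnect count per HH:MM)."""
    open_threads = {}          # (pid, tid) -> (service, peer, time accepted)
    peak = 0
    sudden = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                          # not a stunnel-format line
        key = (m["pid"], m["tid"])
        msg = m["msg"]
        acc = ACCEPT_RE.search(msg)
        if acc:
            open_threads[key] = (acc["svc"], acc["peer"], m["time"])
            peak = max(peak, len(open_threads))
        elif FINISH_RE.search(msg):
            open_threads.pop(key, None)       # thread finished, connection closed
        elif SUDDEN in msg:
            sudden[m["time"][:5]] += 1        # handshake aborted by the peer
    return peak, open_threads, sudden


# Constructed sample (not a real capture); thread 904 never logs "finished".
SAMPLE_LOG = """\
2013.06.12 12:22:46 LOG5[660:896]: Service [https] accepted connection from 10.0.0.5:52721
2013.06.12 12:22:46 LOG5[660:900]: Service [https] accepted connection from 10.0.0.6:41002
2013.06.12 12:22:47 LOG3[660:900]: SSL_accept: Peer suddenly disconnected
2013.06.12 12:22:47 LOG7[660:900]: Service [https] finished (1 left)
2013.06.12 12:22:48 LOG5[660:904]: Service [https] accepted connection from 10.0.0.7:33011
2013.06.12 12:22:50 LOG7[660:896]: Service [https] finished (1 left)
2013.06.12 12:23:10 LOG3[660:904]: SSL_accept: Peer suddenly disconnected
""".splitlines()

if __name__ == "__main__":
    peak, still_open, sudden = analyse(SAMPLE_LOG)
    print("peak concurrent connections:", peak)
    for (pid, tid), (svc, peer, t) in still_open.items():
        print(f"still open: [{pid}:{tid}] {svc} from {peer} since {t}")
    for minute, n in sorted(sudden.items()):
        print(f"{minute} sudden disconnects: {n}")
```

Run it against the real /var/log/stunnel.log instead of SAMPLE_LOG to see which threads accepted a connection but never finished during an incident.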