stunnel-users August 2024

stunnel-users@stunnel.org

14 participants
13 discussions

Help
by Hugo Sarkissian 10 Aug '24

10 Aug '24

Hello, Tried to configure stunnel linked to pdm (solidworks) When I try I have an error : Service [ssmtp] started 2024.07.30 15:01:27 LOG7[1]: Setting local socket options (FD=1184) 2024.07.30 15:01:27 LOG7[1]: Option TCP_NODELAY set on local socket 2024.07.30 15:01:27 LOG5[1]: Service [ssmtp] accepted connection from 127.0.0.1:60652 2024.07.30 15:01:27 LOG6[1]: Peer certificate not required 2024.07.30 15:01:27 LOG7[1]: TLS state (accept): before SSL initialization 2024.07.30 15:01:37 LOG7[1]: TLS alert (write): fatal: record overflow 2024.07.30 15:01:37 LOG3[1]: error queue: ssl/record/rec_layer_s3.c:645: error:0A000139:SSL routines::record layer failure 2024.07.30 15:01:37 LOG3[1]: SSL_accept: ssl/record/methods/tls_common.c:654: error:0A0000C6:SSL routines::packet length too long 2024.07.30 15:01:37 LOG5[1]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2024.07.30 15:01:37 LOG7[1]: Local descriptor (FD=1184) closed 2024.07.30 15:01:37 LOG7[1]: Service [ssmtp] finished (0 left) My config : ; Configuration de Stunnel ; Niveau de journalisation debug = 7 output = stunnel.log ; Service SMTP sécurisé [ssmtp] accept = 127.0.0.1:25 connect = 127.0.0.1:587 cert = C:\Program Files (x86)\stunnel\config\stunnel.pem key = C:\Program Files (x86)\stunnel\config\stunnel.pem ; Protocoles et suites de chiffrement sslVersion = all ciphers = ALL:!aNULL:!MD5 renegotiation = no options = NO_SSLv2 TIMEOUTclose = 0 Can you help me please [cid:logopiabgroup_89c2c8d4-09f6-4cf6-87f9-3682b4094f7c.jpg] Hugo Sarkissian IT Operation Support Technician Piab Group Montelier FR (+33) 7 88 06 22 31 Hugo.Sarkissian(a)piabgroup.com<mailto:hugo.sarkissian@piabgroup.com> Please consider your environmental responsibility. Before printing this email message, ask yourself whether you really need a hard copy.

2 1

421 mismatched
by d.arlo.421642＠gmail.com 07 Aug '24

07 Aug '24

Hi I am running stunnel on my local pc win10. Trying to stunnel to https://api.interactsms.com/HTTP_API/V1/sendmessage.aspx?user=User1&passwor… Password1&api_id=9876&to=353879999999&text=HelloWorld&from=YourCompany which gives me wrong user name and password which is fine. if I Stunnel this http://localhost:8083/HTTP_API/V1/sendmessage.aspx?user=User1&password=Pass… I get Misdirected Request The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection. Is this a problem with the site or my Stunnel config? when I installed Stunnel, I used localhost for the CN. I have tried downloading the client, intermediate and CA cert with the below config... ;cert = D:\Program Files (x86)\stunnel\config\sms\interactsms-com.pem ;CAfile= D:\Program Files (x86)\stunnel\config\sms\godaddyca.pem this is current config... [sms] client = yes accept = 8083 connect = api.interactsms.com:443 cert = D:\Program Files (x86)\stunnel\config\stunnel.pem

3 3

OCSP: The root CA certificate was not found
by akos.schneemaier＠gmail.com 06 Aug '24

06 Aug '24

Hi, this is my first post on this mailing list. I did extensive search and tried to resolve the issue I have in pfsense with stunnel. Pfsense CE 2.7.2 uses stunnel 5.71. In my config I created certificate using the acme package with Let's ecrypt. The created certificate works fine in pfsense wenb consol and also with stunnel 5.68 on Debian, but it does not work with stunnel 5.71 on Pfsense. All connections going through stunnel get are timing out and the stunnel log has the following in it: ``` Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: Service [XXXX] accepted connection from xxxxxx:46415 Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: Peer certificate not required Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: OCSP: The root CA certificate was not found Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: OCSP: Connecting the AIA responder "http://r10.o.lencr.org" Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: Error resolving "r10.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY) Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: OCSP: Failed to resolve the OCSP responder address Jul 19 00:56:05 router1 stunnel[2933]: LOG6[6]: OCSP: No OCSP stapling response to send Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: SSL_accept: /var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304: error:0A000126:SSL routines::unexpected eof while reading Jul 19 00:56:05 router1 stunnel[2933]: LOG5[6]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket ``` So far i tried: 1. Creating new certificate with acme 2. Unisntall and reinstall both acme and stunnel 3. Tried new cetrificate provider (zerossl) 4. tried adding "OCSPrequire = no" to stunnel.conf based on https://www.stunnel.org/mailman3/hyperkitty/list/stunnel-users@stunnel.org/… None of the above fixed the issue and not I am not sure how to resolve it. I have another Pfsense installation where all these things work fine. I compaired the stunnel.conf files, but there are identical (except the certificate ofcourse). I looked into the source code and found that the error message is comming from ocsp_params_append_root_ca function in opcs.c, but I ma not a C programer and neither familiar with the stunnel code to figure out more. I hope someone from the stunnel list has some ideas how to proceed based on the logs above. Thank you!

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users August 2024