stunnel-users

stunnel-users@stunnel.org

5 participants
3293 discussions

error:0A000438:SSL routines::tlsv1 alert internal error
by johannwang＠ami.com 21 Sep '22

21 Sep '22

Hello, I am trying to use the xvncviewer on Ubuntu by VNC over stunnel, it will connect failed and print "xvncviewer: read: Connection reset by peer". The LOG on VNC server is here: 2012.01.01 00:21:58 LOG7[1]: Initializing application specific data for session authenticated 2012.01.01 00:21:58 LOG7[1]: SNI: no virtual services defined 2012.01.01 00:21:58 LOG7[1]: TLS state (accept): SSLv3/TLS read client hello 2012.01.01 00:21:58 LOG7[1]: TLS state (accept): SSLv3/TLS write server hello 2012.01.01 00:21:58 LOG7[1]: TLS state (accept): SSLv3/TLS write certificate 2012.01.01 00:21:58 LOG7[1]: TLS state (accept): SSLv3/TLS write key exchange 2012.01.01 00:21:58 LOG7[1]: TLS state (accept): SSLv3/TLS write certificate request 2012.01.01 00:21:58 LOG7[1]: TLS state (accept): SSLv3/TLS write server done 2012.01.01 00:21:58 LOG7[1]: TLS alert (read): fatal: internal error 2012.01.01 00:21:58 LOG3[1]: SSL_accept: ssl/record/rec_layer_s3.c:1584: error:0A000438:SSL routines::tlsv1 alert internal error 2012.01.01 00:21:58 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2012.01.01 00:21:58 LOG7[1]: Deallocating application specific data for session connect address 2012.01.01 00:21:58 LOG7[1]: Local descriptor (FD=3) closed 2012.01.01 00:21:58 LOG7[1]: Service [vnc] finished (0 left) I am running Stunnel 5.63 Here is the configuration currently: stunnel.conf on VNC client: cert = /home/server.pem key = /home/privkey.pem [VNC] client = yes accept = 127.0.0.1:5901 connect = 172.31.100.121:5901 sslVersion = all verifyChain = yes CAfile = /home/server.pem checkIP = 172.31.100.121 stunnel.conf on VNC server: cert = /conf/server.pem ;key = /conf/certs/privkey.pem setuid = stunnel4 setgid = stunnel4 pid = /var/run/stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 socket = a:TCP_NODELAY=1 debug = 7 foreground = yes client = no ciphers=AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM sslVersion = TLSv1.2 [vnc] accept = :::5901 connect = 5900 verify = 3 CAfile = /conf/server.pem Is this something I can remedy from the configuration, or is this something that requires modification? Thank you Johan

1 0

v5.66: failing test 081
by Andreas Vetter 20 Sep '22

20 Sep '22

Hi, in open build system I get the following failing test, when building and testing stunnel 5.66: [ 45s] 081. Test IPv6 support [ 45s] [client] Read '2022.09.15 21:17:15 LOG6[0]: TLS fd: Connection reset by peer (104)' [ 45s] ...................................................................... failed Is this a stunnel problem or a problem with logging inside the build system? What can I do to get more verbose information during build? The test is working for a similar target OS (openSUSE_Tumbleweed) and not for this one (openSUSE:Factory). The difference is small, but sometimes not neglectible: openSUSE:Factory is the to be tested submissions, always in the flow. openSUSE_Tumbleweed is a tested working snapshot of Factory. Best regards, Andreas

1 1

stunnel 5.66 released
by Michał Trojnara 11 Sep '22

11 Sep '22

Dear Users, I have released version 5.66 of stunnel. ### Version 5.66, 2022.09.11, urgency: MEDIUM * New features - OpenSSL 3.0 FIPS Provider support for Windows. * Bugfixes - Fixed building on machines without pkg-config. - Added the missing "environ" declaration for BSD-based operating systems. - Fixed the passphrase dialog with OpenSSL 3.0. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 558178704d1aa5f6883aac6cc5d6bbf2a5714c8a0d2e91da0392468cee9f579c stunnel-5.66.tar.gz 5fccb2e4db0d2e3c1adb26c3906585ac545baf88226f4f539b2dc43fe418a3ef stunnel-5.66-win64-installer.exe 3b1e30e060e16f6aa9a8ad1b1a6ba1210c165bf76bd01e4734cb4537e0717c09 stunnel-5.66-android.zip Best regards, Mike

1 0

Stunnel Consulting
by Gary Jackson 10 Sep '22

10 Sep '22

I am looking for someone to assist with an stunnel configuration on windows that will accept TLS1.2 connections and then send them unencrypted to an IP and port. I would need to get it working within the next week or so and am available most times if scheduled. Thank you. Gary Jackson Sent from my mobile

2 1

TLS 1.2 traffic on STunnel
by Gary Jackson 08 Sep '22

08 Sep '22

Good afternoon, I am trying to use Stunnel to accept traffic from a custom application using TLS 1.2 and a self signed cert and then send it to a back end application unencrypted. I want the configuration to only affect one listener on Stunnel and not all incoming ports. I am using Stunnel v.5.6 I am confused with all the documentation and what needs to be set in the config file for this use case. The config file currently has connections where it accepts traffic on one port and then directs it to another port internally but not with TLS 1.2. Thank you for all your knowledge and insight! _________________________________ Gary Jackson | Senior Systems Engineer

2 1

Certificate Request's "Distinguished Names" list is empty when using CAPath (but not when using CAFile)
by david.rundqvist＠gmail.com 26 Aug '22

26 Aug '22

Hi, If I hash the client certificates and put them in a folder (with file names <hash>.0), and use the CAPath parameter on the server, together with verify=3, the server's Certificate Request message contains an empty list of "Distinguished Names". However, if I put the client certificates concatenated in a .pem file, and use the CAFile parameter on the server, the Certificate Request message does contain the Distinguished Names. Is this the correct behavior? I thought CAFile and CAPath worked more or less in the same way, but perhaps the Certificate Request message is implemented differently, depending on if you use CAFile or CAPath? My preferred way is to use CAPath: Is there some way I can get the Distinguished Names not to be empty, when using CAPath? I'm on Windows, using stunnel version 5.49, currently. Thanks in advance! Kind regards, /David

2 1

looking to pay for stunnel support
by jkorman＠pcvisions1.com 24 Aug '22

24 Aug '22

I have an issue with a program that is 9 years old that uses old stunnel for email forwarding of automated alerts. I would gladly pay for support for assistance configuring the newest version of stunnel. My issue is that present configuration is sending smtp at tls 1.0 which is getting rejected. Please send me your info via email and I will promptly respond Joe Korman

1 0

FIPS-enabled Windows installer of stunnel
by Vadim Loevski 22 Aug '22

22 Aug '22

Hi, I would appreciate it if you let me know how I could obtain a FIPS-enabled Windows 64 bit installer of stunnel. Regards, Vadim

1 0

Stunnel is throwing Timeout connect and Timeout closed error
by Ferdous K 16 Aug '22

16 Aug '22

Hello, I have been using Stunnel 3.5.44 (latest for Ubuntu 18) to connect to my remote load balancer which serves traffic to several backend nodes. After recent O/S update, I have noticed one weird issue. I am seeing frequent TIMEOUTconnect and TIMEOUTclosed exceeded errors when stunnel service tries to connect to backend nodes via load balancer in round robin mode. If I replace load balancer or multiple backends (to rule out DNS issue) entries: connect = remote-load-balancer:8080 Or connect = remote-backend-node1:8080 connect = remote-backend-node2:8080 With single backend entry like this: connect = remote-backend-node1:8080 Or, connect = remote-backend-node2:8080 Then those errors go away. I have tested on multiple servers with different backends and timeout configuration and all are showing same issues so the problem seems like not related to specific server of backend. Any idea what could cause this issue? Thanks in advance, Ferdous Reference: https://launchpad.net/ubuntu/bionic/+package/stunnel4 Stunnel sample config: pid = /var/run/stunnel4/stunnel.pid output = /var/log/stunnel4/stunnel.log socket = l:SO_KEEPALIVE=1 socket = r:SO_KEEPALIVE=1 socket = r:TCP_KEEPIDLE=120 socket = r:TCP_KEEPINTVL=30 socket = r:TCP_KEEPCNT=6 socket = l:TCP_KEEPIDLE=120 socket = l:TCP_KEEPINTVL=30 socket = l:TCP_KEEPCNT=6 [remote] client = yes accept = 127.0.0.1:6500 connect = remote-load-balancer:8080 cert = /opt/service/etc/cert.d/remote.crt key = /opt/service/etc/key.d/remote.key sslVersion = TLSv1.2 debug = info verifyChain = no verifyPeer = no

1 1

TLS alert (write): fatal: decode error (pop3 to office365)
by Martijn Strunk - Mulder Connect 15 Aug '22

15 Aug '22

We now use stunnel as a solution for a pop3 import for Office365. It just stopped working since Wednesday. we have done a new installation on this, only now we run into these problems that it no longer wants to connect. Below you will find our debug list and config list. Do any of you have a solution to this problem? Debug: 2022.07.26 14:34:37 LOG6[service]: Service [POP3 Incoming] (FD=876) bound to 0.0.0.0:110 2022.07.26 14:34:37 LOG6[service]: Service [SMTP Outgoing] (FD=840) bound to 0.0.0.0:25 2022.07.26 14:34:54 LOG5[21]: Service [POP3 Incoming] accepted connection from 192.168.110.11:60494 2022.07.26 14:34:54 LOG6[21]: Peer certificate not required 2022.07.26 14:35:24 LOG3[21]: SSL_accept: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.07.26 14:35:24 LOG5[21]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2022.07.26 14:35:24 LOG4[21]: Possible memory leak at crypto/asn1/asn1_lib.c:308: 87315 allocations 2022.07.26 14:35:24 LOG4[21]: Possible memory leak at crypto/asn1/tasn_new.c:136: 77533 allocations 2022.07.26 14:35:24 LOG4[21]: Possible memory leak at crypto/asn1/asn1_lib.c:350: 70711 allocations 2022.07.26 14:37:21 LOG6[service]: Initializing inetd mode configuration 2022.07.26 14:37:21 LOG5[service]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf 2022.07.26 14:37:21 LOG5[service]: UTF-8 byte order mark detected 2022.07.26 14:37:21 LOG5[service]: FIPS mode disabled 2022.07.26 14:37:21 LOG6[service]: Compression enabled: 0 methods 2022.07.26 14:37:21 LOG6[service]: Initializing service [POP3 Incoming] 2022.07.26 14:37:21 LOG6[service]: User-specified security level set: 0 2022.07.26 14:37:21 LOG6[service]: Session resumption enabled 2022.07.26 14:37:21 LOG6[service]: Loading certificate from file: stunnel.pem 2022.07.26 14:37:21 LOG6[service]: Certificate loaded from file: stunnel.pem 2022.07.26 14:37:21 LOG6[service]: Loading private key from file: stunnel.pem 2022.07.26 14:37:21 LOG6[service]: Private key loaded from file: stunnel.pem 2022.07.26 14:37:21 LOG6[service]: Client CA: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G3 2022.07.26 14:37:21 LOG6[service]: Client CA: O=Entrust.net<http://o=entrust.net/>, OU=www.entrust.net/CPS_2048<http://ou=www.entrust.net/CPS_2048> incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net<http://entrust.net/> Limited, CN=Entrust.net<http://cn=entrust.net/> Certification Authority (2048) 2022.07.26 14:37:21 LOG6[service]: Client CA: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root 2022.07.26 14:37:21 LOG6[service]: Client CA: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="Entrust, Inc.", OU=www.entrust.net/CPS<http://ou=www.entrust.net/CPS> is incorporated by reference, OU="(c) 2006 Entrust, Inc.", CN=Entrust Root Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root 2022.07.26 14:37:21 LOG6[service]: Client CA: C=PL, O=Unizeto Sp. z o.o., CN=Certum CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services 2022.07.26 14:37:21 LOG6[service]: Client CA: C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=JP, O=SECOM Trust.net<http://trust.net/>, OU=Security Communication RootCA1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FI, O=Sonera, CN=Sonera Class2 CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org<http://ou=http//www.chambersign.org>, CN=Chambers of Commerce Root 2022.07.26 14:37:21 LOG6[service]: Client CA: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org<http://ou=http//www.chambersign.org>, CN=Global Chambersign Root 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, OU=www.xrampsecurity.com<http://ou=www.xrampsecurity.com/>, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="The Go Daddy Group, Inc.", OU=Go Daddy Class 2 Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="Starfield Technologies, Inc.", OU=Starfield Class 2 Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=TW, O=Government Root Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert Assured ID Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert Global Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert High Assurance EV Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=Certplus, CN=Class 2 Primary CA 2022.07.26 14:37:21 LOG6[service]: Client CA: O=Digital Signature Trust Co., CN=DST Root CA X3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2006 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=SecureTrust Corporation, CN=SecureTrust CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=SecureTrust Corporation, CN=Secure Global CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication EV RootCA1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=Dhimyotis, CN=Certigna 2022.07.26 14:37:21 LOG6[service]: Client CA: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2 2022.07.26 14:37:21 LOG6[service]: Client CA: O="Cybertrust, Inc", CN=Cybertrust Global Root 2022.07.26 14:37:21 LOG6[service]: Client CA: C=TW, O="Chunghwa Telecom Co., Ltd.", OU=ePKI Root Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=RO, O=certSIGN, OU=certSIGN ROOT CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="thawte, Inc.", OU="(c) 2007 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2008 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2008 VeriSign, Inc. - For authorized use only", CN=VeriSign Universal Root Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2007 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G4 2022.07.26 14:37:21 LOG6[service]: Client CA: C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Arany (Class Gold) Főtanúsítvány 2022.07.26 14:37:21 LOG6[service]: Client CA: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=JP, O="Japan Certification Services, Inc.", CN=SecureSign RootCA11 2022.07.26 14:37:21 LOG6[service]: Client CA: CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES 2022.07.26 14:37:21 LOG6[service]: Client CA: C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, emailAddress=info(a)e-szigno.hu 2022.07.26 14:37:21 LOG6[service]: Client CA: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign 2022.07.26 14:37:21 LOG6[service]: Client CA: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 2022.07.26 14:37:21 LOG6[service]: Client CA: C=ES, O=IZENPE S.A., CN=Izenpe.com<http://cn=izenpe.com/> 2022.07.26 14:37:21 LOG6[service]: Client CA: C=EU, L=Madrid (see current address at www.camerfirma.com/address<http://www.camerfirma.com/address>), serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008 2022.07.26 14:37:21 LOG6[service]: Client CA: C=EU, L=Madrid (see current address at www.camerfirma.com/address<http://www.camerfirma.com/address>), serialNumber=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com<http://o="godaddy.com/>y.com, Inc.", CN=Go Daddy Root Certificate Authority - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Root Certificate Authority - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Services Root Certificate Authority - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=AffirmTrust, CN=AffirmTrust Commercial 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=AffirmTrust, CN=AffirmTrust Networking 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=AffirmTrust, CN=AffirmTrust Premium 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC 2022.07.26 14:37:21 LOG6[service]: Client CA: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=Certinomis, OU=0002 433998903<tel:0002%20433998903>, CN=Certinomis - Autorité Racine 2022.07.26 14:37:21 LOG6[service]: Client CA: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011 2022.07.26 14:37:21 LOG6[service]: Client CA: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GB, O=Trustis Limited, OU=Trustis FPS Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, emailAddress=pki(a)sk.ee 2022.07.26 14:37:21 LOG6[service]: Client CA: CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı, C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007 2022.07.26 14:37:21 LOG6[service]: Client CA: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009 2022.07.26 14:37:21 LOG6[service]: Client CA: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009 2022.07.26 14:37:21 LOG6[service]: Client CA: emailAddress=contacto(a)procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert 2022.07.26 14:37:21 LOG6[service]: Client CA: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2 2022.07.26 14:37:21 LOG6[service]: Client CA: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES 2022.07.26 14:37:21 LOG6[service]: Client CA: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: O=TeliaSonera, CN=TeliaSonera Root CA v1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2 2022.07.26 14:37:21 LOG6[service]: Client CA: CN=Atos TrustedRoot 2011, O=Atos, C=DE 2022.07.26 14:37:21 LOG6[service]: Client CA: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert Assured ID Root G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert Assured ID Root G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert Global Root G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert Global Root G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=DigiCert Inc, OU=www.digicert.com<http://ou=www.digicert.com/>, CN=DigiCert Trusted Root G4 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CN, O=WoSign CA Limited, CN=CA 沃通根证书 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority 2022.07.26 14:37:21 LOG6[service]: Client CA: OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign 2022.07.26 14:37:21 LOG6[service]: Client CA: OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign 2022.07.26 14:37:21 LOG6[service]: Client CA: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms<http://www.entrust.net/legal-terms>, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms<http://www.entrust.net/legal-terms>, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - EC1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT 2022.07.26 14:37:21 LOG6[service]: Client CA: C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş., CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=Certinomis, OU=0002 433998903<tel:0002%20433998903>, CN=Certinomis - Root CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root 2022.07.26 14:37:21 LOG6[service]: Client CA: C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015 2022.07.26 14:37:21 LOG6[service]: Client CA: C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=Certplus, CN=Certplus Root CA G1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=Certplus, CN=Certplus Root CA G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=OpenTrust, CN=OpenTrust Root CA G1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=OpenTrust, CN=OpenTrust Root CA G2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=FR, O=OpenTrust, CN=OpenTrust Root CA G3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=Internet Security Research Group, CN=ISRG Root X1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=Amazon, CN=Amazon Root CA 1 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=Amazon, CN=Amazon Root CA 2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=Amazon, CN=Amazon Root CA 3 2022.07.26 14:37:21 LOG6[service]: Client CA: C=US, O=Amazon, CN=Amazon Root CA 4 2022.07.26 14:37:21 LOG6[service]: Client CA: C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2 2022.07.26 14:37:21 LOG6[service]: Client CA: C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 2022.07.26 14:37:21 LOG6[service]: DH initialization needed for DHE-DSS-AES256-GCM-SHA384 2022.07.26 14:37:21 LOG6[service]: Using dynamic DH parameters 2022.07.26 14:37:21 LOG5[service]: Configuration successful 2022.07.26 14:37:21 LOG7[service]: Deallocating deployed section defaults 2022.07.26 14:37:21 LOG7[service]: Deallocating section [POP3 Incoming] 2022.07.26 14:37:21 LOG7[service]: Deallocating section [SMTP Outgoing] 2022.07.26 14:37:21 LOG7[service]: Binding service [POP3 Incoming] 2022.07.26 14:37:21 LOG7[service]: Listening file descriptor created (FD=840) 2022.07.26 14:37:21 LOG7[service]: Setting accept socket options (FD=840) 2022.07.26 14:37:21 LOG7[service]: Option SO_EXCLUSIVEADDRUSE set on accept socket 2022.07.26 14:37:21 LOG6[service]: Service [POP3 Incoming] (FD=840) bound to 0.0.0.0:110 2022.07.26 14:37:29 LOG7[service]: Found 1 ready file descriptor(s) 2022.07.26 14:37:29 LOG7[service]: FD=664 ifds=r-x ofds=--- 2022.07.26 14:37:29 LOG7[service]: FD=840 ifds=r-x ofds=r-- 2022.07.26 14:37:29 LOG7[service]: Service [POP3 Incoming] accepted (FD=740) from 192.168.110.11:60596 2022.07.26 14:37:29 LOG7[service]: Creating a new thread 2022.07.26 14:37:29 LOG7[service]: New thread created 2022.07.26 14:37:29 LOG7[22]: Service [POP3 Incoming] started 2022.07.26 14:37:29 LOG7[22]: Setting local socket options (FD=740) 2022.07.26 14:37:29 LOG7[22]: Option TCP_NODELAY set on local socket 2022.07.26 14:37:29 LOG5[22]: Service [POP3 Incoming] accepted connection from 192.168.110.11:60596 2022.07.26 14:37:29 LOG6[22]: Peer certificate not required 2022.07.26 14:37:29 LOG7[22]: TLS state (accept): before SSL initialization 2022.07.26 14:37:59 LOG7[22]: TLS alert (write): fatal: decode error 2022.07.26 14:37:59 LOG3[22]: SSL_accept: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.07.26 14:37:59 LOG5[22]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2022.07.26 14:37:59 LOG7[22]: Local descriptor (FD=740) closed 2022.07.26 14:37:59 LOG7[22]: Service [POP3 Incoming] finished (0 left) Config: ; Sample stunnel configuration file for Win64 by Michal Trojnara 2002-2022 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options ; ************************************************************************** ; * Global options * ; ************************************************************************** ; Debugging stuff (may be useful for troubleshooting) debug = 7 output = stunnel.log log = overwrite ; Enable FIPS 140-2 mode if needed for compliance ;fips = yes ; Microsoft CryptoAPI engine allows for authentication with private keys ; stored in the Windows certificate store ; Each section using this feature also needs the "engineId = capi" option ;engine = capi ; You also need to disable TLS 1.2 or later, because the CryptoAPI engine ; currently does not support PSS ;sslVersionMax = TLSv1.1 ; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later securityLevel = 0 ; The pkcs11 engine allows for authentication with cryptographic ; keys isolated in a hardware or software token ; MODULE_PATH specifies the path to the pkcs11 module shared library, ; such as softhsm2-x64.dll or opensc-pkcs11.dll ; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules ; Each section using this feature also needs the "engineId = pkcs11" option ;engine = pkcs11 ;engineCtrl = MODULE_PATH:softhsm2-x64.dll ;engineCtrl = PIN:1234 ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Enable support for the insecure SSLv3 protocol ;sslVersion = all sslVersionMax=TLSv1.3 sslVersionMin=TLSv1.2 sslVersion = TLSv1.2 sslVersion = TLSv1.3 ;options = NO_SSLv2 ;options = NO_SSLv3 ;options = NO_SSLv2 ;options = NO_SSLv3 ;options = NO_TLSv1 ciphers = ALL ;ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256 options = CIPHER_SERVER_PREFERENCE cert = stunnel.pem CAfile = ca-certs.pem OCSPaia = no verify = 0 ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Include all configuration file fragments from the specified folder * ; ************************************************************************** ;include = conf.d ; ************************************************************************** ; * Service definitions (at least one service has to be defined) * ; ************************************************************************** ; ***************************************** Example TLS client mode services ;[POP3 Incoming] ;client = yes ;accept = 110 ;connect = outlook.office365.com:995 ;verifyChain = yes ;CAfile = ca-certs.pem ;checkHost = outlook.office365.com<http://outlook.office365.com/> ;OCSPaia = yes [POP3 Incoming] accept = 110 connect = outlook.office365.com:995 ;[SMTP Outgoing] ;accept = 25 ;connect = smtp.office365.com:587 ;[SMTP Outgoing] ;client = yes ;accept = 25 ;protocol = smtp ;connect = smtp.office365.com:587 ;verifyChain = yes ;CAfile = ca-certs.pem ;checkHost = smtp.office365.com<http://smtp.office365.com/> ;OCSPaia = yes ; Encrypted HTTP proxy authenticated with a client certificate ; located in the Windows certificate store ;[example-proxy] ;client = yes ;accept = 127.0.0.1:8080 ;connect = example.com:8443 ;engineId = capi ; Encrypted HTTP proxy authenticated with a client certificate ; located in a cryptographic token ;[example-pkcs11] ;client = yes ;accept = 127.0.0.1:8080 ;connect = example.com:8443 ;engineId = pkcs11 ;cert = pkcs11:token=MyToken;object=MyCert ;key = pkcs11:token=MyToken;object=MyKey ; ***************************************** Example TLS server mode services ;[pop3s] ;accept = 995 ;connect = 110 ;cert = stunnel.pem ;[imaps] ;accept = 993 ;connect = 143 ;cert = stunnel.pem ; Either only expose this service to trusted networks, or require ; authentication when relaying emails originated from loopback. ; Otherwise the following configuration creates an open relay. ;[ssmtp] ;accept = 465 ;connect = 25 ;cert = stunnel.pem ; TLS front-end to a web server ;[https] ;accept = 443 ;connect = 80 ;cert = stunnel.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks ;TIMEOUTclose = 0 ; Remote cmd.exe protected with PSK-authenticated TLS ; Create "secrets.txt" containing IDENTITY:KEY pairs ;[cmd] ;accept = 1337 ;exec = c:\windows\system32\cmd.exe ;execArgs = cmd.exe ;PSKsecrets = secrets.txt ; vim:ft=dosini Met vriendelijke groeten, Martijn Strunk Laan van de Ram 59 06 - 13 10 67 62 7324 BW APELDOORN M.Strunk(a)mulderconnect.nl 055 - 303 12 34 www.mulderconnect.nl Mulder Connect is een onderdeel van Mulder Systems, specialist op het gebied van elektrotechniek, data-infra, IT, telecommunicatie, beveiliging en duurzame technieken. Disclaimer Deze E-mail en alle daarbij meegestuurde bijlagen zijn uitsluitend bestemd voor geadresseerde(n). Verstrekking aan en gebruik door anderen is niet toegestaan. Mulder Systems sluit iedere aansprakelijkheid uit die voortvloeit uit elektronische verzending. This E-mail and any attachment sent with it are intended exclusively for the addressee(s), and may not be passed on to, or made available for use by any person other than the addressee(s). Mulder Systems rules out any and every liability resulting from any electronic transmission.

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users