Hello there!
Some time ago I used stunnel to send the output of a homebrew logging script to a remote server. For a few weeks now, the sever has an expired certificate, so I get an error while connecting to it. The stunnel.log looks like that:
2011.11.18 12:23:36 LOG5[753:3078719168]: stunnel 4.29 on i486-pc-linux-gnu with OpenSSL 0.9.8o 01 Jun 2010 2011.11.18 12:23:36 LOG5[753:3078719168]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2011.11.18 12:23:36 LOG5[753:3078719168]: 500 clients allowed 2011.11.18 12:24:00 LOG5[759:3078716272]: https accepted connection from 127.0.0.1:40691 2011.11.18 12:24:00 LOG5[759:3078716272]: connect_blocking: connected example.com:443 2011.11.18 12:24:00 LOG5[759:3078716272]: https connected remote server from my_outside_ip:38486 2011.11.18 12:24:00 LOG3[759:3078716272]: SSL_connect: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired 2011.11.18 12:24:00 LOG5[759:3078716272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
This happens, when connecting manually with "nc -v 127.0.0.1 1234" to make a http-get request. To also provide the config file of my linux client:
; Sample stunnel configuration file by Michal Trojnara 2002-2009 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of the chroot jail)
; Certificate/key is needed in server mode and optional in client mode cert = /etc/ssl/certs/https.pem ;key = /etc/ssl/certs/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1) sslVersion = SSLv3
; Some security enhancements for UNIX systems - comment them out on Win32 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 ; PID is created inside the chroot jail pid = /stunnel4.pid
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = zlib
; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail ;CApath = /certs ; It's often easier to use CAfile ;CAfile = /etc/stunnel/certs.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting ;debug = 7 output = /var/log/stunnel4/stunnel.log
; Use it for client mode client = yes
; Service-level configuration
[https] accept = 127.0.0.1:1234 connect = example.com:443 TIMEOUTclose = 0
;[pop3s] ;accept = 995 ;connect = 110
;[imaps] ;accept = 993 ;connect = 143
[ssmtp] accept = 465 connect = 25
;[https] ;accept = 443 ;connect = 80 ;TIMEOUTclose = 0
; vim:ft=dosini
So, the server is not under my control, where I am logging to. Is there a problem I don't see? I thought, that when I connect to localhost, the data should be forwarded to the https-server.
Thanks in advance.
-Rolf