After building stunnel 5.34 from source I noticed that my old config (5.22) was not working.

[dwiest@716161-compute2 ~]$ sudo ./stunnel /etc/stunnel/stunnel.conf
2016.07.07 14:07:41 LOG5[ui]: stunnel 5.34 on x86_64-unknown-linux-gnu platform
2016.07.07 14:07:41 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
2016.07.07 14:07:41 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2016.07.07 14:07:41 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.07.07 14:07:41 LOG5[ui]: UTF-8 byte order mark not detected
2016.07.07 14:07:41 LOG5[ui]: FIPS mode disabled
2016.07.07 14:07:41 LOG5[ui]: Configuration successful
2016.07.07 14:07:41 LOG5[cron]: Updating DH parameters
2016.07.07 14:07:42 LOG5[0]: Service [rabbitmq] accepted connection from 192.168.237.81:49535
2016.07.07 14:07:42 LOG3[0]: SSL_accept: Peer suddenly disconnected
2016.07.07 14:07:42 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.07.07 14:07:42 LOG5[1]: Service [rabbitmq] accepted connection from 192.168.237.81:49536
2016.07.07 14:07:42 LOG3[1]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

But I haven't enabled client certificate verification!

[dwiest@716161-compute2 ~]$ sudo grep verify /etc/stunnel/stunnel.conf
; verify = 2

I have to explicitly set verify to 0 or 1 in order to connect without a client cert.
Is this intentional? The documentation suggests that by default no verification should be taking place.
-Damian