Guys,
Just be aware a configuration without any authentication (a certificate is not sent nor verified) is vulnerable to trivial active (MiTM) attacks. There are various lamer-friendly tools available, so an attack is no more difficult than sniffing a plaintext connection.
Mike
On Sat, 29 Nov 2008 13:24:52 -0800 (PST), alexlim alex@limberis.net wrote:
Thanks to James' email today. I was able to get it to work. Quoting James here.
The solution was to remove the "cert" line from the configuration file. The "verify" level had to stay at 0.
This did the trick.
James Moe-2 wrote:
Hello, (I sent this yesterday but that one seems to have gotten lost....) Stunnel v4.20. When connecting to SBC/Yahoo, the session is terminated with a "bad certificate" message. See the log below. The tech folks claim all is well at their end. Is there something I am missing here? Here is the conf file:
....[ conf ]....
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
output = G:/c/voice/pmmdev/testcase/bin/stunnel.log
verify = 0
debug = 7
cert = g:/c/voice/pmmdev/testcase/bin/sma-test.pem

[sbc]
accept = localhost:6325
connect = smtp.att.yahoo.com:465
....[ end conf ]....
....[ connection log ]....
2008.11.11 00:14:17 LOG7[223:1737]: sbc accepted FD=15 from 127.0.0.1:61053
2008.11.11 00:14:17 LOG7[223:1737]: Creating a new thread
2008.11.11 00:14:17 LOG7[223:1737]: New thread created
2008.11.11 00:14:17 LOG7[251:1737]: sbc started
2008.11.11 00:14:17 LOG7[251:1737]: FD 15 in non-blocking mode
2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on local socket
2008.11.11 00:14:17 LOG5[251:1737]: sbc accepted connection from 127.0.0.1:61053
2008.11.11 00:14:17 LOG7[251:1737]: FD 16 in non-blocking mode
2008.11.11 00:14:17 LOG7[251:1737]: sbc connecting 69.147.64.31:465
2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: waiting 10 seconds
2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: connected
2008.11.11 00:14:17 LOG5[251:1737]: sbc connected remote server from 192.168.69.14:61054
2008.11.11 00:14:17 LOG7[251:1737]: Remote FD=16 initialized
2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on remote socket
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): before/connect initialization
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client hello A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server hello A
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate request A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server done A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client certificate A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client key exchange A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write certificate verify A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write change cipher spec A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write finished A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 flush data
2008.11.11 00:14:18 LOG7[251:1737]: SSL alert (read): fatal: bad certificate
2008.11.11 00:14:18 LOG3[251:1737]: SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2008.11.11 00:14:18 LOG5[251:1737]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.11.11 00:14:18 LOG7[251:1737]: sbc finished (0 left)
....[ end log ]....
jimoe (at) sohnen-moe (dot) com
_______________________________________________
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
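As an added example (not code from the thread or from the stunnel project), a small Python script that scans stunnel 4.x log lines in the format shown above and reports, per connection, whether the server certificate was really checked or only logged as VERIFY IGNORE (the trace that verify = 0 leaves), plus any fatal TLS alerts. The log lines are constructed for the example; the second "imap" service and its CA are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in stunnel 4.x log format: "date time LOGn[pid:tid]: message".
# The "sbc" lines mirror the thread's verify = 0 session; "imap" is an assumed
# service running with verification enabled (no VERIFY IGNORE entries).
SAMPLE_LOG = """\
2008.11.11 00:14:17 LOG7[251:1737]: sbc started
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/O=Yahoo! Inc./CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/O=Yahoo! Inc./CN=smtp.att.yahoo.com
2008.11.11 00:14:18 LOG7[251:1737]: SSL alert (read): fatal: bad certificate
2008.11.11 00:15:02 LOG7[252:1737]: imap started
2008.11.11 00:15:02 LOG5[252:1737]: VERIFY OK: depth=1, /C=US/O=Example CA/CN=Example Root CA
2008.11.11 00:15:02 LOG5[252:1737]: VERIFY OK: depth=0, /C=US/O=Example/CN=imap.example.net
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[([^\]]+)\]: (.*)$")
VERIFY_RE = re.compile(r"^VERIFY (IGNORE|OK|ERROR): depth=(\d+), (.*)$")
STARTED_RE = re.compile(r"^(\S+) started$")
ALERT_RE = re.compile(r"^SSL alert \((read|write)\): (\w+): (.*)$")

def analyse(log_text):
    """Return {conn_id: findings} keyed by the [pid:tid] tag of each connection."""
    conns = defaultdict(lambda: {"service": None, "ignored": 0, "verified": 0,
                                 "peer_cn": None, "alerts": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a stunnel log line
        conn_id, msg = m.group(3), m.group(4)
        c = conns[conn_id]
        if (s := STARTED_RE.match(msg)):
            c["service"] = s.group(1)     # section name, e.g. "sbc"
        elif (v := VERIFY_RE.match(msg)):
            result, depth, subject = v.group(1), int(v.group(2)), v.group(3)
            if result == "IGNORE":
                c["ignored"] += 1         # verify = 0: the result is discarded
            elif result == "OK" and c["ignored"] == 0:
                c["verified"] += 1        # an OK after an IGNORE is not a real check
            if depth == 0:                # leaf certificate: record who we talked to
                cn = re.search(r"/CN=([^/]+)", subject)
                c["peer_cn"] = cn.group(1) if cn else subject
        elif (a := ALERT_RE.match(msg)):
            c["alerts"].append(f"{a.group(2)} {a.group(3)} ({a.group(1)})")
    return dict(conns)

def risky_connections(log_text):
    """Connection ids whose server certificate was never actually verified."""
    return sorted(cid for cid, c in analyse(log_text).items() if c["ignored"] > 0)
```

Any connection listed by risky_connections() is one where stunnel accepted whatever certificate the peer presented, which is exactly the configuration Mike warns about.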