SciFi wrote:
$ uname -a Darwin SciFi.homeip.net 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386 i386 iMac6,1 Darwin
I couldn't reproduce your problem. It just works for me.
$ uname -a Darwin PowerBook.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Power Macintosh
I am fine while relegated to using stunnel-4.49, but we have a further issue, in that the "verify=<number>" option seems to reject the certs & what-not coming from these servers, for any <number> higher than 0 (yes I saw the maillist discussion about what 4 means there, and tried it also).
Are you sure you've put your peer certificates in /usr/local/var/lib/stunnel/certs, and then executed c_rehash there? In most cases it's better to use CAfile instead of CApath.
I manually start stunnel on a login-root terminal window, this way: # stunnel /usr/local/etc/stunnel/stunnel.conf -sockets
You are supposed to use *either* stunnel.conf or -sockets as a parameter. See the manual for details.
key = /usr/local/etc/stunnel/stunnel.pem
There is no point in specifying your private key in client mode, unless you also specify your certificate *and* configure remote servers to perform authentication based on client certificates. In your case (connecting some public services) it just doesn't make sense.
sslVersion = all
ciphers = ALL
It doesn't look very secure.
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
For troubleshooting it's best to avoid these options.
CApath = /certs
CRLpath = /crls
Again it's better to use CAfile instead. Do you really use CRLs?
Thanks for any help at all.
My troubleshooting tip:
Start with stable OpenSSL, and a minimal configuration:
foreground = yes
pid =
debug = 7
client = yes
[nntp_gn]
accept = 12000
connect = news.giganews.com:563

[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563

[nntp_gm]
accept = 12002
connect = 80.91.229.10:563
Try to get it working. Useful Mac OS X diagnostic commands: dtruss, lastwords.
Then add other options one by one.
Mike
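The points raised in the reply above (a private key without a certificate in client mode, sslVersion = all and ciphers = ALL, chroot/setuid/setgid left on while troubleshooting, CApath used where CAfile would be simpler, a CRLpath nobody maintains, and a verify level with no trust store behind it) can be checked mechanically before starting stunnel. The script below is an added example for this thread, written here and not part of stunnel or of either poster's message. It parses the stunnel.conf format with the standard library only. SCIFI_CONF is reconstructed from the fragments quoted in the thread, with verify = 2 as an assumption (the post only says the level was above 0), and MINIMAL_CONF is the troubleshooting configuration from the reply.

```python
"""Lint an stunnel client configuration for the issues raised in the reply above.

Added example for this thread: not stunnel code and not either poster's work.
Standard library only, so it runs offline.
"""
import re

GLOBAL = "__global__"  # holder for options that precede the first [service] section

# Constructed from the configuration fragments quoted in the thread.
# The verify level is an assumption: the post only says it was "higher than 0".
SCIFI_CONF = """\
; reconstructed stunnel.conf (constructed sample, not the original file)
client = yes
key = /usr/local/etc/stunnel/stunnel.pem
sslVersion = all
ciphers = ALL
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
CApath = /certs
CRLpath = /crls
verify = 2

[nntp_gn]
accept = 12000
connect = news.giganews.com:563
"""

# The minimal troubleshooting configuration suggested in the reply.
MINIMAL_CONF = """\
foreground = yes
pid =
debug = 7
client = yes

[nntp_gn]
accept = 12000
connect = news.giganews.com:563
"""


def parse_stunnel_conf(text):
    """Return {section_name: {option: value}}.

    stunnel.conf is INI-like: global options first, then one [name] section per
    service; ';' starts a comment. Option names are case-sensitive in stunnel,
    so they are kept exactly as written.
    """
    sections = {GLOBAL: {}}
    current = GLOBAL
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError("malformed stunnel.conf line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def lint(sections):
    """Return a list of (code, message) findings, in a stable order."""
    g = sections[GLOBAL]
    findings = []
    client_mode = g.get("client", "no").lower() == "yes"

    if client_mode and "key" in g and "cert" not in g:
        findings.append(("KEY_WITHOUT_CERT", "key= without cert= in client mode: "
                         "the key is unused unless the server requests a client cert"))
    if g.get("sslVersion", "").lower() == "all":
        findings.append(("SSLVERSION_ALL", "sslVersion = all enables every protocol "
                         "version the library supports, obsolete ones included"))
    if g.get("ciphers") == "ALL":
        findings.append(("CIPHERS_ALL", "ciphers = ALL admits weak suites; "
                         "use a restricted cipher list"))
    privsep = [k for k in ("chroot", "setuid", "setgid") if k in g]
    if privsep:
        findings.append(("PRIVSEP_SET", "%s set; drop them while troubleshooting "
                         "and add them back one at a time" % ", ".join(privsep)))
    if "CApath" in g and "CAfile" not in g:
        msg = "CApath= without CAfile=; CApath needs c_rehash'd hash links"
        if "chroot" in g:
            msg += " and is resolved inside the chroot %s" % g["chroot"]
        findings.append(("CAPATH_WITHOUT_CAFILE", msg))
    if "CRLpath" in g:
        findings.append(("CRLPATH_SET", "CRLpath= set; keep it only if CRLs "
                         "are really maintained there"))
    # verify may appear globally or per service; any level above 0 needs a trust store
    has_trust = "CAfile" in g or "CApath" in g
    for name, opts in sections.items():
        level = opts.get("verify")
        if level is not None and level.isdigit() and int(level) > 0 and not has_trust:
            where = "global options" if name == GLOBAL else "[%s]" % name
            findings.append(("VERIFY_WITHOUT_TRUST", "verify = %s in %s but neither "
                             "CAfile nor CApath is set" % (level, where)))
    return findings


if __name__ == "__main__":
    for label, conf in (("quoted config", SCIFI_CONF), ("minimal config", MINIMAL_CONF)):
        print(label + ":")
        for code, message in lint(parse_stunnel_conf(conf)) or [("OK", "no findings")]:
            print("  %-22s %s" % (code, message))
```

Run it as-is and the reconstructed configuration produces one finding per point in the reply, while the minimal configuration produces none; point it at a real stunnel.conf by reading the file into parse_stunnel_conf. The checks are deliberately limited to global options, which is where stunnel 4.x expects these settings, except for verify, which is also accepted per service.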