Hello,
I'd like to use stunnel to access an SMTP server that has the following configuration parameters.
Host: smtp.example.org
Port number: smtps (465)
Encryption method: SMTP over TLS
At first I created the following configuration file and ran stunnel 5.70 with it on FreeBSD 13.2-RELEASE.
----------------------------------------------------------------------
CApath=/home/yasu/.certs
client=yes
foreground=yes
syslog=no
verify=2

[12345]
accept=localhost:12345
checkHost=smtp.examle.org
connect=smtp.examle.org:465
----------------------------------------------------------------------
But unfortunately stunnel emits the following messages and the local-side connection is closed when I connect to port 12345 of localhost.
----------------------------------------------------------------------
2023.07.14 12:29:12 LOG5[0]: Service [12345] accepted connection from ::1:14632
2023.07.14 12:29:12 LOG5[0]: s_connect: connected 10.0.0.1:465
2023.07.14 12:29:12 LOG5[0]: Service [12345] connected remote server from 192.168.0.1:14633
2023.07.14 12:29:12 LOG5[0]: Certificate accepted at depth=0: C=JP, ST=Tokyo, L=Ohta-Ku, O=EXAMLE.INC, CN=smtp.examle.org
2023.07.14 12:29:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/t1_lib.c:1146: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
2023.07.14 12:29:12 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
----------------------------------------------------------------------
So I added the securityLevel setting as follows.
----------------------------------------------------------------------
CApath=/home/yasu/.certs
client=yes
foreground=yes
securityLevel=1
syslog=no
verify=2

[12345]
accept=localhost:12345
checkHost=smtp.examle.org
connect=smtp.examle.org:465
----------------------------------------------------------------------
And now I can successfully access the SMTP server through stunnel.
Next, I also tried it on FreeBSD 14-CURRENT, and surprisingly stunnel 5.70 emits the following messages even if 'securityLevel=1' is specified in the configuration file.
----------------------------------------------------------------------
2023.07.14 12:31:12 LOG5[0]: Service [12345] accepted connection from ::1:10838
2023.07.14 12:31:12 LOG5[0]: s_connect: connected 10.0.0.1:465
2023.07.14 12:31:12 LOG5[0]: Service [12345] connected remote server from 192.168.0.11:41449
2023.07.14 12:31:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/statem/extensions.c:894: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
2023.07.14 12:31:12 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
----------------------------------------------------------------------
So I also tried it on 2 other platforms.
a. Cygwin's stunnel.exe (version 5.69)
b. tstunnel.exe installed by using stunnel-5.69-win64-installer.exe
And the result is that the former works fine and the latter emits the same message as FreeBSD 14-CURRENT.
According to these results it seems the failure is related to the version of OpenSSL. That is, while FreeBSD 13.2-RELEASE and Cygwin use OpenSSL 1.1.1, FreeBSD 14-CURRENT and stunnel-5.69-win64-installer.exe use OpenSSL 3.0.
So does this mean the securityLevel option doesn't work with OpenSSL 3.0?
Regards.
--- Yasuhiro Kimura
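One way to triage the two SSL_connect failures quoted in the post, as an added example that is not part of the original message: a small Python parser for stunnel log lines that pulls out the OpenSSL error code and reason and maps each to a likely cause and what to check. The cause given for the second error is background the post does not state, namely that OpenSSL 3.x no longer sets SSL_OP_LEGACY_SERVER_CONNECT by default, so a server without RFC 5746 secure renegotiation is refused regardless of securityLevel.

```python
import re

# Added example (not from the original post): parse stunnel LOG3 "SSL_connect"
# lines and map the OpenSSL reason string to a likely cause and what to check.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
# OpenSSL error strings look like error:<hex code>:<library>:<function>:<reason>;
# OpenSSL 3.x leaves the <function> field empty, so allow it to be blank.
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")

# Reason text -> (likely cause, what to check). Covers the two failures from the post.
CAUSES = {
    "wrong signature type": (
        "peer's signature algorithm is rejected at the configured security level",
        "securityLevel (the post shows securityLevel=1 letting this connection succeed)"),
    "unsafe legacy renegotiation disabled": (
        "server did not offer RFC 5746 secure renegotiation; OpenSSL 3.x no longer sets "
        "SSL_OP_LEGACY_SERVER_CONNECT by default, and securityLevel does not change this",
        "client OpenSSL version and whether the server supports RFC 5746"),
}

def parse_line(line):
    """Split one stunnel log line into timestamp, level, connection id and message."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose(line):
    """Classify an SSL_connect failure; returns None for lines that are not TLS errors."""
    rec = parse_line(line)
    if rec is None or not rec["msg"].startswith("SSL_connect:"):
        return None
    e = ERR_RE.search(rec["msg"])
    if e is None:  # SSL_connect failed but no OpenSSL error string was logged
        return {"conn": rec["conn"], "code": None, "reason": rec["msg"], "cause": "unknown", "check": "raw message"}
    cause, check = CAUSES.get(e["reason"], ("unrecognised OpenSSL reason", "the OpenSSL error text"))
    return {"conn": rec["conn"], "code": e["code"].upper(), "reason": e["reason"], "cause": cause, "check": check}

# Constructed input: the two LOG3 lines quoted in the post, plus one non-error line.
SAMPLE = [
    "2023.07.14 12:29:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/t1_lib.c:1146: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type",
    "2023.07.14 12:31:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/statem/extensions.c:894: error:0A000152:SSL routines::unsafe legacy renegotiation disabled",
    "2023.07.14 12:31:12 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket",
]

if __name__ == "__main__":
    for d in filter(None, map(diagnose, SAMPLE)):
        print(f"conn {d['conn']} {d['code']}: {d['reason']} -> {d['cause']} (check: {d['check']})")
```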