Hi,
Thank you very much for taking time to help.
I rebuilt stunnel-4.52b2, changing my ./configure to "--with-ssl=/usr" so as to use Apple's version.
Then I made a new .conf file with your minimal lines:
---start---
foreground = yes
pid =
debug = 7
client = yes

[nntp_gn]
accept = 12000
connect = news.giganews.com:563

[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563

[nntp_gm]
accept = 12002
connect = 80.91.229.10:563
---end---
That much worked. :)
But I am still highly skeptical whether we are _really_ secure along the pipe. So I added the "verify = 0" line (placed just under the "client = yes" line shown above), and now we get a Bus Error whenever we make Pan go into session with Astraweb (in this case trying to fetch a simple text post).
I did a backtrace:
# gdb stunnel
GNU gdb 6.3.50-20050815 (Apple version gdb-1705) (Tue Jul 5 07:28:08 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ...... done

(gdb) set args /usr/local/etc/stunnel/stunnel2.conf
(gdb) run
Starting program: /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel2.conf
Reading symbols for shared libraries .+++++. done
2012.01.11 20:48:52 LOG7[25326:2697274688]: Clients allowed=500
2012.01.11 20:48:52 LOG5[25326:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 20:48:52 LOG5[25326:2697274688]: Compiled with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 20:48:52 LOG5[25326:2697274688]: Running with OpenSSL 0.9.8r 8 Feb 2011
2012.01.11 20:48:52 LOG5[25326:2697274688]: Update OpenSSL shared libraries or rebuild stunnel
2012.01.11 20:48:52 LOG5[25326:2697274688]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:SELECT,IPv6
2012.01.11 20:48:52 LOG5[25326:2697274688]: Reading configuration from file /usr/local/etc/stunnel/stunnel2.conf
2012.01.11 20:48:52 LOG7[25326:2697274688]: Compression not enabled
2012.01.11 20:48:52 LOG7[25326:2697274688]: PRNG seeded successfully
2012.01.11 20:48:52 LOG6[25326:2697274688]: Initializing SSL context for service nntp_gn
2012.01.11 20:48:52 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:52 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG6[25326:2697274688]: Initializing SSL context for service nntp_aw
2012.01.11 20:48:53 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:53 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG6[25326:2697274688]: Initializing SSL context for service nntp_gm
2012.01.11 20:48:53 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:53 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG5[25326:2697274688]: Configuration successful
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_gn bound FD=11 to 0.0.0.0:12000
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_aw bound FD=12 to 0.0.0.0:12001
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_gm bound FD=13 to 0.0.0.0:12002
2012.01.11 20:48:53 LOG7[25326:2697274688]: No pid file being created
2012.01.11 20:49:06 LOG7[25326:2697274688]: Service nntp_aw accepted FD=14 from 127.0.0.1:58969
2012.01.11 20:49:06 LOG7[25326:2952859648]: Service nntp_aw started
2012.01.11 20:49:06 LOG7[25326:2952859648]: Waiting for a libwrap process
2012.01.11 20:49:06 LOG7[25326:2952859648]: Acquired libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Releasing libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Released libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Service nntp_aw permitted by libwrap from 127.0.0.1:58969
2012.01.11 20:49:06 LOG5[25326:2952859648]: Service nntp_aw accepted connection from 127.0.0.1:58969
2012.01.11 20:49:06 LOG6[25326:2952859648]: connect_blocking: connecting 216.151.153.14:563
2012.01.11 20:49:06 LOG7[25326:2952859648]: connect_blocking: s_poll_wait 216.151.153.14:563: waiting 10 seconds
2012.01.11 20:49:06 LOG5[25326:2952859648]: connect_blocking: connected 216.151.153.14:563
2012.01.11 20:49:06 LOG5[25326:2952859648]: Service nntp_aw connected remote server from 192.168.1.65:58970
2012.01.11 20:49:06 LOG7[25326:2952859648]: Remote FD=15 initialized
2012.01.11 20:49:06 LOG7[25326:2952859648]: SNI: host name: ssl.astraweb.com

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
[Switching to process 25326 thread 0x1403]
0x94b0b2d6 in X509_get_subject_name ()
(gdb) bt
#0  0x94b0b2d6 in X509_get_subject_name ()
#1  0x0000f213 in verify_callback ()
#2  0x94ac68ce in X509_verify_cert_orig ()
#3  0x94a487af in X509_verify_cert ()
#4  0x946159fb in ssl_verify_cert_chain ()
#5  0x9460624c in ssl3_get_server_certificate ()
#6  0x94608748 in ssl3_connect ()
#7  0x00002ed7 in init_ssl ()
#8  0x000040a3 in client_try ()
#9  0x00005206 in client_run ()
#10 0x00005490 in client_main ()
#11 0x000054c3 in client_thread ()
#12 0x9a193259 in _pthread_start ()
#13 0x9a1930de in thread_start ()
(gdb) quit
The program is running. Exit anyway? (y or n) y
# _
I'm sorry, that's about as deep as I know to go. ;) But I should be able to do more tests with detailed instructions if needed.
For now, I will comment out the "verify" line, and use this build with your basic .conf file even though it makes me remain highly paranoid. ;(
(I have further questions about your reply; I'll postpone them once I know I can use the 4.5-series properly, then go forward from there.)
Thank you(-all) again.
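As an added example (not code from the post or from the stunnel project), a small Python checker for the kind of stunnel client configuration shown in the message: it reads the global and [service] sections and reports, per client-mode service, whether the tunnel will authenticate the remote NNTP server at all, which is the "secure along the pipe" question raised above. The verify-level meanings it applies (no verify or verify = 0: server certificate not checked; 1: checked only if the server presents one; 2 and 3: need a CAfile or CApath to check against) are this example's reading of the stunnel 4.x manual, and the sample configuration is constructed from the one in the message.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z_]+)\s*=\s*(?P<val>.*?)\s*$")

def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); keys are lower-cased, 'pid =' keeps ''."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:                                # start of a [service] section
            current = m.group("name")
            services[current] = {}
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        target = global_opts if current is None else services[current]
        target[m.group("key").lower()] = m.group("val")
    return global_opts, services

def audit_client_services(text):
    """Map each client-mode service to a finding about peer authentication."""
    global_opts, services = parse_stunnel_conf(text)
    findings = {}
    for name, opts in services.items():
        eff = dict(global_opts)              # service options override global ones
        eff.update(opts)
        if eff.get("client", "no").lower() != "yes":
            continue                         # server-mode service: not this check's concern
        level = eff.get("verify")
        has_ca = bool(eff.get("cafile") or eff.get("capath"))
        if level is None or level == "0":
            findings[name] = "peer certificate not verified"
        elif level == "1":
            findings[name] = "peer verified only if it presents a certificate"
        elif level in ("2", "3") and not has_ca:
            findings[name] = "verify level set but no CAfile/CApath"
        else:
            findings[name] = "ok"
    return findings

# Constructed sample: the message's nntp_aw service with the "verify = 0" line added.
SAMPLE_CONF = "client = yes\n\n[nntp_aw]\naccept = 12001\nconnect = ssl.astraweb.com:563\nverify = 0\n"

if __name__ == "__main__":
    print(audit_client_services(SAMPLE_CONF))
```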