Javier wrote:
> connect = pop3.live.com:995
<cut>
> I attach both logs to compare, even if they don't tell too much. Up to the connection, "all" is the same except the OpenSSL version.
It indeed seems to be caused by the OpenSSL version:
$ /usr/bin/openssl version
OpenSSL 1.0.1k 8 Jan 2015

$ /usr/bin/openssl s_client -connect pop3.live.com:995
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 2656 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 5B1C000024A49549D3FC25B82623E52CFD62A118EA36198E88369773F5E9EA53
    Session-ID-ctx:
    Master-Key: EA7B5AFEA681E4599551C67F7777F519123B714585F1948B498D0ADD4412CD023A91BD5947C41B177A31D4A420E495E9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1426106767
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK BLU0-POP741 POP3 server ready
^C
$ /usr/local/ssl/bin/openssl version
OpenSSL 1.0.2 22 Jan 2015

$ /usr/local/ssl/bin/openssl s_client -connect pop3.live.com:995
CONNECTED(00000003)
140039514363536:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 361 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
I found two workarounds:
1. Force TLSv1 handshake: sslVersion = TLSv1
2. Enable FIPS mode: fips = yes
Mike
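
Added example (not part of Mike's message, and not stunnel or OpenSSL code): a small Python triage of the two s_client transcripts above, flagging the silent handshake failure seen with 1.0.2 and the weak parameters negotiated with 1.0.1k. The sample strings are trimmed copies of the output in this message; the function name, the finding tags and the WEAK list are assumptions chosen for illustration.

```python
import re

# Constructed samples: trimmed copies of the two s_client transcripts in the message above.
OK_1_0_1K = """\
CONNECTED(00000003)
---
SSL handshake has read 2656 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
"""
FAIL_1_0_2 = """\
CONNECTED(00000003)
140039514363536:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 361 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""

WEAK = ("RC4", "MD5", "DES", "NULL", "EXP")  # assumption: cipher-name substrings treated as weak

def triage(transcript):
    """Return a sorted list of finding tags for one s_client transcript."""
    findings = set()
    m = re.search(r"has read (\d+) bytes and written (\d+) bytes", transcript)
    if "handshake failure" in transcript:
        findings.add("handshake-failed")
        if m and int(m.group(1)) == 0 and int(m.group(2)) > 0:
            findings.add("no-server-reply")  # ClientHello went out, nothing came back
    m = re.search(r"Cipher is (\S+)", transcript)
    if m and any(w in m.group(1) for w in WEAK):
        findings.add("weak-cipher:" + m.group(1))
    if "Secure Renegotiation IS NOT supported" in transcript and "handshake-failed" not in findings:
        findings.add("no-secure-renegotiation")  # only meaningful once a session exists
    m = re.search(r"Verify return code: (\d+)", transcript)
    if m and m.group(1) != "0":
        findings.add("chain-not-verified:" + m.group(1))
    return sorted(findings)

if __name__ == "__main__":
    print(triage(OK_1_0_1K), triage(FAIL_1_0_2))
```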