
Hello all,

I am using stunnel in order to send encrypted HTTP request/response messages to an external system called Tradeweb. Our Python program sends the message to stunnel and stunnel sends it to Tradeweb through a proxy. My version of stunnel is the following: stunnel 4.35 on sparc-sun-solaris2.10 with OpenSSL 0.9.8r 8 Feb 2011, and it has been installed on a Solaris 10 operating system.

My configuration file looks like this:

    CAfile=/home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer
    client=yes
    verify=2
    debug=7
    output=stunnel.log

    [TradeXpress]
    # Port on which STUNNEL listens for local connections
    accept=stunnelserveripaddress:17000
    # Destination address and port of TW data-center
    libwrap=no
    connect=proxyipaddress:80
    protocol=connect
    protocolHost=tradewebipaddress:443

I have a Python program that sends an HTTP POST message to stunnel. When I send the message I can see the following in the log (see below). The message gets to the other end (the Tradeweb system), but it looks like the encryption does not work properly. The relevant lines of the log are (see the full log below):

    2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate
    2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
    2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket

Do you know what the problem is?
Thank you,
Julian

    2011.03.14 18:23:54 LOG5[6083:1]: Reading configuration from file stunnel.conf
    2011.03.14 18:23:54 LOG7[6083:1]: Snagged 64 random bytes from /home/usr/vptfk/.rnd
    2011.03.14 18:23:54 LOG7[6083:1]: Wrote 1024 new random bytes to /home/usr/vptfk/.rnd
    2011.03.14 18:23:54 LOG7[6083:1]: PRNG seeded successfully
    2011.03.14 18:23:54 LOG7[6083:1]: Loaded verify certificates from /home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer
    2011.03.14 18:23:54 LOG7[6083:1]: Loaded /home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer revocation lookup file
    2011.03.14 18:23:54 LOG7[6083:1]: SSL context initialized for service TradeXpress
    2011.03.14 18:23:54 LOG5[6083:1]: Configuration successful
    2011.03.14 18:23:54 LOG5[6083:1]: No limit detected for the number of clients
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=5 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=6 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=7 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=8 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=9 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: signal_pipe: FD=4 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: signal_pipe: FD=10 allocated (blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: accept socket: FD=11 allocated (non-blocking mode)
    2011.03.14 18:23:54 LOG7[6083:1]: Option SO_REUSEADDR set on accept socket
    2011.03.14 18:23:54 LOG7[6083:1]: Service TradeXpress bound to 0.0.0.0:17000
    2011.03.14 18:23:54 LOG7[6083:1]: Service TradeXpress opened FD=11
    2011.03.14 18:23:54 LOG7[6089:1]: Created pid file /home/aps/tfk/stunnel/var/run/stunnel/stunnel.pid
    2011.03.14 18:23:54 LOG5[6089:1]: stunnel 4.35 on sparc-sun-solaris2.10 with OpenSSL 0.9.8r 8 Feb 2011
    2011.03.14 18:23:54 LOG5[6089:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    2011.03.14 18:23:54 LOG7[6089:1]: Dispatching signals from the signal pipe
    2011.03.14 18:23:54 LOG7[6089:1]: Signal pipe is empty
    2011.03.14 18:24:19 LOG7[6089:1]: local socket: FD=0 allocated (non-blocking mode)
    2011.03.14 18:24:19 LOG7[6089:1]: Service TradeXpress accepted FD=0 from stunnelserveripaddress:61449
    2011.03.14 18:24:19 LOG7[6089:2]: Service TradeXpress started
    2011.03.14 18:24:19 LOG5[6089:2]: Service TradeXpress accepted connection from stunnelserveripaddress:61449
    2011.03.14 18:24:19 LOG7[6089:2]: remote socket: FD=1 allocated (non-blocking mode)
    2011.03.14 18:24:19 LOG6[6089:2]: connect_blocking: connecting proxyipaddress:80
    2011.03.14 18:24:19 LOG7[6089:2]: connect_blocking: s_poll_wait proxyipaddress:80: waiting 10 seconds
    2011.03.14 18:24:19 LOG5[6089:2]: connect_blocking: connected proxyipaddress:80
    2011.03.14 18:24:19 LOG5[6089:2]: Service TradeXpress connected remote server from stunnelserveripaddress:61450
    2011.03.14 18:24:19 LOG7[6089:2]: Remote FD=1 initialized
    2011.03.14 18:24:19 LOG5[6089:2]: Negotiations for connect (client side) started
    2011.03.14 18:24:19 LOG7[6089:2]: -> CONNECT tradewebipaddress:443 HTTP/1.1
    2011.03.14 18:24:19 LOG7[6089:2]: -> Host: tradewebipaddress:443
    2011.03.14 18:24:19 LOG7[6089:2]: ->
    2011.03.14 18:24:19 LOG7[6089:2]: <- HTTP/1.1 200 Connection established
    2011.03.14 18:24:19 LOG6[6089:2]: CONNECT request accepted
    2011.03.14 18:24:19 LOG7[6089:2]: <-
    2011.03.14 18:24:19 LOG5[6089:2]: Protocol negotiations succeeded
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): before/connect initialization
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client hello A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server hello A
    2011.03.14 18:24:19 LOG7[6089:2]: Starting certificate verification: depth=1, /C=US/ST=New York/L=New York/O=TradeWeb LLC - The Online Bond Markets/OU=Network Administration/CN=TradeWeb LLC - The Online Bond Markets/emailAddress=bruce.mackinnon@tradeweb.c
    2011.03.14 18:24:19 LOG5[6089:2]: Certificate accepted: depth=1, /C=US/ST=New York/L=New York/O=TradeWeb LLC - The Online Bond Markets/OU=Network Administration/CN=TradeWeb LLC - The Online Bond Markets/emailAddress=bruce.mackinnon@tradeweb.com
    2011.03.14 18:24:19 LOG7[6089:2]: Starting certificate verification: depth=0, /C=US/ST=New Jersey/L=Jersey City/O=TradeWeb LLC - The Online Bond Markets/OU=STP Production/CN=62.189.50.234
    2011.03.14 18:24:19 LOG5[6089:2]: Certificate accepted: depth=0, /C=US/ST=New Jersey/L=Jersey City/O=TradeWeb LLC - The Online Bond Markets/OU=STP Production/CN=62.189.50.234
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate request A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server done A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client certificate A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client key exchange A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write change cipher spec A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write finished A
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 flush data
    2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read finished A
    2011.03.14 18:24:19 LOG7[6089:2]: 0 items in the session cache
    2011.03.14 18:24:19 LOG7[6089:2]: 1 client connects (SSL_connect())
    2011.03.14 18:24:19 LOG7[6089:2]: 1 client connects that finished
    2011.03.14 18:24:19 LOG7[6089:2]: 0 client renegotiations requested
    2011.03.14 18:24:19 LOG7[6089:2]: 0 server connects (SSL_accept())
    2011.03.14 18:24:19 LOG7[6089:2]: 0 server connects that finished
    2011.03.14 18:24:19 LOG7[6089:2]: 0 server renegotiations requested
    2011.03.14 18:24:19 LOG7[6089:2]: 0 session cache hits
    2011.03.14 18:24:19 LOG7[6089:2]: 0 external session cache hits
    2011.03.14 18:24:19 LOG7[6089:2]: 0 session cache misses
    2011.03.14 18:24:19 LOG7[6089:2]: 0 session cache timeouts
    2011.03.14 18:24:19 LOG6[6089:2]: SSL connected: new session negotiated
    2011.03.14 18:24:19 LOG6[6089:2]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
    2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket
    2011.03.14 18:29:25 LOG7[6089:2]: Service TradeXpress finished (0 left)

RAMIREZ Julián
Technical Consultant
Wall Street Systems <http://www.wallstreetsystems.com/> - Empowering Treasury, Trading and Settlement
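As an added example (not part of Julián's post or of stunnel itself), a small Python parser over the debug=7 log format quoted above: it groups lines by their [pid:conn] tag and flags a connection where the peer sent a certificate request and stunnel answered with the "no certificate" alert, the pattern OpenSSL produces when the client side has no certificate to offer, alongside whether the handshake still completed and whether any bytes ever came back to the local socket. The event substrings and sample lines are taken from the log above; the finding names are my own.

```python
import re
from collections import defaultdict

# stunnel 4.x debug=7 line format: "<date> <time> LOG<level>[<pid>:<conn>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
RESET_RE = re.compile(r"(\d+) bytes sent to SSL, (\d+) bytes sent to socket")
# Handshake/teardown messages correlated per connection (substrings of stunnel's own log text).
EVENTS = {
    "cert_request": "read server certificate request",  # peer asked for a client certificate
    "no_client_cert": "SSL alert (write): warning: no certificate",  # this side had none to send
    "ssl_connected": "SSL connected",  # handshake still completed
    "reset": "Connection reset:",  # final byte counters for the connection
}

def analyse(log_text):
    """Return {"pid:conn": findings} for every connection that produced one of the EVENTS."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _level, pid, conn, msg = m.groups()
        key = f"{pid}:{conn}"
        for name, needle in EVENTS.items():
            if needle in msg:
                seen[key].setdefault(name, ts)  # remember the first occurrence
                if name == "reset" and (r := RESET_RE.search(msg)):
                    seen[key]["to_ssl"], seen[key]["to_socket"] = map(int, r.groups())
    findings = {}
    for key, ev in seen.items():
        findings[key] = {
            # certificate request answered with the 'no certificate' alert: no cert=/key= on this side
            "missing_client_cert": "cert_request" in ev and "no_client_cert" in ev,
            "handshake_completed": "ssl_connected" in ev,
            # bytes went out over TLS but nothing ever came back to the local client
            "no_reply_from_peer": ev.get("to_ssl", 0) > 0 and ev.get("to_socket", 0) == 0,
        }
    return findings

# Sample input: lines copied from the stunnel log quoted in the post above.
SAMPLE_LOG = """\
2011.03.14 18:23:54 LOG5[6083:1]: Configuration successful
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate request A
2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate
2011.03.14 18:24:19 LOG6[6089:2]: SSL connected: new session negotiated
2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket
"""
```

Running `analyse(SAMPLE_LOG)` reports connection 6089:2 with all three flags set, and the parent process 6083:1, which produced no handshake events, is not reported at all.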