There is a list of ciphers you need to list along with ssl options perhaps. Also try setting your sslVersion on both ends.

On Wednesday, January 2, 2013, Arun Kumar wrote:
Brian,

Thank you for the inputs. I tried without client parameter & notice unknown protocol.  I am not sure which "protocol" to use in stunnel.conf in my case.

comment out client = yes

restarted stunnel process.

ocm5-197-196:~ # dfm ldap find user1
Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=core,DC=dir,DC=telstra,DC=com': Can't contact LDAP server
Error: Failed to search for user1.

ocm5-197-196:~ # cat /root/stunnel.log
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Clients allowed=500
2013.01.02 19:31:43 LOG5[18156:46934667927072]: stunnel 4.54 on x86_64-unknown-linux-gnu platform
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Compression not enabled
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Snagged 64 random bytes from /root/.rnd
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Wrote 1024 new random bytes to /root/.rnd
2013.01.02 19:31:43 LOG7[18156:46934667927072]: PRNG seeded successfully
2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap]
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem revocation lookup file
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH parameters from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH parameters
2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with 2048-bit key
2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve prime256v1
2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap-ha]
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem revocation lookup file
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH parameters from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH parameters
2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with 2048-bit key
2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve prime256v1
2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Configuration successful
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap] (FD=7) bound to 0.0.0.0:389
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap-ha] (FD=8) bound to 0.0.0.0:8389
2013.01.02 19:31:43 LOG7[18157:46934667927072]: Created pid file /var/run/stunnel.pid
2013.01.02 19:32:02 LOG7[18157:46934667927072]: Service [ldap] accepted (FD=3) from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] started
2013.01.02 19:32:02 LOG5[18157:1073809728]: Service [ldap] accepted connection from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: SSL state (accept): before/accept initialization
2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol   <----------
2013.01.02 19:32:02 LOG5[18157:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.01.02 19:32:02 LOG7[18157:1073809728]: Local socket (FD=3) closed
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] finished (0 left)

appreciate your help.

Warm Regards,
Arun kumar c

On Wed, Jan 2, 2013 at 7:29 PM, Brian Wilkins <bwilkins@gmail.com> wrote:
It thinks your server is a client. Remove client = yes. You need to have a client instance if stunnel and a server instance of stunnel. I am not too keen on ldap, but I assume it is unencrypted so use stunnel to tunnel the traffic and then it gets down selected to unencrypted on the receiving end.

Brian


On Wednesday, January 2, 2013, Arun Kumar wrote:
Team,

I am configuring stunnel for the first time.
My Requirement:     "NetApp DataFabricManager" application on SLES10 SP4 platform  <------  (LDAP over Stunnel) -----> Windows 2003 Active Directory, for Active Directory user authentication.


Stunnel.conf:
-----------------------------------------------------------
setuid = root
setgid = root

client = yes

debug = 7
output = /root/stunnel.log

cert = /opt/crt_key.pem
key = /opt/crt_key.pem

pid = /var/run/stunnel.pid

verify = 3
CAfile = /opt/crt_key.pem

options = NO_SSLv2

[ldap]
accept = 389
connect = winad1-197-187:636

[ldap-ha]
accept = 8389
connect = winad2-197-189:636
-----------------------------------------------------------

ocm5-197-196:~ # dfm ldap list
Address                                    Port   Last Use                   Last Failure
------------------------------------------ ------ -------------------------- --------------------------
127.0.0.1                                  389    2013-01-02 14:01:52.000000
127.0.0.1                                  8389   2013-01-02 13:49:35.000000
ocm5-197-196:~ #


ocm5-197-196:~ # dfm ldap find user1
Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=<zz>,DC=<xx>,DC=<yy>,DC=com': Can't contact LDAP server
Error: Failed to search for user1.
ocm5-197-196:~ #

NOTE: If i add active directory server IP in the above list, instead of 127.0.0.1, ldap authentication works fine. 

ocm5-197-196:~ # cat /etc/services
...
.....
........
#### This is a Manual Entry made by root user for AD authentication services & Stunnel Integration ########
ldap-ha         8389/tcp    # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
ldap-ha         8389/udp    # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]


ocm5-197-196:~ # stunnel /root/stunnel-4.54/tools/stunnel.conf


stunnel.log:

2013.01.02 14:00:42 LOG7[7102:47010476379680]: Clients allowed=500
2013.01.02 14:00:42 LOG5[7102:47010476379680]: stunnel 4.54 on x86_64-unknown-linux-gnu platform
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Compression not enabled
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Snagged 64 random bytes from /root/.rnd
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Wrote 1024 new