Hello, (I sent this yesterday but that one seems to have gotten lost....) Stunnel v4.20. When connecting to SBC/Yahoo, the session is terminated with a "bad certificate" message. See the log below. The tech folks claim all is well at their end. Is there something I am missing here? Here is the conf file:
....[ conf ]....
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
output = G:/c/voice/pmmdev/testcase/bin/stunnel.log
verify = 0
debug = 7
cert = g:/c/voice/pmmdev/testcase/bin/sma-test.pem

[sbc]
accept = localhost:6325
connect = smtp.att.yahoo.com:465
....[ end conf ]....
....[ connection log ]....
2008.11.11 00:14:17 LOG7[223:1737]: sbc accepted FD=15 from 127.0.0.1:61053
2008.11.11 00:14:17 LOG7[223:1737]: Creating a new thread
2008.11.11 00:14:17 LOG7[223:1737]: New thread created
2008.11.11 00:14:17 LOG7[251:1737]: sbc started
2008.11.11 00:14:17 LOG7[251:1737]: FD 15 in non-blocking mode
2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on local socket
2008.11.11 00:14:17 LOG5[251:1737]: sbc accepted connection from 127.0.0.1:61053
2008.11.11 00:14:17 LOG7[251:1737]: FD 16 in non-blocking mode
2008.11.11 00:14:17 LOG7[251:1737]: sbc connecting 69.147.64.31:465
2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: waiting 10 seconds
2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: connected
2008.11.11 00:14:17 LOG5[251:1737]: sbc connected remote server from 192.168.69.14:61054
2008.11.11 00:14:17 LOG7[251:1737]: Remote FD=16 initialized
2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on remote socket
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): before/connect initialization
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client hello A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server hello A
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate request A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server done A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client certificate A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client key exchange A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write certificate verify A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write change cipher spec A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write finished A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 flush data
2008.11.11 00:14:18 LOG7[251:1737]: SSL alert (read): fatal: bad certificate
2008.11.11 00:14:18 LOG3[251:1737]: SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2008.11.11 00:14:18 LOG5[251:1737]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.11.11 00:14:18 LOG7[251:1737]: sbc finished (0 left)
....[ end log ]....
- -- jimoe (at) sohnen-moe (dot) com
Try the option sslVersion=TLSv1
2008/11/11 James Moe jimoe@sohnen-moe.com
Hello,
I am trying to compile STunnel. I'd rather not, but the pre-compiled version does not support a proxy server. So I hope you will be able to help me, or point me to a good howto on how to compile stunnel using windows and a patch from the patch-list. Or does someone have a compiled (windows) version with proxy support? If so, please mail it to me.
Or tell me where to find more detailed information please. - Next thing I will try is to install linux on a computer in order to try it that way...
Greetings,
Reinier.
Hello Reinier,
So I hope you will be able to help me, or point me to a good howto on how to compile stunnel using windows and a patch from the patch-list
The INSTALL.W32 file in the source tarball says "native compilation on a Windows machine is possible, but not supported." The approach suggested in the file is to install a cross compiler on a Linux machine and build the stunnel binary there. A while ago I successfully compiled stunnel 4.24 on Linux after a lot of trial and error. I wrote down these instructions at the time, but I don't know if they're applicable to openssl-0.9.8i and stunnel-4.26. Hopefully I wrote down everything correctly. If you (or anyone else) discovers or knows of a better way to build an stunnel binary for Windows, please share it with the list and/or add it to the INSTALL.W32 file.
* Install mingw32
apt-get install mingw32
* Download and unpack openssl-0.9.8h
* Make sure the environment is setup properly.
export CC=i586-mingw32msvc-gcc
export CXX=i586-mingw32msvc-c++
export LD=i586-mingw32msvc-ld
export AR=i586-mingw32msvc-ar
export AS=i586-mingw32msvc-as
export NM=i586-mingw32msvc-nm
export STRIP=i586-mingw32msvc-strip
export RANLIB=i586-mingw32msvc-ranlib
export DLLTOOL=i586-mingw32msvc-dlltool
export OBJDUMP=i586-mingw32msvc-objdump
export RESCOMP=i586-mingw32msvc-windres
* Edit Configure, remove the following line
$IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
* Edit Configure, replace ":-mno-cygwin -shared:" with
:-mno-cygwin -Wl,--export-all -shared:
* Configure and make
perl Configure mingw shared
sed -i -e 's/nm/i586-mingw32msvc-nm/g' Makefile.shared
make CC=i586-mingw32msvc-gcc RANLIB=i586-mingw32msvc-ranlib
* Download and unpack stunnel-4.24
* Configure it
./configure --with-ssl=/path/to/openssl-0.9.8h
* Extract the openssl source code to /usr/src, because the makefile adds "-I/usr/src/openssl-0.9.8h/include" to CFLAGS.
cd /usr/src && tar zvxf ~/openssl-0.9.8h.tar.gz
* Go back to stunnel-4.24/src
make stunnel.exe
Hope this helps, Tom
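The OpenSSL-side edits from Tom's steps as checked shell functions, added here as an example rather than Tom's own script: each edit first confirms that the line it expects is present, so an OpenSSL release whose Configure differs from 0.9.8h stops with a message instead of silently building a broken library. It assumes GNU sed (for -i) and the i586-mingw32msvc cross prefix from the steps; the function names, the CROSS variable and the two constructed sample files are mine.

```shell
#!/bin/sh
# Added example, not Tom's own script: the OpenSSL-side edits from the steps
# above as checked functions. Each edit first confirms that the line it expects
# is present, so an OpenSSL release whose Configure differs from 0.9.8h stops
# with a message instead of silently building a broken library.
# Assumes GNU sed (for -i) and the i586-mingw32msvc cross prefix used above.

CROSS=${CROSS:-i586-mingw32msvc}

warn() { printf 'error: %s\n' "$*" >&2; }

# Export the cross-toolchain variables from the steps (VAR:tool pairs).
export_cross_env() {
    for pair in CC:gcc CXX:c++ LD:ld AR:ar AS:as NM:nm STRIP:strip \
                RANLIB:ranlib DLLTOOL:dlltool OBJDUMP:objdump RESCOMP:windres; do
        export "${pair%%:*}=$CROSS-${pair#*:}"
    done
}

# patch_openssl_configure DIR: the two Configure edits, refused when the
# expected lines are absent.
patch_openssl_configure() {
    f="$1/Configure"
    [ -f "$f" ] || { warn "no Configure in $1"; return 1; }
    grep -qF 'IsMK1MF=1 if ($target eq "mingw"' "$f" \
        || { warn "IsMK1MF line not found; Configure differs from 0.9.8h"; return 1; }
    grep -qF ':-mno-cygwin -shared:' "$f" \
        || { warn "mingw link flags not found; Configure differs from 0.9.8h"; return 1; }
    # 1. drop the line that switches mingw to the Windows-native (MK1MF) build
    sed -i -e '/IsMK1MF=1 if (\$target eq "mingw"/d' "$f"
    # 2. export every symbol when linking the shared libraries
    sed -i -e 's/:-mno-cygwin -shared:/:-mno-cygwin -Wl,--export-all -shared:/' "$f"
}

# patch_makefile_shared DIR: the "nm" -> cross nm substitution, limited to the
# whole word so that words such as "environment" are not rewritten too.
patch_makefile_shared() {
    f="$1/Makefile.shared"
    [ -f "$f" ] || { warn "no Makefile.shared in $1 (run perl Configure first)"; return 1; }
    sed -E -i -e "s/(^|[^[:alnum:]_])nm([^[:alnum:]_]|\$)/\\1$CROSS-nm\\2/g" "$f"
}

# build_openssl_mingw DIR: the OpenSSL part of the steps, in order (needs
# perl, make and the cross compiler; not run by the demo below).
build_openssl_mingw() {
    export_cross_env
    patch_openssl_configure "$1" || return 1
    ( cd "$1" && perl Configure mingw shared ) || return 1
    patch_makefile_shared "$1" || return 1
    ( cd "$1" && make CC="$CROSS-gcc" RANLIB="$CROSS-ranlib" )
}

# make_sample_tree DIR: constructed stand-ins for the two files, holding only
# the fragments the edits look for (not real OpenSSL sources).
make_sample_tree() {
    mkdir -p "$1"
    printf '%s\n' \
        '$IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());' \
        '"mingw", "gcc:-mno-cygwin -DL_ENDIAN:::MINGW32:-mno-cygwin -shared:.dll.a",' \
        > "$1/Configure"
    printf '%s\n' 'NM=nm' 'environment=unchanged' > "$1/Makefile.shared"
}

# Offline demo: apply both patches to the constructed tree and show the result.
main() {
    dir=$(mktemp -d)
    make_sample_tree "$dir"
    patch_openssl_configure "$dir" && patch_makefile_shared "$dir" \
        && cat "$dir/Configure" "$dir/Makefile.shared"
    rm -rf "$dir"
}
main
```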
Hi, I'm having the same problem. Setting the ssl level to version 1 didn't seem to help. Did this work for you?
Thanks to James's email today. I was able to get it to work. Quoting James here.
The solution was to remove the "cert" line from the configuration file. The "verify" level had to stay at 0.
This did the trick.
Guys,
Just be aware a configuration without any authentication (a certificate is not sent nor verified) is vulnerable to trivial active (MiTM) attacks. There are various lamer-friendly tools available, so an attack is no more difficult than sniffing a plaintext connection.
Mike
On Sat, 29 Nov 2008 13:24:52 -0800 (PST), alexlim alex@limberis.net wrote:
On 12/01/08 02:10 am, Michal Trojnara wrote:
Just be aware a configuration without any authentication (a certificate is not sent nor verified) is vulnerable to trivial active (MiTM) attacks. There are various lamer-friendly tools available, so an attack is no more difficult than sniffing a plaintext connection.
(I had sent on 1-Dec-2008 but it never showed up on the list. :-( )
<rant> Computer security makes me feel stupid. It has got to be one of the most opaque concepts in the industry. The problems discussed in this thread are typical. sbc/yahoo changed their session setup to require an encrypted connection. Fine. Then they refuse a session if the client offers a certificate without a CA chain, i.e., self-signed. But they allow a connection when no client certificate is offered at all. To verify that sbc is really sbc, a CA certificate is needed from sbc. But to get said certificate an extremely obscure method must be used. (And how do I know that the site I connected to is really sbc since I do not have a CA certificate?) Then more obscure file manipulation and setup is required for Stunnel. It is no wonder that computer security is bungled so often. It is set up to do so. I see a lot of "All you have to do is these 247 steps..." to accomplish a "simple" security task. That's assuming I have all of the tools needed. I am sure that, somewhere, there must be a clear discussion of how SSL/TLS certificates work, what the client may provide, what the server may provide, and what is necessary to establish a secure, authenticated session. I have not found it. </rant>
- -- jimoe (at) sohnen-moe (dot) com
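A check for the situation Mike warns about and for the question James ends on, added here as an example that is not code from the thread: a small audit of an stunnel.conf that reports, per client service, whether the remote server would be authenticated at all, run over constructed copies of James's original configuration, the fixed one from this thread (no "cert" line, verify still 0) and a variant that verifies the server against a CA bundle. It assumes stunnel's documented semantics that global options are defaults for each [service], that "verify" defaults to 0 and that verification needs a CAfile or CApath; the function names and the /path/to/... placeholders are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit an stunnel.conf and report, for
# each "client = yes" service, whether the remote server is authenticated.
# Assumes stunnel's documented option semantics: global options are defaults
# for every [service], "verify" defaults to 0 (no peer verification), and
# verification needs a CAfile or CApath.

# audit_stunnel_conf FILE: one line per client service,
#   NAME verify=N <CA source> <client-cert status> <verdict>
audit_stunnel_conf() {
    awk '
        BEGIN { split("", g); split("", s) }
        function trim(x) { sub(/^[ \t]+/, "", x); sub(/[ \t]+$/, "", x); return x }
        # service value, falling back to the global section
        function get(k) { return (k in s) ? s[k] : ((k in g) ? g[k] : "") }
        function flush(   k, verify, ca, cert, verdict) {
            if (sec != "" && get("client") == "yes") {
                verify = get("verify"); if (verify == "") verify = 0
                ca = (get("CAfile") != "" || get("CApath") != "") ? "CA-configured" : "no-CAfile/CApath"
                cert = (get("cert") != "") ? "sends-client-cert" : "no-client-cert"
                if (verify + 0 == 0) verdict = "UNAUTHENTICATED"
                else if (ca == "CA-configured") verdict = "server-verified"
                else verdict = "verify-without-CA"
                printf "%s verify=%d %s %s %s\n", sec, verify, ca, cert, verdict
            }
            for (k in s) delete s[k]
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        index($0, "=") {                       # split at the first "=" only
            k = trim(substr($0, 1, index($0, "=") - 1))
            v = trim(substr($0, index($0, "=") + 1))
            if (sec == "") g[k] = v; else s[k] = v
        }
        END { flush() }
    ' "$1"
}

# write_sample_confs DIR: constructed configs modelled on the thread
# (paths are placeholders, not the files from the original posts).
write_sample_confs() {
    # James's original: a self-signed client cert is offered, server never verified
    cat > "$1/original.conf" <<'EOF'
; constructed sample
socket = l:TCP_NODELAY=1
client = yes
verify = 0
cert = /path/to/sma-test.pem
[sbc]
accept = localhost:6325
connect = smtp.att.yahoo.com:465
EOF
    # The fix from the thread: "cert" line removed, verify left at 0
    cat > "$1/fixed.conf" <<'EOF'
client = yes
verify = 0
[sbc]
accept = localhost:6325
connect = smtp.att.yahoo.com:465
EOF
    # What Mike's warning calls for: verify the server chain against a CA bundle
    cat > "$1/hardened.conf" <<'EOF'
client = yes
[sbc]
accept = localhost:6325
connect = smtp.att.yahoo.com:465
verify = 2
CAfile = /path/to/ca-bundle.pem
EOF
}

# Stand-alone demo: audit all three sample configs.
main() {
    dir=$(mktemp -d)
    write_sample_confs "$dir"
    for f in original fixed hardened; do
        printf '%s: ' "$f"; audit_stunnel_conf "$dir/$f.conf"
    done
    rm -rf "$dir"
}
main
```

The "cert" line in the original is what made stunnel answer the server's certificate request in the log above (the "write client certificate A" state just before the bad certificate alert); removing it stops the rejection but, as the audit shows, leaves the server unverified either way.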