I’ve installed stunnel on an Amazon EC2 instance:
    stunnel 4.56 on x86_64-redhat-linux-gnu platform
    Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
    Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP

    Global options:
    debug                  = daemon.notice
    pid                    = /var/run/stunnel.pid
    RNDbytes               = 64
    RNDfile                = /dev/urandom
    RNDoverwrite           = yes

    Service-level options:
    ciphers                = FIPS (with "fips = yes")
    ciphers                = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
    curve                  = prime256v1
    sessionCacheSize       = 1000
    sessionCacheTimeout    = 300 seconds
    sslVersion             = TLSv1 (with "fips = yes")
    sslVersion             = TLSv1 for client, all for server (with "fips = no")
    stack                  = 65536 bytes
    TIMEOUTbusy            = 300 seconds
    TIMEOUTclose           = 60 seconds
    TIMEOUTconnect         = 10 seconds
    TIMEOUTidle            = 43200 seconds
    verify                 = none
I’ve created the stunnel.conf file:
    [smtp-tls-wrapper]
    accept = 2525
    client = yes
    connect = email-smtp.us-west-2.amazonaws.com:465
    protocol=smtp
    delay = yes
I’ve tested the connection to SES (successfully) via openssl:
    [ec2-user@ip-172-31-4-68 ~]$ openssl s_client -quiet -crlf -connect email-smtp.us-west-2.amazonaws.com:465
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
    verify return:1
    depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
    verify return:1
    depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = email-smtp.us-west-2.amazonaws.com
    verify return:1
    220 email-smtp.amazonaws.com ESMTP SimpleEmailService-2370111491 wa7VtNk9b7c4TX0jNpdG
But when I try to access through stunnel via localhost with telnet, I get this:
    [ec2-user@ip-172-31-4-68 ~]$ telnet localhost 2525
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Connection closed by foreign host.
I’ve tried everything I can think of; I’ve read all the blogs and pages related to connecting from ec2 to SES via stunnel and I just can’t get it to work. Does anyone have any suggestions for other things I could try?
Thanks in advance,
Rob Allen, CPO Software Engineer | Eyefinity
Robert,
Most likely Amazon is not accepting TLSv1. It is a deprecated protocol. Remove sslVersion lines.
Check the OpenSSL output from your connection test. It should display the TLS version used.
Regards,
Jose A. Diaz
On Sep 15, 2017, at 2:05 PM, Rob Allen robert.allen@eyefinity.com wrote:
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
I added “sslVersion = TLSv1.2” to my stunnel.conf file, and this time my telnet attempt returned:
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-2370111491 vrvCuSNrkl4H4hgb19Wk
I think that’s what I wanted to see. Thanks so much for your help!
Rob Allen, CPO Software Engineer | Eyefinity
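A hardened version of the wrapper service, written here as an added example rather than the poster's file or an stunnel project sample: it pins TLS 1.2 as the thread's fix does, turns on certificate verification (the poster's defaults listing shows verify = none, so the client side would otherwise accept any certificate presented on port 465), binds the listener to loopback only, and leaves out protocol = smtp, which in client mode makes stunnel negotiate STARTTLS in plaintext instead of wrapping the whole connection. The CA bundle path is an assumption for a Red Hat derived EC2 image; adjust it to the local bundle.

```ini
; stunnel.conf for an SES SMTP TLS wrapper (added example, not the poster's file)

; Global options
pid = /var/run/stunnel.pid
debug = daemon.notice
; Refuse the legacy SSL protocol versions outright
options = NO_SSLv2
options = NO_SSLv3

[smtp-tls-wrapper]
client = yes
; Listen on loopback only; a bare "2525" binds every interface
accept = 127.0.0.1:2525
connect = email-smtp.us-west-2.amazonaws.com:465
; The default of TLSv1 was not accepted by SES in this thread; TLS 1.2 was
sslVersion = TLSv1.2
; verify = 2 requires the server chain to validate against CAfile;
; the default (none) skips validation and accepts any certificate
verify = 2
; Assumed path to the system CA bundle on a Red Hat derived image
CAfile = /etc/pki/tls/certs/ca-bundle.crt
; protocol = smtp is deliberately omitted: port 465 expects TLS from the
; first byte, so no plaintext STARTTLS negotiation should be attempted
```

After restarting stunnel, the same telnet test against localhost 2525 should return the SES 220 banner, and a chain that does not validate will now close the connection instead of being accepted silently.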
From: "Josealf.rm" josealf@rocketmail.com
Date: Friday, September 15, 2017 at 1:06 PM
To: "robert.allen@eyefinity.com" robert.allen@eyefinity.com
Cc: "stunnel-users@stunnel.org" stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Help with connectivity issue