Hi all,
I'm pretty new to stunnel but did get this config to work on a Linux box - now I am trying the same/similar config on a Win7 box but keep getting the handshake error below. I am using the latest version of stunnel and have tried searching for an answer via Google, making the proposed changes as described.
No matter what settings I use it always seems to use the sslv3 handshake which then goes wrong :-(
I'd appreciate any help on this
Colin
My config is as follows:
; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
; Some debugging stuff useful for troubleshooting
debug = 7
output = c:\temp\stunnel.log

; Use it for client mode
client = yes

rndbytes = 256
rndfile = c:\temp\randseed.bin

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Disable FIPS mode to allow non-approved protocols and algorithms
fips = no

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = CT_20110324.pem

; Disable support for insecure SSLv2 protocol
sslVersion = TLSv1
options = NO_SSLv2
options = NO_SSLv3

[CT]
; incoming connection from the client application
accept = 444
; outgoing connection
connect = remote.server.com:443
TIMEOUTclose = 0
Error in log file:

2012.04.11 18:33:54 LOG7[3684:3640]: Remote socket (FD=440) initialized
2012.04.11 18:33:54 LOG3[3684:3640]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2012.04.11 18:33:54 LOG5[3684:3640]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2012.04.11 18:33:54 LOG7[3684:3640]: Remote socket (FD=440) closed
2012.04.11 18:33:54 LOG7[3684:3640]: Local socket (FD=408) closed
2012.04.11 18:33:54 LOG7[3684:3640]: Service [CT] finished (0 left)
Colin Chalmers wrote:
; Disable support for insecure SSLv2 protocol
sslVersion = TLSv1
options = NO_SSLv2
options = NO_SSLv3
[cut]
2012.04.11 18:33:54 LOG3[3684:3640]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Could it be that your server does not support TLSv1?
Mike
I'm having trouble getting exchange and stunnel to work in one direction. The exchange server is 2008 - the smtp connector is set for tls on port 465.
I would appreciate any and all suggestions.
my conf file (trimmed out all the comments):

debug = 7
output = C:\Temp\TESTER\stunnel.log
fips = no
options = NO_SSLv2
cert = C:\Temp\TESTER\mycert.pem
RNDfile = C:\Temp\TESTER\stunnel.rnd
taskbar = no

[ssmtp-out]
client = yes
protocol = smtp
sslVersion = all
options = NO_SSLv3
accept = 127.0.0.1:46
connect = 10.50.228.15:465

[ssmtp-in]
client = no
protocol = smtp
delay = yes
accept = 465
connect = 127.0.0.1:45
my app -> ssmtp-out -> exchange works.
here is the .log showing one incoming connection from the exchange server:
2012.04.28 00:52:46 LOG7[49272:60328]: No limit detected for the number of clients
2012.04.28 00:52:46 LOG5[49272:60328]: stunnel 4.53 on x86-pc-mingw32-gnu platform
2012.04.28 00:52:46 LOG5[49272:60328]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
2012.04.28 00:52:46 LOG5[49272:60328]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
2012.04.28 00:52:46 LOG5[49272:60328]: Reading configuration from file C:\Temp\TESTER\stunnel.conf
2012.04.28 00:52:46 LOG5[49272:60328]: FIPS mode is disabled
2012.04.28 00:52:46 LOG7[49272:60328]: Compression not enabled
2012.04.28 00:52:46 LOG7[49272:60328]: Snagged 64 random bytes from C:\Temp\TESTER\stunnel.rnd
2012.04.28 00:52:46 LOG7[49272:60328]: Wrote 1024 new random bytes to C:\Temp\TESTER\stunnel.rnd
2012.04.28 00:52:46 LOG7[49272:60328]: PRNG seeded successfully
2012.04.28 00:52:46 LOG6[49272:60328]: Initializing service section [ssmtp-out]
2012.04.28 00:52:46 LOG7[49272:60328]: Certificate: C:\Temp\TESTER\mycert.pem
2012.04.28 00:52:46 LOG7[49272:60328]: Certificate loaded
2012.04.28 00:52:46 LOG7[49272:60328]: Key file: C:\Temp\TESTER\mycert.pem
2012.04.28 00:52:46 LOG7[49272:60328]: Private key loaded
2012.04.28 00:52:46 LOG7[49272:60328]: SSL options set: 0x03000004
2012.04.28 00:52:46 LOG6[49272:60328]: Initializing service section [ssmtp-in]
2012.04.28 00:52:46 LOG7[49272:60328]: Certificate: C:\Temp\TESTER\mycert.pem
2012.04.28 00:52:46 LOG7[49272:60328]: Certificate loaded
2012.04.28 00:52:46 LOG7[49272:60328]: Key file: C:\Temp\TESTER\mycert.pem
2012.04.28 00:52:46 LOG7[49272:60328]: Private key loaded
2012.04.28 00:52:46 LOG7[49272:60328]: Could not load DH parameters from C:\Temp\TESTER\mycert.pem
2012.04.28 00:52:46 LOG7[49272:60328]: Using hardcoded DH parameters
2012.04.28 00:52:46 LOG7[49272:60328]: DH initialized with 2048-bit key
2012.04.28 00:52:46 LOG7[49272:60328]: ECDH initialized with curve prime256v1
2012.04.28 00:52:46 LOG7[49272:60328]: SSL options set: 0x01000004
2012.04.28 00:52:46 LOG5[49272:60328]: Configuration successful
2012.04.28 00:52:46 LOG7[49272:60328]: Service [ssmtp-out] (FD=1772) bound to 127.0.0.1:46
2012.04.28 00:52:46 LOG7[49272:60328]: Service [ssmtp-in] (FD=1728) bound to 0.0.0.0:465
2012.04.28 00:53:35 LOG7[49272:60328]: Service [ssmtp-in] accepted (FD=1732) from 10.50.228.15:19251
2012.04.28 00:53:35 LOG7[49272:60328]: Creating a new thread
2012.04.28 00:53:35 LOG7[49272:60328]: New thread created
2012.04.28 00:53:35 LOG7[49272:67820]: Service [ssmtp-in] started
2012.04.28 00:53:35 LOG5[49272:67820]: Service [ssmtp-in] accepted connection from 10.50.228.15:19251
2012.04.28 00:53:35 LOG6[49272:67820]: connect_blocking: connecting 127.0.0.1:45
2012.04.28 00:53:35 LOG7[49272:67820]: connect_blocking: s_poll_wait 127.0.0.1:45: waiting 10 seconds
2012.04.28 00:53:35 LOG5[49272:67820]: connect_blocking: connected 127.0.0.1:45
2012.04.28 00:53:35 LOG5[49272:67820]: Service [ssmtp-in] connected remote server from 127.0.0.1:28047
2012.04.28 00:53:35 LOG7[49272:67820]: Remote socket (FD=1696) initialized
2012.04.28 00:53:35 LOG6[49272:67820]: Server-mode smtp protocol negotiations started
2012.04.28 00:53:35 LOG7[49272:67820]: RFC 2487 detected
2012.04.28 00:53:52 LOG7[49272:67820]: <- 220-<CGMSAlpha> Private ESMTP Server (SMTPTester-1.0 Build 12 [Alpha]) ready
2012.04.28 00:53:52 LOG7[49272:67820]: -> 220-<CGMSAlpha> Private ESMTP Server (SMTPTester-1.0 Build 12 [Alpha]) ready + stunnel
2012.04.28 00:58:52 LOG6[49272:67820]: fd_getline: s_poll_wait: TIMEOUTbusy exceeded: sending reset
2012.04.28 00:58:52 LOG5[49272:67820]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2012.04.28 00:58:52 LOG7[49272:67820]: Remote socket (FD=1696) closed
2012.04.28 00:58:52 LOG7[49272:67820]: Local socket (FD=1732) closed
2012.04.28 00:58:52 LOG7[49272:67820]: Service [ssmtp-in] finished (0 left)
2012.04.28 00:58:52 LOG7[49272:67820]: str_stats: 1 block(s), 82 data byte(s), 42 control byte(s)
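As an added example (not code from this thread or from the stunnel project), here is a small Python reader for stunnel debug logs that groups records by their [pid:thread] tag, so each connection's lines can be read as one story, and flags the two patterns visible in this thread: the SSL_connect "alert handshake failure" in Colin's log, and the ssmtp-in thread in the second post that relays the 220 banner and then hits TIMEOUTbusy with zero bytes passed in either direction. The finding labels are this example's own wording, not stunnel terminology; the sample lines are copied from the two logs above rather than freshly captured.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Shape of one stunnel debug-log record, e.g.
#   2012.04.11 18:33:54 LOG3[3684:3640]: SSL_connect: 14094410: error:...
# The bracketed pair is [pid:thread-id]; each connection runs in its own
# thread, so grouping by that pair reconstructs one connection's history.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
# The per-connection summary stunnel writes when it tears a connection down.
RESET_RE = re.compile(
    r"Connection reset: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket"
)


@dataclass
class Event:
    ts: str
    level: int
    pid: int
    tid: int
    msg: str


def parse_line(line: str):
    """Parse one record; return None for lines that are not stunnel log records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], int(m["level"]), int(m["pid"]), int(m["tid"]), m["msg"])


def group_by_thread(lines):
    """Map (pid, tid) -> ordered list of events for that thread."""
    threads = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            threads[(ev.pid, ev.tid)].append(ev)
    return threads


def diagnose(events):
    """Return a list of (code, detail) findings for one connection thread."""
    findings = []
    msgs = [e.msg for e in events]

    # Pattern 1 (first post): OpenSSL reports an alert from the peer during
    # SSL_connect, i.e. the remote side refused the handshake the client offered.
    for m in msgs:
        if m.startswith("SSL_connect:") and "alert handshake failure" in m:
            findings.append(("tls-handshake-rejected-by-peer", m))

    # Pattern 2 (second post): server-mode protocol negotiation began, the 220
    # banner was relayed outward, then nothing arrived until TIMEOUTbusy fired.
    negotiating = any("protocol negotiations started" in m for m in msgs)
    banner_out = any(m.startswith("-> 220") for m in msgs)
    timed_out = any("TIMEOUTbusy exceeded" in m for m in msgs)
    if negotiating and timed_out:
        detail = ("banner relayed, no further command received" if banner_out
                  else "no banner relayed before timeout")
        findings.append(("protocol-negotiation-stalled", detail))

    # In both cases the reset line shows whether any application data moved.
    for m in msgs:
        r = RESET_RE.search(m)
        if r and r.group(1) == "0" and r.group(2) == "0":
            findings.append(("no-application-data-relayed", m))
    return findings


def diagnose_log(lines):
    """Run diagnose() over every thread; keep only threads with findings."""
    result = {}
    for key, events in group_by_thread(lines).items():
        found = diagnose(events)
        if found:
            result[key] = found
    return result


# Sample input: records copied from the two logs in this thread.
SAMPLE_LOG = """\
2012.04.11 18:33:54 LOG7[3684:3640]: Remote socket (FD=440) initialized
2012.04.11 18:33:54 LOG3[3684:3640]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2012.04.11 18:33:54 LOG5[3684:3640]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2012.04.11 18:33:54 LOG7[3684:3640]: Service [CT] finished (0 left)
2012.04.28 00:53:35 LOG7[49272:67820]: Service [ssmtp-in] started
2012.04.28 00:53:35 LOG6[49272:67820]: Server-mode smtp protocol negotiations started
2012.04.28 00:53:35 LOG7[49272:67820]: RFC 2487 detected
2012.04.28 00:53:52 LOG7[49272:67820]: <- 220-<CGMSAlpha> Private ESMTP Server (SMTPTester-1.0 Build 12 [Alpha]) ready
2012.04.28 00:53:52 LOG7[49272:67820]: -> 220-<CGMSAlpha> Private ESMTP Server (SMTPTester-1.0 Build 12 [Alpha]) ready + stunnel
2012.04.28 00:58:52 LOG6[49272:67820]: fd_getline: s_poll_wait: TIMEOUTbusy exceeded: sending reset
2012.04.28 00:58:52 LOG5[49272:67820]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2012.04.28 00:58:52 LOG7[49272:67820]: Service [ssmtp-in] finished (0 left)
""".splitlines()

if __name__ == "__main__":
    for key, findings in diagnose_log(SAMPLE_LOG).items():
        print(key)
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Reading the two findings together with the thread: a peer alert during SSL_connect means the server closed the handshake before any application data flowed, so Mike's question about whether the server accepts TLSv1 is the natural first thing to check against the `sslVersion` and `options` lines. In the second log the banner goes out and nothing comes back within TIMEOUTbusy, so the question there is what the peer at 10.50.228.15 expects to speak on port 465 once its connection is accepted.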