Hello,
I'm encountering an issue while using stunnel with an Office365 account.
stunnel worked properly for a few months, but since yesterday it has given an error with certificates, although we didn't change anything in the configuration.
This is our configuration:
[pop3s]
client = yes
accept = 127.0.0.1:2001
connect = outlook.office365.com:995
CAfile = C:\Program Files (x86)\stunnel\config\ca-certs.pem
checkHost = outlook.office365.com
verifyChain = yes
OCSPaia = yes
This is what we get in the log:
2018.11.09 11:34:09 LOG7[main]: Found 1 ready file descriptor(s)
2018.11.09 11:34:09 LOG7[main]: FD=432 ifds=r-x ofds=---
2018.11.09 11:34:09 LOG7[main]: Service [pop3s] accepted (FD=672) from 127.0.0.1:49619
2018.11.09 11:34:09 LOG7[main]: Creating a new thread
2018.11.09 11:34:09 LOG7[main]: New thread created
2018.11.09 11:34:09 LOG7[30]: Service [pop3s] started
2018.11.09 11:34:09 LOG7[30]: Setting local socket options (FD=672)
2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on local socket
2018.11.09 11:34:09 LOG5[30]: Service [pop3s] accepted connection from 127.0.0.1:49619
2018.11.09 11:34:09 LOG6[30]: failover: priority, starting at entry #0
2018.11.09 11:34:09 LOG6[30]: s_connect: connecting 40.101.9.178:995
2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait 40.101.9.178:995: waiting 10 seconds
2018.11.09 11:34:09 LOG5[30]: s_connect: connected 40.101.9.178:995
2018.11.09 11:34:09 LOG5[30]: Service [pop3s] connected remote server from 172.31.20.23:49620
2018.11.09 11:34:09 LOG7[30]: Setting remote socket options (FD=668)
2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on remote socket
2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) initialized
2018.11.09 11:34:09 LOG6[30]: SNI: sending servername: outlook.office365.com
2018.11.09 11:34:09 LOG6[30]: Peer certificate required
2018.11.09 11:34:09 LOG7[30]: TLS state (connect): before/connect initialization
2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv2/v3 write client hello A
2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv3 read server hello A
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
2018.11.09 11:34:09 LOG7[30]: OCSP: Ignoring root certificate
2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "http://ocsp.digicert.com"
2018.11.09 11:34:09 LOG6[30]: s_connect: connecting 93.184.220.29:80
2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait 93.184.220.29:80: waiting 10 seconds
2018.11.09 11:34:09 LOG5[30]: s_connect: connected 93.184.220.29:80
2018.11.09 11:34:09 LOG7[30]: OCSP: Connected ocsp.digicert.com:80
2018.11.09 11:34:09 LOG7[30]: OCSP: Response received
2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good
2018.11.09 11:34:09 LOG6[30]: OCSP: This update: Nov 9 00:00:00 2018 GMT
2018.11.09 11:34:09 LOG6[30]: OCSP: Next update: Nov 16 00:00:00 2018 GMT
2018.11.09 11:34:09 LOG5[30]: OCSP: Certificate accepted
2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
2018.11.09 11:34:09 LOG6[30]: CERT: Host name "outlook.office365.com" matched with "*.office365.com"
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "http://ocspx.digicert.com"
2018.11.09 11:34:09 LOG6[30]: s_connect: connecting 93.184.220.29:80
2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait 93.184.220.29:80: waiting 10 seconds
2018.11.09 11:34:09 LOG5[30]: s_connect: connected 93.184.220.29:80
2018.11.09 11:34:09 LOG7[30]: OCSP: Connected ocspx.digicert.com:80
2018.11.09 11:34:09 LOG7[30]: OCSP: Response received
2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized
2018.11.09 11:34:09 LOG4[30]: Rejected by OCSP at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 11:34:09 LOG7[30]: TLS alert (write): fatal: handshake failure
2018.11.09 11:34:09 LOG3[30]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018.11.09 11:34:09 LOG5[30]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.11.09 11:34:09 LOG7[30]: Deallocating application specific data for session connect address
2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) closed
2018.11.09 11:34:09 LOG7[30]: Local descriptor (FD=672) closed
2018.11.09 11:34:09 LOG7[30]: Service [pop3s] finished (0 left)
Can you please help me?
Thanks in advance!
Hi,
Damn, it seems that there's a serious issue with OCSP and Microsoft certificates.
You can try setting the option OCSPaia = no to see if it fixes the issue, but it seems that it needs further investigation.
https://www.stunnel.org/static/stunnel.html
Regards, Flo
Thanks for your suggestion, I just tried it, but nothing changed.
Weird, I tried and it works perfectly for me using your configuration and stunnel 5.48.
OCSPaia = yes
2018.11.09 14:39:56 LOG6[0]: SNI: sending servername: outlook.office365.com
2018.11.09 14:39:56 LOG6[0]: Peer certificate required
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): before SSL initialization
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:39:56 LOG7[0]: OCSP: Ignoring root certificate
2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "http://ocsp.digicert.com"
2018.11.09 14:39:56 LOG6[0]: s_connect: connecting 93.184.220.29:80
2018.11.09 14:39:56 LOG7[0]: s_connect: s_poll_wait 93.184.220.29:80: waiting 10 seconds
2018.11.09 14:39:56 LOG5[0]: s_connect: connected 93.184.220.29:80
2018.11.09 14:39:56 LOG7[0]: OCSP: Connected ocsp.digicert.com:80
2018.11.09 14:39:56 LOG7[0]: OCSP: Response received
2018.11.09 14:39:56 LOG6[0]: OCSP: Status: good
2018.11.09 14:39:56 LOG6[0]: OCSP: This update: Nov 9 00:00:00 2018 GMT
2018.11.09 14:39:56 LOG6[0]: OCSP: Next update: Nov 16 00:00:00 2018 GMT
2018.11.09 14:39:56 LOG5[0]: OCSP: Certificate accepted
2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:39:56 LOG6[0]: CERT: Host name "outlook.office365.com" matched with "*.office365.com"
2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "http://ocspx.digicert.com"
2018.11.09 14:39:56 LOG6[0]: s_connect: connecting 93.184.220.29:80
2018.11.09 14:39:56 LOG7[0]: s_connect: s_poll_wait 93.184.220.29:80: waiting 10 seconds
2018.11.09 14:39:57 LOG5[0]: s_connect: connected 93.184.220.29:80
2018.11.09 14:39:57 LOG7[0]: OCSP: Connected ocspx.digicert.com:80
2018.11.09 14:39:57 LOG7[0]: OCSP: Response received
2018.11.09 14:39:57 LOG3[0]: OCSP: Responder error: 6: unauthorized
2018.11.09 14:39:57 LOG4[0]: Rejected by OCSP at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:39:57 LOG7[0]: Remove session callback
2018.11.09 14:39:57 LOG7[0]: TLS alert (write): fatal: handshake failure
2018.11.09 14:39:57 LOG3[0]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
OCSPaia = no
2018.11.09 14:41:17 LOG6[0]: SNI: sending servername: outlook.office365.com
2018.11.09 14:41:17 LOG6[0]: Peer certificate required
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): before SSL initialization
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:41:17 LOG6[0]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:41:17 LOG6[0]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:41:17 LOG6[0]: CERT: Host name "outlook.office365.com" matched with "*.office365.com"
2018.11.09 14:41:17 LOG5[0]: Certificate accepted at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
2018.11.09 14:41:17 LOG6[0]: Client certificate not requested
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2018.11.09 14:41:17 LOG7[0]: New session callback
2018.11.09 14:41:17 LOG7[0]: Peer certificate was cached (4683 bytes)
2018.11.09 14:41:17 LOG7[0]: 1 client connect(s) requested
2018.11.09 14:41:17 LOG7[0]: 1 client connect(s) succeeded
2018.11.09 14:41:17 LOG7[0]: 0 client renegotiation(s) requested
2018.11.09 14:41:17 LOG7[0]: 0 session reuse(s)
2018.11.09 14:41:17 LOG6[0]: TLS connected: new session negotiated
2018.11.09 14:41:17 LOG6[0]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2018.11.09 14:41:17 LOG7[0]: Compression: null, expansion: null
2018.11.09 14:41:17 LOG6[0]: TLS socket closed (read hangup)
2018.11.09 14:41:17 LOG7[0]: Sent socket write shutdown
2018.11.09 14:41:17 LOG6[0]: Read socket closed (readsocket)
2018.11.09 14:41:17 LOG7[0]: Sending close_notify alert
2018.11.09 14:41:17 LOG7[0]: TLS alert (write): warning: close notify
2018.11.09 14:41:17 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2018.11.09 14:41:17 LOG5[0]: Connection closed: 24 byte(s) sent to TLS, 386 byte(s) sent to socket
2018.11.09 14:41:17 LOG7[0]: Remote descriptor (FD=8) closed
2018.11.09 14:41:17 LOG7[0]: Local descriptor (FD=3) closed
2018.11.09 14:41:17 LOG7[0]: Service [imaps] finished (0 left)
Regards, Flo
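As an added example (not code from this thread or from the stunnel project), here is a small Python triage script for the per-depth verification lines in the two runs above: it reports which depth stunnel rejected, names the responder error per RFC 6960's OCSPResponseStatus enumeration, and flags that the OCSPaia = no run contacted no responder, i.e. performed no revocation check at all. The sample lines are trimmed from this thread's logs and marked as constructed; all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# OCSPResponseStatus values from RFC 6960 section 4.2.1; stunnel logs the number and
# OpenSSL's name, e.g. "OCSP: Responder error: 6: unauthorized". Per RFC 6960,
# "unauthorized" is a responder-level refusal, not a statement that the cert is revoked.
OCSP_RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                        3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[[^\]]*\]: (?P<msg>.*)$")
STARTED_RE = re.compile(r"^Verification started at depth=(\d+): (.+)$")
DECIDED_RE = re.compile(r"^(Certificate accepted|Rejected by OCSP) at depth=(\d+): ")
RESPONDER_RE = re.compile(r'^OCSP: Connecting the AIA responder "\s*([^"\s]+)"')
STATUS_RE = re.compile(r"^OCSP: Status: (\w+)")
ERROR_RE = re.compile(r"^OCSP: Responder error: (\d+): ")

@dataclass
class DepthVerdict:
    depth: int
    subject: str
    accepted: Optional[bool] = None        # None until stunnel logs a decision
    responder: Optional[str] = None        # AIA responder URL stunnel contacted
    ocsp_status: Optional[str] = None      # good / revoked / unknown from the response
    responder_error: Optional[int] = None  # OCSPResponseStatus when not successful

def triage(log_text: str) -> Dict[int, DepthVerdict]:
    """Collect the per-depth verification outcome from stunnel debug-level log lines."""
    verdicts: Dict[int, DepthVerdict] = {}
    current: Optional[DepthVerdict] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        msg = m.group("msg") if m else ""  # skip lines that are not stunnel log entries
        if s := STARTED_RE.match(msg):
            current = DepthVerdict(int(s.group(1)), s.group(2))
            verdicts[current.depth] = current
        elif d := DECIDED_RE.match(msg):
            verdicts[int(d.group(2))].accepted = d.group(1).startswith("Certificate")
        elif current is None:
            continue  # OCSP lines before any "Verification started" are not attributable
        elif rs := RESPONDER_RE.match(msg):
            current.responder = rs.group(1)
        elif st := STATUS_RE.match(msg):
            current.ocsp_status = st.group(1)
        elif e := ERROR_RE.match(msg):
            current.responder_error = int(e.group(1))
    return verdicts

def failing_depth(verdicts: Dict[int, DepthVerdict]) -> Optional[int]:
    """Depth of the certificate stunnel rejected, or None if the whole chain was accepted."""
    rejected = [d for d, v in verdicts.items() if v.accepted is False]
    return min(rejected) if rejected else None

def revocation_checked(verdicts: Dict[int, DepthVerdict]) -> bool:
    """True if stunnel contacted at least one OCSP responder (OCSPaia was in effect)."""
    return any(v.responder is not None for v in verdicts.values())

def explain(verdicts: Dict[int, DepthVerdict]) -> str:
    """One-line verdict for the chain, naming any responder error per RFC 6960."""
    d = failing_depth(verdicts)
    if d is None:
        return "chain accepted" + ("" if revocation_checked(verdicts) else " (no OCSP check performed)")
    v = verdicts[d]
    if v.responder_error is not None:
        name = OCSP_RESPONSE_STATUS.get(v.responder_error, "unknown")
        return f"depth={d} rejected: responder {v.responder} answered {v.responder_error} ({name})"
    return f"depth={d} rejected: OCSP status {v.ocsp_status}"

# Constructed sample: verification lines trimmed from the failing OCSPaia = yes run above.
FAILING_LOG = """\
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "http://ocsp.digicert.com"
2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good
2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder " http://ocspx.digicert.com"
2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized
2018.11.09 11:34:09 LOG4[30]: Rejected by OCSP at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
"""

# Constructed sample: the same chain from the OCSPaia = no run (no responder is contacted).
NO_OCSP_LOG = """\
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:41:17 LOG6[0]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=0: C=US, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:41:17 LOG5[0]: Certificate accepted at depth=0: C=US, O=Microsoft Corporation, CN=outlook.com
"""
```

Running explain(triage(FAILING_LOG)) names depth 0 and the "6 (unauthorized)" responder answer, while explain(triage(NO_OCSP_LOG)) reports the chain as accepted with no OCSP check performed, which is what OCSPaia = no actually trades away.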
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users