Hi,
I'm new to stunnel and I'm trying to troubleshoot why it currently isn't working. When I first set it up and tested it everything worked fine. I rebuilt everything to do it all again and now it's not working. I'm pretty sure I set everything up the same way. I'm trying to get it to work with AWS SES. Here is my stunnel config:
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
debug = debug
;output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi

; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************

;include = conf.d

; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************

; ***************************************** Example TLS client mode services

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verify = 2
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verify = 2
CAfile = ca-certs.pem
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verify = 2
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes

; Encrypted HTTP proxy authenticated with a client certificate
; located in the Windows certificate store
;[example-proxy]
;client = yes
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = capi

; ***************************************** Example TLS server mode services

;[pop3s]
;accept = 995
;connect = 110
;cert = stunnel.pem

;[imaps]
;accept = 993
;connect = 143
;cert = stunnel.pem

;[ssmtp]
;accept = 465
;connect = 25
;cert = stunnel.pem

; TLS front-end to a web server
;[https]
;accept = 443
;connect = 80
;cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0

; Remote cmd.exe protected with PSK-authenticated TLS
; Create "secrets.txt" containing IDENTITY:KEY pairs
;[cmd]
;accept = 1337
;exec = c:\windows\system32\cmd.exe
;execArgs = cmd.exe
;ciphers = PSK
;PSKsecrets = secrets.txt

; vim:ft=dosini

[smtp-tls-wrapper]
accept = 2525
client = yes
connect = email-smtp.us-east-1.amazonaws.com:2465
delay = yes
Here is the debug from the log file:
2015.12.29 17:42:38 LOG7[main]: No limit detected for the number of clients
2015.12.29 17:42:38 LOG5[main]: stunnel 5.28 on x86-pc-msvc-1500 platform
2015.12.29 17:42:38 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015
2015.12.29 17:42:38 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2015.12.29 17:42:38 LOG7[main]: errno: (*_errno())
2015.12.29 17:42:38 LOG5[main]: Reading configuration from file stunnel.conf
2015.12.29 17:42:38 LOG5[main]: UTF-8 byte order mark detected
2015.12.29 17:42:38 LOG5[main]: FIPS mode disabled
2015.12.29 17:42:38 LOG7[main]: Compression disabled
2015.12.29 17:42:38 LOG7[main]: Snagged 64 random bytes from C:/.rnd
2015.12.29 17:42:38 LOG7[main]: Wrote 1024 new random bytes to C:/.rnd
2015.12.29 17:42:38 LOG7[main]: PRNG seeded successfully
2015.12.29 17:42:38 LOG6[main]: Initializing service [gmail-pop3]
2015.12.29 17:42:38 LOG7[ui]: GUI message loop initialized
2015.12.29 17:42:38 LOG7[cron]: Cron thread initialized
2015.12.29 17:42:38 LOG7[main]: No certificate or private key specified
2015.12.29 17:42:38 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2015.12.29 17:42:38 LOG6[main]: Initializing service [gmail-imap]
2015.12.29 17:42:38 LOG7[main]: No certificate or private key specified
2015.12.29 17:42:38 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2015.12.29 17:42:38 LOG6[main]: Initializing service [gmail-smtp]
2015.12.29 17:42:38 LOG7[main]: No certificate or private key specified
2015.12.29 17:42:38 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2015.12.29 17:42:38 LOG6[main]: Initializing service [smtp-tls-wrapper]
2015.12.29 17:42:38 LOG7[main]: No certificate or private key specified
2015.12.29 17:42:38 LOG4[main]: Service [smtp-tls-wrapper] needs authentication to prevent MITM attacks
2015.12.29 17:42:38 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2015.12.29 17:42:38 LOG5[main]: Configuration successful
2015.12.29 17:42:38 LOG7[main]: Listening file descriptor created (FD=372)
2015.12.29 17:42:38 LOG7[main]: Service [gmail-pop3] (FD=372) bound to 127.0.0.1:110
2015.12.29 17:42:38 LOG7[main]: Listening file descriptor created (FD=376)
2015.12.29 17:42:38 LOG7[main]: Service [gmail-imap] (FD=376) bound to 127.0.0.1:143
2015.12.29 17:42:38 LOG7[main]: Listening file descriptor created (FD=380)
2015.12.29 17:42:38 LOG7[main]: Service [gmail-smtp] (FD=380) bound to 127.0.0.1:25
2015.12.29 17:42:38 LOG7[main]: Listening file descriptor created (FD=384)
2015.12.29 17:42:38 LOG7[main]: Service [smtp-tls-wrapper] (FD=384) bound to 0.0.0.0:2525
2015.12.29 17:43:25 LOG7[main]: Found 1 ready file descriptor(s)
2015.12.29 17:43:25 LOG7[main]: FD=332 ifds=r-x ofds=---
2015.12.29 17:43:25 LOG7[main]: FD=372 ifds=r-x ofds=---
2015.12.29 17:43:25 LOG7[main]: FD=376 ifds=r-x ofds=---
2015.12.29 17:43:25 LOG7[main]: FD=380 ifds=r-x ofds=---
2015.12.29 17:43:25 LOG7[main]: Service [smtp-tls-wrapper] accepted (FD=444) from 127.0.0.1:49510
2015.12.29 17:43:25 LOG7[main]: Creating a new thread
2015.12.29 17:43:25 LOG7[main]: New thread created
2015.12.29 17:43:25 LOG7[0]: Service [smtp-tls-wrapper] started
2015.12.29 17:43:25 LOG5[0]: Service [smtp-tls-wrapper] accepted connection from 127.0.0.1:49510
2015.12.29 17:43:25 LOG6[0]: failover: round-robin, starting at entry #0
2015.12.29 17:43:25 LOG6[0]: s_connect: connecting 54.243.71.143:2465
2015.12.29 17:43:25 LOG7[0]: s_connect: s_poll_wait 54.243.71.143:2465: waiting 10 seconds
2015.12.29 17:43:25 LOG5[0]: s_connect: connected 54.243.71.143:2465
2015.12.29 17:43:25 LOG5[0]: Service [smtp-tls-wrapper] connected remote server from 172.31.49.212:49511
2015.12.29 17:43:25 LOG7[0]: Remote descriptor (FD=468) initialized
2015.12.29 17:43:25 LOG6[0]: SNI: sending servername: email-smtp.us-east-1.amazonaws.com
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): before/connect initialization
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv2/v3 write client hello A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 read server hello A
2015.12.29 17:43:25 LOG6[0]: Certificate verification disabled
2015.12.29 17:43:25 LOG6[0]: Certificate verification disabled
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 read server certificate A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 read server key exchange A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 read server done A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 write client key exchange A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 write change cipher spec A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 write finished A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 flush data
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 read server session ticket A
2015.12.29 17:43:25 LOG7[0]: SSL state (connect): SSLv3 read finished A
2015.12.29 17:43:25 LOG7[0]: 1 client connect(s) requested
2015.12.29 17:43:25 LOG7[0]: 1 client connect(s) succeeded
2015.12.29 17:43:25 LOG7[0]: 0 client renegotiation(s) requested
2015.12.29 17:43:25 LOG7[0]: 0 session reuse(s)
2015.12.29 17:43:25 LOG6[0]: SSL connected: new session negotiated
2015.12.29 17:43:25 LOG7[0]: Peer certificate was cached (3667 bytes)
2015.12.29 17:43:25 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.12.29 17:43:25 LOG7[0]: Compression: null, expansion: null
2015.12.29 17:43:36 LOG7[0]: SSL alert (read): warning: close notify
2015.12.29 17:43:36 LOG6[0]: SSL closed (SSL_read)
2015.12.29 17:43:36 LOG7[0]: Sent socket write shutdown
2015.12.29 17:43:38 LOG6[cron]: Executing cron jobs
2015.12.29 17:43:38 LOG6[cron]: Cron jobs completed in 0 seconds
2015.12.29 17:43:38 LOG7[cron]: Waiting 86400 seconds
2015.12.29 17:44:36 LOG3[0]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
2015.12.29 17:44:36 LOG5[0]: Connection closed: 995 byte(s) sent to SSL, 397 byte(s) sent to socket
2015.12.29 17:44:36 LOG7[0]: Remote descriptor (FD=468) closed
2015.12.29 17:44:36 LOG7[0]: Local descriptor (FD=444) closed
2015.12.29 17:44:36 LOG7[0]: Service [smtp-tls-wrapper] finished (0 left)
I've searched the web for that TIMEOUTclose message and haven't come up with a solution. I've also attached a packet capture. Any suggestions would be helpful.
Thanks!
Mike
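Added example (not part of the post above, and not stunnel's own code): a small Python triage script for stunnel debug logs of the shape shown in the post. It flags client-mode services that started without certificate verification (the LOG4 "needs authentication" and "Certificate verification disabled" lines, which match the [smtp-tls-wrapper] section having no verify/CAfile/checkHost, unlike the gmail sections) and measures the time between the peer's close-notify and stunnel's TIMEOUTclose shutdown. Function names are mine; the sample log is constructed from the relevant lines of the post.

```python
import re
from datetime import datetime

# stunnel's default log line shape: "YYYY.MM.DD HH:MM:SS LOG<level>[<thread>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[([^\]]+)\]: (.*)$")

def parse_log(text):
    """Turn stunnel debug output into dicts; lines that do not match are skipped."""
    entries = []
    for m in (LINE_RE.match(l.strip()) for l in text.splitlines()):
        if m:
            entries.append({"time": datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"),
                            "level": int(m.group(2)), "thread": m.group(3), "msg": m.group(4)})
    return entries

def unverified_services(entries):
    """Client-mode services stunnel flagged at startup for lacking verify/CAfile."""
    return sorted({m.group(1) for e in entries
                   for m in [re.match(r"Service \[([^\]]+)\] needs authentication", e["msg"])] if m})

def connection_summary(entries, thread):
    """Per-connection facts: protocol/ciphersuite, whether peer verification was
    disabled, and the seconds between the peer's close-notify and TIMEOUTclose."""
    info = {"verify_disabled": False, "protocol": None, "cipher": None,
            "close_notify": None, "timeoutclose": None, "idle_seconds": None}
    for e in entries:
        if e["thread"] != thread:
            continue
        msg = e["msg"]
        if msg == "Certificate verification disabled":
            info["verify_disabled"] = True
        elif msg.startswith("Negotiated "):
            words = msg.split()            # "Negotiated TLSv1.2 ciphersuite NAME (...)"
            info["protocol"], info["cipher"] = words[1], words[3]
        elif "close notify" in msg:
            info["close_notify"] = e["time"]
        elif "TIMEOUTclose exceeded" in msg:
            info["timeoutclose"] = e["time"]
    if info["close_notify"] and info["timeoutclose"]:
        info["idle_seconds"] = (info["timeoutclose"] - info["close_notify"]).total_seconds()
    return info

# Constructed sample: the relevant lines copied from the log in the post above.
SAMPLE_LOG = """\
2015.12.29 17:42:38 LOG4[main]: Service [smtp-tls-wrapper] needs authentication to prevent MITM attacks
2015.12.29 17:43:25 LOG6[0]: Certificate verification disabled
2015.12.29 17:43:25 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.12.29 17:43:36 LOG7[0]: SSL alert (read): warning: close notify
2015.12.29 17:44:36 LOG3[0]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
"""
```

connection_summary(parse_log(SAMPLE_LOG), "0") reports verify_disabled True and idle_seconds 60.0 for the session in the post, which is stunnel's default TIMEOUTclose, consistent with the local client not closing its side after the remote side sent close-notify.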