Hello All, Running Debian 6.0, stunnel4 and Pan 0.133
I have set up Pan and installed stunnel so that I can use ssl with nntp. Installing Pan and stunnel was easy. I've edited Pan to use localhost:119 and edited my config file in stunnel to point to my nntp server. I have allowed nntp in my hosts.allow for ALL:ALL.
The problem I am running into is that Pan does not connect. I get the following error:
Error reading from localhost. Connection reset by peer
Checking with the following openssl command produced this error:
root@triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119
CONNECTED(00000003)
write:errno=104

Looking at the logs for stunnel I see many repetitions of this message:
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119
2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds
2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455
2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A
2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)
Anyone know what is missing? It almost looks like it can't talk in either SSLv2 or v3, which makes no sense.
Here is my stunnel config:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
foreground = no

; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept = localhost:119
connect = news.aliant.net:119

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
Mike,
Maybe you can double check the server settings with the server operator. NNTPS (NNTP over SSL) usually is run on TCP port 563 instead of port 119.

Hope this helps
-----------------
Leandro Avila
----- Original Message ----- From: mike mgbutler@nbnet.nb.ca To: stunnel-users@stunnel.org Cc: Sent: Monday, June 25, 2012 12:15 PM Subject: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Thanks Leandro. But doesn't stunnel allow me to use ssl for nntp? My nntp server definitely uses port 119. I followed the set up for this from these instructions almost to the letter: http://ubuntuforums.org/showthread.php?t=653246
and I can't get this to work with ssl at all.
-Mike
On 12-06-26 12:05 AM, Leandro Avila wrote:
Mike,
Maybe you can double check the server settings with the server operator. NNTPS (NNTP over SSL) usually is run on TCP port 563 Instead of Port 119.
Hope this helps
Leandro Avila
So I made a couple changes in my config. I disabled "client=yes" and created a certificate key.
Now when I run this command:
openssl s_client -ssl3 -connect localhost:119

I get a hopeful message that shows my certificate and ends like this:
SSL handshake has read 969 bytes and written 253 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol : SSLv3
    Cipher : AES256-SHA
    Session-ID: 9FBB246F77D9951629DE4E506B82B967B47CA3AFD0E8F792D44159A9016E3B16
    Session-ID-ctx:
    Master-Key: 35BF62692EECE0641DD0E35EC2927757751E576A6DAF27B857FEDC8D0B47C05AB6854784B5C450739545E0DEDC3A3FA8
    Key-Arg : None
    Compression: 1 (zlib compression)
    Start Time: 1340744705
    Timeout : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
200 NNRP news.aliant.net Service Ready - support@aliant.net (posting ok)

So everything looks good. But when I attempt to connect in Pan, it never connects and my stunnel log looks like this:
2012.06.26 18:07:45 LOG7[475:3074374512]: SSL state (accept): before/accept initialization
2012.06.26 18:07:55 LOG3[475:3074513776]: SSL_accept: Peer suddenly disconnected
2012.06.26 18:07:55 LOG5[475:3074513776]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp finished (3 left)
2012.06.26 18:07:55 LOG7[475:3074758864]: nntp accepted FD=13 from 127.0.0.1:36457
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp started
2012.06.26 18:07:55 LOG7[475:3074513776]: FD 13 in non-blocking mode
2012.06.26 18:07:55 LOG7[475:3074513776]: Waiting for a libwrap process
2012.06.26 18:07:55 LOG7[475:3074513776]: Acquired libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: Releasing libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: Released libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp permitted by libwrap from 127.0.0.1:36457
2012.06.26 18:07:55 LOG5[475:3074513776]: nntp accepted connection from 127.0.0.1:36457
I'm stumped - anyone got any ideas?
On 12-06-26 04:10 PM, mike wrote:
Thanks Leandro. But doesn't stunnel allow me to use ssl for nntp? My nntp server definitely uses port 119. I followed the set up for this from these instructions almost to the letter: http://ubuntuforums.org/showthread.php?t=653246
and i can't get this to work with ssl at all.
-Mike
Mike,
Your initial configuration was fine I think. Your side of the connection makes your stunnel a client. So you need the client = yes option for that.
What I meant to say in my earlier message is that the other side of the connection, that is the server at news.aliant.net, should also be ready to accept SSL. In this case news.aliant.net does not seem to support SSL.
So your stunnel is working properly trying to establish a connection using SSL but the server refuses because it does not use SSL. Hence, the need to check with the operator/owner of news.aliant.net and ask them if their configuration supports SSL.
I hope this makes more sense.
Thanks
----------------- Leandro Avila
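A way to run the check Leandro describes, as an added example that is not part of the original thread: read whatever the server sends first on a fresh TCP connection and decide whether it is a cleartext NNTP status line or a TLS record. The function names are hypothetical and the sample bytes are constructed, not captured traffic.

```python
import re
import socket

# Constructed sample inputs (not captured from any real server).
SAMPLE_NNTP_GREETING = b"200 news.example.invalid Service Ready (posting ok)\r\n"
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])

# TLS record header: content type, then version major 0x03 and minor 0x00..0x04.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# NNTP responses start with a three-digit status code (e.g. "200 ...").
NNTP_STATUS = re.compile(rb"^[1-5]\d\d(?: |\r?\n)")

EXPLANATIONS = {
    "plaintext-nntp": ("Server greets in cleartext. A TLS client connecting "
                       "here receives a status line where it expects a "
                       "ServerHello, which OpenSSL reports as 'unknown "
                       "protocol'."),
    "tls-record": "Server answered with a TLS record.",
    "silent": ("Server sent nothing (or closed). Consistent with a service "
               "that waits for a ClientHello, but not proof of TLS."),
    "unknown": "Server spoke first, but not NNTP and not TLS.",
}


def classify_first_bytes(data):
    """Classify the first bytes a server sent on a new connection."""
    if not data:
        return "silent"
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls-record"
    if NNTP_STATUS.match(data):
        return "plaintext-nntp"
    return "unknown"


def read_server_first(sock, wait=3.0):
    """Return what the peer sends unprompted within `wait` seconds."""
    sock.settimeout(wait)
    try:
        return sock.recv(512)
    except socket.timeout:
        return b""


def diagnose(host, port, wait=3.0):
    """Connect, send nothing, and report (kind, explanation)."""
    with socket.create_connection((host, port), timeout=wait) as sock:
        kind = classify_first_bytes(read_server_first(sock, wait))
    return kind, EXPLANATIONS[kind]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples above.
    for label, sample in (("greeting", SAMPLE_NNTP_GREETING),
                          ("alert", SAMPLE_TLS_ALERT),
                          ("nothing", b"")):
        kind = classify_first_bytes(sample)
        print(f"{label:9} -> {kind}: {EXPLANATIONS[kind]}")
```

Calling `diagnose()` against the host and port from the `connect =` line of the stunnel service shows which side of the mismatch is at fault before any stunnel settings are changed.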
----- Original Message ----- From: mike mgbutler@nbnet.nb.ca To: stunnel-users@stunnel.org Cc: Sent: Tuesday, June 26, 2012 4:08 PM Subject: Re: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol