I am currently trying to setup stunnel to help me send emails from a program that sends alerts but does not use SSL, to a cloud email service that I use that requires SSL. I have the configuration setup trying to find out where the error is, and I am down to this last error.
SSL23_GET_CLIENT_HELLO:unknown protocol
Here is my config file.
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; Disable FIPS mode to allow non-approved protocols and algorithms
fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
sslVersion = all
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************
; The default certificate
cert = stunnel.pem
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Set client mode client = yes
; GMail ssmtp settings
[ssmtp]
accept = 25
connect = 174.129.0.38:465
; GMail pop3s settings
[pop3s]
accept = 110
connect = 174.129.0.38:995
; GMail imaps settings
[imaps]
accept = 143
connect = 174.129.0.38:993
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
Try specifying the ssl versions and options that you want or don't want explicitly. On Jan 11, 2013 5:09 PM, "Brandon Glenn" kocrachon@gmail.com wrote:
I am currently trying to setup stunnel to help me send emails from a program that sends alerts but does not use SSL, to a cloud email service that I use that requires SSL. I have the configuration setup trying to find out where the error is, and I am down to this last error.
SSL23_GET_CLIENT_HELLO:unknown protocol
Here is my config file.
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
;
; * Global options
;
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; Disable FIPS mode to allow non-approved protocols and algorithms
fips = no
;
; * Service defaults may also be specified in individual service sections
;
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
sslVersion = all
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
;
; * Service definitions (at least one service has to be defined)
;
; The default certificate
cert = stunnel.pem
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Set client mode client = yes
; GMail ssmtp settings
[ssmtp]
accept = 25
connect = 174.129.0.38:465
; GMail pop3s settings
[pop3s]
accept = 110
connect = 174.129.0.38:995
; GMail imaps settings
[imaps]
accept = 143
connect = 174.129.0.38:993
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-
Brandon Glenn -
Brian Wilkins