Hello All,
I'm trying to configure STunnel4 on Windows to connect to my VPS installed with STunnel, so I can use SSH through a DPI-laden network.
The configuration works if I try at home, or on a mobile data hotspot, but if I attempt within the DPI network, it does not work, and provides this console output:
2018.03.22 09:30:15 LOG5[main]: stunnel 5.44 on x86-pc-msvc-1500 platform
2018.03.22 09:30:15 LOG5[main]: Compiled/running with OpenSSL 1.0.2m-fips 2 Nov 2017
2018.03.22 09:30:15 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2018.03.22 09:30:15 LOG5[main]: Reading configuration from file stunnel.conf
2018.03.22 09:30:15 LOG5[main]: UTF-8 byte order mark detected
2018.03.22 09:30:15 LOG5[main]: FIPS mode disabled
2018.03.22 09:30:15 LOG5[main]: Configuration successful
2018.03.22 09:30:24 LOG5[0]: Service [ssh] accepted connection from 127.0.0.1:65086
2018.03.22 09:30:24 LOG5[0]: s_connect: connected 130.185.251.28:443
2018.03.22 09:30:24 LOG5[0]: Service [ssh] connected remote server from 172.28.1.25:65087
2018.03.22 09:30:25 LOG4[0]: CERT: Certificate not found in local repository
2018.03.22 09:30:25 LOG4[0]: Rejected by CERT at depth=0: CN=130.185.251.28
2018.03.22 09:30:25 LOG3[0]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018.03.22 09:30:25 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
This is the configuration I'm using:
[ssh]
client = yes
accept = 443
connect = 130.185.251.28:443
CAfile = peer-ssh.pem
verifyPeer = yes
The odd thing is that if I connect using my mobile data, and then switch over to filtered internet and try again, it works fine, and adds the following lines to the log:
2018.03.22 09:36:46 LOG5[1]: Service [ssh] accepted connection from 127.0.0.1:65237
2018.03.22 09:36:46 LOG5[1]: s_connect: connected 130.185.251.28:443
2018.03.22 09:36:46 LOG5[1]: Service [ssh] connected remote server from 192.168.43.115:65238
2018.03.22 09:36:46 LOG5[1]: Certificate accepted at depth=0: C=GB, ST=Lincolnshire, L=Horncastle, O=N/A, OU=N/A, CN=personal.kilosierracharlie.me, emailAddress=webmaster@kilosierracharlie.me
Has anyone got any ideas regarding this issue? It's not mission critical, but it's quite annoyingly repetitive!
Cheers,
Kieran.
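
Added example (not part of the original post and not stunnel's own code): a small Python script that pulls the depth-0 certificate verdict and subject out of stunnel log lines like the ones above, per connection, so the certificate presented on each attempt can be compared side by side. The sample lines are copied from the two excerpts in the post; the function names are made up for this example, and the regular expressions assume the stunnel 5.44 message wording shown in those logs.

```python
import re

# Sample input: lines copied from the two log excerpts in the post above.
SAMPLE_LOG = """\
2018.03.22 09:30:24 LOG5[0]: Service [ssh] connected remote server from 172.28.1.25:65087
2018.03.22 09:30:25 LOG4[0]: CERT: Certificate not found in local repository
2018.03.22 09:30:25 LOG4[0]: Rejected by CERT at depth=0: CN=130.185.251.28
2018.03.22 09:36:46 LOG5[1]: Service [ssh] connected remote server from 192.168.43.115:65238
2018.03.22 09:36:46 LOG5[1]: Certificate accepted at depth=0: C=GB, ST=Lincolnshire, L=Horncastle, O=N/A, OU=N/A, CN=personal.kilosierracharlie.me, emailAddress=webmaster@kilosierracharlie.me
"""

# "<date> <time> LOG<level>[<connection id>]: <message>"
LINE = re.compile(r"^\S+ \S+ LOG\d\[(?P<conn>\w+)\]: (?P<msg>.*)$")
LOCAL = re.compile(r"connected remote server from (\S+):\d+$")
VERDICT = re.compile(r"^(Rejected by CERT|Certificate accepted) at depth=(\d+): (.*)$")


def common_name(subject):
    """Return the CN attribute of a one-line subject string, or None."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject)
    return m.group(1).strip() if m else None


def peer_certs(log_text):
    """Map connection id -> local source address, verdict and peer CN.

    Connection ids restart when stunnel restarts, so feed one run at a time.
    """
    conns = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = conns.setdefault(m["conn"], {"local": None, "accepted": None, "cn": None})
        if (loc := LOCAL.search(m["msg"])):
            rec["local"] = loc.group(1)
        elif (v := VERDICT.match(m["msg"])) and v.group(2) == "0":
            rec["accepted"] = v.group(1) == "Certificate accepted"
            rec["cn"] = common_name(v.group(3))
    return conns


def distinct_peer_names(conns):
    """Sorted set of leaf-certificate CNs seen; more than one means the peer
    certificate was not the same on every attempt."""
    return sorted({c["cn"] for c in conns.values() if c["cn"]})


if __name__ == "__main__":
    for conn_id, rec in peer_certs(SAMPLE_LOG).items():
        print(conn_id, rec)
```
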