[stunnel-users] IMAPS stunnel on older OSX Mac: SSL3_GET_RECORD:wrong version number
Tom Shaw
tshaw at oitc.com
Sun Mar 23 17:52:28 CET 2008
1.
Compiled and installed stunnel on an older OSX Mac. Tried connecting
via IMAPS and POP3S using Apple OSX Mail and I get the errors shown
in item 4 below. The process works when I change my .conf file to contain
sslVersion = SSLv2. I'm a neophyte to SSL and I have no idea what is
wrong, where to start, or whether this situation is OK. Any help is
appreciated. Also, this needs to be backward compatible to OSX 10.3.9,
which is why I am compiling on Panther.
2.
stunnel version 4.20
3.
standalone via sudo from command line
4.
error message
Mar 23 10:49:52 musky stunnel: LOG5[2941:25192960]: imaps accepted
connection from 206.208.58.127:37295
Mar 23 10:49:52 musky stunnel: LOG3[2941:25192960]: SSL_accept:
1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number
Mar 23 10:49:52 musky stunnel: LOG5[2941:25192960]: Connection reset:
0 bytes sent to SSL, 0 bytes sent to socket
5.
$ /usr/local/sbin/stunnel -version
stunnel 4.20 on powerpc-apple-darwin7.9.0 with OpenSSL 0.9.7l 28 Sep 2006
Threading:PTHREAD SSL:ENGINE Sockets:SELECT,IPv4 Auth:LIBWRAP
Global options
debug = 5
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
key = /usr/local/etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
6.
$ uname -a
Darwin musky.oitc.com 7.9.0 Darwin Kernel Version 7.9.0: Wed Mar 30
20:11:17 PST 2005; root:xnu/xnu-517.12.7.obj~1/RELEASE_PPC Power
Macintosh powerpc
7. Your libc version if you use Linux.
8.
$ gcc -v
Reading specs from /usr/libexec/gcc/darwin/ppc/3.3/specs
Thread model: posix
gcc version 3.3 20030304 (Apple Computer, Inc. build 1666)
9.
$ openssl version
OpenSSL 0.9.7l 28 Sep 2006
10.
My conf
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)
; Layout: the options before the first [section] are set once for the whole
; file; each [section] at the bottom defines one TLS-wrapped service.
; Certificate/key is needed in server mode and optional in client mode
; The key line below is commented out, so the private key is read from the
; cert file as well. That PEM therefore holds the private key and should be
; readable only by the account that starts stunnel.
; NOTE(review): no ciphers option is set, so the compiled-in default cipher
; list applies - confirm it excludes weak suites for this OpenSSL build.
cert = /usr/local/etc/stunnel/secure_mail.pem
;key = /usr/local/etc/stunnel/secure_mail.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
; SSLv2 is the poster's workaround for the "wrong version number" error.
; It is an obsolete protocol with known design flaws (the handshake is not
; protected against tampering and its MAC construction is weak), so mail
; credentials carried over it are poorly protected.
; NOTE(review): set before any [section], so it presumably applies to every
; service below. Treat it as a diagnostic setting only and return to all or
; TLSv1 once the client-side cause is understood.
sslVersion = SSLv2
; Some security enhancements for UNIX systems - comment them out on Win32
; All of these are commented out here, so stunnel is neither confined to a
; chroot nor switched to an unprivileged account: it keeps the privileges of
; whoever started it for as long as it runs. The listening ports below are
; under 1024, which normally means it was started with root privileges.
; The two setgid lines are alternatives (nobody vs. nogroup); enable only the
; one whose group exists on the system.
;chroot = /usr/local/var/lib/stunnel/
;setuid = nobody
;setgid = nobody
;setgid = nogroup
; PID is created inside chroot jail
; With chroot commented out above, this path is taken from the real
; filesystem root instead.
pid = /var/run/stunnel.pid
; Some performance tunings
; TCP_NODELAY is set on the local (l:) and remote (r:) sockets.
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
; Workaround for Eudora bug
; This turns off OpenSSL's empty-fragment countermeasure against a CBC
; weakness in SSL 3.0 / TLS 1.0. Keep it only if an affected client actually
; has to connect.
options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
; verify is commented out, so peer certificates are not checked. The CApath,
; CAfile, CRLpath and CRLfile settings below only matter once verify is
; enabled.
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
; 7 is the most verbose (debug) level; lower it once troubleshooting is done
; so that the logs carry less per-connection detail.
debug = 7
;output = stunnel.log
; Use it for client mode
;client = yes
; Service-level configuration
; Each service accepts SSL connections on the accept port and forwards the
; decrypted stream to the connect port. No host is given in connect, so the
; backend is expected on the local machine.
; NOTE(review): the plaintext backend ports (110, 143, 587, 389) should be
; reachable only locally, otherwise clients can bypass the encrypted
; listeners - confirm against the mail/LDAP server and firewall settings.
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 587
[sldap]
accept = 636
connect = 389
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini