[stunnel-users] STunnel server handshake fails
Leandro Avila
leandro.avila at ymail.com
Fri Apr 8 06:32:48 CEST 2011
Hello,
I think you probably want to use the sslVersion = TLSv1 setting in your configuration.
Instead of the options for OpenSSL
Hope that helps
-----------------
Leandro Avila
________________________________
From: John C. Kadyk <jckadyk at pacbell.net>
To: stunnel-users at stunnel.org
Sent: Thursday, April 7, 2011 7:06 PM
Subject: Re: [stunnel-users] STunnel server handshake fails
STunnel server handshake fails I'm trying to set up STunnel so our non-SSL network scanner can email scans through our email server, which requires TLS. A desktop email client with the same server/port settings can send email OK.
I think I have STunnel configured correctly, but there's a handshake failure when it tries to connect to the server. STunnel seems to be attempting an SSLv3 connection even though I turned that option off in the config file. I want to force it to use TLS but not sure how to do that. Any suggestions greatly appreciated.
Here's the config file:
cert = stunnel.pem
;key = stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
;output = stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 1025
connect = mail022-1.exch022.serverdata.net:1025 <http://mail022-1.exch022.serverdata.net:1025>
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
and here's the log:
2011.04.07 16:41:04 LOG5[3744:516]: Reading configuration from file stunnel.conf
2011.04.07 16:41:04 LOG7[3744:516]: Snagged 64 random bytes from C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: Wrote 1024 new random bytes to C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: PRNG seeded successfully
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service pop3s
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service imaps
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service ssmtp
2011.04.07 16:41:04 LOG5[3744:516]: Configuration successful
2011.04.07 16:41:04 LOG5[3744:516]: No limit detected for the number of clients
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=136 allocated (non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s bound to 0.0.0.0:995 <http://0.0.0.0:995>
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s opened FD=136
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=124 allocated (non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps bound to 0.0.0.0:993 <http://0.0.0.0:993>
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps opened FD=124
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=148 allocated (non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp bound to 0.0.0.0:1025 <http://0.0.0.0:1025>
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp opened FD=148
2011.04.07 16:41:04 LOG5[3744:516]: stunnel 4.35 on x86-pc-mingw32-gnu with OpenSSL 1.0.0c 2 Dec 2010
2011.04.07 16:41:04 LOG5[3744:516]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2011.04.07 16:41:17 LOG7[3744:2436]: local socket: FD=232 allocated (non-blocking mode)
2011.04.07 16:41:17 LOG7[3744:2436]: Service ssmtp accepted FD=232 from 10.10.17.57:49968 <http://10.10.17.57:49968>
2011.04.07 16:41:17 LOG7[3744:2436]: Creating a new thread
2011.04.07 16:41:17 LOG7[3744:2436]: New thread created
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp started
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on local socket
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp accepted connection from 10.10.17.57:49968 <http://10.10.17.57:49968>
2011.04.07 16:41:17 LOG7[3744:4012]: remote socket: FD=268 allocated (non-blocking mode)
2011.04.07 16:41:17 LOG6[3744:4012]: connect_blocking: connecting 64.78.22.98:1025 <http://64.78.22.98:1025>
2011.04.07 16:41:17 LOG5[3744:4012]: connect_blocking: connected 64.78.22.98:1025 <http://64.78.22.98:1025>
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp connected remote server from 10.10.17.249:4081 <http://10.10.17.249:4081>
2011.04.07 16:41:17 LOG7[3744:4012]: Remote FD=268 initialized
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on remote socket
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): before/connect initialization
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): SSLv3 write client hello A
2011.04.07 16:41:17 LOG7[3744:4012]: SSL alert (write): fatal: handshake failure
2011.04.07 16:41:17 LOG3[3744:4012]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2011.04.07 16:41:17 LOG5[3744:4012]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp finished (0 left)
Any suggestions greatly appreciated.
Thanks!
John
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
More information about the stunnel-users
mailing list