[stunnel-users] STunnel server handshake fails

Leandro Avila leandro.avila at ymail.com
Fri Apr 8 06:32:48 CEST 2011


Hello,

I think you probably want to use the sslVersion = TLSv1 setting in your configuration.
Instead of the options for OpenSSL

Hope that helps

-----------------
Leandro Avila


________________________________
From: John C. Kadyk <jckadyk at pacbell.net>
To: stunnel-users at stunnel.org
Sent: Thursday, April 7, 2011 7:06 PM
Subject: Re: [stunnel-users] STunnel server handshake fails


STunnel server handshake fails I'm trying to set up STunnel so our non-SSL network scanner can email scans through our email server, which requires TLS. A desktop email client with the same server/port settings can send email OK.

I think I have STunnel configured correctly, but there's a handshake failure when it tries to connect to the server. STunnel seems to be attempting an SSLv3 connection even though I turned that option off in the config file. I want to force it to use TLS but not sure how to do that. Any suggestions greatly appreciated.

Here's the config file:

cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
;output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[ssmtp]
accept  = 1025
connect = mail022-1.exch022.serverdata.net:1025 <http://mail022-1.exch022.serverdata.net:1025> 

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini

and here's the log:

2011.04.07 16:41:04 LOG5[3744:516]: Reading configuration from file stunnel.conf
2011.04.07 16:41:04 LOG7[3744:516]: Snagged 64 random bytes from C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: Wrote 1024 new random bytes to C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: PRNG seeded successfully
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service pop3s
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service imaps
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service ssmtp
2011.04.07 16:41:04 LOG5[3744:516]: Configuration successful
2011.04.07 16:41:04 LOG5[3744:516]: No limit detected for the number of clients
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=136 allocated (non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s bound to 0.0.0.0:995 <http://0.0.0.0:995> 
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s opened FD=136
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=124 allocated (non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps bound to 0.0.0.0:993 <http://0.0.0.0:993> 
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps opened FD=124
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=148 allocated (non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp bound to 0.0.0.0:1025 <http://0.0.0.0:1025> 
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp opened FD=148
2011.04.07 16:41:04 LOG5[3744:516]: stunnel 4.35 on x86-pc-mingw32-gnu with OpenSSL 1.0.0c 2 Dec 2010
2011.04.07 16:41:04 LOG5[3744:516]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2011.04.07 16:41:17 LOG7[3744:2436]: local socket: FD=232 allocated (non-blocking mode)
2011.04.07 16:41:17 LOG7[3744:2436]: Service ssmtp accepted FD=232 from 10.10.17.57:49968 <http://10.10.17.57:49968> 
2011.04.07 16:41:17 LOG7[3744:2436]: Creating a new thread
2011.04.07 16:41:17 LOG7[3744:2436]: New thread created
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp started
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on local socket
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp accepted connection from 10.10.17.57:49968 <http://10.10.17.57:49968> 
2011.04.07 16:41:17 LOG7[3744:4012]: remote socket: FD=268 allocated (non-blocking mode)
2011.04.07 16:41:17 LOG6[3744:4012]: connect_blocking: connecting 64.78.22.98:1025 <http://64.78.22.98:1025> 
2011.04.07 16:41:17 LOG5[3744:4012]: connect_blocking: connected 64.78.22.98:1025 <http://64.78.22.98:1025> 
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp connected remote server from 10.10.17.249:4081 <http://10.10.17.249:4081> 
2011.04.07 16:41:17 LOG7[3744:4012]: Remote FD=268 initialized
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on remote socket
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): before/connect initialization
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): SSLv3 write client hello A
2011.04.07 16:41:17 LOG7[3744:4012]: SSL alert (write): fatal: handshake failure
2011.04.07 16:41:17 LOG3[3744:4012]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2011.04.07 16:41:17 LOG5[3744:4012]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp finished (0 left)

Any suggestions greatly appreciated.

Thanks!
John 
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users 



More information about the stunnel-users mailing list