[stunnel-users] STunnel server handshake fails
John Kadyk
jckadyk at pacbell.net
Tue Apr 12 00:53:35 CEST 2011
Thanks for the quick response, Leandronot sure I¹m replying to this
correctly.
Adding sslVersion = TLSv1 as you suggested did allow STunnel to connect with
the server, and in the log it looked like everything was workingbut the
email client still registered an error and the message didn¹t go through. So
I just created a new GMail address for the scanner so I could use a vanilla
SSL connection, and that¹s working fine.
Thanks again,
John
[stunnel-users] STunnel server handshake fails
Leandro Avila leandro.avila at ymail.com
Fri Apr 8 06:32:48 CEST 2011
Previous message: [stunnel-users] STunnel server handshake fails
Next message: [stunnel-users] stunnel through elb.. need packets sent
semi-frequently
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,
I think you probably want to use the sslVersion = TLSv1 setting in your
configuration.
Instead of the options for OpenSSL
Hope that helps
-----------------
Leandro Avila
________________________________
From: John C. Kadyk <jckadyk at pacbell.net>
To: stunnel-users at stunnel.org
Sent: Thursday, April 7, 2011 7:06 PM
Subject: Re: [stunnel-users] STunnel server handshake fails
STunnel server handshake fails I'm trying to set up STunnel so our non-SSL
network scanner can email scans through our email server, which requires
TLS. A desktop email client with the same server/port settings can send
email OK.
I think I have STunnel configured correctly, but there's a handshake failure
when it tries to connect to the server. STunnel seems to be attempting an
SSLv3 connection even though I turned that option off in the config file. I
want to force it to use TLS but not sure how to do that. Any suggestions
greatly appreciated.
Here's the config file:
cert = stunnel.pem
;key = stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
;output = stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 1025
connect = mail022-1.exch022.serverdata.net:1025
<http://mail022-1.exch022.serverdata.net:1025>
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
and here's the log:
2011.04.07 16:41:04 LOG5[3744:516]: Reading configuration from file
stunnel.conf
2011.04.07 16:41:04 LOG7[3744:516]: Snagged 64 random bytes from C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: Wrote 1024 new random bytes to C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: PRNG seeded successfully
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service
pop3s
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service
imaps
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service
ssmtp
2011.04.07 16:41:04 LOG5[3744:516]: Configuration successful
2011.04.07 16:41:04 LOG5[3744:516]: No limit detected for the number of
clients
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=136 allocated
(non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s bound to 0.0.0.0:995
<http://0.0.0.0:995>
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s opened FD=136
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=124 allocated
(non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps bound to 0.0.0.0:993
<http://0.0.0.0:993>
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps opened FD=124
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=148 allocated
(non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp bound to 0.0.0.0:1025
<http://0.0.0.0:1025>
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp opened FD=148
2011.04.07 16:41:04 LOG5[3744:516]: stunnel 4.35 on x86-pc-mingw32-gnu with
OpenSSL 1.0.0c 2 Dec 2010
2011.04.07 16:41:04 LOG5[3744:516]: Threading:WIN32 SSL:ENGINE
Sockets:SELECT,IPv6
2011.04.07 16:41:17 LOG7[3744:2436]: local socket: FD=232 allocated
(non-blocking mode)
2011.04.07 16:41:17 LOG7[3744:2436]: Service ssmtp accepted FD=232 from
10.10.17.57:49968 <http://10.10.17.57:49968>
2011.04.07 16:41:17 LOG7[3744:2436]: Creating a new thread
2011.04.07 16:41:17 LOG7[3744:2436]: New thread created
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp started
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on local socket
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp accepted connection from
10.10.17.57:49968 <http://10.10.17.57:49968>
2011.04.07 16:41:17 LOG7[3744:4012]: remote socket: FD=268 allocated
(non-blocking mode)
2011.04.07 16:41:17 LOG6[3744:4012]: connect_blocking: connecting
64.78.22.98:1025 <http://64.78.22.98:1025>
2011.04.07 16:41:17 LOG5[3744:4012]: connect_blocking: connected
64.78.22.98:1025 <http://64.78.22.98:1025>
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp connected remote server
from 10.10.17.249:4081 <http://10.10.17.249:4081>
2011.04.07 16:41:17 LOG7[3744:4012]: Remote FD=268 initialized
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on remote socket
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): before/connect
initialization
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): SSLv3 write client
hello A
2011.04.07 16:41:17 LOG7[3744:4012]: SSL alert (write): fatal: handshake
failure
2011.04.07 16:41:17 LOG3[3744:4012]: SSL_connect: 1408F10B:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2011.04.07 16:41:17 LOG5[3744:4012]: Connection reset: 0 bytes sent to SSL,
0 bytes sent to socket
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp finished (0 left)
Any suggestions greatly appreciated.
Thanks!
John
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Previous message: [stunnel-users] STunnel server handshake fails
Next message: [stunnel-users] stunnel through elb.. need packets sent
semi-frequently
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the stunnel-users mailing list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110411/157772c4/attachment.html>
More information about the stunnel-users
mailing list