[stunnel-users] expired certificate problem

Rolf Ruediger stunnel at ymail.com
Fri Nov 18 13:42:18 CET 2011


Hello there!

Some time ago I used stunnel to send the output of a homebrew logging script to a remote server. For a few weeks now, the server has had an expired certificate, so I get an error while connecting to it. The stunnel.log looks like this:

2011.11.18 12:23:36 LOG5[753:3078719168]: stunnel 4.29 on i486-pc-linux-gnu with OpenSSL 0.9.8o 01 Jun 2010
2011.11.18 12:23:36 LOG5[753:3078719168]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.11.18 12:23:36 LOG5[753:3078719168]: 500 clients allowed
2011.11.18 12:24:00 LOG5[759:3078716272]: https accepted connection from 127.0.0.1:40691
2011.11.18 12:24:00 LOG5[759:3078716272]: connect_blocking: connected example.com:443
2011.11.18 12:24:00 LOG5[759:3078716272]: https connected remote server from my_outside_ip:38486
2011.11.18 12:24:00 LOG3[759:3078716272]: SSL_connect: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2011.11.18 12:24:00 LOG5[759:3078716272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

This happens when connecting manually with "nc -v 127.0.0.1 1234" to make an HTTP GET request.
Here is the config file of my Linux client as well:

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/https.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[https]
accept = 127.0.0.1:1234
connect = example.com:443
TIMEOUTclose = 0

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

[ssmtp]
accept  = 465
connect = 25

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini

So, the server I am logging to is not under my control.
Is there a problem I don't see? I thought that when I connect to localhost, the data would be forwarded to the HTTPS server.

Thanks in advance.

-Rolf
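As an added illustration of how to read the failing line in this log (example code written for this thread, not the poster's script and not part of stunnel), the parser below splits stunnel 4.x log lines into their fields, extracts the OpenSSL error string from SSL_connect/SSL_accept failures and records where the verdict came from. In OpenSSL's error strings, "SSL3_READ_BYTES: ... alert ..." means the local side read a TLS alert record sent by the remote peer, so the peer is the side that judged a certificate expired; a failure of the local side's own verification reads differently ("certificate verify failed"). The four log lines are the ones from the post; the fifth line, showing the local-verification form, is constructed for contrast, and the hint strings are this example's own wording.

```python
"""Classify TLS handshake failures in an stunnel 4.x log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# stunnel 4.x line layout: "YYYY.MM.DD HH:MM:SS LOG<level>[<pid>:<tid>]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

HANDSHAKE_CALLS = {"SSL_connect", "SSL_accept"}


@dataclass
class TlsFailure:
    timestamp: str
    pid: int
    call: str     # SSL_connect (client side) or SSL_accept (server side)
    func: str     # OpenSSL function that reported the error
    reason: str   # OpenSSL reason string
    origin: str   # "peer-alert": remote side sent a TLS alert; "local": this side's own check failed

    def hint(self) -> str:
        # Hint text is this example's own wording, not an stunnel message.
        if self.origin == "peer-alert":
            if "certificate expired" in self.reason:
                return ("the remote peer rejected a certificate this side presented as expired; "
                        "check the notAfter date of the file configured under cert=")
            return "the remote peer aborted the handshake; the reason names the alert it sent"
        return "verification on this side failed; check the verify=, CAfile and CApath settings"


def parse_line(line: str) -> Optional[dict]:
    """Split one stunnel log line into ts/level/pid/tid/msg, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[TlsFailure]:
    """Turn a parsed SSL_connect/SSL_accept failure into a TlsFailure; None for other lines."""
    call, _, rest = entry["msg"].partition(": ")
    if call not in HANDSHAKE_CALLS:
        return None
    em = OPENSSL_ERR_RE.search(rest)
    if not em:
        return None
    reason = em.group("reason")
    # A reason containing "alert" was read from an alert record the peer sent,
    # so the verdict came from the other end rather than from local verification.
    origin = "peer-alert" if " alert " in reason else "local"
    return TlsFailure(entry["ts"], int(entry["pid"]), call, em.group("func"), reason, origin)


def tls_failures(lines) -> List[TlsFailure]:
    """Collect every handshake failure found in an iterable of log lines."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            failure = classify(entry)
            if failure:
                out.append(failure)
    return out


SAMPLE_LOG = [
    # Lines 1-4 are taken from the log in the post.
    "2011.11.18 12:24:00 LOG5[759:3078716272]: https accepted connection from 127.0.0.1:40691",
    "2011.11.18 12:24:00 LOG5[759:3078716272]: connect_blocking: connected example.com:443",
    "2011.11.18 12:24:00 LOG3[759:3078716272]: SSL_connect: 14094415: error:14094415:"
    "SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired",
    "2011.11.18 12:24:00 LOG5[759:3078716272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket",
    # Constructed contrast line: the shape of a *local* verification failure (e.g. verify = 2 with a wrong CAfile).
    "2011.11.18 12:30:00 LOG3[759:3078716272]: SSL_connect: 14090086: error:14090086:"
    "SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
]

if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        print(f"{f.timestamp} pid={f.pid} {f.call} [{f.origin}] {f.func}: {f.reason}")
        print(f"  -> {f.hint()}")
</test>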
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20111118/ccdc072e/attachment.html>


More information about the stunnel-users mailing list