[stunnel-users] I am having problems with the 4.5x-series also: Pan connects, nothing else happens.
Michal Trojnara
Michal.Trojnara at mirt.net
Wed Jan 11 22:56:27 CET 2012
SciFi wrote:
> $ uname -a
> Darwin SciFi.homeip.net 10.8.0 Darwin Kernel Version 10.8.0: Tue
> Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386
> i386 iMac6,1 Darwin
I couldn't reproduce your problem. It just works for me.
$ uname -a
Darwin PowerBook.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15
16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Power Macintosh
> I am fine while relegated to using stunnel-4.49, but we have a
> further issue, in that the "verify=<number>" option seems to reject
> the certs & what-not coming from these servers, for any <number>
> higher than 0 (yes I saw the maillist discussion about what 4 means
> there, and tried it also).
Are you sure you've put your peer certificates in /usr/local/var/lib/
stunnel/certs, and then executed c_rehash there? In most cases it's
better to use CAfile instead of CApath.
> I manually start stunnel on a login-root terminal window, this way:
> # stunnel /usr/local/etc/stunnel/stunnel.conf -sockets
You are supposed to use *either* stunnel.conf or -sockets as a
parameter. See the manual for details.
> key = /usr/local/etc/stunnel/stunnel.pem
There is no point in specifying your private key in client mode,
unless you also specify your certificate *and* configure remote
servers to perform authentication based on client certificates. In
your case (connecting some public services) it just doesn't make sense.
> sslVersion = all
> ciphers = ALL
It doesn't look very secure.
> chroot = /usr/local/var/lib/stunnel/
> setuid = nobody
> setgid = nogroup
For troubleshooting it's best to avoid these options.
> CApath = /certs
> CRLpath = /crls
Again it's better to use CAfile instead. Do you really use CRLs?
> Thanks for any help at all.
My troubleshooting tip:
Start with stable OpenSSL, and a minimal configuration:
foreground = yes
pid =
debug = 7
client = yes
[nntp_gn]
accept = 12000
connect = news.giganews.com:563
[nntp_aw]
accept = 12001
connect = ssl.astraweb.com:563
[nntp_gm]
accept = 12002
connect = 80.91.229.10:563
Try to get it working. Useful Mac OS X diagnostic commands: dtruss,
lastwords.
Then add other options one by one.
Mike
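A small configuration linter for the pitfalls raised in this reply (key without cert in client mode, sslVersion=all / ciphers=ALL, chroot/setuid/setgid while troubleshooting, and a CApath that must be c_rehash'ed inside the chroot), added here as an illustration; it is not stunnel's own code or the poster's file, the sample config is constructed to mirror the quoted settings, and parse_stunnel_conf / lint_client_conf are hypothetical helper names:

```python
import os

# Constructed sample modelled on the settings quoted in the thread (not the real file).
SAMPLE_CONF = """\
client = yes
key = /usr/local/etc/stunnel/stunnel.pem
sslVersion = all
ciphers = ALL
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
CApath = /certs
verify = 2
[nntp_gn]
accept = 12000
connect = news.giganews.com:563
"""

def parse_stunnel_conf(text):
    """Split stunnel.conf into (global options, {service: options}); options before the first [section] are global."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        (global_opts if current is None else services[current])[key.strip()] = value.strip()
    return global_opts, services

def lint_client_conf(text):
    """Return the findings a reviewer would raise for a client-mode configuration."""
    g, services = parse_stunnel_conf(text)
    findings = []
    if g.get("client", "no").lower() == "yes" and "key" in g and "cert" not in g:
        findings.append("key without cert: pointless unless the server requires a client certificate")
    if g.get("sslVersion", "").lower() == "all" or g.get("ciphers", "").upper() == "ALL":
        findings.append("sslVersion=all / ciphers=ALL: not a secure TLS policy")
    for opt in ("chroot", "setuid", "setgid"):
        if opt in g:
            findings.append(f"{opt} set: remove it while troubleshooting")
    if "CApath" in g:
        # Paths are resolved inside the chroot, so c_rehash must be run on the real directory.
        real = os.path.join(g.get("chroot", "/"), g["CApath"].lstrip("/"))
        findings.append(f"CApath resolves to {real}: run c_rehash there, or use CAfile instead")
    return findings
```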