[stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol

mike mgbutler at nbnet.nb.ca
Mon Jun 25 19:15:10 CEST 2012 

Hello All,
Running Debian 6.0, stunnel4 and Pan 0.133

I have set up Pan and installed stunnel so that I can use ssl with nntp. 
Installing Pan and stunnel was easy. I've edited Pan to use 
localhost:119 and edited my config file in stunnel to point to my nntp 
server. I have allowed nntp in my hosts.allow for ALL:ALL.

The problem I am running into is that Pan does not connect. I get the 
following error:

     Error reading from localhost. Connection reset by peer

Checking with the following openssl command produced this error:
     root at triglav:/etc/stunnel# openssl s_client -ssl3 -connect 
localhost:119
     CONNECTED(00000003)
     write:errno=104

Looking at the logs for stunnel I see many repetitions of this message:
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on 
local socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap 
from 127.0.0.1:59451
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection 
from 127.0.0.1:59451
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 
209.197.15.238:119
2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: 
s_poll_wait 209.197.15.238:119: waiting 10 seconds
2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 
209.197.15.238:119
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server 
from 192.168.2.56:51455
2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on 
remote socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): 
before/connect initialization
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): 
SSLv2/v3 write client hello A
2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: 
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes 
sent to SSL, 0 bytes sent to socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)

Anyone know what is missing? It almost looks like it cant talk in either 
SSLv2 or v3 which makes no sense.

Here is my stunnel config:

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular 
configuration
; Please make sure you understand them (especially the effect of the 
chroot jail)

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
foreground = no


; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept  = localhost:119
connect = news.aliant.net:119

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini

More information about the stunnel-users mailing list