[stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol
mike
mgbutler at nbnet.nb.ca
Mon Jun 25 19:15:10 CEST 2012
Hello All,
Running Debian 6.0, stunnel4 and Pan 0.133
I have set up Pan and installed stunnel so that I can use ssl with nntp.
Installing Pan and stunnel was easy. I've edited Pan to use
localhost:119 and edited my config file in stunnel to point to my nntp
server. I have allowed nntp in my hosts.allow for ALL:ALL.
The problem I am running into is that Pan does not connect. I get the
following error:
Error reading from localhost. Connection reset by peer
Checking with the following openssl command produced this error:
root@triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119
CONNECTED(00000003)
write:errno=104
Looking at the logs for stunnel I see many repetitions of this message:
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119
2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds
2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455
2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A
2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)
Anyone know what is missing? It almost looks like it can't talk in either SSLv2 or v3, which makes no sense.
Here is my stunnel config:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
foreground = no
; Use it for client mode
client = yes
; Service-level configuration
[nntp]
accept = localhost:119
connect = news.aliant.net:119
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
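The "SSL23_GET_SERVER_HELLO:unknown protocol" line in the log above is what OpenSSL reports when the first bytes it reads back from the server are neither an SSLv2 ServerHello nor an SSLv3/TLS handshake record. A plaintext NNTP server sends a "200 ..." greeting as soon as the TCP connection opens, before the client has sent anything, so a TLS client pointed at a plaintext port 119 reads ASCII where it expects a handshake record. The script below is an added example (not code from the original post, nor part of stunnel or Pan): it reproduces that first-bytes check, runs it over constructed samples (the greeting text, the TLS and SSLv2 record bytes, and the hostname news.example.net are all made up for the example), and optionally probes a live host:port to report which protocol the far end actually speaks.

```python
"""Tell a TLS port from a plaintext NNTP port by looking at the first bytes.

Added example, not from the original post or from the stunnel project.
classify_first_bytes() mirrors the test OpenSSL's SSL23_GET_SERVER_HELLO
applies to the first seven bytes a server sends: an SSLv2 ServerHello, an
SSLv3/TLS ServerHello record, or anything else ("unknown protocol").
"""
import socket
import ssl
import sys

SSL2_MT_SERVER_HELLO = 0x04   # SSLv2 handshake message type at offset 2
SSL3_RT_HANDSHAKE = 0x16      # SSLv3/TLS record type: handshake
SSL3_RT_ALERT = 0x15          # SSLv3/TLS record type: alert
SSL3_MT_SERVER_HELLO = 0x02   # handshake message type at offset 5


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent, as an SSLv23 client would."""
    if len(data) < 7:
        return "short"
    # SSLv2 record: high bit set in the first length byte, type at offset 2.
    if data[0] & 0x80 and data[2] == SSL2_MT_SERVER_HELLO:
        return "sslv2-server-hello"
    # SSLv3/TLS record: handshake type, major version 3, ServerHello inside.
    if (data[0] == SSL3_RT_HANDSHAKE and data[1] == 0x03
            and data[5] == SSL3_MT_SERVER_HELLO):
        return "tls-server-hello"
    if data[0] == SSL3_RT_ALERT and data[1] == 0x03:
        return "tls-alert"
    # NNTP greeting: a three-digit reply code (200/201/400/502) then a space.
    # This is the case OpenSSL lumps under "unknown protocol".
    if data[:3].isdigit() and data[3:4] == b" ":
        return "plaintext-nntp-greeting"
    return "unknown-protocol"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port and report what the far end speaks (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(2.0)
        try:
            # A plaintext NNTP server greets first; a TLS server stays silent
            # until it has seen a ClientHello, so a timeout here is expected.
            banner = sock.recv(64)
        except socket.timeout:
            banner = b""
        if banner:
            return "server spoke first: %s: %r" % (
                classify_first_bytes(banner), banner[:40])
        # Nothing arrived, so try a real handshake. Verification is off only
        # because this is a protocol probe; the production tunnel must verify.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls handshake ok: %s" % tls.version()
        except ssl.SSLError as exc:
            return "tls handshake failed: %s" % exc


# Constructed samples for the offline run; not captured from any real server.
SAMPLES = {
    "plaintext nntp greeting": b"200 news.example.net NNRP server ready (posting ok).\r\n",
    "tls server hello": bytes.fromhex("160301004a0200004603"),
    "sslv2 server hello": bytes.fromhex("804e0400010002"),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_first_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print("%-24s -> %s" % (name, verdict))
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python3 probe.py news.aliant.net 119`; a "server spoke first: plaintext-nntp-greeting" result means stunnel is being asked to speak TLS to a port that only speaks plaintext NNTP, which is exactly what the log shows. The conventional TLS-wrapped port for NNTP is 563 (NNTPS); whether this particular server offers it is an assumption the same probe can check. Once `connect =` points at a port that really speaks TLS, also enable `verify = 2` with a `CAfile` in the `[nntp]` section: with `client = yes` and no verification, stunnel accepts whatever certificate the far end, or anyone in the path, presents.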