[stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol
mike
mgbutler at nbnet.nb.ca
Tue Jun 26 21:10:50 CEST 2012
Thanks Leandro. But doesn't stunnel allow me to use ssl for nntp? My
nntp server definitely uses port 119. I followed the set up for this
from these instructions almost to the letter:
http://ubuntuforums.org/showthread.php?t=653246
and i can't get this to work with ssl at all.
-Mike
On 12-06-26 12:05 AM, Leandro Avila wrote:
> Mike,
>
> Maybe you can double check the server settings with the server operator. NNTPS (NNTP over SSL) usually is run on TCP port 563
> Instead of Port 119.
>
> Hope this helps
>
> -----------------
> Leandro Avila
>
>
> ----- Original Message -----
> From: mike <mgbutler at nbnet.nb.ca>
> To: stunnel-users at stunnel.org
> Cc:
> Sent: Monday, June 25, 2012 12:15 PM
> Subject: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol
>
> Hello All,
> Running Debian 6.0, stunnel4 and Pan 0.133
>
> I have set up Pan and installed stunnel so that I can use ssl with nntp. Installing Pan and stunnel was easy. I've edited Pan to use localhost:119 and edited my config file in stunnel to point to my nntp server. I have allowed nntp in my hosts.allow for ALL:ALL.
>
> The problem I am running into is that Pan does not connect. I get the following error:
>
> Error reading from localhost. Connection reset by peer
>
> Checking with the following openssl command produced this error:
> root at triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119
> CONNECTED(00000003)
> write:errno=104
>
> Looking at the logs for stunnel I see many repetitions of this message:
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451
> 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
> 2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds
> 2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119
> 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A
> 2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> 2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)
>
> Anyone know what is missing? It almost looks like it cant talk in either SSLv2 or v3 which makes no sense.
>
> Here is my stunnel config:
>
> ; Sample stunnel configuration file by Michal Trojnara 2002-2009
> ; Some options used here may not be adequate for your particular configuration
> ; Please make sure you understand them (especially the effect of the chroot jail)
>
> ; Certificate/key is needed in server mode and optional in client mode
> ;cert = /etc/ssl/certs/stunnel.pem
> ;key = /etc/ssl/certs/stunnel.pem
>
> ; Protocol version (all, SSLv2, SSLv3, TLSv1)
> sslVersion = all
>
> ; Some security enhancements for UNIX systems - comment them out on Win32
> chroot = /var/lib/stunnel4/
> setuid = stunnel4
> setgid = stunnel4
> ; PID is created inside the chroot jail
> pid = /stunnel4.pid
>
> ; Some performance tunings
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ;compression = zlib
>
> ; Workaround for Eudora bug
> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>
> ; Authentication stuff
> ;verify = 2
> ; Don't forget to c_rehash CApath
> ; CApath is located inside chroot jail
> ;CApath = /certs
> ; It's often easier to use CAfile
> ;CAfile = /etc/stunnel/certs.pem
> ; Don't forget to c_rehash CRLpath
> ; CRLpath is located inside chroot jail
> ;CRLpath = /crls
> ; Alternatively you can use CRLfile
> ;CRLfile = /etc/stunnel/crls.pem
>
> ; Some debugging stuff useful for troubleshooting
> debug = 7
> output = /var/log/stunnel4/stunnel.log
> foreground = no
>
>
> ; Use it for client mode
> client = yes
>
> ; Service-level configuration
>
> [nntp]
> accept = localhost:119
> connect = news.aliant.net:119
>
> ;[https]
> ;accept = 443
> ;connect = 80
> ;TIMEOUTclose = 0
>
> ; vim:ft=dosini
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
>
More information about the stunnel-users
mailing list