[stunnel-users] Fwd: Do Not Make Stunnel on El Capitan

WATANABE Takeo take at kasaneiro.jp
Fri Jan 15 05:53:27 CET 2016


Hi Thireus.

Thank you for your advice.
Thanks to it, the installation of the SSL build and Stunnel went well.
Swollen properly also server and connection with TLSv1 (OpenSSL_test)

However, in Cocoa Emacs 25.1.50 on Mew 6.7,
if you try to use as POP3S and SMTPS,
it is not Halle session is an error in the flow,
such as the accompanying text (Mew_debug).

Of course, if you disable SMTPS and POP3S in the Mew settings,
you can read and write e-mail normally.
But then there is no sense in having installed Stunnel.
What is a good way to deal with this error?

(Mew) E-mail software that runs on top of Emacs.
It uses Stunnel to realize POP3S and SMTPS.



on Sat, 2 Jan 2016 20:11:41 +0000
Thireus <thireus at gmail.com> wrote: 

> Hi Takeo,
> 
> These are my raw notes you can use to compile OpenSSL and stunnel (OpenSSL static lib, no SSLv3).
> 
> ------------------------
> 
> bash
> 
> # Build OpenSSL 1.0.2e as a static library without SSLv3.
> # $HOME is used because bash does not expand ~ inside --option=~/path arguments.
> cd ~/Downloads && wget https://github.com/openssl/openssl/archive/OpenSSL_1_0_2e.tar.gz && \
> tar xvf OpenSSL_1_0_2e.tar.gz && \
> cd ~/Downloads/openssl-OpenSSL_1_0_2e && \
> ./Configure darwin64-x86_64-cc threads -fPIC zlib no-dso no-ssl3 --prefix="$HOME/Downloads/openssl-built/" --openssldir="$HOME/Downloads/openssl-built/ssl" && \
> make depend
> make && make install
> 
> # Build stunnel 5.28 statically against that OpenSSL.
> cd ~/Downloads && rm -rf stunnel-* && \
> wget https://www.stunnel.org/downloads/stunnel-5.28.tar.gz && \
> tar xvf stunnel-5.28.tar.gz  && \
> cd ~/Downloads/stunnel-5.28 && \
> ./configure --with-ssl="$HOME/Downloads/openssl-built" --enable-static --disable-shared && \
> make && sudo make install
> 
> # Check the version of the installed binary.
> /usr/local/bin/stunnel -version
> 
> ------------------------
> 
> Cheers,
> 
> Thireus (thireus at gmail.com),
> IT Security Engineer Consultant.
> http://blog.thireus.com
>> On 2 Jan 2016, at 20:00, Michał Trojnara <Michal.Trojnara at mirt.net> wrote:
>> 
>> Hi WATANABE, Takeo,
>> 
>> I've heard that El Capitan no longer installs OpenSSL headers. You may need to install OpenSSL (either directly from source, or using a package manager).
>> 
>> Mike
>> 
>> 
>> 
>> 
>> -------- Original message --------
>> Subject:[stunnel-users] Do Not Make Stunnel on El Capitan
>> From:WATANABE Takeo <take at kasaneiro.jp>
>> To:stunnel-users at stunnel.org
>> Cc:
>> 
>> 
>> Dear all.
>> 
>> Hi. My name is WATANABE, Takeo in Japan.
>> There is something that is troubling me very much,
>> so I am posting to this ML.
>> 
>> On OS X El Capitan (10.11.x),
>> the make of stunnel does not pass.
>> I think the rootkill mechanism is the cause,
>> but I tried again with this disabled,
>> and even after doing so several times, make does not succeed.
>> 
>> Even with the latest Stunnel, make fails.
>> 
>> Where everyone is, what you can well Build.
>> 
>> If there is a person who knows what measures to take
>> or has had success, please tell me.
>> Warm Regards.
>> 
>> Sincerely yours.
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> 
-------------- next part --------------

<SSL/TLS: >
2016.01.15 13:20:03 LOG7[ui]: Clients allowed=125
2016.01.15 13:20:03 LOG7[cron]: Cron thread initialized
2016.01.15 13:20:03 LOG5[ui]: stunnel 5.29 on x86_64-apple-darwin15.2.0 platform
2016.01.15 13:20:03 LOG5[ui]: Compiled/running with OpenSSL 1.0.2e 3 Dec 2015
2016.01.15 13:20:03 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.01.15 13:20:03 LOG7[ui]: errno: (*__error())
2016.01.15 13:20:03 LOG5[ui]: Reading configuration from file /private/var/folders/wk/4j5vw5vn33v4dd7l8yljm7f40000gn/T/take31865yNH/mew31865v3S
2016.01.15 13:20:03 LOG5[ui]: UTF-8 byte order mark not detected
2016.01.15 13:20:03 LOG5[ui]: FIPS mode disabled
2016.01.15 13:20:03 LOG7[ui]: Compression disabled
2016.01.15 13:20:03 LOG6[ui]: Cannot retrieve any random data from /Users/take/.rnd
2016.01.15 13:20:03 LOG7[ui]: Wrote 0 new random bytes to /Users/take/.rnd
2016.01.15 13:20:03 LOG7[ui]: PRNG seeded successfully
2016.01.15 13:20:03 LOG6[ui]: Initializing service [8805]
2016.01.15 13:20:04 LOG7[ui]: No 

<SSL/TLS: >
certificate or private key specified
2016.01.15 13:20:04 LOG4[ui]: Service [8805] needs authentication to prevent MITM attacks
2016.01.15 13:20:04 LOG7[ui]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2016.01.15 13:20:04 LOG5[ui]: Configuration successful
2016.01.15 13:20:04 LOG7[ui]: Listening file descriptor created (FD=8)
2016.01.15 13:20:04 LOG7[ui]: Service [8805] (FD=8) bound to 127.0.0.1:8805
2016.01.15 13:20:04 LOG7[ui]: No pid file being created


<SSL/TLS: >
2016.01.15 13:20:04 LOG7[ui]: Found 1 ready file descriptor(s)
2016.01.15 13:20:04 LOG7[ui]: FD=4 events=0x1 revents=0x0
2016.01.15 13:20:04 LOG7[ui]: FD=8 events=0x1 revents=0x1
2016.01.15 13:20:04 LOG7[ui]: Service [8805] accepted (FD=3) from 127.0.0.1:60895
2016.01.15 13:20:04 LOG7[0]: Service [8805] started
2016.01.15 13:20:04 LOG5[0]: Service [8805] accepted connection from 127.0.0.1:60895
2016.01.15 13:20:04 LOG6[0]: s_connect: connecting 202.189.178.66:110
2016.01.15 13:20:04 LOG7[0]: s_connect: s_poll_wait 202.189.178.66:110: waiting 10 seconds
2016.01.15 13:20:04 LOG5[0]: s_connect: connected 202.189.178.66:110
2016.01.15 13:20:04 LOG5[0]: Service [8805] connected remote server from 192.168.131.70:60896
2016.01.15 13:20:04 LOG7[0]: Remote descriptor (FD=16) initialized


<SSL/TLS: >
2016.01.15 13:20:04 LOG7[0]:  <- +OK Dovecot ready. <1e47.25baee.56987374.WakidhB/[email protected]>
2016.01.15 13:20:04 LOG7[0]:  -> +OK Dovecot ready. <1e47.25baee.56987374.WakidhB/[email protected]>
2016.01.15 13:20:04 LOG7[0]:  -> STLS
2016.01.15 13:20:04 LOG7[0]:  <- +OK Begin TLS negotiation now.
2016.01.15 13:20:04 LOG6[0]: SNI: sending servername: wx06.wadax.ne.jp
2016.01.15 13:20:04 LOG7[0]: SSL state (connect): before/connect initialization


<SSL/TLS: >
2016.01.15 13:20:04 LOG7[0]: Verification started at depth=1: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
2016.01.15 13:20:04 LOG4[0]: CERT: Pre-verification error: unable to get local issuer certificate
2016.01.15 13:20:04 LOG4[0]: Rejected by CERT at depth=1: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
2016.01.15 13:20:04 LOG7[0]: SSL alert (write): fatal: unknown CA
2016.01.15 13:20:04 LOG3[0]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.01.15 13:20:04 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.01.15 13:20:04 LOG7[0]: Deallocating application specific data for addr index
2016.01.15 13:20:04 LOG7[0]: Remote descriptor (FD=16) closed
2016.01.15 13:20:04 LOG7[0]: Local descriptor (FD=3) closed
2016.01.15 13:20:04 LOG7[0]: Service [8805] finished (0 left)

-------------- next part --------------
% openssl s_client -connect wx06.wadax.ne.jp:995 -CApath ~/.certs/
CONNECTED(00000003)
depth=2 /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
verify return:1
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
verify return:1
depth=0 /C=JP/OU=Domain Control Validated/CN=wx06.wadax.ne.jp
verify return:1
---
Certificate chain
 0 s:/C=JP/OU=Domain Control Validated/CN=wx06.wadax.ne.jp
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
subject=/C=JP/OU=Domain Control Validated/CN=wx06.wadax.ne.jp
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3108 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 58E3F4BFB0EEA77521D6AA0D7EF70195C0067FD1F8591937F455EC3A9A32CE81
    Session-ID-ctx:
    Master-Key: F29342FEFFB92FB1640458764F17B08E0AED3D1097E949839DDBC03EC240AAABCB459830154AB462778A23BB0D25C036
    Key-Arg   : None
    Start Time: 1452832568
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready. <[email protected]>
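
Added example, not part of the original message and not stunnel's own code: a small parser that lines up the certificate stunnel rejected in the Mew_debug log with the chain that `openssl s_client -CApath ~/.certs/` verified. A certificate that shows up in both results was refused by one program and accepted by the other, which suggests comparing the CA store each of them searched. The function names are illustrative, and the sample lines are copied from the two attachments.

```python
import re

# Lines copied from the two attachments above: stunnel debug log, then openssl s_client.
STUNNEL_LOG = """\
2016.01.15 13:20:04 LOG4[0]: CERT: Pre-verification error: unable to get local issuer certificate
2016.01.15 13:20:04 LOG4[0]: Rejected by CERT at depth=1: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
"""
S_CLIENT_OUT = """\
depth=2 /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
verify return:1
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
verify return:1
"""
LINE = re.compile(r"^\S+ \S+ LOG(\d)\[(\w+)\]: (.*)$")  # date time LOGn[thread]: message

def cn(dn):
    # Assumption: CN is the last component of the name, as in both outputs above.
    m = re.search(r"CN=(.*)$", dn)
    return m.group(1).strip() if m else None

def stunnel_rejections(log):
    """Return [(depth, CN, reason)] for each certificate stunnel rejected."""
    out, reason = [], None
    for m in filter(None, map(LINE.match, log.splitlines())):
        msg = m.group(3)
        if msg.startswith("CERT: Pre-verification error: "):
            reason = msg.split(": ", 2)[2]
        r = re.match(r"Rejected by CERT at depth=(\d+): (.*)", msg)
        if r:
            out.append((int(r.group(1)), cn(r.group(2)), reason))
    return out

def s_client_verified(output):
    """Return {depth: CN} for chain entries followed by 'verify return:1'."""
    ok, lines = {}, output.splitlines()
    for cur, nxt in zip(lines, lines[1:]):
        d = re.match(r"depth=(\d+) (.*)", cur)
        if d and nxt.strip() == "verify return:1":
            ok[int(d.group(1))] = cn(d.group(2))
    return ok

def trust_store_mismatch(log, output):
    """Rejections by stunnel of certificates that s_client verified at the same depth."""
    verified = s_client_verified(output)
    return [r for r in stunnel_rejections(log) if verified.get(r[0]) == r[1]]

if __name__ == "__main__":
    for depth, name, why in trust_store_mismatch(STUNNEL_LOG, S_CLIENT_OUT):
        print(f"depth={depth} {name!r}: {why} (verified by s_client)")
```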

