[stunnel-users] checkHost: No matching host name found
Schmitz Gerrit (CC-AD/PJ-MBB)
Gerrit.Schmitz at de.bosch.com
Mon Jan 22 13:08:04 CET 2018
Hello everybody,
I’m trying to get the Gmail-POP3 working but run into an error message which seems to be related to checkHost, since commenting it out enables the connection to be established ☹ The service is configured as follows:
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
checkHost = pop.gmail.com
verifyChain = yes
CApath = /etc/ssl/certs/
I also found Parker (https://www.stunnel.org/pipermail/stunnel-users/2018-January/005902.html) running the same version as me but his platform is different from mine (Alpine, LibreSSL). Could this be the reason?
Here is the startup and connection portion of my log:
2018.01.22 08:58:13 LOG7[ui]: Clients allowed=512000
2018.01.22 08:58:13 LOG5[ui]: stunnel 5.44 on x86_64-alpine-linux-musl platform
2018.01.22 08:58:13 LOG5[ui]: Compiled/running with LibreSSL 2.6.3
2018.01.22 08:58:13 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,SNI
2018.01.22 08:58:13 LOG7[ui]: errno: (*__errno_location())
2018.01.22 08:58:13 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2018.01.22 08:58:13 LOG5[ui]: UTF-8 byte order mark not detected
2018.01.22 08:58:13 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
2018.01.22 08:58:13 LOG7[ui]: PRNG seeded successfully
2018.01.22 08:58:13 LOG6[ui]: Initializing service [redis]
2018.01.22 08:58:13 LOG7[ui]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.01.22 08:58:13 LOG7[ui]: TLS options: 0x00000004 (+0x00000000, -0x00000000)
2018.01.22 08:58:13 LOG7[ui]: No certificate or private key specified
2018.01.22 08:58:13 LOG5[ui]: Configuration successful
2018.01.22 08:58:13 LOG7[ui]: Binding service [redis]
2018.01.22 08:58:13 LOG7[ui]: Listening file descriptor created (FD=7)
2018.01.22 08:58:13 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.01.22 08:58:13 LOG7[ui]: Service [redis] (FD=7) bound to 0.0.0.0:6379
2018.01.22 08:58:13 LOG7[ui]: No pid file being created
2018.01.22 08:58:13 LOG7[cron]: Cron thread initialized
2018.01.22 09:36:41 LOG7[ui]: Found 1 ready file descriptor(s)
2018.01.22 09:36:41 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.01.22 09:36:41 LOG7[ui]: FD=3 events=0x2001 revents=0x0
2018.01.22 09:36:41 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.01.22 09:36:41 LOG7[ui]: Service [gmail-pop3] accepted (FD=8) from 127.0.0.1:42040
2018.01.22 09:36:41 LOG7[6]: Service [gmail-pop3] started
2018.01.22 09:36:41 LOG7[6]: Option TCP_NODELAY set on local socket
2018.01.22 09:36:41 LOG5[6]: Service [gmail-pop3] accepted connection from 127.0.0.1:42040
2018.01.22 09:36:41 LOG6[6]: failover: round-robin, starting at entry #2
2018.01.22 09:36:41 LOG6[6]: s_connect: connecting 2a00:1450:4013:c00::6c:995
2018.01.22 09:36:41 LOG3[6]: s_connect: connect 2a00:1450:4013:c00::6c:995: Network unreachable (101)
2018.01.22 09:36:41 LOG6[6]: s_connect: connecting 108.177.119.108:995
2018.01.22 09:36:41 LOG7[6]: s_connect: s_poll_wait 108.177.119.108:995: waiting 10 seconds
2018.01.22 09:36:41 LOG5[6]: s_connect: connected 108.177.119.108:995
2018.01.22 09:36:41 LOG5[6]: Service [gmail-pop3] connected remote server from 10.244.0.21:51954
2018.01.22 09:36:41 LOG7[6]: Option TCP_NODELAY set on remote socket
2018.01.22 09:36:41 LOG7[6]: Remote descriptor (FD=9) initialized
2018.01.22 09:36:41 LOG6[6]: SNI: sending servername: pop.gmail.com
2018.01.22 09:36:41 LOG6[6]: Peer certificate required
2018.01.22 09:36:41 LOG7[6]: TLS state (connect): before/connect initialization
2018.01.22 09:36:41 LOG7[6]: TLS state (connect): SSLv3 write client hello A
2018.01.22 09:36:41 LOG7[6]: TLS state (connect): SSLv3 read server hello A
2018.01.22 09:36:41 LOG7[6]: Verification started at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
2018.01.22 09:36:41 LOG7[6]: Verification started at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
2018.01.22 09:36:41 LOG7[6]: Verification started at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
2018.01.22 09:36:41 LOG4[6]: CERT: No matching host name found
2018.01.22 09:36:41 LOG4[6]: Rejected by CERT at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
2018.01.22 09:36:41 LOG7[6]: TLS alert (write): fatal: certificate unknown
2018.01.22 09:36:41 LOG3[6]: SSL_connect: 14007086: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
2018.01.22 09:36:41 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.01.22 09:36:41 LOG7[6]: Deallocating application specific data for session connect address
2018.01.22 09:36:41 LOG7[6]: Remote descriptor (FD=9) closed
2018.01.22 09:36:41 LOG7[6]: Local descriptor (FD=8) closed
2018.01.22 09:36:41 LOG7[6]: Service [gmail-pop3] finished (0 left)
Best regards
Gerrit Schmitz
CC-AD/PJ-MBB
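
A log-triage helper for output like the above, added here as an example and not part of the original message: per connection thread it separates the chain-verification steps from the host name check, and it records the stunnel build and TLS library that produced the log. The names `triage` and `verdict` are hypothetical; the sample lines are excerpted from the log in the message.

```python
import re
from collections import defaultdict

# Lines excerpted from the log in the message above; thread 6 is the failing connection.
SAMPLE_LOG = """\
2018.01.22 08:58:13 LOG5[ui]: stunnel 5.44 on x86_64-alpine-linux-musl platform
2018.01.22 08:58:13 LOG5[ui]: Compiled/running with LibreSSL 2.6.3
2018.01.22 09:36:41 LOG6[6]: SNI: sending servername: pop.gmail.com
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
2018.01.22 09:36:41 LOG4[6]: CERT: No matching host name found
2018.01.22 09:36:41 LOG4[6]: Rejected by CERT at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
"""

LINE = re.compile(r"^\S+ \S+ LOG\d\[([^\]]+)\]: (.*)$")

def triage(log_text):
    """Return (build_info, {thread_id: findings}) parsed from stunnel debug output."""
    build = {}
    conns = defaultdict(lambda: {"sni": None, "accepted": [], "host_mismatch": False,
                                 "rejected_depth": None, "leaf_cn": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tid, msg = m.groups()
        if m2 := re.match(r"stunnel (\S+) on (\S+) platform", msg):
            build["stunnel"], build["platform"] = m2.groups()
        elif m2 := re.match(r"Compiled/running with (.+)", msg):
            build["tls_library"] = m2.group(1)
        elif m2 := re.match(r"SNI: sending servername: (\S+)", msg):
            conns[tid]["sni"] = m2.group(1)
        elif m2 := re.match(r"Certificate accepted at depth=(\d+)", msg):
            conns[tid]["accepted"].append(int(m2.group(1)))
        elif msg == "CERT: No matching host name found":
            conns[tid]["host_mismatch"] = True
        elif m2 := re.match(r"Rejected by CERT at depth=(\d+): .*\bCN=(.+)$", msg):
            conns[tid]["rejected_depth"] = int(m2.group(1))
            conns[tid]["leaf_cn"] = m2.group(2)
    return build, dict(conns)

def verdict(conn, check_host):
    """Say which check ended the handshake; check_host is the configured checkHost value."""
    if conn["host_mismatch"] and conn["rejected_depth"] == 0:
        same = conn["leaf_cn"] == check_host
        return "host-check-failed" + (" (subject CN equals checkHost)" if same else "")
    if conn["rejected_depth"] is not None:
        return "chain-rejected"
    return "no-rejection-logged"
```

The log prints only the subject DN of each certificate. Host name checks use the subjectAltName entries when a certificate carries them, so a subject CN equal to the checkHost value does not by itself show which names the TLS library compared.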