[stunnel-users] I am having problems with the 4.5x-series also: Pan connects, nothing else happens.
Michal.Trojnara at mirt.net
Wed Jan 11 22:56:27 CET 2012
> $ uname -a
> Darwin SciFi.homeip.net 10.8.0 Darwin Kernel Version 10.8.0: Tue
> Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386
> i386 iMac6,1 Darwin
I couldn't reproduce your problem. It just works for me.
$ uname -a
Darwin PowerBook.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15
16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Power Macintosh
> I am fine while relegated to using stunnel-4.49, but we have a
> further issue, in that the "verify=<number>" option seems to reject
> the certs & what-not coming from these servers, for any <number>
> higher than 0 (yes I saw the maillist discussion about what 4 means
> there, and tried it also).
Are you sure you've put your peer certificates in /usr/local/var/lib/
stunnel/certs, and then executed c_rehash there? In most cases it's
better to use CAfile instead of CApath.
> I manually start stunnel on a login-root terminal window, this way:
> # stunnel /usr/local/etc/stunnel/stunnel.conf -sockets
You are supposed to use *either* stunnel.conf or -sockets as a
parameter. See the manual for details.
> key = /usr/local/etc/stunnel/stunnel.pem
There is no point in specifying your private key in client mode,
unless you also specify your certificate *and* configure remote
servers to perform authentication based on client certificates. In
your case (connecting some public services) it just doesn't make sense.
> sslVersion = all
> ciphers = ALL
It doesn't look very secure.
> chroot = /usr/local/var/lib/stunnel/
> setuid = nobody
> setgid = nogroup
For troubleshooting it's best to avoid these options.
> CApath = /certs
> CRLpath = /crls
Again it's better to use CAfile instead. Do you really use CRLs?
> Thanks for any help at all.
My troubleshooting tip:
Start with stable OpenSSL, and a minimal configuration:
foreground = yes
debug = 7
client = yes
accept = 12000
connect = news.giganews.com:563
accept = 12001
connect = ssl.astraweb.com:563
accept = 12002
connect = 220.127.116.11:563
Try to get it working. Useful Mac OS X diagnostic commands: dtruss,
Then add other options one by one.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 194 bytes
Desc: This is a digitally signed message part
More information about the stunnel-users