<HTML>
<HEAD>
<TITLE>STunnel server handshake fails</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Thanks for the quick response, Leandro—not sure I’m replying to this correctly.<BR>
<BR>
Adding sslVersion = TLSv1 as you suggested did allow STunnel to connect with the server, and in the log it looked like everything was working—but the email client still registered an error and the message didn’t go through. So I just created a new GMail address for the scanner so I could use a vanilla SSL connection, and that’s working fine.<BR>
<BR>
Thanks again,<BR>
John<BR>
<BR>
</SPAN></FONT><FONT SIZE="6"><FONT FACE="Times, Times New Roman"><SPAN STYLE='font-size:24pt'><B>[stunnel-users] STunnel server handshake fails<BR>
</B></SPAN></FONT></FONT><FONT FACE="Times, Times New Roman"><B><SPAN STYLE='font-size:12pt'><BR>
Leandro Avil</SPAN></B><SPAN STYLE='font-size:12pt'>a<FONT COLOR="#2101EF"><U> leandro.avila at ymail.com</U></FONT> <BR>
<I>Fri Apr 8 06:32:48 CEST 201</I>1<BR>
Previous message: [st<FONT COLOR="#2101EF"><U>unnel-users] STunnel server handshake fails<BR>
Ne</U></FONT>xt message: [stunn<FONT COLOR="#2101EF"><U>el-users] stunnel through elb.. need packets sent semi-frequently<BR>
Messa</U></FONT>g<B>es sorted by: [ date ]</B> <FONT COLOR="#2101EF"><U>[ thread</U></FONT> <FONT COLOR="#2101EF"><U>] [ subjec</U></FONT>t<FONT COLOR="#2101EF"><U> ] [ author</U></FONT> <FONT COLOR="#2101EF"><U>]<BR>
Hello,<BR>
<BR>
</U></FONT>I </SPAN></FONT><FONT SIZE="2"><FONT FACE="Courier, Courier New"><SPAN STYLE='font-size:10pt'>think you probably want to use the sslVersion = TLSv1 setting in your configuration.<BR>
Instead of the options for OpenSSL<BR>
<BR>
Hope that helps<BR>
<BR>
-----------------<BR>
Leandro Avila<BR>
<BR>
<BR>
________________________________<BR>
From: John C. Kadyk <jckadyk at<FONT COLOR="#2101EF"><U> pacbell.net><BR>
To: stun</U></FONT>nel-us<FONT COLOR="#2101EF"><U>ers at stunnel.org<BR>
Sent: Thu</U></FONT>rsday, April 7, 2011 7:06 PM<BR>
Subject: Re: [stunnel-users] STunnel server handshake fails<BR>
<BR>
<BR>
STunnel server handshake fails I'm trying to set up STunnel so our non-SSL network scanner can email scans through our email server, which requires TLS. A desktop email client with the same server/port settings can send email OK.<BR>
<BR>
I think I have STunnel configured correctly, but there's a handshake failure when it tries to connect to the server. STunnel seems to be attempting an SSLv3 connection even though I turned that option off in the config file. I want to force it to use TLS but not sure how to do that. Any suggestions greatly appreciated.<BR>
<BR>
Here's the config file:<BR>
<BR>
cert = stunnel.pem<BR>
;key = stunnel.pem<BR>
<BR>
; Some performance tunings<BR>
socket = l:TCP_NODELAY=1<BR>
socket = r:TCP_NODELAY=1<BR>
<BR>
; Workaround for Eudora bug<BR>
;options = DONT_INSERT_EMPTY_FRAGMENTS<BR>
options = NO_SSLv2<BR>
options = NO_SSLv3<BR>
<BR>
; Authentication stuff<BR>
;verify = 2<BR>
; Don't forget to c_rehash CApath<BR>
;CApath = certs<BR>
; It's often easier to use CAfile<BR>
;CAfile = certs.pem<BR>
; Don't forget to c_rehash CRLpath<BR>
;CRLpath = crls<BR>
; Alternatively you can use CRLfile<BR>
;CRLfile = crls.pem<BR>
<BR>
; Some debugging stuff useful for troubleshooting<BR>
debug = 7<BR>
;output = stunnel.log<BR>
<BR>
; Use it for client mode<BR>
client = yes<BR>
<BR>
; Service-level configuration<BR>
<BR>
[pop3s]<BR>
accept = 995<BR>
connect = 110<BR>
<BR>
[imaps]<BR>
accept = 993<BR>
connect = 143<BR>
<BR>
[ssmtp]<BR>
accept = 1025<BR>
connect = mail022-1.exch022.serverdata.net:1025 <<a href="http://mai">http://mai</a><FONT COLOR="#2101EF"><U>l022-1.exch022.serverdata.net:1025> <BR>
<BR>
;[http</U></FONT>s]<BR>
;accept = 443<BR>
;connect = 80<BR>
;TIMEOUTclose = 0<BR>
<BR>
; vim:ft=dosini<BR>
<BR>
and here's the log:<BR>
<BR>
2011.04.07 16:41:04 LOG5[3744:516]: Reading configuration from file stunnel.conf<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Snagged 64 random bytes from C:/.rnd<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Wrote 1024 new random bytes to C:/.rnd<BR>
2011.04.07 16:41:04 LOG7[3744:516]: PRNG seeded successfully<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000<BR>
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded<BR>
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service pop3s<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000<BR>
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded<BR>
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service imaps<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000<BR>
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded<BR>
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service ssmtp<BR>
2011.04.07 16:41:04 LOG5[3744:516]: Configuration successful<BR>
2011.04.07 16:41:04 LOG5[3744:516]: No limit detected for the number of clients<BR>
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=136 allocated (non-blocking mode)<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s bound to 0.0.0.0:995 <<a href="http://0.0">http://0.0</a><FONT COLOR="#2101EF"><U>.0.0:995> <BR>
2011.04</U></FONT>.07 16:41:04 LOG7[3744:516]: Service pop3s opened FD=136<BR>
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=124 allocated (non-blocking mode)<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps bound to 0.0.0.0:993 <<a href="http://0.0">http://0.0</a><FONT COLOR="#2101EF"><U>.0.0:993> <BR>
2011.04</U></FONT>.07 16:41:04 LOG7[3744:516]: Service imaps opened FD=124<BR>
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=148 allocated (non-blocking mode)<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket<BR>
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp bound to 0.0.0.0:1025 <<a href="http://0.0">http://0.0</a><FONT COLOR="#2101EF"><U>.0.0:1025> <BR>
2011.04</U></FONT>.07 16:41:04 LOG7[3744:516]: Service ssmtp opened FD=148<BR>
2011.04.07 16:41:04 LOG5[3744:516]: stunnel 4.35 on x86-pc-mingw32-gnu with OpenSSL 1.0.0c 2 Dec 2010<BR>
2011.04.07 16:41:04 LOG5[3744:516]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6<BR>
2011.04.07 16:41:17 LOG7[3744:2436]: local socket: FD=232 allocated (non-blocking mode)<BR>
2011.04.07 16:41:17 LOG7[3744:2436]: Service ssmtp accepted FD=232 from 10.10.17.57:49968 <<a href="http://10">http://10</a>.<FONT COLOR="#2101EF"><U>10.17.57:49968> <BR>
2011.04</U></FONT>.07 16:41:17 LOG7[3744:2436]: Creating a new thread<BR>
2011.04.07 16:41:17 LOG7[3744:2436]: New thread created<BR>
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp started<BR>
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on local socket<BR>
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp accepted connection from 10.10.17.57:49968 <<a href="http://10">http://10</a>.<FONT COLOR="#2101EF"><U>10.17.57:49968> <BR>
2011.04</U></FONT>.07 16:41:17 LOG7[3744:4012]: remote socket: FD=268 allocated (non-blocking mode)<BR>
2011.04.07 16:41:17 LOG6[3744:4012]: connect_blocking: connecting 64.78.22.98:1025 <<a href="http://64">http://64</a>.<FONT COLOR="#2101EF"><U>78.22.98:1025> <BR>
2011.04</U></FONT>.07 16:41:17 LOG5[3744:4012]: connect_blocking: connected 64.78.22.98:1025 <<a href="http://64">http://64</a>.<FONT COLOR="#2101EF"><U>78.22.98:1025> <BR>
2011.04</U></FONT>.07 16:41:17 LOG5[3744:4012]: Service ssmtp connected remote server from 10.10.17.249:4081 <<a href="http://10">http://10</a>.<FONT COLOR="#2101EF"><U>10.17.249:4081> <BR>
2011.04</U></FONT>.07 16:41:17 LOG7[3744:4012]: Remote FD=268 initialized<BR>
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on remote socket<BR>
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): before/connect initialization<BR>
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): SSLv3 write client hello A<BR>
2011.04.07 16:41:17 LOG7[3744:4012]: SSL alert (write): fatal: handshake failure<BR>
2011.04.07 16:41:17 LOG3[3744:4012]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number<BR>
2011.04.07 16:41:17 LOG5[3744:4012]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket<BR>
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp finished (0 left)<BR>
<BR>
Any suggestions greatly appreciated.<BR>
<BR>
Thanks!<BR>
John <BR>
_______________________________________________<BR>
stunnel-users mailing list<BR>
stunnel-us<FONT COLOR="#2101EF"><U>ers at stunnel.org<BR>
<a href="http://st">http://st</a></U></FONT>u<FONT COLOR="#2101EF"><U>nnel.mirt.net/mailman/listinfo/stunnel-users <BR>
Previous </U></FONT>m</SPAN></FONT></FONT><FONT FACE="Times, Times New Roman"><SPAN STYLE='font-size:12pt'>essage: [stunnel-users]<FONT COLOR="#2101EF"><U> STunnel server handshake fails<BR>
Next message: </U></FONT>[stunnel-users] st<FONT COLOR="#2101EF"><U>unnel through elb.. need packets sent semi-frequently<BR>
Messages sorted b</U></FONT>y<B>: [ date ] [ thread ] </B>[<FONT COLOR="#2101EF"><U> subject</U></FONT> <FONT COLOR="#2101EF"><U>] [ author</U></FONT> <FONT COLOR="#2101EF"><U>]<BR>
More info</U></FONT>r<FONT COLOR="#2101EF"><U>mation abo</U></FONT>ut<FONT COLOR="#2101EF"><U> the stunnel-users mailing list</U></FONT></SPAN></FONT>
</BODY>
</HTML>