There is a list of ciphers you need to list along with ssl options perhaps. Also try setting your sslVersion on both ends.<div><br>On Wednesday, January 2, 2013, Arun Kumar wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Brian,</div><div><br></div><div>Thank you for the inputs. I tried without client parameter & notice unknown protocol. 狢 am not sure which "protocol" to use in stunnel.conf in my case.</div><div><br></div>
comment out client = yes<div><br></div><div>restarted stunnel process.</div><div><br></div><div><div>ocm5-197-196:~ # dfm ldap find user1</div><div>Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=core,DC=dir,DC=telstra,DC=com': Can't contact LDAP server</div>
<div>Error: Failed to search for user1.</div><div><br></div><div><div>ocm5-197-196:~ # cat /root/stunnel.log</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Clients allowed=500</div><div>2013.01.02 19:31:43 LOG5[18156:46934667927072]: stunnel 4.54 on x86_64-unknown-linux-gnu platform</div>
<div>2013.01.02 19:31:43 LOG5[18156:46934667927072]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005</div><div>2013.01.02 19:31:43 LOG5[18156:46934667927072]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6</div>
<div>2013.01.02 19:31:43 LOG5[18156:46934667927072]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Compression not enabled</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Snagged 64 random bytes from /root/.rnd</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Wrote 1024 new random bytes to /root/.rnd</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: PRNG seeded successfully</div><div>2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap]</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate: /opt/crt_key.pem</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates from /opt/crt_key.pem</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem revocation lookup file</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH parameters from /opt/crt_key.pem</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH parameters</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with 2048-bit key</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve prime256v1</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004</div><div>2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap-ha]</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate: /opt/crt_key.pem</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates from /opt/crt_key.pem</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem revocation lookup file</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH parameters from /opt/crt_key.pem</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH parameters</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with 2048-bit key</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve prime256v1</div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004</div><div>2013.01.02 19:31:43 LOG5[18156:46934667927072]: Configuration successful</div>
<div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap] (FD=7) bound to <a href="http://0.0.0.0:389" target="_blank">0.0.0.0:389</a></div><div>2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap-ha] (FD=8) bound to <a href="http://0.0.0.0:8389" target="_blank">0.0.0.0:8389</a></div>
<div>2013.01.02 19:31:43 LOG7[18157:46934667927072]: Created pid file /var/run/stunnel.pid</div><div>2013.01.02 19:32:02 LOG7[18157:46934667927072]: Service [ldap] accepted (FD=3) from <a href="http://127.0.0.1:39760" target="_blank">127.0.0.1:39760</a></div>
<div>2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] started</div><div>2013.01.02 19:32:02 LOG5[18157:1073809728]: Service [ldap] accepted connection from <a href="http://127.0.0.1:39760" target="_blank">127.0.0.1:39760</a></div>
<div>2013.01.02 19:32:02 LOG7[18157:1073809728]: SSL state (accept): before/accept initialization</div><div>2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol � <----------</div>
<div>2013.01.02 19:32:02 LOG5[18157:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket</div><div>2013.01.02 19:32:02 LOG7[18157:1073809728]: Local socket (FD=3) closed</div><div>2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] finished (0 left)</div>
</div><div><br></div><div>appreciate your help.</div><div><br></div><div>Warm Regards,</div><div>Arun kumar c</div><br><div>On Wed, Jan 2, 2013 at 7:29 PM, Brian Wilkins <span dir="ltr"><<a>bwilkins@gmail.com</a>></span> wrote:<br>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It thinks your server is a client. Remove client = yes. You need to have a client instance if stunnel and a server instance of stunnel. I am not too keen on ldap, but I assume it is unencrypted so use stunnel to tunnel the traffic and then it gets down selected to unencrypted on the receiving end.<span><font color="#888888"><div>
<br></div></font></span><div><span><font color="#888888">Brian</font></span><div><div><span></span><br><br>On Wednesday, January 2, 2013, Arun Kumar wrote:<br><blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Team,<div><br></div><div>
I am configuring stunnel for the first time.</div><div>My Requirement: � � "NetApp DataFabricManager" application on SLES10 SP4 platform �<------�(LDAP over Stunnel)�-----> Windows 2003 Active Directory, for Active Directory user authentication.</div>
<div><br></div><div><br></div><div>Stunnel.conf:</div><div>-----------------------------------------------------------</div><div><div>setuid = root</div><div>setgid = root</div><div><br></div><div>client = yes</div><div>
<br>
</div><div>debug = 7</div><div>output = /root/stunnel.log</div><div><br></div><div>cert = /opt/crt_key.pem</div><div>key = /opt/crt_key.pem</div><div><br></div><div>pid = /var/run/stunnel.pid</div><div><br></div><div>verify = 3</div>
<div>CAfile = /opt/crt_key.pem</div><div><br></div><div>options = NO_SSLv2</div><div><br></div><div>[ldap]</div><div>accept = 389</div><div>connect = winad1-197-187:636</div><div><br></div><div>[ldap-ha]</div><div>accept = 8389</div>
<div>connect = winad2-197-189:636</div></div><div>-----------------------------------------------------------</div><div><br></div><div><div>ocm5-197-196:~ # dfm ldap list</div><div>Address � � � � � � � � � � � � � � � � � 蘯ort � Last Use � � � � � � � � � Last Failure</div>
<div>------------------------------------------ ------ -------------------------- --------------------------</div><div>127.0.0.1 � � � � � � � � � � � � � � � � �389 � �2013-01-02 14:01:52.000000</div><div>127.0.0.1 � � � � � � � � � � � � � � � � �8389 � 2013-01-02 13:49:35.000000</div>
<div>ocm5-197-196:~ #</div></div><div><br></div><div><br></div><div><div>ocm5-197-196:~ # dfm ldap find user1</div><div>Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=<zz>,DC=<xx>,DC=<yy>,DC=com': Can't contact LDAP server</div>
<div>Error: Failed to search for user1.</div><div>ocm5-197-196:~ #</div></div><div><br></div><div>NOTE: If i add active directory server IP in the above list, instead of 127.0.0.1, ldap authentication works fine.�</div><div>
<br></div><div><div>ocm5-197-196:~ # cat /etc/services</div></div><div>...</div><div>.....</div><div>........</div><div><div>#### This is a Manual Entry made by root user for AD authentication services & Stunnel Integration ########</div>
<div>ldap-ha � � � � 8389/tcp � �# 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]</div><div>ldap-ha � � � � 8389/udp � �# 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]</div>
</div><div><br></div><div><br></div><div>ocm5-197-196:~ # stunnel /root/stunnel-4.54/tools/stunnel.conf</div><div><br></div><div><br></div><div>stunnel.log:</div><div><br></div><div><div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG7[7102:47010476379680]: Clients allowed=500</div>
<div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG5[7102:47010476379680]: stunnel 4.54 on x86_64-unknown-linux-gnu platform</div><div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG5[7102:47010476379680]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005</div>
<div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG5[7102:47010476379680]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6</div>
<div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG5[7102:47010476379680]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf</div><div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG7[7102:47010476379680]: Compression not enabled</div>
<div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG7[7102:47010476379680]: Snagged 64 random bytes from /root/.rnd</div>
<div><a value="+12013010214">2013.01.02 14</a>:00:42 LOG7[7102:47010476379680]: Wrote 1024 new</div></div></blockquote></div></div></div></blockquote></div></div>
</blockquote></div><span></span>