<p>Try specifying the SSL versions and options that you want or don't want explicitly.</p>
<div class="gmail_quote">On Jan 11, 2013 5:09 PM, "Brandon Glenn" &lt;<a href="mailto:kocrachon@gmail.com">kocrachon@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">I am currently trying to set up stunnel to help me send emails from a program that sends alerts but does not use SSL to a cloud email service that I use that requires SSL. I have the configuration set up and am trying to find out where the error is, and I am down to this last error.</p>

<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
SSL23_GET_CLIENT_HELLO:unknown protocol</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

Here is my config file.</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Some options used here may be inadequate for your particular configuration</p>

<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; This sample file does *not* represent stunnel.conf defaults</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; Please consult the manual for detailed description of available options</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; * Global options                                                         *</p>

<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Debugging stuff (may useful for troubleshooting)</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

;debug = 7</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;output = stunnel.log</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Disable FIPS mode to allow non-approved protocols and algorithms</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

fips = no</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; * Service defaults may also be specified in individual service sections  *</p>

<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Certificate/key is needed in server mode and optional in client mode</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

cert = stunnel.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;key = stunnel.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Authentication stuff needs to be configured to prevent MITM attacks</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; It is not enabled by default!</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;verify = 2</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; Don't forget to c_rehash CApath</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;CApath = certs</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; It's often easier to use CAfile</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;CAfile = certs.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; Don't forget to c_rehash CRLpath</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;CRLpath = crls</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; Alternatively CRLfile can be used</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;CRLfile = crls.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">sslVersion = all</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Disable support for insecure SSLv2 protocol</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

options = NO_SSLv2</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Workaround for Eudora bug</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

;options = DONT_INSERT_EMPTY_FRAGMENTS</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; These options provide additional security at some performance degradation</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;options = SINGLE_ECDH_USE</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;options = SINGLE_DH_USE</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; **************************************************************************</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; * Service definitions (at least one service has to be defined)           *</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; **************************************************************************</p>

<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
; The default certificate</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">cert = stunnel.pem</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Set client mode client = yes</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; GMail ssmtp settings</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
[ssmtp]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">accept = 25</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
connect = 174.129.0.38:465</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; GMail pop3s settings</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
[pop3s]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">accept = 110</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
connect = 174.129.0.38:995</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
; GMail imaps settings</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">[imaps]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

accept = 143</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">connect = 174.129.0.38:993</p>

<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
; Example SSL front-end to a web server</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"> </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

;[https]</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;accept  = 443</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
;connect = 80</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL</p>
<p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; Microsoft implementations do not use SSL close-notify alert and thus</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

; they are vulnerable to truncation attacks</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">;TIMEOUTclose = 0</p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">

 </p><p class="MsoNormal" style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">; vim:ft=dosini</p>
<br>_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
<br></blockquote></div>
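<p>An added example, not part of the original thread, of what the reply suggests: a client-mode service section that states the protocol version and options explicitly instead of <code>sslVersion = all</code>, with peer verification turned on. The option names are stunnel's own; the service name, the host <code>smtp.example.com</code>, the loopback bind address, the file names and the choice of TLSv1 are assumptions for illustration.</p>

```ini
; Added example: explicit protocol settings for a client-mode service.
; Service name, host name and file names below are placeholders.

; Log the handshake while troubleshooting
debug = 7
output = stunnel.log

[smtp-tls]
; Keep every directive on its own line. A line that starts with ';' is a
; comment to its end, so "; Set client mode client = yes" sets nothing and
; the service stays in server mode, waiting for an SSL client hello.
client = yes

; Assumption: the alerting program runs on the same host, so the plaintext
; side is bound to loopback rather than to every interface.
accept = 127.0.0.1:25
connect = smtp.example.com:465

; State the protocol instead of "all". TLSv1 is the newest value the
; stunnel releases of the thread's date accept; current builds take
; newer values such as TLSv1.2.
sslVersion = TLSv1

; One "options" line per OpenSSL flag
options = NO_SSLv2
options = NO_SSLv3

; Authenticate the server certificate (not enabled by default)
verify = 2
CAfile = certs.pem
```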