<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Weird, I tried and it works perfectly for me using your configuration and stunnel 5.48.<br></div><div><br></div><div><b>OCSPaia</b> = yes</div><div><br></div><div>2018.11.09 14:39:56 LOG6[0]: SNI: sending servername: <a href="http://outlook.office365.com">outlook.office365.com</a><br>2018.11.09 14:39:56 LOG6[0]: Peer certificate required<br>2018.11.09 14:39:56 LOG7[0]: TLS state (connect): before SSL initialization<br>2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello<br>2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello<br>2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello<br>2018.11.09 14:39:56 LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded<br>2018.11.09 14:39:56 LOG7[0]: OCSP: Ignoring root certificate<br>2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 14:39:56 LOG7[0]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded<br>2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "<a href="http://ocsp.digicert.com">http://ocsp.digicert.com</a>"<br>2018.11.09 14:39:56 LOG6[0]: s_connect: connecting <a href="http://93.184.220.29:80">93.184.220.29:80</a><br>2018.11.09 14:39:56 LOG7[0]: s_connect: s_poll_wait <a href="http://93.184.220.29:80">93.184.220.29:80</a>: waiting 10 seconds<br>2018.11.09 14:39:56 LOG5[0]: s_connect: connected <a href="http://93.184.220.29:80">93.184.220.29:80</a><br>2018.11.09 14:39:56 LOG7[0]: OCSP: Connected <a href="http://ocsp.digicert.com:80">ocsp.digicert.com:80</a><br>2018.11.09 14:39:56 LOG7[0]: OCSP: Response received<br>2018.11.09 14:39:56 LOG6[0]: OCSP: Status: good<br>2018.11.09 14:39:56 LOG6[0]: OCSP: This update: Nov 9 00:00:00 2018 GMT<br>2018.11.09 14:39:56 LOG6[0]: OCSP: Next update: Nov 16 00:00:00 2018 GMT<br>2018.11.09 14:39:56 LOG5[0]: OCSP: Certificate accepted<br>2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 14:39:56 LOG7[0]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<a href="http://outlook.com">outlook.com</a><br>2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded<br>2018.11.09 14:39:56 LOG6[0]: CERT: Host name "<a href="http://outlook.office365.com">outlook.office365.com</a>" matched with "*.<a href="http://office365.com">office365.com</a>"<br>2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "<a href="http://ocspx.digicert.com">http://ocspx.digicert.com</a>"<br>2018.11.09 14:39:56 LOG6[0]: s_connect: connecting <a href="http://93.184.220.29:80">93.184.220.29:80</a><br>2018.11.09 14:39:56 LOG7[0]: s_connect: s_poll_wait <a href="http://93.184.220.29:80">93.184.220.29:80</a>: waiting 10 seconds<br>2018.11.09 14:39:57 LOG5[0]: s_connect: connected <a href="http://93.184.220.29:80">93.184.220.29:80</a><br>2018.11.09 14:39:57 LOG7[0]: OCSP: Connected <a href="http://ocspx.digicert.com:80">ocspx.digicert.com:80</a><br>2018.11.09 14:39:57 LOG7[0]: OCSP: Response received<br>2018.11.09 14:39:57 LOG3[0]: OCSP: Responder error: 6: unauthorized<br>2018.11.09 14:39:57 LOG4[0]: Rejected by OCSP at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<a href="http://outlook.com">outlook.com</a><br>2018.11.09 14:39:57 LOG7[0]: Remove session callback<br>2018.11.09 14:39:57 LOG7[0]: TLS alert (write): fatal: handshake failure<br>2018.11.09 14:39:57 LOG3[0]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed</div><div><br></div><div><br></div><div><b>OCSPaia</b> = no</div><div><br></div><div>2018.11.09 14:41:17 LOG6[0]: SNI: sending servername: <a href="http://outlook.office365.com">outlook.office365.com</a><br>2018.11.09 14:41:17 LOG6[0]: Peer certificate required<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): before SSL initialization<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello<br>2018.11.09 14:41:17 LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded<br>2018.11.09 14:41:17 LOG6[0]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 14:41:17 LOG7[0]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded<br>2018.11.09 14:41:17 LOG6[0]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 14:41:17 LOG7[0]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<a href="http://outlook.com">outlook.com</a><br>2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded<br>2018.11.09 14:41:17 LOG6[0]: CERT: Host name "<a href="http://outlook.office365.com">outlook.office365.com</a>" matched with "*.<a href="http://office365.com">office365.com</a>"<br>2018.11.09 14:41:17 LOG5[0]: Certificate accepted at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<a href="http://outlook.com">outlook.com</a><br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange<br>2018.11.09 14:41:17 LOG6[0]: Client certificate not requested<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server done<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write finished<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write finished<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec<br>2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read finished<br>2018.11.09 14:41:17 LOG7[0]: New session callback<br>2018.11.09 14:41:17 LOG7[0]: Peer certificate was cached (4683 bytes)<br>2018.11.09 14:41:17 LOG7[0]: 1 client connect(s) requested<br>2018.11.09 14:41:17 LOG7[0]: 1 client connect(s) succeeded<br>2018.11.09 14:41:17 LOG7[0]: 0 client renegotiation(s) requested<br>2018.11.09 14:41:17 LOG7[0]: 0 session reuse(s)<br>2018.11.09 14:41:17 LOG6[0]: TLS connected: new session negotiated<br>2018.11.09 14:41:17 LOG6[0]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)<br>2018.11.09 14:41:17 LOG7[0]: Compression: null, expansion: null<br>2018.11.09 14:41:17 LOG6[0]: TLS socket closed (read hangup)<br>2018.11.09 14:41:17 LOG7[0]: Sent socket write shutdown<br>2018.11.09 14:41:17 LOG6[0]: Read socket closed (readsocket)<br>2018.11.09 14:41:17 LOG7[0]: Sending close_notify alert<br>2018.11.09 14:41:17 LOG7[0]: TLS alert (write): warning: close notify<br>2018.11.09 14:41:17 LOG6[0]: SSL_shutdown successfully sent close_notify alert<br>2018.11.09 14:41:17 LOG5[0]: Connection closed: 24 byte(s) sent to TLS, 386 byte(s) sent to socket<br>2018.11.09 14:41:17 LOG7[0]: Remote descriptor (FD=8) closed<br>2018.11.09 14:41:17 LOG7[0]: Local descriptor (FD=3) closed<br>2018.11.09 14:41:17 LOG7[0]: Service [imaps] finished (0 left)</div><div><br></div><div>Regards,</div><div>Flo<br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Nov 9, 2018 at 1:02 PM <<a href="mailto:milanimarco82@libero.it">milanimarco82@libero.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><p>Thanks for your suggestion, I just tried but nothing changed. </p><blockquote type="cite">Il 9 novembre 2018 alle 12.44 Flo Rance <<a href="mailto:trourance@gmail.com" target="_blank">trourance@gmail.com</a>> ha scritto: <br> <br><div dir="ltr"><div>Hi,</div><div><br></div><div>Damn, it seems that there's a serious issue with OCSP and microsoft certificates. <br></div><div><br></div><div> <br></div><div>You can try to put the option: <strong>OCSPaia</strong> = no to see if it fixes the issue, but it seems that it needs further investigations. <br></div><div><br></div><div><a href="https://www.stunnel.org/static/stunnel.html" target="_blank">https://www.stunnel.org/static/stunnel.html</a></div><div><br></div><div>Regards,</div><div>Flo</div></div><br><div class="m_-4047198601359941206ox-6fc29a9ed6-gmail_quote"><div dir="ltr">On Fri, Nov 9, 2018 at 12:36 PM < <a href="mailto:milanimarco82@libero.it" target="_blank">milanimarco82@libero.it</a>> wrote: <br></div><blockquote><u></u><div><p>Hello, </p><p>I'm encountering an issue while using sTunnel with an Office365 account. </p><p>sTunnel worked properly for a few months, while it gived an error with certificates since yesterday, whilst didn't change anything in the configuration. </p><p>This is our configuration:</p><p>[pop3s]<br>client = yes<br>accept = <a href="http://127.0.0.1:2001" target="_blank">127.0.0.1:2001</a><br>connect = <a href="http://outlook.office365.com:995" target="_blank">outlook.office365.com:995</a><br>CAfile = C:\Program Files (x86)\stunnel\config\ca-certs.pem<br>checkHost = <a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a><br>verifyChain = yes<br>OCSPaia = yes</p><p>This is what we get in the log:</p><p>2018.11.09 11:34:09 LOG7[main]: Found 1 ready file descriptor(s)<br>2018.11.09 11:34:09 LOG7[main]: FD=432 ifds=r-x ofds=---<br>2018.11.09 11:34:09 LOG7[main]: Service [pop3s] accepted (FD=672) from <a href="http://127.0.0.1:49619" target="_blank">127.0.0.1:49619</a><br>2018.11.09 11:34:09 LOG7[main]: Creating a new thread<br>2018.11.09 11:34:09 LOG7[main]: New thread created<br>2018.11.09 11:34:09 LOG7[30]: Service [pop3s] started<br>2018.11.09 11:34:09 LOG7[30]: Setting local socket options (FD=672)<br>2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on local socket<br>2018.11.09 11:34:09 LOG5[30]: Service [pop3s] accepted connection from <a href="http://127.0.0.1:49619" target="_blank">127.0.0.1:49619</a><br>2018.11.09 11:34:09 LOG6[30]: failover: priority, starting at entry #0<br>2018.11.09 11:34:09 LOG6[30]: s_connect: connecting <a href="http://40.101.9.178:995" target="_blank">40.101.9.178:995</a><br>2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait <a href="http://40.101.9.178:995" target="_blank">40.101.9.178:995</a>: waiting 10 seconds<br>2018.11.09 11:34:09 LOG5[30]: s_connect: connected <a href="http://40.101.9.178:995" target="_blank">40.101.9.178:995</a><br>2018.11.09 11:34:09 LOG5[30]: Service [pop3s] connected remote server from <a href="http://172.31.20.23:49620" target="_blank">172.31.20.23:49620</a><br>2018.11.09 11:34:09 LOG7[30]: Setting remote socket options (FD=668)<br>2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on remote socket<br>2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) initialized<br>2018.11.09 11:34:09 LOG6[30]: SNI: sending servername: <a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a><br>2018.11.09 11:34:09 LOG6[30]: Peer certificate required<br>2018.11.09 11:34:09 LOG7[30]: TLS state (connect): before/connect initialization<br>2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv2/v3 write client hello A<br>2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv3 read server hello A<br>2018.11.09 11:34:09 LOG7[30]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com" target="_blank">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded<br>2018.11.09 11:34:09 LOG7[30]: OCSP: Ignoring root certificate<br>2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com" target="_blank">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded<br>2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "<a href="http://ocsp.digicert.com" target="_blank">http://ocsp.digicert.com</a>"<br>2018.11.09 11:34:09 LOG6[30]: s_connect: connecting <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a>: waiting 10 seconds<br>2018.11.09 11:34:09 LOG5[30]: s_connect: connected <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Connected <a href="http://ocsp.digicert.com:80" target="_blank">ocsp.digicert.com:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Response received<br>2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good<br>2018.11.09 11:34:09 LOG6[30]: OCSP: This update: Nov 9 00:00:00 2018 GMT<br>2018.11.09 11:34:09 LOG6[30]: OCSP: Next update: Nov 16 00:00:00 2018 GMT<br>2018.11.09 11:34:09 LOG5[30]: OCSP: Certificate accepted<br>2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<a href="http://outlook.com" target="_blank">outlook.com</a><br>2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded<br>2018.11.09 11:34:09 LOG6[30]: CERT: Host name "<a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a>" matched with "*.<a href="http://office365.com" target="_blank">office365.com</a>"<br>2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "<a href="http://ocspx.digicert.com" target="_blank">http://ocspx.digicert.com</a>"<br>2018.11.09 11:34:09 LOG6[30]: s_connect: connecting <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a>: waiting 10 seconds<br>2018.11.09 11:34:09 LOG5[30]: s_connect: connected <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Connected <a href="http://ocspx.digicert.com:80" target="_blank">ocspx.digicert.com:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Response received<br>2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized<br>2018.11.09 11:34:09 LOG4[30]: Rejected by OCSP at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<a href="http://outlook.com" target="_blank">outlook.com</a><br>2018.11.09 11:34:09 LOG7[30]: TLS alert (write): fatal: handshake failure<br>2018.11.09 11:34:09 LOG3[30]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed<br>2018.11.09 11:34:09 LOG5[30]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket<br>2018.11.09 11:34:09 LOG7[30]: Deallocating application specific data for session connect address<br>2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) closed<br>2018.11.09 11:34:09 LOG7[30]: Local descriptor (FD=672) closed<br>2018.11.09 11:34:09 LOG7[30]: Service [pop3s] finished (0 left)<br></p><p><br></p><p>Can you please help me?<br></p><p>Thanks in advance!</p></div>_______________________________________________ <br> stunnel-users mailing list <br> <a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a> <br> <a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a> <br></blockquote></div></blockquote></div>
_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="noreferrer" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
</blockquote></div>