<div dir="ltr"><div>Hi,</div><div><br></div><div>Damn, it seems that there's a serious issue with OCSP and Microsoft certificates.<br></div><div><br></div><div></div><div>You can try to put the option: <b>OCSPaia</b> = no to see if it fixes the issue, but it seems that it needs further investigation.<br></div><div><br></div><div><a href="https://www.stunnel.org/static/stunnel.html" target="_blank">https://www.stunnel.org/static/stunnel.html</a></div><div><br></div><div>Regards,</div><div>Flo</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Nov 9, 2018 at 12:36 PM <<a href="mailto:milanimarco82@libero.it">milanimarco82@libero.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

    
<div><p>Hello, </p><p>I'm encountering an issue while using sTunnel with an Office365 account. </p><p>sTunnel worked properly for a few months, but since yesterday it has given an error with certificates, although I didn't change anything in the configuration. </p><p>This is our configuration:</p><p>[pop3s]<br>client = yes<br>accept = <a href="http://127.0.0.1:2001" target="_blank">127.0.0.1:2001</a><br>connect = <a href="http://outlook.office365.com:995" target="_blank">outlook.office365.com:995</a><br>CAfile = C:\Program Files (x86)\stunnel\config\ca-certs.pem<br>checkHost = <a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a><br>verifyChain = yes<br>OCSPaia = yes</p><p>This is what we get in the log:</p><p>2018.11.09 11:34:09 LOG7[main]: Found 1 ready file descriptor(s)<br>2018.11.09 11:34:09 LOG7[main]: FD=432 ifds=r-x ofds=---<br>2018.11.09 11:34:09 LOG7[main]: Service [pop3s] accepted (FD=672) from <a href="http://127.0.0.1:49619" target="_blank">127.0.0.1:49619</a><br>2018.11.09 11:34:09 LOG7[main]: Creating a new thread<br>2018.11.09 11:34:09 LOG7[main]: New thread created<br>2018.11.09 11:34:09 LOG7[30]: Service [pop3s] started<br>2018.11.09 11:34:09 LOG7[30]: Setting local socket options (FD=672)<br>2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on local socket<br>2018.11.09 11:34:09 LOG5[30]: Service [pop3s] accepted connection from <a href="http://127.0.0.1:49619" target="_blank">127.0.0.1:49619</a><br>2018.11.09 11:34:09 LOG6[30]: failover: priority, starting at entry #0<br>2018.11.09 11:34:09 LOG6[30]: s_connect: connecting <a href="http://40.101.9.178:995" target="_blank">40.101.9.178:995</a><br>2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait <a href="http://40.101.9.178:995" target="_blank">40.101.9.178:995</a>: waiting 10 seconds<br>2018.11.09 11:34:09 LOG5[30]: s_connect: connected <a href="http://40.101.9.178:995" target="_blank">40.101.9.178:995</a><br>2018.11.09 11:34:09 LOG5[30]: Service [pop3s] connected 
remote server from <a href="http://172.31.20.23:49620" target="_blank">172.31.20.23:49620</a><br>2018.11.09 11:34:09 LOG7[30]: Setting remote socket options (FD=668)<br>2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on remote socket<br>2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) initialized<br>2018.11.09 11:34:09 LOG6[30]: SNI: sending servername: <a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a><br>2018.11.09 11:34:09 LOG6[30]: Peer certificate required<br>2018.11.09 11:34:09 LOG7[30]: TLS state (connect): before/connect initialization<br>2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv2/v3 write client hello A<br>2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv3 read server hello A<br>2018.11.09 11:34:09 LOG7[30]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com" target="_blank">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded<br>2018.11.09 11:34:09 LOG7[30]: OCSP: Ignoring root certificate<br>2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=2: C=US, O=DigiCert Inc, OU=<a href="http://www.digicert.com" target="_blank">www.digicert.com</a>, CN=DigiCert Global Root CA<br>2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded<br>2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "<a href="http://ocsp.digicert.com" target="_blank">http://ocsp.digicert.com</a>"<br>2018.11.09 11:34:09 LOG6[30]: s_connect: connecting <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a>: waiting 10 seconds<br>2018.11.09 11:34:09 LOG5[30]: s_connect: connected <a href="http://93.184.220.29:80" 
target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Connected <a href="http://ocsp.digicert.com:80" target="_blank">ocsp.digicert.com:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Response received<br>2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good<br>2018.11.09 11:34:09 LOG6[30]: OCSP: This update: Nov 9 00:00:00 2018 GMT<br>2018.11.09 11:34:09 LOG6[30]: OCSP: Next update: Nov 16 00:00:00 2018 GMT<br>2018.11.09 11:34:09 LOG5[30]: OCSP: Certificate accepted<br>2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1<br>2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<a href="http://outlook.com" target="_blank">outlook.com</a><br>2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded<br>2018.11.09 11:34:09 LOG6[30]: CERT: Host name "<a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a>" matched with "*.<a href="http://office365.com" target="_blank">office365.com</a>"<br>2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "<a href="http://ocspx.digicert.com" target="_blank">http://ocspx.digicert.com</a>"<br>2018.11.09 11:34:09 LOG6[30]: s_connect: connecting <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a>: waiting 10 seconds<br>2018.11.09 11:34:09 LOG5[30]: s_connect: connected <a href="http://93.184.220.29:80" target="_blank">93.184.220.29:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Connected <a href="http://ocspx.digicert.com:80" target="_blank">ocspx.digicert.com:80</a><br>2018.11.09 11:34:09 LOG7[30]: OCSP: Response received<br>2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized<br>2018.11.09 11:34:09 LOG4[30]: Rejected by OCSP at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft 
Corporation, CN=<a href="http://outlook.com" target="_blank">outlook.com</a><br>2018.11.09 11:34:09 LOG7[30]: TLS alert (write): fatal: handshake failure<br>2018.11.09 11:34:09 LOG3[30]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed<br>2018.11.09 11:34:09 LOG5[30]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket<br>2018.11.09 11:34:09 LOG7[30]: Deallocating application specific data for session connect address<br>2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) closed<br>2018.11.09 11:34:09 LOG7[30]: Local descriptor (FD=672) closed<br>2018.11.09 11:34:09 LOG7[30]: Service [pop3s] finished (0 left)<br></p><p><br></p><p>Can you please help me?<br></p><p>Thanks in advance!</p></div>
 _______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="noreferrer" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
</blockquote></div>
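A small log monitor, added here as an example and not part of the thread or of stunnel itself, that reads stunnel's own verification messages (the sample lines are constructed, condensed from the log quoted above) and records, per certificate depth, which AIA responder was contacted and what it answered. This lets a responder error such as "6: unauthorized" be told apart from a genuine "revoked" status before a workaround like OCSPaia = no is applied, since that option silently drops revocation checking for both cases. Function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the log posted in the thread (thread id 30 kept).
SAMPLE_LOG = """\
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "http://ocsp.digicert.com"
2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: C=US, O=Microsoft Corporation, CN=outlook.com
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "http://ocspx.digicert.com"
2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized
2018.11.09 11:34:09 LOG4[30]: Rejected by OCSP at depth=0: C=US, O=Microsoft Corporation, CN=outlook.com
"""

LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
DEPTH_RE = re.compile(r"Verification started at depth=(?P<depth>\d+): (?P<subject>.*)$")
RESP_RE = re.compile(r'OCSP: Connecting the AIA responder "(?P<url>[^"]+)"')
ERR_RE = re.compile(r"OCSP: Responder error: (?P<code>\d+): (?P<text>.*)$")

def ocsp_outcomes(log_text):
    """Return {thread: [record, ...]}, one record per verified certificate depth, with the
    responder contacted, the outcome logged ('good', 'revoked', 'responder error ...') and a 'rejected' flag."""
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        recs, msg = outcomes[m.group("thread")], m.group("msg")
        d = DEPTH_RE.search(msg)
        if d:
            recs.append({"depth": int(d.group("depth")), "subject": d.group("subject"),
                         "responder": None, "outcome": "unknown", "rejected": False})
            continue
        if not recs:
            continue  # OCSP chatter before any depth marker: nothing to attach it to
        cur, r, e = recs[-1], RESP_RE.search(msg), ERR_RE.search(msg)
        if r:
            cur["responder"] = r.group("url")
        elif msg.startswith("OCSP: Status: "):
            cur["outcome"] = msg[len("OCSP: Status: "):]
        elif e:  # responder could not answer; this says nothing about revocation itself
            cur["outcome"] = "responder error %s (%s)" % (e.group("code"), e.group("text"))
        elif msg.startswith("Rejected by OCSP"):
            cur["rejected"] = True
    return dict(outcomes)

def ocsp_rejections(log_text):
    """Records where stunnel dropped the handshake because of OCSP, suitable for alerting."""
    return [r for recs in ocsp_outcomes(log_text).values() for r in recs if r["rejected"]]
```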