 
            Hello All, Running Debian 6.0, stunnel4 and Pan 0.133 I have set up Pan and installed stunnel so that I can use ssl with nntp. Installing Pan and stunnel was easy. I've edited Pan to use localhost:119 and edited my config file in stunnel to point to my nntp server. I have allowed nntp in my hosts.allow for ALL:ALL. The problem I am running into is that Pan does not connect. I get the following error: Error reading from localhost. Connection reset by peer Checking with the following openssl command produced this error: root@triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119 CONNECTED(00000003) write:errno=104 Looking at the logs for stunnel I see many repetitions of this message: 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket 2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process 2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0 2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0 2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode 2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119 2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds 2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455 2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A 2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol 2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left) Anyone know what is missing? It almost looks like it cant talk in either SSLv2 or v3 which makes no sense. Here is my stunnel config: ; Sample stunnel configuration file by Michal Trojnara 2002-2009 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of the chroot jail) ; Certificate/key is needed in server mode and optional in client mode ;cert = /etc/ssl/certs/stunnel.pem ;key = /etc/ssl/certs/stunnel.pem ; Protocol version (all, SSLv2, SSLv3, TLSv1) sslVersion = all ; Some security enhancements for UNIX systems - comment them out on Win32 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 ; PID is created inside the chroot jail pid = /stunnel4.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = zlib ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail ;CApath = /certs ; It's often easier to use CAfile ;CAfile = /etc/stunnel/certs.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 output = /var/log/stunnel4/stunnel.log foreground = no ; Use it for client mode client = yes ; Service-level configuration [nntp] accept = localhost:119 connect = news.aliant.net:119 ;[https] ;accept = 443 ;connect = 80 ;TIMEOUTclose = 0 ; vim:ft=dosini