[stunnel-users] ldaps error "unknown protocol"

Mike Partyka mike.partyka at jumpnode.com
Fri Apr 29 15:46:19 CEST 2005


Description of problem is as follows:

        I have an email server package called Scalix, which when
        installed came with OpenLDAP. On the same server I am also
        running Stunnel, which is already successfully SSL-wrapping the
        IMAP, POP, and SMTP protocols. The LDAP directory is very handy
        for an address book internally, but we also have people that will
        be outside the corporate LAN, and to provide the directory
        securely would be desirable, so I added the lines in the
        stunnel.conf to wrap LDAP as well. I can see the stunnel daemon
        listening on port 636. But when I try to connect from any
        SSL-aware mail client, such as Evolution or Entourage, I get an
        error indicating failure to authenticate, which I know is not
        really the problem because the LDAP directory is anonymous read
        access enabled. Debug logging gives more information about what
        is occurring; here is the conversation when attempting to connect:
        2005.04.28 12:15:05 LOG5[27926:1076812720]: ldaps connected from
        2005.04.28 12:15:05 LOG7[27926:1076812720]: SSL state (accept): before/accept initialization
        2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: FD=14, DIR=read
        2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: ok
        2005.04.28 12:15:05 LOG3[27926:1076812720]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
        2005.04.28 12:15:05 LOG7[27926:1076812720]: ldaps finished (6
        Searching the archive I saw someone suggesting that either the
        LDAP server or LDAP client was not compiled with SSL support. I
        know the email clients I am trying to connect with are SSL
        compatible, and maybe someone can set me straight here, but I
        didn't think that the LDAP server had to be SSL aware; isn't that
        the advantage of stunnel, that it can wrap services that
        do not have SSL support? At any rate I believe the LDAP
        server does have SSL support because I can see the binary
        omslapd (provided by Scalix; the preceding "om" is there because
        Scalix is based on HP's OpenMail) links to the SSL library
        using the ldd command. Here is the output, note the bolded line:
        msp1intmx01:~ # ldd /opt/scalix/bin/omslapd
                linux-gate.so.1 =>  (0xffffe000)
                libom_er.so => /opt/scalix/lib/libom_er.so (0x40018000)
                libom_ext.so => /opt/scalix/lib/libom_ext.so
                libom_ldapth.so => /opt/scalix/lib/libom_ldapth.so
                libom_mdc.so => /opt/scalix/lib/libom_mdc.so
                libom_omldap.so => /opt/scalix/lib/libom_omldap.so
                libom_os.so => /opt/scalix/lib/libom_os.so (0x40079000)
                libom_sdl.so => /opt/scalix/lib/libom_sdl.so
                libom_str.so => /opt/scalix/lib/libom_str.so
                libpthread.so.0 => /lib/tls/libpthread.so.0 (0x400a9000)
                libc.so.6 => /lib/tls/libc.so.6 (0x400b9000)
                libom_cvc.so => /opt/scalix/lib/libom_cvc.so
                libom_go.so => /opt/scalix/lib/libom_go.so (0x401e2000)
                libom_t61.so => /opt/scalix/lib/libom_t61.so
                libom_tfl.so => /opt/scalix/lib/libom_tfl.so
                libom_gcl.so => /opt/scalix/lib/libom_gcl.so
                libom_ccs.so => /opt/scalix/lib/libom_ccs.so
                libdl.so.2 => /lib/libdl.so.2 (0x40203000)
                libom_cl.so => /opt/scalix/lib/libom_cl.so (0x40206000)
                libom_cust.so => /opt/scalix/lib/libom_cust.so
                libom_da.so => /opt/scalix/lib/libom_da.so (0x4021c000)
                libom_dit.so => /opt/scalix/lib/libom_dit.so
                libom_dr.so => /opt/scalix/lib/libom_dr.so (0x4024a000)
                libom_hash.so => /opt/scalix/lib/libom_hash.so
                libom_lng.so => /opt/scalix/lib/libom_lng.so
                libom_mes.so => /opt/scalix/lib/libom_mes.so
                libom_mim.so => /opt/scalix/lib/libom_mim.so
                libom_ml.so => /opt/scalix/lib/libom_ml.so (0x4029d000)
                libom_pam.so => /opt/scalix/lib/libom_pam.so
                libom_pwdl.so => /opt/scalix/lib/libom_pwdl.so
                libom_ul.so => /opt/scalix/lib/libom_ul.so (0x402b9000)
                libom_uni.so => /opt/scalix/lib/libom_uni.so
                libom_im.so => /opt/scalix/lib/libom_im.so (0x402e3000)
                libom_sfl.so => /opt/scalix/lib/libom_sfl.so
                libcrypt.so.1 => /lib/libcrypt.so.1 (0x4030c000)
                libom_sml.so => /opt/scalix/lib/libom_sml.so
                libom_tfo.so => /opt/scalix/lib/libom_tfo.so
                libom_enc.so => /opt/scalix/lib/libom_enc.so
                libom_lkf.so => /opt/scalix/lib/libom_lkf.so
                libom_nm.so => /opt/scalix/lib/libom_nm.so (0x4034b000)
                /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
                libom_uscv.so => /opt/scalix/lib/libom_uscv.so
                libom_fstr.so => /opt/scalix/lib/libom_fstr.so
                libom_gen.so => /opt/scalix/lib/libom_gen.so
                libom_xdse.so => /opt/scalix/lib/libom_xdse.so
                libom_acl.so => /opt/scalix/lib/libom_acl.so
                libom_cdl.so => /opt/scalix/lib/libom_cdl.so
                libom_drsc.so => /opt/scalix/lib/libom_drsc.so
                libom_inet.so => /opt/scalix/lib/libom_inet.so
                libom_vi.so => /opt/scalix/lib/libom_vi.so (0x40388000)
                libom_akt.so => /opt/scalix/lib/libom_akt.so
                libom_q.so => /opt/scalix/lib/libom_q.so (0x403a1000)
                libom_date.so => /opt/scalix/lib/libom_date.so
                libom_ssn.so => /opt/scalix/lib/libom_ssn.so
                libom_orname.so => /opt/scalix/lib/libom_orname.so
                libom_culb.so => /opt/scalix/lib/libom_culb.so
                libom_dstring.so => /opt/scalix/lib/libom_dstring.so
                libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x403b6000)
                libom_ufcv.so => /opt/scalix/lib/libom_ufcv.so
                libom_vista.so => /opt/scalix/lib/libom_vista.so
                libom_rda.so => /opt/scalix/lib/libom_rda.so
                libom_rdudp.so => /opt/scalix/lib/libom_rdudp.so
                libom_rsl.so => /opt/scalix/lib/libom_rsl.so
                libom_mp.so => /opt/scalix/lib/libom_mp.so (0x40456000)
                libom_mpl.so => /opt/scalix/lib/libom_mpl.so
                libom_msg.so => /opt/scalix/lib/libom_msg.so
                libom_qml.so => /opt/scalix/lib/libom_qml.so
                libom_tf.so => /opt/scalix/lib/libom_tf.so (0x40471000)
                libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7
                libom_fmem.so => /opt/scalix/lib/libom_fmem.so
                libom_acf.so => /opt/scalix/lib/libom_acf.so
                libom_cvr.so => /opt/scalix/lib/libom_cvr.so
                libom_ct.so => /opt/scalix/lib/libom_ct.so (0x40589000)
                libom_bb.so => /opt/scalix/lib/libom_bb.so (0x405cc000)
                libom_rtfl.so => /opt/scalix/lib/libom_rtfl.so
                libom_isl.so => /opt/scalix/lib/libom_isl.so
                libom_nf.so => /opt/scalix/lib/libom_nf.so (0x405fc000)
                libom_nfda.so => /opt/scalix/lib/libom_nfda.so
                libom_nsl.so => /opt/scalix/lib/libom_nsl.so
                libom_exual.so => /opt/scalix/lib/libom_exual.so

Stunnel version information is as follows:

        stunnel 4.05 on i686-suse-linux-gnu PTHREAD with OpenSSL 0.9.7d
        17 Mar 2004
        Global options
        cert            = /etc/stunnel/stunnel.pem
        ciphers         = ALL:!ADH:+RC4:@STRENGTH
        debug           = 5
        key             = /etc/stunnel/stunnel.pem
        pid             = /var/run/stunnel.pid
        RNDbytes        = 64
        RNDfile         = /dev/urandom
        RNDoverwrite    = yes
        session         = 300 seconds
        verify          = none
        Service-level options
        TIMEOUTbusy     = 300 seconds
        TIMEOUTclose    = 60 seconds
        TIMEOUTidle     = 43200 seconds

Stunnel is running in stand-alone mode and is being started without any
parameters that I am aware of; I just used the init script supplied by SuSE
for their Enterprise 9 server product.

Output of "stunnel -f -D 7" is:

        msp1intmx01:~ # stunnel -f -D 7
        2005.04.29 08:27:24 LOG3[3326:1076392064]: -f: No such file or directory (2)

Output of "stunnel -V" is:

        msp1intmx01:~ # stunnel -V
        2005.04.29 08:30:49 LOG3[3368:1076392064]: -V: No such file or directory (2)

Output of "uname -a" is:

        msp1intmx01:~ # uname -a
        Linux msp1intmx01 2.6.5-7.151-smp #1 SMP Fri Mar 18 11:31:21 UTC 2005 i686 i686 i386 GNU/Linux

Libc version is 2.3.3

Output of "gcc -v" is:

        msp1intmx01:~ # gcc -v
        Reading specs from /usr/lib/gcc-lib/i586-suse-linux/3.3.3/specs
        Configured with: ../configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --enable-languages=c,c++,f77,objc,java,ada --disable-checking --libdir=/usr/lib --enable-libgcj --with-gxx-include-dir=/usr/include/g++ --with-slibdir=/lib --with-system-zlib --enable-shared --enable-__cxa_atexit i586-suse-linux
        Thread model: posix
        gcc version 3.3.3 (SuSE Linux)

OpenSSL version is:

        msp1intmx01:~ # openssl version
        OpenSSL 0.9.7d 17 Mar 2004


Michael W. Partyka
Jumpnode Systems, LLC
Systems Administrator
612.605.5056 Desk
651.208.5734 Cell
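Added here as a diagnostic example, not part of the original post or of stunnel: the `SSL23_GET_CLIENT_HELLO:unknown protocol` error in the log above means the first bytes the client sent on port 636 were not an SSLv2 or SSLv3/TLS hello, which is what happens when a client speaks cleartext LDAP to the ldaps listener. The script below classifies a connection's opening bytes (TLS hello, SSLv2 hello, or a cleartext LDAP BER message) and checks whether a listener actually completes a TLS handshake; the host/port and the sample byte strings are constructed assumptions.

```python
import socket
import ssl

def classify_first_bytes(data: bytes) -> str:
    """Say what the opening bytes of a client connection look like.
    stunnel logs SSL23_GET_CLIENT_HELLO:unknown protocol when these bytes
    are neither an SSLv2 nor an SSLv3/TLS hello; a cleartext LDAP client
    connecting to the ldaps port produces exactly that."""
    if len(data) < 3:
        return "too-short"
    # SSLv3/TLS record: content type 0x16 (handshake), version 0x03 0x00-0x03
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls-client-hello"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then
    # message type 0x01 (CLIENT-HELLO)
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # Cleartext LDAP: a BER SEQUENCE (0x30) whose first element is the
    # messageID INTEGER (0x02); skip the short- or long-form length first
    if data[0] == 0x30:
        i = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
        if i < len(data) and data[i] == 0x02:
            return "cleartext-ldap"
    return "unknown"

def tls_listener_ok(host: str, port: int = 636, timeout: float = 5.0) -> bool:
    """True if host:port completes a TLS handshake (what an ldaps client
    expects from stunnel on 636), False if it refuses or talks cleartext.
    Certificate checks are disabled on purpose: this only tests that TLS
    is offered at all, it is not a trust check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

if __name__ == "__main__":
    # Constructed samples: a TLS 1.0 ClientHello record header, an SSLv2
    # hello, an anonymous LDAP BindRequest, and an HTTP request line.
    for sample in (b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01",
                   b"\x80\x2e\x01\x00\x02\x00\x15",
                   b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00",
                   b"GET / HTTP/1.0\r\n"):
        print(sample[:4].hex(), classify_first_bytes(sample))
```

Feeding `classify_first_bytes` the first bytes captured on port 636 (for example from a packet capture of a failing client) tells you whether the client is sending TLS at all, and `tls_listener_ok` confirms from the outside that stunnel's listener is the one answering.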