[stunnel-users] server refuses connection by STARTTLS

• Previous message (by thread): [stunnel-users] https not working with debug level 4,5,6,7
• Next message (by thread): [stunnel-users] Stunnel and RTMPS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I want to connect to SMTP server by STARTTLS, from MUA who does not support STARTTLS.
However, I cannot connect to the server with recent stunnel.

On Windows XP, my stunnel.conf is the following:
client=yes 
debug=notice
output=C:\logs\stunnel.log
service=stunnel
[smtp_server]
accept=127.0.0.1:10025
connect=smtp.example.com:587
protocol=smtp

stunnel version 4.27 or 4.29 is started as service, by
"C:\Network\stunnel\stunnel.exe" -service -install c:\home\turutani\INI\stunnel.conf

I cannot connect with OpenSSL distributed via stunnel.
Then I changed the OpenSSL DLL, and found that I can connect with OpenSSL
older than 0.9.8i, while that newer than 0.9.8j fails.
But it works by adding "sslVersion=all" or "sslVersion=SSLv2" to configuration file.

I also ran stunnel on FreeBSD, and found the same result about SSL version.

Here is a debug level log, with no "sslVersion=" or "sslVersion=SSLv3":
2010.01.08 09:50:06 LOG7[2372:3760]: RAND_status claims sufficient entropy for the PRNG
2010.01.08 09:50:06 LOG7[2372:3760]: PRNG seeded successfully
2010.01.08 09:50:06 LOG7[2372:3760]: SSL context initialized for service smtp_server
2010.01.08 09:50:06 LOG5[2372:3760]: stunnel 4.28 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2010.01.08 09:50:06 LOG5[2372:3760]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.01.08 09:50:06 LOG5[2372:2252]: No limit detected for the number of clients
2010.01.08 09:50:06 LOG7[2372:2252]: FD 236 in non-blocking mode
2010.01.08 09:50:06 LOG7[2372:2252]: SO_REUSEADDR option set on accept socket
2010.01.08 09:50:06 LOG7[2372:2252]: smtp_server bound to 127.0.0.1:10025
2010.01.08 09:50:34 LOG7[2372:2252]: smtp_server accepted FD=244 from 127.0.0.1:1953
2010.01.08 09:50:34 LOG7[2372:2252]: Creating a new thread
2010.01.08 09:50:34 LOG7[2372:2252]: New thread created
2010.01.08 09:50:34 LOG7[2372:1036]: smtp_server started
2010.01.08 09:50:34 LOG7[2372:1036]: FD 244 in non-blocking mode
2010.01.08 09:50:34 LOG5[2372:1036]: smtp_server accepted connection from 127.0.0.1:1953
2010.01.08 09:50:34 LOG7[2372:1036]: FD 268 in non-blocking mode
2010.01.08 09:50:34 LOG6[2372:1036]: connect_blocking: connecting 133.x.y.z:587
2010.01.08 09:50:34 LOG7[2372:1036]: connect_blocking: s_poll_wait 133.x.y.z:587: waiting 10 seconds
2010.01.08 09:50:34 LOG5[2372:1036]: connect_blocking: connected 133.x.y.z:587
2010.01.08 09:50:34 LOG5[2372:1036]: smtp_server connected remote server from 192.168.3.118:1954
2010.01.08 09:50:34 LOG7[2372:1036]: Remote FD=268 initialized
2010.01.08 09:50:34 LOG5[2372:1036]: Negotiations for smtp (client side) started
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 220 smtp.example.com ESMTP Postfix
2010.01.08 09:50:37 LOG7[2372:1036]:  -> 220 smtp.example.com ESMTP Postfix
2010.01.08 09:50:37 LOG7[2372:1036]:  -> EHLO localhost
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 250-smtp.example.com
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 250-PIPELINING
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 250-SIZE 51200000
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 250-VRFY
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 250-ETRN
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 250-STARTTLS
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 250 8BITMIME
2010.01.08 09:50:37 LOG7[2372:1036]:  -> STARTTLS
2010.01.08 09:50:37 LOG7[2372:1036]:  <- 220 Ready to start TLS
2010.01.08 09:50:37 LOG5[2372:1036]: Protocol negotiations succeeded
2010.01.08 09:50:37 LOG7[2372:1036]: SSL state (connect): before/connect initialization
2010.01.08 09:50:37 LOG7[2372:1036]: SSL state (connect): SSLv3 write client hello A
2010.01.08 09:50:40 LOG3[2372:1036]: SSL_connect: Peer suddenly disconnected
2010.01.08 09:50:40 LOG5[2372:1036]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2010.01.08 09:50:40 LOG7[2372:1036]: smtp_server finished (0 left)

with "sslVersion=all",
2010.01.08 09:45:33 LOG7[2664:3880]: RAND_status claims sufficient entropy for the PRNG
2010.01.08 09:45:33 LOG7[2664:3880]: PRNG seeded successfully
2010.01.08 09:45:34 LOG7[2664:3880]: SSL context initialized for service smtp_server
2010.01.08 09:45:34 LOG5[2664:3880]: stunnel 4.28 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2010.01.08 09:45:34 LOG5[2664:3880]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.01.08 09:45:34 LOG5[2664:2408]: No limit detected for the number of clients
2010.01.08 09:45:34 LOG7[2664:2408]: FD 236 in non-blocking mode
2010.01.08 09:45:34 LOG7[2664:2408]: SO_REUSEADDR option set on accept socket
2010.01.08 09:45:34 LOG7[2664:2408]: smtp_server bound to 127.0.0.1:10025
2010.01.08 09:46:05 LOG7[2664:2408]: smtp_server accepted FD=244 from 127.0.0.1:1944
2010.01.08 09:46:05 LOG7[2664:2408]: Creating a new thread
2010.01.08 09:46:05 LOG7[2664:2408]: New thread created
2010.01.08 09:46:05 LOG7[2664:2968]: smtp_server started
2010.01.08 09:46:05 LOG7[2664:2968]: FD 244 in non-blocking mode
2010.01.08 09:46:05 LOG5[2664:2968]: smtp_server accepted connection from 127.0.0.1:1944
2010.01.08 09:46:05 LOG7[2664:2968]: FD 268 in non-blocking mode
2010.01.08 09:46:05 LOG6[2664:2968]: connect_blocking: connecting 133.x.y.z:587
2010.01.08 09:46:05 LOG7[2664:2968]: connect_blocking: s_poll_wait 133.x.y.z:587: waiting 10 seconds
2010.01.08 09:46:05 LOG5[2664:2968]: connect_blocking: connected 133.x.y.z:587
2010.01.08 09:46:05 LOG5[2664:2968]: smtp_server connected remote server from 192.168.3.118:1945
2010.01.08 09:46:05 LOG7[2664:2968]: Remote FD=268 initialized
2010.01.08 09:46:05 LOG5[2664:2968]: Negotiations for smtp (client side) started
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 220 smtp.example.com ESMTP Postfix
2010.01.08 09:46:05 LOG7[2664:2968]:  -> 220 smtp.example.com ESMTP Postfix
2010.01.08 09:46:05 LOG7[2664:2968]:  -> EHLO localhost
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 250-smtp.example.com
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 250-PIPELINING
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 250-SIZE 51200000
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 250-VRFY
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 250-ETRN
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 250-STARTTLS
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 250 8BITMIME
2010.01.08 09:46:05 LOG7[2664:2968]:  -> STARTTLS
2010.01.08 09:46:05 LOG7[2664:2968]:  <- 220 Ready to start TLS
2010.01.08 09:46:05 LOG5[2664:2968]: Protocol negotiations succeeded
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): before/connect initialization
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv2/v3 write client hello A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 read server hello A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 read server certificate A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 read server key exchange A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 read server done A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 write client key exchange A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 write change cipher spec A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 write finished A
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 flush data
2010.01.08 09:46:05 LOG7[2664:2968]: SSL state (connect): SSLv3 read finished A
2010.01.08 09:46:05 LOG7[2664:2968]:    1 items in the session cache
2010.01.08 09:46:05 LOG7[2664:2968]:    1 client connects (SSL_connect())
2010.01.08 09:46:05 LOG7[2664:2968]:    1 client connects that finished
2010.01.08 09:46:05 LOG7[2664:2968]:    0 client renegotiations requested
2010.01.08 09:46:05 LOG7[2664:2968]:    0 server connects (SSL_accept())
2010.01.08 09:46:05 LOG7[2664:2968]:    0 server connects that finished
2010.01.08 09:46:05 LOG7[2664:2968]:    0 server renegotiations requested
2010.01.08 09:46:05 LOG7[2664:2968]:    0 session cache hits
2010.01.08 09:46:05 LOG7[2664:2968]:    0 external session cache hits
2010.01.08 09:46:05 LOG7[2664:2968]:    0 session cache misses
2010.01.08 09:46:05 LOG7[2664:2968]:    0 session cache timeouts
2010.01.08 09:46:05 LOG6[2664:2968]: SSL connected: new session negotiated
2010.01.08 09:46:05 LOG6[2664:2968]: Negotiated ciphers: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
2010.01.08 09:46:05 LOG7[2664:2968]: SSL socket closed on SSL_read
2010.01.08 09:46:05 LOG7[2664:2968]: Socket write shutdown
2010.01.08 09:46:05 LOG5[2664:2968]: Connection closed: 625 bytes sent to SSL, 286 bytes sent to socket
2010.01.08 09:46:05 LOG7[2664:2968]: smtp_server finished (0 left)
2010.01.08 09:50:06 LOG7[2372:3760]: RAND_status claims sufficient entropy for the PRNG

with "sslVersion=SSLv2",
2010.01.08 09:50:50 LOG7[2692:3460]: RAND_status claims sufficient entropy for the PRNG
2010.01.08 09:50:50 LOG7[2692:3460]: PRNG seeded successfully
2010.01.08 09:50:50 LOG7[2692:3460]: SSL context initialized for service smtp_server
2010.01.08 09:50:50 LOG5[2692:3460]: stunnel 4.28 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2010.01.08 09:50:50 LOG5[2692:3460]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.01.08 09:50:50 LOG5[2692:2496]: No limit detected for the number of clients
2010.01.08 09:50:50 LOG7[2692:2496]: FD 236 in non-blocking mode
2010.01.08 09:50:50 LOG7[2692:2496]: SO_REUSEADDR option set on accept socket
2010.01.08 09:50:50 LOG7[2692:2496]: smtp_server bound to 127.0.0.1:10025
2010.01.08 09:51:04 LOG7[2692:2496]: smtp_server accepted FD=244 from 127.0.0.1:1955
2010.01.08 09:51:04 LOG7[2692:2496]: Creating a new thread
2010.01.08 09:51:04 LOG7[2692:2496]: New thread created
2010.01.08 09:51:04 LOG7[2692:2056]: smtp_server started
2010.01.08 09:51:04 LOG7[2692:2056]: FD 244 in non-blocking mode
2010.01.08 09:51:04 LOG5[2692:2056]: smtp_server accepted connection from 127.0.0.1:1955
2010.01.08 09:51:04 LOG7[2692:2056]: FD 268 in non-blocking mode
2010.01.08 09:51:04 LOG6[2692:2056]: connect_blocking: connecting 133.x.y.z:587
2010.01.08 09:51:04 LOG7[2692:2056]: connect_blocking: s_poll_wait 133.x.y.z:587: waiting 10 seconds
2010.01.08 09:51:04 LOG5[2692:2056]: connect_blocking: connected 133.x.y.z:587
2010.01.08 09:51:04 LOG5[2692:2056]: smtp_server connected remote server from 192.168.3.118:1956
2010.01.08 09:51:04 LOG7[2692:2056]: Remote FD=268 initialized
2010.01.08 09:51:04 LOG5[2692:2056]: Negotiations for smtp (client side) started
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 220 smtp.example.com ESMTP Postfix
2010.01.08 09:51:04 LOG7[2692:2056]:  -> 220 smtp.example.com ESMTP Postfix
2010.01.08 09:51:04 LOG7[2692:2056]:  -> EHLO localhost
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 250-smtp.example.com
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 250-PIPELINING
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 250-SIZE 51200000
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 250-VRFY
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 250-ETRN
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 250-STARTTLS
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 250 8BITMIME
2010.01.08 09:51:04 LOG7[2692:2056]:  -> STARTTLS
2010.01.08 09:51:04 LOG7[2692:2056]:  <- 220 Ready to start TLS
2010.01.08 09:51:04 LOG5[2692:2056]: Protocol negotiations succeeded
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): before/connect initialization
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): SSLv2 write client hello A
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): SSLv2 read server hello A
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): SSLv2 write client master key A
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): SSLv2 client start encryption
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): SSLv2 write client finished A
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): SSLv2 read server verify A
2010.01.08 09:51:04 LOG7[2692:2056]: SSL state (connect): SSLv2 read server finished A
2010.01.08 09:51:04 LOG7[2692:2056]:    1 items in the session cache
2010.01.08 09:51:04 LOG7[2692:2056]:    1 client connects (SSL_connect())
2010.01.08 09:51:04 LOG7[2692:2056]:    1 client connects that finished
2010.01.08 09:51:04 LOG7[2692:2056]:    0 client renegotiations requested
2010.01.08 09:51:04 LOG7[2692:2056]:    0 server connects (SSL_accept())
2010.01.08 09:51:04 LOG7[2692:2056]:    0 server connects that finished
2010.01.08 09:51:04 LOG7[2692:2056]:    0 server renegotiations requested
2010.01.08 09:51:04 LOG7[2692:2056]:    0 session cache hits
2010.01.08 09:51:04 LOG7[2692:2056]:    0 external session cache hits
2010.01.08 09:51:04 LOG7[2692:2056]:    0 session cache misses
2010.01.08 09:51:04 LOG7[2692:2056]:    0 session cache timeouts
2010.01.08 09:51:04 LOG6[2692:2056]: SSL connected: new session negotiated
2010.01.08 09:51:04 LOG6[2692:2056]: Negotiated ciphers: DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 
2010.01.08 09:51:04 LOG7[2692:2056]: SSL closed on SSL_read
2010.01.08 09:51:04 LOG7[2692:2056]: Socket write shutdown
2010.01.08 09:51:04 LOG7[2692:2056]: Socket closed on read
2010.01.08 09:51:04 LOG7[2692:2056]: SSL write shutdown
2010.01.08 09:51:04 LOG5[2692:2056]: Connection closed: 626 bytes sent to SSL, 286 bytes sent to socket
2010.01.08 09:51:04 LOG7[2692:2056]: smtp_server finished (0 left)

However, with OpenSSL older than 0.9.8i it can connect without "sslVersion=all" or
with "sslVersion=SSLv3", and log tells SSLv3 was used.

Why stunnel cannot connect with OpenSSL newer than 0.9.8j ?


--- 
Tsurutani Naoki
turutani at scphys.kyoto-u.ac.jp

• Previous message (by thread): [stunnel-users] https not working with debug level 4,5,6,7
• Next message (by thread): [stunnel-users] Stunnel and RTMPS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]