[stunnel-users] STunnel server handshake fails

John C. Kadyk jckadyk at pacbell.net
Fri Apr 8 02:06:26 CEST 2011


I'm trying to set up STunnel so our non-SSL network scanner can email scans
through our email server, which requires TLS. A desktop email client with
the same server/port settings can send email OK.

I think I have STunnel configured correctly, but there's a handshake failure
when it tries to connect to the server. STunnel seems to be attempting an
SSLv3 connection even though I turned that option off in the config file. I
want to force it to use TLS but am not sure how to do that. Any suggestions
greatly appreciated.

Here's the config file:

cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
;output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[ssmtp]
accept  = 1025
connect = mail022-1.exch022.serverdata.net:1025

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini

and here's the log:

2011.04.07 16:41:04 LOG5[3744:516]: Reading configuration from file
stunnel.conf
2011.04.07 16:41:04 LOG7[3744:516]: Snagged 64 random bytes from C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: Wrote 1024 new random bytes to C:/.rnd
2011.04.07 16:41:04 LOG7[3744:516]: PRNG seeded successfully
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service
pop3s
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service
imaps
2011.04.07 16:41:04 LOG7[3744:516]: Configuration SSL options: 0x03000000
2011.04.07 16:41:04 LOG7[3744:516]: SSL options set: 0x03000004
2011.04.07 16:41:04 LOG7[3744:516]: Certificate: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Certificate loaded
2011.04.07 16:41:04 LOG7[3744:516]: Key file: stunnel.pem
2011.04.07 16:41:04 LOG7[3744:516]: Private key loaded
2011.04.07 16:41:04 LOG7[3744:516]: SSL context initialized for service
ssmtp
2011.04.07 16:41:04 LOG5[3744:516]: Configuration successful
2011.04.07 16:41:04 LOG5[3744:516]: No limit detected for the number of
clients
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=136 allocated
(non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s bound to 0.0.0.0:995
2011.04.07 16:41:04 LOG7[3744:516]: Service pop3s opened FD=136
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=124 allocated
(non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps bound to 0.0.0.0:993
2011.04.07 16:41:04 LOG7[3744:516]: Service imaps opened FD=124
2011.04.07 16:41:04 LOG7[3744:516]: accept socket: FD=148 allocated
(non-blocking mode)
2011.04.07 16:41:04 LOG7[3744:516]: Option SO_REUSEADDR set on accept socket
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp bound to 0.0.0.0:1025
2011.04.07 16:41:04 LOG7[3744:516]: Service ssmtp opened FD=148
2011.04.07 16:41:04 LOG5[3744:516]: stunnel 4.35 on x86-pc-mingw32-gnu with
OpenSSL 1.0.0c 2 Dec 2010
2011.04.07 16:41:04 LOG5[3744:516]: Threading:WIN32 SSL:ENGINE
Sockets:SELECT,IPv6
2011.04.07 16:41:17 LOG7[3744:2436]: local socket: FD=232 allocated
(non-blocking mode)
2011.04.07 16:41:17 LOG7[3744:2436]: Service ssmtp accepted FD=232 from
10.10.17.57:49968
2011.04.07 16:41:17 LOG7[3744:2436]: Creating a new thread
2011.04.07 16:41:17 LOG7[3744:2436]: New thread created
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp started
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on local socket
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp accepted connection from
10.10.17.57:49968
2011.04.07 16:41:17 LOG7[3744:4012]: remote socket: FD=268 allocated
(non-blocking mode)
2011.04.07 16:41:17 LOG6[3744:4012]: connect_blocking: connecting
64.78.22.98:1025
2011.04.07 16:41:17 LOG5[3744:4012]: connect_blocking: connected
64.78.22.98:1025
2011.04.07 16:41:17 LOG5[3744:4012]: Service ssmtp connected remote server
from 10.10.17.249:4081
2011.04.07 16:41:17 LOG7[3744:4012]: Remote FD=268 initialized
2011.04.07 16:41:17 LOG7[3744:4012]: Option TCP_NODELAY set on remote socket
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): before/connect
initialization
2011.04.07 16:41:17 LOG7[3744:4012]: SSL state (connect): SSLv3 write client
hello A
2011.04.07 16:41:17 LOG7[3744:4012]: SSL alert (write): fatal: handshake
failure
2011.04.07 16:41:17 LOG3[3744:4012]: SSL_connect: 1408F10B:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2011.04.07 16:41:17 LOG5[3744:4012]: Connection reset: 0 bytes sent to SSL,
0 bytes sent to socket
2011.04.07 16:41:17 LOG7[3744:4012]: Service ssmtp finished (0 left)

Any suggestions greatly appreciated.

Thanks!
John