[stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol

Leandro Avila leandro.avila at ymail.com
Tue Jun 26 05:05:27 CEST 2012


Mike,

Maybe you can double check the server settings with the server operator. NNTPS (NNTP over SSL) is usually run on TCP port 563 instead of port 119.

Hope this helps
 
-----------------
Leandro Avila

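An added diagnostic, not part of this thread or of stunnel, that checks the point made in the reply above: a plaintext NNTP port greets the client with a "200"/"201" status line as soon as the TCP connection opens, whereas an NNTPS port stays silent until it sees a ClientHello. Wrapping a socket to the plaintext port in TLS therefore fails the way the stunnel log shows (SSL_connect reading a non-TLS reply). The script probes a port for an unsolicited greeting, classifies it, then attempts the same TLS handshake a stunnel client would. The host name, greeting text and the local fake "port 119" server are constructed for the demonstration; no real news server is contacted.

```python
"""Tell a plaintext NNTP port from an NNTPS port by what the server sends first,
and reproduce the SSL_connect failure stunnel logs when "connect" points at
plaintext NNTP.  Constructed example; not stunnel project code."""
import socket
import ssl
import threading

# Conventional ports from the reply: plaintext NNTP on 119, NNTPS on 563.
NNTP_PORT = 119
NNTPS_PORT = 563

# Constructed greeting in the shape of an NNTP "200 ... posting allowed" banner.
FAKE_BANNER = b"200 news.example.invalid ready (posting ok)\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify what a server sends on a fresh connection before the client speaks.

    Plaintext NNTP greets immediately with a 200/201 line; a TLS server sends
    nothing until it receives a ClientHello, so an empty read is what NNTPS
    looks like at this stage."""
    if not data:
        return "silent"
    if data.startswith((b"200 ", b"201 ", b"200\r", b"201\r")):
        return "plaintext-nntp-greeting"
    return "plaintext-other"


def read_greeting(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect and wait up to `timeout` seconds for an unsolicited greeting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(256)
        except socket.timeout:
            return b""


def tls_handshake_error(host: str, port: int, timeout: float = 2.0):
    """Try the TLS handshake a stunnel client performs; return the exception
    when the peer answers with something that is not a TLS record, else None."""
    ctx = ssl.create_default_context()
    # Diagnosis only: we want to observe the protocol mismatch, not verify the
    # peer.  Do not copy these two lines into a real client configuration.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return exc


def diagnose(host: str, port: int) -> dict:
    """Combine both checks into the verdict an operator wants to see."""
    greeting = read_greeting(host, port)
    err = tls_handshake_error(host, port)
    return {
        "greeting": greeting,
        "classification": classify_first_bytes(greeting),
        "tls_error": None if err is None else f"{type(err).__name__}: {err}",
    }


def start_fake_plaintext_nntp_server() -> tuple:
    """Constructed stand-in for a plaintext port 119: greets at once, reads
    whatever the client sends (for instance a ClientHello), then closes.
    Serves exactly the two connections diagnose() makes; returns (port, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    port = listener.getsockname()[1]

    def serve():
        for _ in range(2):
            conn, _ = listener.accept()
            with conn:
                conn.sendall(FAKE_BANNER)
                conn.settimeout(2.0)
                try:
                    conn.recv(65536)
                except OSError:
                    pass  # timeout or reset from a client that gave up
        listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    fake_port, _ = start_fake_plaintext_nntp_server()
    print(diagnose("127.0.0.1", fake_port))
```

Run against the fake server, `classification` comes back as `plaintext-nntp-greeting` and `tls_error` carries the OpenSSL protocol mismatch (the exact reason text varies by OpenSSL version; the thread's build reported it as SSL23_GET_SERVER_HELLO:unknown protocol). Pointed at a real NNTPS port with the same code, the greeting read comes back empty and the handshake error is None, which is the configuration stunnel's `connect` line should be pointing at.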

----- Original Message -----
From: mike <mgbutler at nbnet.nb.ca>
To: stunnel-users at stunnel.org
Cc: 
Sent: Monday, June 25, 2012 12:15 PM
Subject: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol

Hello All,
Running Debian 6.0, stunnel4 and Pan 0.133

I have set up Pan and installed stunnel so that I can use ssl with nntp. Installing Pan and stunnel was easy. I've edited Pan to use localhost:119 and edited my config file in stunnel to point to my nntp server. I have allowed nntp in my hosts.allow for ALL:ALL.

The problem I am running into is that Pan does not connect. I get the following error:

    Error reading from localhost. Connection reset by peer

Checking with the following openssl command produced this error:
    root at triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119
    CONNECTED(00000003)
    write:errno=104

Looking at the logs for stunnel I see many repetitions of this message:
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451
2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119
2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds
2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119
2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455
2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization
2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A
2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)

Anyone know what is missing? It almost looks like it can't talk in either SSLv2 or v3, which makes no sense.

Here is my stunnel config:

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
foreground = no


; Use it for client mode
client = yes

; Service-level configuration

[nntp]
accept  = localhost:119
connect = news.aliant.net:119

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users