[stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol

mike mgbutler at nbnet.nb.ca
Tue Jun 26 23:08:24 CEST 2012


So I made a couple changes in my config. I disabled "client=yes" and 
created a certificate key.

Now when I run this command: openssl s_client -ssl3 -connect localhost:119

I get a hopeful message that shows my certificate and ends like this:
SSL handshake has read 969 bytes and written 253 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
     Protocol  : SSLv3
     Cipher    : AES256-SHA
     Session-ID: 
9FBB246F77D9951629DE4E506B82B967B47CA3AFD0E8F792D44159A9016E3B16
     Session-ID-ctx:
     Master-Key: 
35BF62692EECE0641DD0E35EC2927757751E576A6DAF27B857FEDC8D0B47C05AB6854784B5C450739545E0DEDC3A3FA8
     Key-Arg   : None
     Compression: 1 (zlib compression)
     Start Time: 1340744705
     Timeout   : 7200 (sec)
     Verify return code: 18 (self signed certificate)
---
200 NNRP news.aliant.net Service Ready - support at aliant.net (posting ok)


So everything looks good. But when I attempt to connect in Pan, it never 
connects and my stunnel log looks like this:
2012.06.26 18:07:45 LOG7[475:3074374512]: SSL state (accept): 
before/accept initialization
2012.06.26 18:07:55 LOG3[475:3074513776]: SSL_accept: Peer suddenly 
disconnected
2012.06.26 18:07:55 LOG5[475:3074513776]: Connection reset: 0 bytes sent 
to SSL, 0 bytes sent to socket
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp finished (3 left)
2012.06.26 18:07:55 LOG7[475:3074758864]: nntp accepted FD=13 from 
127.0.0.1:36457
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp started
2012.06.26 18:07:55 LOG7[475:3074513776]: FD 13 in non-blocking mode
2012.06.26 18:07:55 LOG7[475:3074513776]: Waiting for a libwrap process
2012.06.26 18:07:55 LOG7[475:3074513776]: Acquired libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: Releasing libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: Released libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp permitted by libwrap from 
127.0.0.1:36457
2012.06.26 18:07:55 LOG5[475:3074513776]: nntp accepted connection from 
127.0.0.1:36457

I'm stumped - anyone got any ideas?

On 12-06-26 04:10 PM, mike wrote:
> Thanks Leandro. But doesn't stunnel allow me to use ssl for nntp? My 
> nntp server definitely uses port 119. I followed the setup for this 
> from these instructions almost to the letter:
> http://ubuntuforums.org/showthread.php?t=653246
>
> and I can't get this to work with ssl at all.
>
> -Mike
>
>
> On 12-06-26 12:05 AM, Leandro Avila wrote:
>> Mike,
>>
>> Maybe you can double check the server settings with the server 
>> operator. NNTPS (NNTP over SSL) usually is run on TCP port 563
>> Instead of Port 119.
>>
>> Hope this helps
>>   -----------------
>> Leandro Avila
>>
>>
>> ----- Original Message -----
>> From: mike <mgbutler at nbnet.nb.ca>
>> To: stunnel-users at stunnel.org
>> Cc:
>> Sent: Monday, June 25, 2012 12:15 PM
>> Subject: [stunnel-users] Stunnel, Pan and the 
>> SSL23_GET_SERVER_HELLO:unknown protocol
>>
>> Hello All,
>> Running Debian 6.0, stunnel4 and Pan 0.133
>>
>> I have set up Pan and installed stunnel so that I can use ssl with 
>> nntp. Installing Pan and stunnel was easy. I've edited Pan to use 
>> localhost:119 and edited my config file in stunnel to point to my 
>> nntp server. I have allowed nntp in my hosts.allow for ALL:ALL.
>>
>> The problem I am running into is that Pan does not connect. I get the 
>> following error:
>>
>>      Error reading from localhost. Connection reset by peer
>>
>> Checking with the following openssl command produced this error:
>>      root at triglav:/etc/stunnel# openssl s_client -ssl3 -connect 
>> localhost:119
>>      CONNECTED(00000003)
>>      write:errno=104
>>
>> Looking at the logs for stunnel I see many repetitions of this message:
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on 
>> local socket
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap 
>> process
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap 
>> from 127.0.0.1:59451
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection 
>> from 127.0.0.1:59451
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
>> 2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: 
>> connecting 209.197.15.238:119
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: 
>> s_poll_wait 209.197.15.238:119: waiting 10 seconds
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: 
>> connected 209.197.15.238:119
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote 
>> server from 192.168.2.56:51455
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on 
>> remote socket
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): 
>> before/connect initialization
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): 
>> SSLv2/v3 write client hello A
>> 2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: 
>> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes 
>> sent to SSL, 0 bytes sent to socket
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)
>>
>> Anyone know what is missing? It almost looks like it can't talk in 
>> either SSLv2 or v3, which makes no sense.
>>
>> Here is my stunnel config:
>>
>> ; Sample stunnel configuration file by Michal Trojnara 2002-2009
>> ; Some options used here may not be adequate for your particular 
>> configuration
>> ; Please make sure you understand them (especially the effect of the 
>> chroot jail)
>>
>> ; Certificate/key is needed in server mode and optional in client mode
>> ;cert = /etc/ssl/certs/stunnel.pem
>> ;key = /etc/ssl/certs/stunnel.pem
>>
>> ; Protocol version (all, SSLv2, SSLv3, TLSv1)
>> sslVersion = all
>>
>> ; Some security enhancements for UNIX systems - comment them out on 
>> Win32
>> chroot = /var/lib/stunnel4/
>> setuid = stunnel4
>> setgid = stunnel4
>> ; PID is created inside the chroot jail
>> pid = /stunnel4.pid
>>
>> ; Some performance tunings
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ;compression = zlib
>>
>> ; Workaround for Eudora bug
>> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>>
>> ; Authentication stuff
>> ;verify = 2
>> ; Don't forget to c_rehash CApath
>> ; CApath is located inside chroot jail
>> ;CApath = /certs
>> ; It's often easier to use CAfile
>> ;CAfile = /etc/stunnel/certs.pem
>> ; Don't forget to c_rehash CRLpath
>> ; CRLpath is located inside chroot jail
>> ;CRLpath = /crls
>> ; Alternatively you can use CRLfile
>> ;CRLfile = /etc/stunnel/crls.pem
>>
>> ; Some debugging stuff useful for troubleshooting
>> debug = 7
>> output = /var/log/stunnel4/stunnel.log
>> foreground = no
>>
>>
>> ; Use it for client mode
>> client = yes
>>
>> ; Service-level configuration
>>
>> [nntp]
>> accept  = localhost:119
>> connect = news.aliant.net:119
>>
>> ;[https]
>> ;accept  = 443
>> ;connect = 80
>> ;TIMEOUTclose = 0
>>
>> ; vim:ft=dosini
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>>
>>
>
>

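An added diagnostic, not code from the thread or from stunnel, that shows what the `SSL23_GET_SERVER_HELLO:unknown protocol` error in the first log means: OpenSSL expected a TLS record from the remote side and instead received bytes that are not one, such as the plaintext NNTP greeting that a port-119 news server sends as soon as you connect. The sample bytes and host names below are constructed.

```python
import socket

# Constructed sample replies (not captured from the server in the thread)
NNTP_BANNER = b"200 NNRP news.example.invalid Service Ready (posting ok)\r\n"
# TLS record header (handshake, TLS 1.2, 74 bytes) followed by a ServerHello header
TLS_SERVER_HELLO = bytes.fromhex("160303004a02000046")

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def decode_tls_record_header(data: bytes):
    """Parse a 5-byte TLS record header; return None if the bytes are not one."""
    if len(data) < 5:
        return None
    ctype = data[0]
    version = int.from_bytes(data[1:3], "big")
    length = int.from_bytes(data[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return None
    return {"type": TLS_CONTENT_TYPES[ctype],
            "version": TLS_VERSIONS[version], "length": length}


def classify_server_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back.

    OpenSSL's SSL23_GET_SERVER_HELLO requires an SSL/TLS record here; an NNTP
    greeting such as b"200 ..." fails that check with 'unknown protocol'.
    """
    if not data:
        return "empty"
    if decode_tls_record_header(data):
        return "tls"
    if data[:4] in (b"200 ", b"201 "):   # NNTP greeting codes (RFC 3977)
        return "plaintext-nntp"
    return "plaintext"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect and read whatever the server volunteers before we send anything.

    A plaintext NNTP server greets first; a TLS server stays silent until it
    receives a ClientHello, so 'empty' (timeout, or the peer closing at once)
    suggests the port is not a plaintext NNTP service.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return classify_server_reply(sock.recv(64))
        except socket.timeout:
            return "empty"
```

A `client = yes` stunnel whose `connect` target answers with a `200 NNRP ...` greeting, as the openssl output above shows this server does, will always hit this error, because that greeting is what stunnel tries to parse as a ServerHello; Leandro's point that NNTPS is conventionally served on port 563 is the relevant fix to try.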