[stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol

Leandro Avila leandro.avila at ymail.com
Thu Jun 28 14:47:24 CEST 2012


Mike,

Your initial configuration was fine I think. Your side of the connection makes your stunnel a client.
So you need the client = yes option for that.

What I meant to say in my earlier message is that the other side of the connection, that is the server at news.aliant.net, should also be ready to accept SSL. In this case news.aliant.net does not seem to support SSL.

So your stunnel is working properly trying to establish a connection using SSL but the server refuses because
it does not use SSL. Hence, the need to check with the operator/owner of news.aliant.net and ask them if their
configuration supports SSL.

I hope this makes more sense.

Thanks

 
-----------------
Leandro Avila
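
The quickest way to confirm the diagnosis above is to see what the remote port sends on its own: a plaintext NNTP server volunteers a "200 ..." greeting the moment you connect, whereas a TLS server stays silent until it receives a ClientHello, and any non-TLS bytes read where a ServerHello should be are exactly what OpenSSL reports as SSL23_GET_SERVER_HELLO:unknown protocol. The probe below is an added example and is not code from the thread or from stunnel; the sample greeting bytes are constructed, news.example.net is a placeholder, and the probe sends nothing to the server.

```python
"""Tell a plaintext NNTP listener apart from a TLS (NNTPS) listener.

Added example (not from the thread).  The classifier works on constructed
bytes; probe() connects for real but never writes to the socket.
"""
import socket

# TLS record content types a server may send first: alert or handshake.
TLS_CONTENT_TYPES = {0x15, 0x16}


def classify_greeting(data: bytes) -> str:
    """Classify the first bytes a server sent.

    Returns "no-data" (server waited for us: consistent with TLS),
    "tls" (a TLS record header, e.g. ServerHello or alert),
    "nntp-plaintext" (an RFC 3977 status line such as "200 ... posting ok")
    or "unknown".
    """
    if not data:
        return "no-data"
    # TLS record header: content type, then version 3.x (SSLv3 .. TLS 1.3).
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES \
            and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    text = data[:64].decode("ascii", errors="replace")
    # NNTP greets with a three-digit status code and a space, e.g. "200 NNRP".
    if text[:3].isdigit() and text[3:4] == " ":
        return "nntp-plaintext"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send nothing, and classify whatever the server volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(512)
        except socket.timeout:
            data = b""  # silence within the timeout: server expects us to speak first
    return classify_greeting(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "news.example.net"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 119
    print(f"{host}:{port} -> {probe(host, port)}")
```

A result of "nntp-plaintext" on port 119 means stunnel's client mode is doing its job and the error is expected; "no-data" on port 563 is the hint that NNTPS lives there instead.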


----- Original Message -----
From: mike <mgbutler at nbnet.nb.ca>
To: stunnel-users at stunnel.org
Cc: 
Sent: Tuesday, June 26, 2012 4:08 PM
Subject: Re: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol

So I made a couple changes in my config. I disabled "client=yes" and created a certificate key.

Now when I run this command: openssl s_client -ssl3 -connect localhost:119

I get a hopeful message that shows my certificate and ends like this:
SSL handshake has read 969 bytes and written 253 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 9FBB246F77D9951629DE4E506B82B967B47CA3AFD0E8F792D44159A9016E3B16
    Session-ID-ctx:
    Master-Key: 35BF62692EECE0641DD0E35EC2927757751E576A6DAF27B857FEDC8D0B47C05AB6854784B5C450739545E0DEDC3A3FA8
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1340744705
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
200 NNRP news.aliant.net Service Ready - support at aliant.net (posting ok)


So everything looks good. But when I attempt to connect in Pan, it never connects and my stunnel log looks like this:
2012.06.26 18:07:45 LOG7[475:3074374512]: SSL state (accept): before/accept initialization
2012.06.26 18:07:55 LOG3[475:3074513776]: SSL_accept: Peer suddenly disconnected
2012.06.26 18:07:55 LOG5[475:3074513776]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp finished (3 left)
2012.06.26 18:07:55 LOG7[475:3074758864]: nntp accepted FD=13 from 127.0.0.1:36457
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp started
2012.06.26 18:07:55 LOG7[475:3074513776]: FD 13 in non-blocking mode
2012.06.26 18:07:55 LOG7[475:3074513776]: Waiting for a libwrap process
2012.06.26 18:07:55 LOG7[475:3074513776]: Acquired libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: Releasing libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: Released libwrap process #0
2012.06.26 18:07:55 LOG7[475:3074513776]: nntp permitted by libwrap from 127.0.0.1:36457
2012.06.26 18:07:55 LOG5[475:3074513776]: nntp accepted connection from 127.0.0.1:36457

I'm stumped - anyone got any ideas?

On 12-06-26 04:10 PM, mike wrote:
> Thanks Leandro. But doesn't stunnel allow me to use ssl for nntp? My nntp server definitely uses port 119. I followed the set up for this from these instructions almost to the letter:
> http://ubuntuforums.org/showthread.php?t=653246
> 
> and I can't get this to work with ssl at all.
> 
> -Mike
> 
> 
> On 12-06-26 12:05 AM, Leandro Avila wrote:
>> Mike,
>> 
>> Maybe you can double check the server settings with the server operator. NNTPS (NNTP over SSL) usually is run on TCP port 563
>> Instead of Port 119.
>> 
>> Hope this helps
>>   -----------------
>> Leandro Avila
>> 
>> 
>> ----- Original Message -----
>> From: mike <mgbutler at nbnet.nb.ca>
>> To: stunnel-users at stunnel.org
>> Cc:
>> Sent: Monday, June 25, 2012 12:15 PM
>> Subject: [stunnel-users] Stunnel, Pan and the SSL23_GET_SERVER_HELLO:unknown protocol
>> 
>> Hello All,
>> Running Debian 6.0, stunnel4 and Pan 0.133
>> 
>> I have set up Pan and installed stunnel so that I can use ssl with nntp. Installing Pan and stunnel was easy. I've edited Pan to use localhost:119 and edited my config file in stunnel to point to my nntp server. I have allowed nntp in my hosts.allow for ALL:ALL.
>> 
>> The problem I am running into is that Pan does not connect. I get the following error:
>> 
>>      Error reading from localhost. Connection reset by peer
>> 
>> Checking with the following openssl command produced this error:
>>      root at triglav:/etc/stunnel# openssl s_client -ssl3 -connect localhost:119
>>      CONNECTED(00000003)
>>      write:errno=104
>> 
>> Looking at the logs for stunnel I see many repetitions of this message:
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp started
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 13 in non-blocking mode
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on local socket
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Waiting for a libwrap process
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Acquired libwrap process #0
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Releasing libwrap process #0
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Released libwrap process #0
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp permitted by libwrap from 127.0.0.1:59451
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp accepted connection from 127.0.0.1:59451
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: FD 14 in non-blocking mode
>> 2012.06.25 14:18:26 LOG6[16355:3074153328]: connect_blocking: connecting 209.197.15.238:119
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: connect_blocking: s_poll_wait 209.197.15.238:119: waiting 10 seconds
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: connect_blocking: connected 209.197.15.238:119
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: nntp connected remote server from 192.168.2.56:51455
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: Remote FD=14 initialized
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: TCP_NODELAY option set on remote socket
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): before/connect initialization
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: SSL state (connect): SSLv2/v3 write client hello A
>> 2012.06.25 14:18:26 LOG3[16355:3074153328]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>> 2012.06.25 14:18:26 LOG5[16355:3074153328]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>> 2012.06.25 14:18:26 LOG7[16355:3074153328]: nntp finished (0 left)
>> 
>> Anyone know what is missing? It almost looks like it can't talk in either SSLv2 or v3, which makes no sense.
>> 
>> Here is my stunnel config:
>> 
>> ; Sample stunnel configuration file by Michal Trojnara 2002-2009
>> ; Some options used here may not be adequate for your particular configuration
>> ; Please make sure you understand them (especially the effect of the chroot jail)
>> 
>> ; Certificate/key is needed in server mode and optional in client mode
>> ;cert = /etc/ssl/certs/stunnel.pem
>> ;key = /etc/ssl/certs/stunnel.pem
>> 
>> ; Protocol version (all, SSLv2, SSLv3, TLSv1)
>> sslVersion = all
>> 
>> ; Some security enhancements for UNIX systems - comment them out on Win32
>> chroot = /var/lib/stunnel4/
>> setuid = stunnel4
>> setgid = stunnel4
>> ; PID is created inside the chroot jail
>> pid = /stunnel4.pid
>> 
>> ; Some performance tunings
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> ;compression = zlib
>> 
>> ; Workaround for Eudora bug
>> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>> 
>> ; Authentication stuff
>> ;verify = 2
>> ; Don't forget to c_rehash CApath
>> ; CApath is located inside chroot jail
>> ;CApath = /certs
>> ; It's often easier to use CAfile
>> ;CAfile = /etc/stunnel/certs.pem
>> ; Don't forget to c_rehash CRLpath
>> ; CRLpath is located inside chroot jail
>> ;CRLpath = /crls
>> ; Alternatively you can use CRLfile
>> ;CRLfile = /etc/stunnel/crls.pem
>> 
>> ; Some debugging stuff useful for troubleshooting
>> debug = 7
>> output = /var/log/stunnel4/stunnel.log
>> foreground = no
>> 
>> 
>> ; Use it for client mode
>> client = yes
>> 
>> ; Service-level configuration
>> 
>> [nntp]
>> accept  = localhost:119
>> connect = news.aliant.net:119
>> 
>> ;[https]
>> ;accept  = 443
>> ;connect = 80
>> ;TIMEOUTclose = 0
>> 
>> ; vim:ft=dosini
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>> 
>> 
> 
> 

