[stunnel-users] Fwd: Do Not Make Stunnel on El Capitan

Josealf.rm josealf at rocketmail.com
Fri Jan 15 12:01:29 CET 2016


Takeo,

Are you setting the CApath in your stunnel config?
Did you create the hash links to your CA certificates?

You may want to post your sanitized stunnel config for review.

Regards
Jose

Sent from my iPhone

> On 14 Jan 2016, at 23:53, WATANABE Takeo <take at kasaneiro.jp> wrote:
> 
> Hi Thireus.
> 
> Thank you for your advice.
> Thanks to it, the SSL build and the Stunnel installation went well.
> The server also starts properly, and the connection with TLSv1 works (OpenSSL_test).
> 
> However, in Cocoa Emacs 25.1.50 with Mew 6.7,
> if I try to use POP3S and SMTPS,
> the session does not go through and there is an error in the flow,
> as shown in the accompanying text (Mew_debug).
> 
> Of course, if I disable SMTPS and POP3S in the Mew settings,
> I can read and write e-mail normally.
> But then there is no point in having installed Stunnel.
> How should I deal with this error?
> 
> (Mew) E-mail software that runs on top of Emacs.
> It uses Stunnel to provide POP3S and SMTPS.
> 
> 
> 
> On Sat, 2 Jan 2016 20:11:41 +0000
> Thireus <thireus at gmail.com> wrote:
> 
>> Hi Takeo,
>> 
>> These are my raw notes you can use to compile OpenSSL and stunnel (OpenSSL static lib, no SSLv3).
>> 
>> ------------------------
>> 
>> bash
>> 
>> # Build OpenSSL 1.0.2e as a static library (no SSLv3, no shared objects)
>> # under $HOME/Downloads/openssl-built. $HOME is used instead of ~ so the
>> # paths are expanded reliably even when they follow '=' in an argument.
>> cd ~/Downloads && wget https://github.com/openssl/openssl/archive/OpenSSL_1_0_2e.tar.gz && \
>> tar xvf OpenSSL_1_0_2e.tar.gz && \
>> cd ~/Downloads/openssl-OpenSSL_1_0_2e && \
>> ./Configure darwin64-x86_64-cc threads -fPIC zlib no-dso no-ssl3 --prefix="$HOME/Downloads/openssl-built" --openssldir="$HOME/Downloads/openssl-built/ssl" && \
>> make depend && \
>> make && make install
>> 
>> # Build stunnel 5.28 against that OpenSSL, statically linked.
>> cd ~/Downloads && rm -rf stunnel-* && \
>> wget https://www.stunnel.org/downloads/stunnel-5.28.tar.gz && \
>> tar xvf stunnel-5.28.tar.gz && \
>> cd ~/Downloads/stunnel-5.28 && \
>> ./configure --with-ssl="$HOME/Downloads/openssl-built" --enable-static --disable-shared && \
>> make && sudo make install
>> 
>> # Confirm the installed binary and the OpenSSL it was compiled with.
>> /usr/local/bin/stunnel -version
>> 
>> ------------------------
>> 
>> Cheers,
>> 
>> Thireus (thireus at gmail.com),
>> IT Security Engineer Consultant.
>> http://blog.thireus.com
>>> On 2 Jan 2016, at 20:00, Michał Trojnara <Michal.Trojnara at mirt.net> wrote:
>>> 
>>> Hi WATANABE, Takeo,
>>> 
>>> I've heard that El Capitan no longer installs OpenSSL headers. You may need to install OpenSSL (either directly from source, or using a package manager).
>>> 
>>> Mike
>>> 
>>> 
>>> 
>>> 
>>> -------- Original message --------
>>> Subject:[stunnel-users] Do Not Make Stunnel on El Capitan
>>> From:WATANABE Takeo <take at kasaneiro.jp>
>>> To:stunnel-users at stunnel.org
>>> Cc:
>>> 
>>> 
>>> Dear all.
>>> 
>>> Hi. My name is WATANABE, Takeo, in Japan.
>>> I have a problem that is troubling me very much,
>>> so I am posting it to this ML.
>>> 
>>> On OS X El Capitan (10.11.x),
>>> the make of stunnel does not pass.
>>> I think the rootkill mechanism is causing it,
>>> but even after disabling it and trying again
>>> several times, make still does not work.
>>> 
>>> Even with the latest Stunnel, make fails.
>>> 
>>> How is everyone able to build it?
>>> 
>>> If there is anyone who knows what measures
>>> lead to success, please tell me.
>>> Warm Regards.
>>> 
>>> Sincerely yours.
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> 
> <SSL/TLS: >
> 2016.01.15 13:20:03 LOG7[ui]: Clients allowed=125
> 2016.01.15 13:20:03 LOG7[cron]: Cron thread initialized
> 2016.01.15 13:20:03 LOG5[ui]: stunnel 5.29 on x86_64-apple-darwin15.2.0 platform
> 2016.01.15 13:20:03 LOG5[ui]: Compiled/running with OpenSSL 1.0.2e 3 Dec 2015
> 2016.01.15 13:20:03 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
> 2016.01.15 13:20:03 LOG7[ui]: errno: (*__error())
> 2016.01.15 13:20:03 LOG5[ui]: Reading configuration from file /private/var/folders/wk/4j5vw5vn33v4dd7l8yljm7f40000gn/T/take31865yNH/mew31865v3S
> 2016.01.15 13:20:03 LOG5[ui]: UTF-8 byte order mark not detected
> 2016.01.15 13:20:03 LOG5[ui]: FIPS mode disabled
> 2016.01.15 13:20:03 LOG7[ui]: Compression disabled
> 2016.01.15 13:20:03 LOG6[ui]: Cannot retrieve any random data from /Users/take/.rnd
> 2016.01.15 13:20:03 LOG7[ui]: Wrote 0 new random bytes to /Users/take/.rnd
> 2016.01.15 13:20:03 LOG7[ui]: PRNG seeded successfully
> 2016.01.15 13:20:03 LOG6[ui]: Initializing service [8805]
> 2016.01.15 13:20:04 LOG7[ui]: No certificate or private key specified
> 2016.01.15 13:20:04 LOG4[ui]: Service [8805] needs authentication to prevent MITM attacks
> 2016.01.15 13:20:04 LOG7[ui]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
> 2016.01.15 13:20:04 LOG5[ui]: Configuration successful
> 2016.01.15 13:20:04 LOG7[ui]: Listening file descriptor created (FD=8)
> 2016.01.15 13:20:04 LOG7[ui]: Service [8805] (FD=8) bound to 127.0.0.1:8805
> 2016.01.15 13:20:04 LOG7[ui]: No pid file being created
> 
> 
> <SSL/TLS: >
> 2016.01.15 13:20:04 LOG7[ui]: Found 1 ready file descriptor(s)
> 2016.01.15 13:20:04 LOG7[ui]: FD=4 events=0x1 revents=0x0
> 2016.01.15 13:20:04 LOG7[ui]: FD=8 events=0x1 revents=0x1
> 2016.01.15 13:20:04 LOG7[ui]: Service [8805] accepted (FD=3) from 127.0.0.1:60895
> 2016.01.15 13:20:04 LOG7[0]: Service [8805] started
> 2016.01.15 13:20:04 LOG5[0]: Service [8805] accepted connection from 127.0.0.1:60895
> 2016.01.15 13:20:04 LOG6[0]: s_connect: connecting 202.189.178.66:110
> 2016.01.15 13:20:04 LOG7[0]: s_connect: s_poll_wait 202.189.178.66:110: waiting 10 seconds
> 2016.01.15 13:20:04 LOG5[0]: s_connect: connected 202.189.178.66:110
> 2016.01.15 13:20:04 LOG5[0]: Service [8805] connected remote server from 192.168.131.70:60896
> 2016.01.15 13:20:04 LOG7[0]: Remote descriptor (FD=16) initialized
> 
> 
> <SSL/TLS: >
> 2016.01.15 13:20:04 LOG7[0]:  <- +OK Dovecot ready. <1e47.25baee.56987374.WakidhB/[email protected]>
> 2016.01.15 13:20:04 LOG7[0]:  -> +OK Dovecot ready. <1e47.25baee.56987374.WakidhB/[email protected]>
> 2016.01.15 13:20:04 LOG7[0]:  -> STLS
> 2016.01.15 13:20:04 LOG7[0]:  <- +OK Begin TLS negotiation now.
> 2016.01.15 13:20:04 LOG6[0]: SNI: sending servername: wx06.wadax.ne.jp
> 2016.01.15 13:20:04 LOG7[0]: SSL state (connect): before/connect initialization
> 
> 
> <SSL/TLS: >
> 2016.01.15 13:20:04 LOG7[0]: Verification started at depth=1: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
> 2016.01.15 13:20:04 LOG4[0]: CERT: Pre-verification error: unable to get local issuer certificate
> 2016.01.15 13:20:04 LOG4[0]: Rejected by CERT at depth=1: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
> 2016.01.15 13:20:04 LOG7[0]: SSL alert (write): fatal: unknown CA
> 2016.01.15 13:20:04 LOG3[0]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> 2016.01.15 13:20:04 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2016.01.15 13:20:04 LOG7[0]: Deallocating application specific data for addr index
> 2016.01.15 13:20:04 LOG7[0]: Remote descriptor (FD=16) closed
> 2016.01.15 13:20:04 LOG7[0]: Local descriptor (FD=3) closed
> 2016.01.15 13:20:04 LOG7[0]: Service [8805] finished (0 left)
> 
> % openssl s_client -connect wx06.wadax.ne.jp:995 -CApath ~/.certs/
> CONNECTED(00000003)
> depth=2 /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> verify return:1
> depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
> verify return:1
> depth=0 /C=JP/OU=Domain Control Validated/CN=wx06.wadax.ne.jp
> verify return:1
> ---
> Certificate chain
> 0 s:/C=JP/OU=Domain Control Validated/CN=wx06.wadax.ne.jp
>   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
> 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
>   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> ---
> Server certificate
> subject=/C=JP/OU=Domain Control Validated/CN=wx06.wadax.ne.jp
> issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3108 bytes and written 328 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>    Protocol  : TLSv1
>    Cipher    : DHE-RSA-AES256-SHA
>    Session-ID: 58E3F4BFB0EEA77521D6AA0D7EF70195C0067FD1F8591937F455EC3A9A32CE81
>    Session-ID-ctx:
>    Master-Key: F29342FEFFB92FB1640458764F17B08E0AED3D1097E949839DDBC03EC240AAABCB459830154AB462778A23BB0D25C036
>    Key-Arg   : None
>    Start Time: 1452832568
>    Timeout   : 300 (sec)
>    Verify return code: 0 (ok)
> ---
> +OK Dovecot ready. <[email protected]>
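An added example (editor's code, not from anyone in this thread) for the two things Jose asks about, tied to the "unable to get local issuer certificate" failure in the Mew_debug log above: it creates the hash links OpenSSL expects in a CApath directory, checks that every CA file has one, and writes a minimal client-side stunnel config for the POP3 service in the log. Function names are hypothetical; it assumes OpenSSL 1.x's -subject_hash scheme and stunnel 5.x option names (verify, CApath, checkHost).

```shell
# Added example: hashed CApath for stunnel, plus a minimal client config.
# Assumes OpenSSL 1.x (-subject_hash) and stunnel 5.x option names.
set -eu

# OpenSSL resolves an issuer in CApath by <subject_hash>.0, .1, ...;
# bare PEM files without these links give the log's
# "unable to get local issuer certificate". Create the missing links.
rehash_capath() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        n=0
        # Bump the suffix on a hash collision; skip if already linked.
        while [ -e "$dir/$hash.$n" ]; do
            [ "$(readlink "$dir/$hash.$n")" = "${cert##*/}" ] && continue 2
            n=$((n + 1))
        done
        ln -s "${cert##*/}" "$dir/$hash.$n"
    done
}

# Returns 0 when every CA file in the directory is reachable through a
# hash link, 1 otherwise (printing the files stunnel could not find).
check_capath() {
    dir=$1
    missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        ls "$dir/$hash".[0-9]* >/dev/null 2>&1 || { echo "no hash link: $cert"; missing=1; }
    done
    return "$missing"
}

# Client-side service matching the Mew_debug log: 127.0.0.1:8805 -> STLS on
# port 110, chain verified against CApath, hostname pinned with checkHost.
write_stunnel_conf() {
    cat > "$1" <<EOF
client = yes
verify = 2
CApath = $2
checkHost = wx06.wadax.ne.jp

[pop3s]
accept = 127.0.0.1:8805
connect = wx06.wadax.ne.jp:110
protocol = pop3
EOF
}
```

OpenSSL's own c_rehash script (or `openssl rehash` in 1.1.0+) creates the same links; the check function is what tells you whether the directory stunnel is pointed at is actually usable.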