[stunnel-users] checkHost: No matching host name found

Schmitz Gerrit (CC-AD/PJ-MBB) Gerrit.Schmitz at de.bosch.com
Mon Jan 22 13:08:04 CET 2018


Hello everybody,
I’m trying to get Gmail-POP3 working but run into an error message which seems to be related to checkHost, since commenting it out enables the connection to be established ☹ The service is configured as follows:

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
checkHost = pop.gmail.com
verifyChain = yes
CApath = /etc/ssl/certs/

I also found Parker (https://www.stunnel.org/pipermail/stunnel-users/2018-January/005902.html) running the same version as me but his platform is different from mine (Alpine, LibreSSL). Could this be the reason?

Here is the startup and connection portion of my log:

2018.01.22 08:58:13 LOG7[ui]: Clients allowed=512000
2018.01.22 08:58:13 LOG5[ui]: stunnel 5.44 on x86_64-alpine-linux-musl platform
2018.01.22 08:58:13 LOG5[ui]: Compiled/running with LibreSSL 2.6.3
2018.01.22 08:58:13 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,SNI
2018.01.22 08:58:13 LOG7[ui]: errno: (*__errno_location())
2018.01.22 08:58:13 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2018.01.22 08:58:13 LOG5[ui]: UTF-8 byte order mark not detected
2018.01.22 08:58:13 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
2018.01.22 08:58:13 LOG7[ui]: PRNG seeded successfully
2018.01.22 08:58:13 LOG6[ui]: Initializing service [redis]
2018.01.22 08:58:13 LOG7[ui]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.01.22 08:58:13 LOG7[ui]: TLS options: 0x00000004 (+0x00000000, -0x00000000)
2018.01.22 08:58:13 LOG7[ui]: No certificate or private key specified
2018.01.22 08:58:13 LOG5[ui]: Configuration successful
2018.01.22 08:58:13 LOG7[ui]: Binding service [redis]
2018.01.22 08:58:13 LOG7[ui]: Listening file descriptor created (FD=7)
2018.01.22 08:58:13 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.01.22 08:58:13 LOG7[ui]: Service [redis] (FD=7) bound to 0.0.0.0:6379
2018.01.22 08:58:13 LOG7[ui]: No pid file being created
2018.01.22 08:58:13 LOG7[cron]: Cron thread initialized
2018.01.22 09:36:41 LOG7[ui]: Found 1 ready file descriptor(s)
2018.01.22 09:36:41 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.01.22 09:36:41 LOG7[ui]: FD=3 events=0x2001 revents=0x0
2018.01.22 09:36:41 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.01.22 09:36:41 LOG7[ui]: Service [gmail-pop3] accepted (FD=8) from 127.0.0.1:42040
2018.01.22 09:36:41 LOG7[6]: Service [gmail-pop3] started
2018.01.22 09:36:41 LOG7[6]: Option TCP_NODELAY set on local socket
2018.01.22 09:36:41 LOG5[6]: Service [gmail-pop3] accepted connection from 127.0.0.1:42040
2018.01.22 09:36:41 LOG6[6]: failover: round-robin, starting at entry #2
2018.01.22 09:36:41 LOG6[6]: s_connect: connecting 2a00:1450:4013:c00::6c:995
2018.01.22 09:36:41 LOG3[6]: s_connect: connect 2a00:1450:4013:c00::6c:995: Network unreachable (101)
2018.01.22 09:36:41 LOG6[6]: s_connect: connecting 108.177.119.108:995
2018.01.22 09:36:41 LOG7[6]: s_connect: s_poll_wait 108.177.119.108:995: waiting 10 seconds
2018.01.22 09:36:41 LOG5[6]: s_connect: connected 108.177.119.108:995
2018.01.22 09:36:41 LOG5[6]: Service [gmail-pop3] connected remote server from 10.244.0.21:51954
2018.01.22 09:36:41 LOG7[6]: Option TCP_NODELAY set on remote socket
2018.01.22 09:36:41 LOG7[6]: Remote descriptor (FD=9) initialized
2018.01.22 09:36:41 LOG6[6]: SNI: sending servername: pop.gmail.com
2018.01.22 09:36:41 LOG6[6]: Peer certificate required
2018.01.22 09:36:41 LOG7[6]: TLS state (connect): before/connect initialization
2018.01.22 09:36:41 LOG7[6]: TLS state (connect): SSLv3 write client hello A
2018.01.22 09:36:41 LOG7[6]: TLS state (connect): SSLv3 read server hello A
2018.01.22 09:36:41 LOG7[6]: Verification started at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
2018.01.22 09:36:41 LOG7[6]: Verification started at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
2018.01.22 09:36:41 LOG7[6]: Verification started at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
2018.01.22 09:36:41 LOG4[6]: CERT: No matching host name found
2018.01.22 09:36:41 LOG4[6]: Rejected by CERT at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
2018.01.22 09:36:41 LOG7[6]: TLS alert (write): fatal: certificate unknown
2018.01.22 09:36:41 LOG3[6]: SSL_connect: 14007086: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
2018.01.22 09:36:41 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.01.22 09:36:41 LOG7[6]: Deallocating application specific data for session connect address
2018.01.22 09:36:41 LOG7[6]: Remote descriptor (FD=9) closed
2018.01.22 09:36:41 LOG7[6]: Local descriptor (FD=8) closed
2018.01.22 09:36:41 LOG7[6]: Service [gmail-pop3] finished (0 left)


Mit freundlichen Grüßen / Best regards

Gerrit Schmitz
CC-AD/PJ-MBB
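
An added example, not part of the original post and not stunnel code: a Python triage of the log format shown above that groups lines by thread id and separates chain verification from the host-name check. The names triage and SAMPLE_LOG are hypothetical, and comparing the leaf CN with the logged SNI name is an assumption standing in for the checkHost value, which the log does not print.

```python
import re

# Constructed sample: lines copied from the log in the post above, trimmed to
# the ones the triage needs.
SAMPLE_LOG = """\
2018.01.22 09:36:41 LOG6[6]: SNI: sending servername: pop.gmail.com
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
2018.01.22 09:36:41 LOG4[6]: CERT: No matching host name found
2018.01.22 09:36:41 LOG4[6]: Rejected by CERT at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
"""

LINE = re.compile(r"^\S+ \S+ LOG(\d)\[([^\]]+)\]: (.*)$")
SNI = re.compile(r"^SNI: sending servername: (\S+)$")
VERDICT = re.compile(r"^(Certificate accepted|Rejected by CERT) at depth=(\d+): (.*)$")
CN = re.compile(r"(?:^|, )CN=([^,]+)")


def triage(log_text):
    """Group stunnel log lines by thread id and summarise certificate verification."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a stunnel log line
        _level, thread, msg = m.groups()
        s = sessions.setdefault(thread, {"sni": None, "accepted": [],
                                         "rejected": None, "host_mismatch": False})
        if (sni := SNI.match(msg)):
            s["sni"] = sni.group(1)
        elif msg == "CERT: No matching host name found":
            s["host_mismatch"] = True
        elif (v := VERDICT.match(msg)):
            depth, subject = int(v.group(2)), v.group(3)
            if v.group(1) == "Certificate accepted":
                s["accepted"].append(depth)
            else:
                cn = CN.search(subject)
                s["rejected"] = {"depth": depth, "cn": cn.group(1) if cn else None}
    for s in sessions.values():
        rej = s["rejected"]
        # Leaf rejected by the host-name check although its CN equals the SNI name:
        # the name comparison, not the trust chain, is what refused the peer.
        s["cn_equals_sni_but_rejected"] = bool(
            rej and s["host_mismatch"] and rej["depth"] == 0 and rej["cn"] == s["sni"])
    return sessions
```

The log prints only the subject DN, not the certificate's subjectAltName entries, so the flag marks a discrepancy to investigate rather than a cause.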
