[stunnel-users] checkHost: No matching host name found

Flo Rance trourance at gmail.com
Mon Jan 22 15:29:03 CET 2018


Hi,

Maybe because stunnel is compiled with LibreSSL instead of OpenSSL.

And checkHost requires OpenSSL 1.0.2 or later:
https://www.stunnel.org/static/stunnel.html

Regards,
Florian

On Mon, Jan 22, 2018 at 1:08 PM, Schmitz Gerrit (CC-AD/PJ-MBB) <
Gerrit.Schmitz at de.bosch.com> wrote:

> Hello everybody,
>
> I'm trying to get Gmail POP3 working but run into an error message
> which seems to be related to checkHost, since commenting it out enables
> the connection to be established ☹ The service is configured as follows:
>
> [gmail-pop3]
> client = yes
> accept = 127.0.0.1:110
> connect = pop.gmail.com:995
> checkHost = pop.gmail.com
> verifyChain = yes
> CApath = /etc/ssl/certs/
>
> I also found Parker (https://www.stunnel.org/pipermail/stunnel-users/2018-January/005902.html)
> running the same version as me, but his platform is different from mine
> (Alpine, LibreSSL). Could this be the reason?
>
> Here is the startup and connection portion of my log:
>
> 2018.01.22 08:58:13 LOG7[ui]: Clients allowed=512000
> 2018.01.22 08:58:13 LOG5[ui]: stunnel 5.44 on x86_64-alpine-linux-musl platform
> 2018.01.22 08:58:13 LOG5[ui]: Compiled/running with LibreSSL 2.6.3
> 2018.01.22 08:58:13 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,SNI
> 2018.01.22 08:58:13 LOG7[ui]: errno: (*__errno_location())
> 2018.01.22 08:58:13 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
> 2018.01.22 08:58:13 LOG5[ui]: UTF-8 byte order mark not detected
> 2018.01.22 08:58:13 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
> 2018.01.22 08:58:13 LOG7[ui]: PRNG seeded successfully
> 2018.01.22 08:58:13 LOG6[ui]: Initializing service [redis]
> 2018.01.22 08:58:13 LOG7[ui]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
> 2018.01.22 08:58:13 LOG7[ui]: TLS options: 0x00000004 (+0x00000000, -0x00000000)
> 2018.01.22 08:58:13 LOG7[ui]: No certificate or private key specified
> 2018.01.22 08:58:13 LOG5[ui]: Configuration successful
> 2018.01.22 08:58:13 LOG7[ui]: Binding service [redis]
> 2018.01.22 08:58:13 LOG7[ui]: Listening file descriptor created (FD=7)
> 2018.01.22 08:58:13 LOG7[ui]: Option SO_REUSEADDR set on accept socket
> 2018.01.22 08:58:13 LOG7[ui]: Service [redis] (FD=7) bound to 0.0.0.0:6379
> 2018.01.22 08:58:13 LOG7[ui]: No pid file being created
> 2018.01.22 08:58:13 LOG7[cron]: Cron thread initialized
> 2018.01.22 09:36:41 LOG7[ui]: Found 1 ready file descriptor(s)
> 2018.01.22 09:36:41 LOG7[ui]: FD=4 events=0x2001 revents=0x0
> 2018.01.22 09:36:41 LOG7[ui]: FD=3 events=0x2001 revents=0x0
> 2018.01.22 09:36:41 LOG7[ui]: FD=7 events=0x2001 revents=0x1
> 2018.01.22 09:36:41 LOG7[ui]: Service [gmail-pop3] accepted (FD=8) from 127.0.0.1:42040
> 2018.01.22 09:36:41 LOG7[6]: Service [gmail-pop3] started
> 2018.01.22 09:36:41 LOG7[6]: Option TCP_NODELAY set on local socket
> 2018.01.22 09:36:41 LOG5[6]: Service [gmail-pop3] accepted connection from 127.0.0.1:42040
> 2018.01.22 09:36:41 LOG6[6]: failover: round-robin, starting at entry #2
> 2018.01.22 09:36:41 LOG6[6]: s_connect: connecting 2a00:1450:4013:c00::6c:995
> 2018.01.22 09:36:41 LOG3[6]: s_connect: connect 2a00:1450:4013:c00::6c:995: Network unreachable (101)
> 2018.01.22 09:36:41 LOG6[6]: s_connect: connecting 108.177.119.108:995
> 2018.01.22 09:36:41 LOG7[6]: s_connect: s_poll_wait 108.177.119.108:995: waiting 10 seconds
> 2018.01.22 09:36:41 LOG5[6]: s_connect: connected 108.177.119.108:995
> 2018.01.22 09:36:41 LOG5[6]: Service [gmail-pop3] connected remote server from 10.244.0.21:51954
> 2018.01.22 09:36:41 LOG7[6]: Option TCP_NODELAY set on remote socket
> 2018.01.22 09:36:41 LOG7[6]: Remote descriptor (FD=9) initialized
> 2018.01.22 09:36:41 LOG6[6]: SNI: sending servername: pop.gmail.com
> 2018.01.22 09:36:41 LOG6[6]: Peer certificate required
> 2018.01.22 09:36:41 LOG7[6]: TLS state (connect): before/connect initialization
> 2018.01.22 09:36:41 LOG7[6]: TLS state (connect): SSLv3 write client hello A
> 2018.01.22 09:36:41 LOG7[6]: TLS state (connect): SSLv3 read server hello A
> 2018.01.22 09:36:41 LOG7[6]: Verification started at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
> 2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
> 2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=2: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
> 2018.01.22 09:36:41 LOG7[6]: Verification started at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
> 2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
> 2018.01.22 09:36:41 LOG6[6]: Certificate accepted at depth=1: C=US, O=Google Trust Services, CN=Google Internet Authority G3
> 2018.01.22 09:36:41 LOG7[6]: Verification started at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
> 2018.01.22 09:36:41 LOG7[6]: CERT: Pre-verification succeeded
> 2018.01.22 09:36:41 LOG4[6]: CERT: No matching host name found
> 2018.01.22 09:36:41 LOG4[6]: Rejected by CERT at depth=0: C=US, ST=California, L=Mountain View, O=Google Inc, CN=pop.gmail.com
> 2018.01.22 09:36:41 LOG7[6]: TLS alert (write): fatal: certificate unknown
> 2018.01.22 09:36:41 LOG3[6]: SSL_connect: 14007086: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
> 2018.01.22 09:36:41 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> 2018.01.22 09:36:41 LOG7[6]: Deallocating application specific data for session connect address
> 2018.01.22 09:36:41 LOG7[6]: Remote descriptor (FD=9) closed
> 2018.01.22 09:36:41 LOG7[6]: Local descriptor (FD=8) closed
> 2018.01.22 09:36:41 LOG7[6]: Service [gmail-pop3] finished (0 left)
>
> Mit freundlichen Grüßen / Best regards
>
> Gerrit Schmitz
> CC-AD/PJ-MBB
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
>
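For anyone chasing the same "CERT: No matching host name found" line, here is an added illustration of what checkHost actually tests. It is not stunnel's code and not part of either message above. stunnel hands the configured name to the TLS library, which compares it against the peer certificate's subjectAltName dNSName entries and consults the subject CN only when the certificate carries no dNSName at all (the default X509_check_host behaviour in OpenSSL 1.0.2 and later, which is why the library the binary is built against matters). The Python below re-implements that matching rule offline over certificate dictionaries in the shape returned by ssl.SSLSocket.getpeercert(). The three certificates are constructed for the example, not captured from pop.gmail.com, and the wildcard rule is deliberately stricter than OpenSSL's default (the wildcard must be the entire leftmost label).

```python
"""Hostname matching in the style of stunnel's checkHost.

Added example, not stunnel's own code. stunnel passes the checkHost value
to the TLS library, which compares it against the peer certificate's
subjectAltName dNSName entries and consults the subject CN only when the
certificate carries no dNSName at all (default X509_check_host behaviour
in OpenSSL 1.0.2+). This re-implements that rule offline over certificate
dictionaries shaped like ssl.SSLSocket.getpeercert() output.
"""
import ipaddress
from typing import Optional


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is presentation only.
    return name.rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 6.4.3 matching: exact, or a wildcard that is the whole leftmost label.

    Stricter than OpenSSL's default, which also accepts partial wildcards
    such as f*o.example.net.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the entire leftmost label, nowhere else, and with at
    # least two literal labels behind it (so "*.com" never matches anything).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so the label counts must agree.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_names(cert: dict) -> list:
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_host(cert: dict, hostname: str) -> Optional[str]:
    """Return the certificate name that matched, or None ("No matching host name found")."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal may only match an iPAddress SAN, never a dNSName or the CN.
        for kind, v in cert.get("subjectAltName", ()):
            if kind == "IP Address" and ipaddress.ip_address(v) == wanted_ip:
                return v
        return None
    dns_names = san_dns_names(cert)
    # CN fallback only when the certificate has no dNSName entries at all.
    candidates = dns_names if dns_names else subject_common_names(cert)
    for name in candidates:
        if dns_name_matches(name, hostname):
            return name
    return None


# Constructed sample certificates for this example; not captured from pop.gmail.com.
CERT_WITH_SAN = {
    "subject": ((("countryName", "US"),), (("commonName", "pop.gmail.com"),)),
    "subjectAltName": (("DNS", "pop.gmail.com"), ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {  # legacy certificate without any SAN: the CN is consulted
    "subject": ((("commonName", "pop.gmail.com"),),),
}
CERT_SAN_MISMATCH = {  # CN looks right, but dNSName entries exist, so the CN is ignored
    "subject": ((("commonName", "pop.gmail.com"),),),
    "subjectAltName": (("DNS", "imap.example.net"), ("DNS", "*.example.net")),
}

if __name__ == "__main__":
    for label, cert in [("SAN", CERT_WITH_SAN), ("CN only", CERT_CN_ONLY), ("SAN mismatch", CERT_SAN_MISMATCH)]:
        matched = check_host(cert, "pop.gmail.com")
        print(f"{label:13s} checkHost=pop.gmail.com -> {matched or 'No matching host name found'}")
```

The third certificate is the instructive one: a CN of pop.gmail.com does not rescue a certificate whose dNSName list points elsewhere, so a log line like the one above can mean either that the name genuinely is not in the SAN list or, as Florian suggests, that the library build does not perform the comparison the way stunnel expects. To separate the two without stunnel in the loop, `openssl s_client -connect pop.gmail.com:995 -verify_hostname pop.gmail.com -CApath /etc/ssl/certs/` runs the same library-level check against the live server.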