[stunnel-users] Issue with Office365 certificates

Flo Rance trourance at gmail.com
Fri Nov 9 14:44:32 CET 2018


Weird, I tried and it works perfectly for me using your configuration and
stunnel 5.48.

*OCSPaia* = yes

2018.11.09 14:39:56 LOG6[0]: SNI: sending servername: outlook.office365.com
2018.11.09 14:39:56 LOG6[0]: Peer certificate required
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): before SSL initialization
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello
2018.11.09 14:39:56 LOG7[0]: TLS state (connect): SSLv3/TLS read server
hello
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=2: C=US,
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:39:56 LOG7[0]: OCSP: Ignoring root certificate
2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=2: C=US,
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=1: C=US,
O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "
http://ocsp.digicert.com"
2018.11.09 14:39:56 LOG6[0]: s_connect: connecting 93.184.220.29:80
2018.11.09 14:39:56 LOG7[0]: s_connect: s_poll_wait 93.184.220.29:80:
waiting 10 seconds
2018.11.09 14:39:56 LOG5[0]: s_connect: connected 93.184.220.29:80
2018.11.09 14:39:56 LOG7[0]: OCSP: Connected ocsp.digicert.com:80
2018.11.09 14:39:56 LOG7[0]: OCSP: Response received
2018.11.09 14:39:56 LOG6[0]: OCSP: Status: good
2018.11.09 14:39:56 LOG6[0]: OCSP: This update: Nov  9 00:00:00 2018 GMT
2018.11.09 14:39:56 LOG6[0]: OCSP: Next update: Nov 16 00:00:00 2018 GMT
2018.11.09 14:39:56 LOG5[0]: OCSP: Certificate accepted
2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=1: C=US,
O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=0: C=US,
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:39:56 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:39:56 LOG6[0]: CERT: Host name "outlook.office365.com"
matched with "*.office365.com"
2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "
http://ocspx.digicert.com"
2018.11.09 14:39:56 LOG6[0]: s_connect: connecting 93.184.220.29:80
2018.11.09 14:39:56 LOG7[0]: s_connect: s_poll_wait 93.184.220.29:80:
waiting 10 seconds
2018.11.09 14:39:57 LOG5[0]: s_connect: connected 93.184.220.29:80
2018.11.09 14:39:57 LOG7[0]: OCSP: Connected ocspx.digicert.com:80
2018.11.09 14:39:57 LOG7[0]: OCSP: Response received
2018.11.09 14:39:57 LOG3[0]: OCSP: Responder error: 6: unauthorized
2018.11.09 14:39:57 LOG4[0]: Rejected by OCSP at depth=0: C=US,
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:39:57 LOG7[0]: Remove session callback
2018.11.09 14:39:57 LOG7[0]: TLS alert (write): fatal: handshake failure
2018.11.09 14:39:57 LOG3[0]: SSL_connect: 1416F086: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed


*OCSPaia* = no

2018.11.09 14:41:17 LOG6[0]: SNI: sending servername: outlook.office365.com
2018.11.09 14:41:17 LOG6[0]: Peer certificate required
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): before SSL initialization
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server
hello
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=2: C=US,
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:41:17 LOG6[0]: Certificate accepted at depth=2: C=US,
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=1: C=US,
O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:41:17 LOG6[0]: Certificate accepted at depth=1: C=US,
O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:41:17 LOG7[0]: Verification started at depth=0: C=US,
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:41:17 LOG7[0]: CERT: Pre-verification succeeded
2018.11.09 14:41:17 LOG6[0]: CERT: Host name "outlook.office365.com"
matched with "*.office365.com"
2018.11.09 14:41:17 LOG5[0]: Certificate accepted at depth=0: C=US,
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server
certificate
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server key
exchange
2018.11.09 14:41:17 LOG6[0]: Client certificate not requested
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client
key exchange
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write change
cipher spec
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read change
cipher spec
2018.11.09 14:41:17 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2018.11.09 14:41:17 LOG7[0]: New session callback
2018.11.09 14:41:17 LOG7[0]: Peer certificate was cached (4683 bytes)
2018.11.09 14:41:17 LOG7[0]:      1 client connect(s) requested
2018.11.09 14:41:17 LOG7[0]:      1 client connect(s) succeeded
2018.11.09 14:41:17 LOG7[0]:      0 client renegotiation(s) requested
2018.11.09 14:41:17 LOG7[0]:      0 session reuse(s)
2018.11.09 14:41:17 LOG6[0]: TLS connected: new session negotiated
2018.11.09 14:41:17 LOG6[0]: TLSv1.2 ciphersuite:
ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2018.11.09 14:41:17 LOG7[0]: Compression: null, expansion: null
2018.11.09 14:41:17 LOG6[0]: TLS socket closed (read hangup)
2018.11.09 14:41:17 LOG7[0]: Sent socket write shutdown
2018.11.09 14:41:17 LOG6[0]: Read socket closed (readsocket)
2018.11.09 14:41:17 LOG7[0]: Sending close_notify alert
2018.11.09 14:41:17 LOG7[0]: TLS alert (write): warning: close notify
2018.11.09 14:41:17 LOG6[0]: SSL_shutdown successfully sent close_notify
alert
2018.11.09 14:41:17 LOG5[0]: Connection closed: 24 byte(s) sent to TLS, 386
byte(s) sent to socket
2018.11.09 14:41:17 LOG7[0]: Remote descriptor (FD=8) closed
2018.11.09 14:41:17 LOG7[0]: Local descriptor (FD=3) closed
2018.11.09 14:41:17 LOG7[0]: Service [imaps] finished (0 left)

Regards,
Flo

On Fri, Nov 9, 2018 at 1:02 PM <milanimarco82 at libero.it> wrote:

> Thanks for your suggestion, I just tried but nothing changed.
>
> On 9 November 2018 at 12.44 Flo Rance <trourance at gmail.com> wrote:
>
> Hi,
>
> Damn, it seems that there's a serious issue with OCSP and Microsoft
> certificates.
>
>
> You can try to put the option: *OCSPaia* = no to see if it fixes the
> issue, but it seems that it needs further investigations.
>
> https://www.stunnel.org/static/stunnel.html
>
> Regards,
> Flo
>
> On Fri, Nov 9, 2018 at 12:36 PM <milanimarco82 at libero.it> wrote:
>
> Hello,
>
> I'm encountering an issue while using sTunnel with an Office365 account.
>
> sTunnel worked properly for a few months, but since yesterday it has given
> an error with certificates, although we didn't change anything in the
> configuration.
>
> This is our configuration:
>
> [pop3s]
> client = yes
> accept = 127.0.0.1:2001
> connect = outlook.office365.com:995
> CAfile = C:\Program Files (x86)\stunnel\config\ca-certs.pem
> checkHost = outlook.office365.com
> verifyChain = yes
> OCSPaia = yes
>
> This is what we get in the log:
>
> 2018.11.09 11:34:09 LOG7[main]: Found 1 ready file descriptor(s)
> 2018.11.09 11:34:09 LOG7[main]: FD=432 ifds=r-x ofds=---
> 2018.11.09 11:34:09 LOG7[main]: Service [pop3s] accepted (FD=672) from
> 127.0.0.1:49619
> 2018.11.09 11:34:09 LOG7[main]: Creating a new thread
> 2018.11.09 11:34:09 LOG7[main]: New thread created
> 2018.11.09 11:34:09 LOG7[30]: Service [pop3s] started
> 2018.11.09 11:34:09 LOG7[30]: Setting local socket options (FD=672)
> 2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on local socket
> 2018.11.09 11:34:09 LOG5[30]: Service [pop3s] accepted connection from
> 127.0.0.1:49619
> 2018.11.09 11:34:09 LOG6[30]: failover: priority, starting at entry #0
> 2018.11.09 11:34:09 LOG6[30]: s_connect: connecting 40.101.9.178:995
> 2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait 40.101.9.178:995:
> waiting 10 seconds
> 2018.11.09 11:34:09 LOG5[30]: s_connect: connected 40.101.9.178:995
> 2018.11.09 11:34:09 LOG5[30]: Service [pop3s] connected remote server from
> 172.31.20.23:49620
> 2018.11.09 11:34:09 LOG7[30]: Setting remote socket options (FD=668)
> 2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on remote socket
> 2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) initialized
> 2018.11.09 11:34:09 LOG6[30]: SNI: sending servername:
> outlook.office365.com
> 2018.11.09 11:34:09 LOG6[30]: Peer certificate required
> 2018.11.09 11:34:09 LOG7[30]: TLS state (connect): before/connect
> initialization
> 2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv2/v3 write client
> hello A
> 2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv3 read server hello
> A
> 2018.11.09 11:34:09 LOG7[30]: Verification started at depth=2: C=US,
> O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
> 2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
> 2018.11.09 11:34:09 LOG7[30]: OCSP: Ignoring root certificate
> 2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=2: C=US,
> O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
> 2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: C=US,
> O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
> 2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
> 2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "
> http://ocsp.digicert.com"
> 2018.11.09 11:34:09 LOG6[30]: s_connect: connecting 93.184.220.29:80
> 2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait 93.184.220.29:80:
> waiting 10 seconds
> 2018.11.09 11:34:09 LOG5[30]: s_connect: connected 93.184.220.29:80
> 2018.11.09 11:34:09 LOG7[30]: OCSP: Connected ocsp.digicert.com:80
> 2018.11.09 11:34:09 LOG7[30]: OCSP: Response received
> 2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good
> 2018.11.09 11:34:09 LOG6[30]: OCSP: This update: Nov 9 00:00:00 2018 GMT
> 2018.11.09 11:34:09 LOG6[30]: OCSP: Next update: Nov 16 00:00:00 2018 GMT
> 2018.11.09 11:34:09 LOG5[30]: OCSP: Certificate accepted
> 2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=1: C=US,
> O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
> 2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: C=US,
> ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
> 2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
> 2018.11.09 11:34:09 LOG6[30]: CERT: Host name "outlook.office365.com"
> matched with "*.office365.com"
> 2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "
> http://ocspx.digicert.com"
> 2018.11.09 11:34:09 LOG6[30]: s_connect: connecting 93.184.220.29:80
> 2018.11.09 11:34:09 LOG7[30]: s_connect: s_poll_wait 93.184.220.29:80:
> waiting 10 seconds
> 2018.11.09 11:34:09 LOG5[30]: s_connect: connected 93.184.220.29:80
> 2018.11.09 11:34:09 LOG7[30]: OCSP: Connected ocspx.digicert.com:80
> 2018.11.09 11:34:09 LOG7[30]: OCSP: Response received
> 2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized
> 2018.11.09 11:34:09 LOG4[30]: Rejected by OCSP at depth=0: C=US,
> ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
> 2018.11.09 11:34:09 LOG7[30]: TLS alert (write): fatal: handshake failure
> 2018.11.09 11:34:09 LOG3[30]: SSL_connect: 14090086: error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed
> 2018.11.09 11:34:09 LOG5[30]: Connection reset: 0 byte(s) sent to TLS, 0
> byte(s) sent to socket
> 2018.11.09 11:34:09 LOG7[30]: Deallocating application specific data for
> session connect address
> 2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) closed
> 2018.11.09 11:34:09 LOG7[30]: Local descriptor (FD=672) closed
> 2018.11.09 11:34:09 LOG7[30]: Service [pop3s] finished (0 left)
>
>
> Can you please help me?
>
> Thanks in advance!
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
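The two traces above differ only in how stunnel treats depth 0: with OCSPaia = yes the AIA responder for the leaf answers "Responder error: 6: unauthorized" and stunnel rejects the certificate, while with OCSPaia = no no AIA lookup is made and the chain is accepted. When triaging such reports it helps to separate a responder that refused to answer (which says nothing about revocation) from a genuine "revoked" status. The script below is an added example, not stunnel's code and not from either poster: it parses the LOG5..LOG7 verification lines stunnel emits in client mode, re-joins lines that were wrapped by the mailer, and classifies each chain depth. The sample log is constructed from the lines quoted in this thread; the response-status number 6 is the RFC 6960 OCSPResponseStatus value "unauthorized", as stunnel reports it.

```python
"""Summarise certificate-chain verification from stunnel client-mode logs.

Added example (not stunnel's own code). It reads the verification lines
stunnel logs while checking a peer chain and reports, per depth, whether the
certificate was accepted and, when OCSP rejected it, whether that rejection
carried a real status (revoked) or came from a responder that refused to
answer (e.g. "Responder error: 6: unauthorized").
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One stunnel log line: "YYYY.MM.DD HH:MM:SS LOG<level>[<conn>]: <message>"
_LINE = re.compile(
    r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(?P<level>\d)\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$"
)
_STARTED = re.compile(r"Verification started at depth=(\d+): (.*)")
_ACCEPTED = re.compile(r"Certificate accepted at depth=(\d+)")
_REJECTED = re.compile(r"Rejected by OCSP at depth=(\d+)")
_RESPONDER = re.compile(r'OCSP: Connecting the AIA responder "\s*(\S+?)\s*"')
_STATUS = re.compile(r"OCSP: Status: (\w+)")
_RESP_ERR = re.compile(r"OCSP: Responder error: (\d+): (\w+)")


@dataclass
class Hop:
    depth: int
    subject: str
    responder: Optional[str] = None
    cert_status: Optional[str] = None                 # good / revoked / unknown
    responder_error: Optional[Tuple[int, str]] = None  # (OCSPResponseStatus, text)
    outcome: str = "pending"                          # accepted / rejected_by_ocsp


def _unwrap(lines: List[str]) -> List[str]:
    """Join mail-wrapped continuation lines back onto the log line they belong to."""
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if _LINE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def parse_chain_log(text: str) -> Dict[str, List[Hop]]:
    """Return, per stunnel connection id, the chain hops in verification order."""
    hops: Dict[str, List[Hop]] = {}
    for line in _unwrap(text.splitlines()):
        m = _LINE.match(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        chain = hops.setdefault(conn, [])
        started = _STARTED.search(msg)
        if started:
            chain.append(Hop(int(started.group(1)), started.group(2).strip()))
            continue
        if not chain:
            continue  # verification of this connection has not started yet
        hop = chain[-1]
        if (r := _RESPONDER.search(msg)):
            hop.responder = r.group(1)
        elif (r := _STATUS.search(msg)):
            hop.cert_status = r.group(1)
        elif (r := _RESP_ERR.search(msg)):
            hop.responder_error = (int(r.group(1)), r.group(2))
        elif _ACCEPTED.search(msg):
            hop.outcome = "accepted"
        elif _REJECTED.search(msg):
            hop.outcome = "rejected_by_ocsp"
    return hops


def classify(hop: Hop) -> str:
    """Turn one hop into a triage verdict."""
    if hop.outcome == "accepted":
        return "ok"
    if hop.outcome != "rejected_by_ocsp":
        return "incomplete"
    if hop.cert_status == "revoked":
        return "revoked"
    if hop.responder_error is not None:
        # The responder produced no status for this certificate at all, so the
        # rejection is a failure to obtain revocation data, not evidence of it.
        return "responder_problem"
    return "unknown"


def summarize(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map connection id -> [(depth, verdict), ...] in verification order."""
    return {conn: [(h.depth, classify(h)) for h in chain]
            for conn, chain in parse_chain_log(text).items()}


# Constructed sample, assembled from the OCSPaia = yes trace in this thread
# (line wrapping kept on purpose to exercise _unwrap).
SAMPLE_LOG = """\
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=2: C=US,
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:39:56 LOG7[0]: OCSP: Ignoring root certificate
2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=2: C=US,
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=1: C=US,
O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "
http://ocsp.digicert.com"
2018.11.09 14:39:56 LOG6[0]: OCSP: Status: good
2018.11.09 14:39:56 LOG5[0]: OCSP: Certificate accepted
2018.11.09 14:39:56 LOG6[0]: Certificate accepted at depth=1: C=US,
O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 14:39:56 LOG7[0]: Verification started at depth=0: C=US,
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 14:39:56 LOG5[0]: OCSP: Connecting the AIA responder "
http://ocspx.digicert.com"
2018.11.09 14:39:57 LOG3[0]: OCSP: Responder error: 6: unauthorized
2018.11.09 14:39:57 LOG4[0]: Rejected by OCSP at depth=0: C=US,
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
"""

if __name__ == "__main__":
    for conn, results in summarize(SAMPLE_LOG).items():
        for depth, verdict in results:
            print(f"conn {conn} depth={depth}: {verdict}")
```

Run against the sample it reports depth 2 and depth 1 as ok and depth 0 as responder_problem, which is the shape of both failing traces in this thread. Setting OCSPaia = no makes the handshake succeed because stunnel then skips the AIA responders entirely, so nothing in the chain is checked for revocation unless an explicit OCSP responder URL or a CRL (CRLfile / CRLpath) is configured; it is a workaround for a responder that will not answer, not a fix for the check itself.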