Nick Name
2014-05-02 23:19:34 UTC
The only way I can get stunnel to work is to comment out the
"verify = " line. If I uncomment it, I get this in my
stunnel.log:
2014.05.02 19:06:00 LOG5[1108]: Reading configuration from
file stunnel.conf
2014.05.02 19:06:00 LOG5[1108]: FIPS mode disabled
2014.05.02 19:06:00 LOG6[1108]: Compression enabled: 2
algorithm(s)
2014.05.02 19:06:00 LOG7[1108]: Snagged 64 random bytes from
C:/.rnd
2014.05.02 19:06:00 LOG7[1108]: Wrote 0 new random bytes to
C:/.rnd
2014.05.02 19:06:00 LOG7[1108]: PRNG seeded successfully
2014.05.02 19:06:00 LOG6[1108]: Initializing service [nntps]
2014.05.02 19:06:00 LOG7[1108]: No private key specified
2014.05.02 19:06:00 LOG3[1108]: Error loading verify
certificates from certs.pem
2014.05.02 19:06:00 LOG3[1108]: error queue: B084002:
error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib
2014.05.02 19:06:00 LOG3[1108]: error queue: 2006D080:
error:2006D080:BIO routines:BIO_new_file:no such file
2014.05.02 19:06:00 LOG3[1108]:
SSL_CTX_load_verify_locations: 2001002:
error:02001002:system library:fopen:No such file or directory
2014.05.02 19:06:00 LOG3[1108]: Service [nntps]: Failed to
initialize SSL context
2014.05.02 19:06:00 LOG3[1108]: Failed to reload the
configuration file
2014.05.02 19:06:00 LOG7[1108]: Signal pipe is empty
I use stunnel in client mode only, not as a server.
Here's what my stunnel.conf looks like when it works:
; Sample stunnel configuration file for Win32 by Michal
Trojnara 2002-2012
; Some options used here may be inadequate for your
particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of
available options
;
**************************************************************************
; * Global options
*
;
**************************************************************************
compression = zlib
; Debugging stuff (may useful for troubleshooting)
debug = 7
output = C:\logs\stunnel\stunnel.log
; Disable FIPS mode to allow non-approved protocols and
algorithms
;fips = no
;
**************************************************************************
; * Service defaults may also be specified in individual
service sections *
;
**************************************************************************
; Certificate/key is needed in server mode and optional in
client mode
;cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent
MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
; Disable support for insecure SSLv2 protocol
;options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some
performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
;
**************************************************************************
; * Service definitions (at least one service has to be
defined) *
;
**************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in
Microsoft SSL
; Microsoft implementations do not use SSL close-notify
alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
[nntps]
client = yes
accept = 119
connect = secure-us.news.easynews.com:80
"verify = " line. If I uncomment it, I get this in my
stunnel.log:
2014.05.02 19:06:00 LOG5[1108]: Reading configuration from
file stunnel.conf
2014.05.02 19:06:00 LOG5[1108]: FIPS mode disabled
2014.05.02 19:06:00 LOG6[1108]: Compression enabled: 2
algorithm(s)
2014.05.02 19:06:00 LOG7[1108]: Snagged 64 random bytes from
C:/.rnd
2014.05.02 19:06:00 LOG7[1108]: Wrote 0 new random bytes to
C:/.rnd
2014.05.02 19:06:00 LOG7[1108]: PRNG seeded successfully
2014.05.02 19:06:00 LOG6[1108]: Initializing service [nntps]
2014.05.02 19:06:00 LOG7[1108]: No private key specified
2014.05.02 19:06:00 LOG3[1108]: Error loading verify
certificates from certs.pem
2014.05.02 19:06:00 LOG3[1108]: error queue: B084002:
error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib
2014.05.02 19:06:00 LOG3[1108]: error queue: 2006D080:
error:2006D080:BIO routines:BIO_new_file:no such file
2014.05.02 19:06:00 LOG3[1108]:
SSL_CTX_load_verify_locations: 2001002:
error:02001002:system library:fopen:No such file or directory
2014.05.02 19:06:00 LOG3[1108]: Service [nntps]: Failed to
initialize SSL context
2014.05.02 19:06:00 LOG3[1108]: Failed to reload the
configuration file
2014.05.02 19:06:00 LOG7[1108]: Signal pipe is empty
I use stunnel in client mode only, not as a server.
Here's what my stunnel.conf looks like when it works:
; Sample stunnel configuration file for Win32 by Michal
Trojnara 2002-2012
; Some options used here may be inadequate for your
particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of
available options
;
**************************************************************************
; * Global options
*
;
**************************************************************************
compression = zlib
; Debugging stuff (may useful for troubleshooting)
debug = 7
output = C:\logs\stunnel\stunnel.log
; Disable FIPS mode to allow non-approved protocols and
algorithms
;fips = no
;
**************************************************************************
; * Service defaults may also be specified in individual
service sections *
;
**************************************************************************
; Certificate/key is needed in server mode and optional in
client mode
;cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent
MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
; Disable support for insecure SSLv2 protocol
;options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some
performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
;
**************************************************************************
; * Service definitions (at least one service has to be
defined) *
;
**************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in
Microsoft SSL
; Microsoft implementations do not use SSL close-notify
alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
[nntps]
client = yes
accept = 119
connect = secure-us.news.easynews.com:80