I am currently trying to setup stunnel to help me send emails from a program that sends alerts but does not use SSL, to a cloud email service that I use that requires SSL. I have the configuration setup trying to find out where the error is, and I am down to this last error. SSL23_GET_CLIENT_HELLO:unknown protocol Here is my config file. ; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options ; ************************************************************************** ; * Global options * ; ************************************************************************** ; Debugging stuff (may useful for troubleshooting) ;debug = 7 ;output = stunnel.log ; Disable FIPS mode to allow non-approved protocols and algorithms fips = no ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode cert = stunnel.pem ;key = stunnel.pem ; Authentication stuff needs to be configured to prevent MITM attacks ; It is not enabled by default! ;verify = 2 ; Don't forget to c_rehash CApath ;CApath = certs ; It's often easier to use CAfile ;CAfile = certs.pem ; Don't forget to c_rehash CRLpath ;CRLpath = crls ; Alternatively CRLfile can be used ;CRLfile = crls.pem sslVersion = all ; Disable support for insecure SSLv2 protocol options = NO_SSLv2 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Service definitions (at least one service has to be defined) * ; ************************************************************************** ; The default certificate cert = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Set client mode client = yes ; GMail ssmtp settings [ssmtp] accept = 25 connect = 174.129.0.38:465 ; GMail pop3s settings [pop3s] accept = 110 connect = 174.129.0.38:995 ; GMail imaps settings [imaps] accept = 143 connect = 174.129.0.38:993 ; Example SSL front-end to a web server ;[https] ;accept = 443 ;connect = 80 ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL ; Microsoft implementations do not use SSL close-notify alert and thus ; they are vulnerable to truncation attacks ;TIMEOUTclose = 0 ; vim:ft=dosini
Try specifying the ssl versions and options that you want or don't want explicitly. On Jan 11, 2013 5:09 PM, "Brandon Glenn" <kocrachon@gmail.com> wrote:
I am currently trying to setup stunnel to help me send emails from a program that sends alerts but does not use SSL, to a cloud email service that I use that requires SSL. I have the configuration setup trying to find out where the error is, and I am down to this last error.
SSL23_GET_CLIENT_HELLO:unknown protocol
Here is my config file.
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; Disable FIPS mode to allow non-approved protocols and algorithms
fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
sslVersion = all
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************
; The default certificate
cert = stunnel.pem
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
; Set client mode client = yes
; GMail ssmtp settings
[ssmtp]
accept = 25
connect = 174.129.0.38:465
; GMail pop3s settings
[pop3s]
accept = 110
connect = 174.129.0.38:995
; GMail imaps settings
[imaps]
accept = 143
connect = 174.129.0.38:993
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
participants (2)
-
Brandon Glenn -
Brian Wilkins