
Dear Users,

I have released version 5.11 of stunnel.

The ChangeLog entry:

Version 5.11, 2015.03.11, urgency: LOW:
* New features
  - OpenSSL DLLs updated to version 1.0.2.
  - Removed dereferences of internal OpenSSL data structures.
  - PSK key lookup algorithm performance improved from O(N) (linear) to O(log N) (logarithmic).
* Bugfixes
  - Fixed peer certificate list in the main window on Win32 (thx to @fyer for reporting it).
  - Fixed console logging in tstunnel.exe.
  - _tputenv_s() replaced with more portable _tputenv() on Win32.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
71a8bc37e58e34509b0267ade02292994c7a127f14d6e5ba03081db695edff8c stunnel-5.11.tar.gz
3511a4bf27bcffdb69c3b2b2d5989d0b1d7b033a28f0c8d53cdd622555326487 stunnel-5.11-installer.exe
ccebef146d5c28854aa538e2ff8f7d1d1eb822d2ab51689aa88d39a1c3026776 stunnel-5.11-android.zip

Best regards,
Mike

Hi,

This version can't connect to Hotmail/Live/Outlook POP3 with the same configuration as 5.10. Under Windows 2000, but it happens in XP too.

LOG3[1220]: SSL_connect: Peer suddenly disconnected
LOG5[1220]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

Configuration. The bottom lines with ";" are from when I used to verify the certs:

[pop3hotmailSSL]
client = yes
accept = 127.0.0.1:56417
connect = pop3.live.com:995
; CAfile = peer-cert\peer-pop3hotmailSSL.pem
; verify = 3

Could it be because they use RC4-MD5 and, after the new FREAK attack, you (or OpenSSL) removed the option of weak ciphers, even though you don't mention it in the changelog? Just guessing.

I attach both logs to compare, even though they don't tell too much. Until the connection, "all" is the same except the OpenSSL version.

Regards.

Javier wrote:
> connect = pop3.live.com:995
<cut>
> I attach both logs to compare, even don't tell too much. Until the connection "all" is the same except OpenSSL version.

It indeed seems to be caused by the OpenSSL version:

$ /usr/bin/openssl version
OpenSSL 1.0.1k 8 Jan 2015
$ /usr/bin/openssl s_client -connect pop3.live.com:995
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 2656 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 5B1C000024A49549D3FC25B82623E52CFD62A118EA36198E88369773F5E9EA53
    Session-ID-ctx:
    Master-Key: EA7B5AFEA681E4599551C67F7777F519123B714585F1948B498D0ADD4412CD023A91BD5947C41B177A31D4A420E495E9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1426106767
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK BLU0-POP741 POP3 server ready
^C
$ /usr/local/ssl/bin/openssl version
OpenSSL 1.0.2 22 Jan 2015
$ /usr/local/ssl/bin/openssl s_client -connect pop3.live.com:995
CONNECTED(00000003)
140039514363536:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 361 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

I found two workarounds:
1. Force TLSv1 handshake: sslVersion = TLSv1
2. Enable FIPS mode: fips = yes

Mike
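The version comparison Mike ran above, as an added example (not code from the thread or from stunnel): a POSIX shell helper that summarises what `openssl s_client` negotiated and, given a host, retries the handshake one TLS version at a time using the real s_client flags -tls1, -tls1_1 and -tls1_2. The two sample transcripts are constructed from the output quoted above; the weak-cipher list is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from stunnel: summarise what
# "openssl s_client" negotiated, and probe a server one TLS version at a time.

# tls_summary: read s_client output on stdin; print "PROTO CIPHER" and return 0
# on success, or print "NONE NONE" and return 1 when no cipher was negotiated.
tls_summary() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*|*"handshake failure"*)
            echo "NONE NONE"; return 1 ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    [ -n "$proto" ] && [ -n "$cipher" ] || { echo "NONE NONE"; return 1; }
    echo "$proto $cipher"
}

# is_weak_cipher NAME: true for suites built on RC4, MD5, DES/3DES, export or
# NULL grades (assumed list), i.e. the kind of offer a newer OpenSSL may refuse.
is_weak_cipher() {
    case "$1" in
        *RC4*|*MD5*|*DES*|*EXP*|*NULL*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_versions HOST:PORT: one handshake per protocol version (real s_client
# flags), so a server that only completes TLSv1 stands out. Needs network.
probe_versions() {
    for v in tls1 tls1_1 tls1_2; do
        printf '%-7s ' "$v"
        openssl s_client -connect "$1" "-$v" </dev/null 2>&1 | tls_summary || true
    done
}

# Constructed transcripts, trimmed from the 1.0.1k (works) and 1.0.2 (fails) runs.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_FAIL='140039514363536:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
New, (NONE), Cipher is (NONE)'

printf '%s\n' "$SAMPLE_OK" | tls_summary              # TLSv1 RC4-MD5
printf '%s\n' "$SAMPLE_FAIL" | tls_summary || true    # NONE NONE
# Live check, e.g.: probe_versions pop3.live.com:995
```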

On Wed, 11 Mar 2015 22:15:30 +0100 Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
> I found two workarounds:
> 1. Force TLSv1 handshake: sslVersion = TLSv1
> 2. Enable FIPS mode: fips = yes
> Mike

Hi,

Thanks for the help. I went for the first and it is working :-)

From my ignorance, it looks like OpenSSL wants to negotiate with the highest TLS version and, if it is not available, it is closed. They have banned lower versions as browsers have done.

On the other hand, MS should be using higher but...

Regards.