Thanks for your suggestion, I just tried but nothing changed. 

> On 9 November 2018 at 12:44, Flo Rance <[email protected]> wrote:
> 
>     Hi,
> 
>     Damn, it seems that there's a serious issue with OCSP and Microsoft 
> certificates.
> 
>     You can try to put the option: OCSPaia = no to see if it fixes the issue, 
> but it seems that it needs further investigation.
> 
>     https://www.stunnel.org/static/stunnel.html
> 
>     Regards,
>     Flo
> 
>     On Fri, Nov 9, 2018 at 12:36 PM <[email protected]> wrote:
> 
> >         Hello, 
> > 
> >         I'm encountering an issue while using sTunnel with an Office365 
> > account. 
> > 
> >         sTunnel worked properly for a few months, but it has given an error 
> > with certificates since yesterday, although we didn't change anything in the 
> > configuration. 
> > 
> >         This is our configuration:
> > 
> >         [pop3s]
> >         client = yes
> >         accept = 127.0.0.1:2001
> >         connect = outlook.office365.com:995
> >         CAfile = C:\Program Files (x86)\stunnel\config\ca-certs.pem
> >         checkHost = outlook.office365.com
> >         verifyChain = yes
> >         OCSPaia = yes
> > 
> >         This is what we get in the log:
> > 
> >         2018.11.09 11:34:09 LOG7[main]: Found 1 ready file descriptor(s)
> >         2018.11.09 11:34:09 LOG7[main]: FD=432 ifds=r-x ofds=---
> >         2018.11.09 11:34:09 LOG7[main]: Service [pop3s] accepted (FD=672) 
> > from 127.0.0.1:49619
> >         2018.11.09 11:34:09 LOG7[main]: Creating a new thread
> >         2018.11.09 11:34:09 LOG7[main]: New thread created
> >         2018.11.09 11:34:09 LOG7[30]: Service [pop3s] started
> >         2018.11.09 11:34:09 LOG7[30]: Setting local socket options (FD=672)
> >         2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on local socket
> >         2018.11.09 11:34:09 LOG5[30]: Service [pop3s] accepted connection 
> > from 127.0.0.1:49619
> >         2018.11.09 11:34:09 LOG6[30]: failover: priority, starting at entry 
> > #0
> >         2018.11.09 11:34:09 LOG6[30]: s_connect: 
> > connecting 40.101.9.178:995
> >         2018.11.09 11:34:09 LOG7[30]: s_connect: 
> > s_poll_wait 40.101.9.178:995: waiting 10 seconds
> >         2018.11.09 11:34:09 LOG5[30]: s_connect: 
> > connected 40.101.9.178:995
> >         2018.11.09 11:34:09 LOG5[30]: Service [pop3s] connected remote 
> > server from 172.31.20.23:49620
> >         2018.11.09 11:34:09 LOG7[30]: Setting remote socket options (FD=668)
> >         2018.11.09 11:34:09 LOG7[30]: Option TCP_NODELAY set on remote 
> > socket
> >         2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) initialized
> >         2018.11.09 11:34:09 LOG6[30]: SNI: sending 
> > servername: outlook.office365.com
> >         2018.11.09 11:34:09 LOG6[30]: Peer certificate required
> >         2018.11.09 11:34:09 LOG7[30]: TLS state (connect): before/connect 
> > initialization
> >         2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv2/v3 write 
> > client hello A
> >         2018.11.09 11:34:09 LOG7[30]: TLS state (connect): SSLv3 read 
> > server hello A
> >         2018.11.09 11:34:09 LOG7[30]: Verification started at depth=2: 
> > C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root 
> > CA
> >         2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
> >         2018.11.09 11:34:09 LOG7[30]: OCSP: Ignoring root certificate
> >         2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=2: 
> > C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root 
> > CA
> >         2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: 
> > C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
> >         2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
> >         2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder 
> > "http://ocsp.digicert.com"
> >         2018.11.09 11:34:09 LOG6[30]: s_connect: 
> > connecting 93.184.220.29:80
> >         2018.11.09 11:34:09 LOG7[30]: s_connect: 
> > s_poll_wait 93.184.220.29:80: waiting 10 seconds
> >         2018.11.09 11:34:09 LOG5[30]: s_connect: 
> > connected 93.184.220.29:80
> >         2018.11.09 11:34:09 LOG7[30]: OCSP: 
> > Connected ocsp.digicert.com:80
> >         2018.11.09 11:34:09 LOG7[30]: OCSP: Response received
> >         2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good
> >         2018.11.09 11:34:09 LOG6[30]: OCSP: This update: Nov 9 00:00:00 
> > 2018 GMT
> >         2018.11.09 11:34:09 LOG6[30]: OCSP: Next update: Nov 16 00:00:00 
> > 2018 GMT
> >         2018.11.09 11:34:09 LOG5[30]: OCSP: Certificate accepted
> >         2018.11.09 11:34:09 LOG6[30]: Certificate accepted at depth=1: 
> > C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
> >         2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: 
> > C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
> > CN=outlook.com
> >         2018.11.09 11:34:09 LOG7[30]: CERT: Pre-verification succeeded
> >         2018.11.09 11:34:09 LOG6[30]: CERT: Host name 
> > "outlook.office365.com" matched with "*.office365.com"
> >         2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder 
> > "http://ocspx.digicert.com"
> >         2018.11.09 11:34:09 LOG6[30]: s_connect: 
> > connecting 93.184.220.29:80
> >         2018.11.09 11:34:09 LOG7[30]: s_connect: 
> > s_poll_wait 93.184.220.29:80: waiting 10 seconds
> >         2018.11.09 11:34:09 LOG5[30]: s_connect: 
> > connected 93.184.220.29:80
> >         2018.11.09 11:34:09 LOG7[30]: OCSP: 
> > Connected ocspx.digicert.com:80
> >         2018.11.09 11:34:09 LOG7[30]: OCSP: Response received
> >         2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized
> >         2018.11.09 11:34:09 LOG4[30]: Rejected by OCSP at depth=0: C=US, 
> > ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
> >         2018.11.09 11:34:09 LOG7[30]: TLS alert (write): fatal: handshake 
> > failure
> >         2018.11.09 11:34:09 LOG3[30]: SSL_connect: 14090086: 
> > error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify 
> > failed
> >         2018.11.09 11:34:09 LOG5[30]: Connection reset: 0 byte(s) sent to 
> > TLS, 0 byte(s) sent to socket
> >         2018.11.09 11:34:09 LOG7[30]: Deallocating application specific 
> > data for session connect address
> >         2018.11.09 11:34:09 LOG7[30]: Remote descriptor (FD=668) closed
> >         2018.11.09 11:34:09 LOG7[30]: Local descriptor (FD=672) closed
> >         2018.11.09 11:34:09 LOG7[30]: Service [pop3s] finished (0 left)
> > 
> > 
> >         Can you please help me?
> > 
> >         Thanks in advance!
> > 
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
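
An added example (not part of the thread, and not stunnel code): a short Python triage script that reads a stunnel debug log like the one quoted above and reports the OCSP outcome per chain depth, so a responder error such as `6: unauthorized` is kept apart from a certificate status such as `good`. It assumes the log message formats shown in this thread; the function names `ocsp_results` and `failures` are hypothetical.

```python
import re
# OCSPResponseStatus codes (RFC 6960). A non-zero code means the responder
# returned no signed statement about the certificate; it is not a revocation.
RESPONDER_ERRORS = {1: "malformedRequest", 2: "internalError", 3: "tryLater",
                    5: "sigRequired", 6: "unauthorized"}

LINE = re.compile(r"^\S+ \S+ LOG\d\[([^\]]+)\]: (.*)$")
DEPTH = re.compile(r"Verification started at depth=(\d+): (.*)")
AIA = re.compile(r'OCSP: Connecting the AIA responder "([^"]+)"')
STATUS = re.compile(r"OCSP: Status: (\w+)")
ERROR = re.compile(r"OCSP: Responder error: (\d+)")

def ocsp_results(log_text):
    """Return one record per certificate verified, in log order."""
    records, current = [], {}          # current: thread id -> open record
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m.groups()
        if d := DEPTH.search(msg):     # a new certificate in the chain
            current[tid] = {"depth": int(d.group(1)), "subject": d.group(2),
                            "responder": None, "outcome": "not-checked"}
            records.append(current[tid])
        elif tid in current:
            rec = current[tid]
            if a := AIA.search(msg):
                rec["responder"] = a.group(1)
            elif s := STATUS.search(msg):
                rec["outcome"] = "status:" + s.group(1)
            elif e := ERROR.search(msg):
                name = RESPONDER_ERRORS.get(int(e.group(1)), e.group(1))
                rec["outcome"] = "responder-error:" + name
    return records

def failures(records):
    """Records where OCSP produced anything other than a 'good' status."""
    ok = ("not-checked", "status:good")
    return [r for r in records if r["outcome"] not in ok]

# Sample input: lines taken from the log in the thread, unwrapped and trimmed.
SAMPLE = """\
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
2018.11.09 11:34:09 LOG7[30]: OCSP: Ignoring root certificate
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "http://ocsp.digicert.com"
2018.11.09 11:34:09 LOG6[30]: OCSP: Status: good
2018.11.09 11:34:09 LOG7[30]: Verification started at depth=0: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com
2018.11.09 11:34:09 LOG5[30]: OCSP: Connecting the AIA responder "http://ocspx.digicert.com"
2018.11.09 11:34:09 LOG3[30]: OCSP: Responder error: 6: unauthorized
"""
```

On the sample, `failures(ocsp_results(SAMPLE))` returns only the depth=0 record, with the `http://ocspx.digicert.com` responder and the outcome `responder-error:unauthorized`.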