Hello,

I'd like to use stunnel to access an SMTP server that has the following
configuration parameters.

Host: smtp.example.org
Port number: smtps (465)
Encryption method: SMTP over TLS

At first I created the following configuration file and ran stunnel 5.70
with it on FreeBSD 13.2-RELEASE.

----------------------------------------------------------------------
CApath=/home/yasu/.certs
client=yes
foreground=yes
syslog=no
verify=2
[12345]
accept=localhost:12345
checkHost=smtp.examle.org
connect=smtp.examle.org:465
----------------------------------------------------------------------

But unfortunately stunnel emits the following messages and the local-side
connection is closed when I connect to port 12345 of localhost.

----------------------------------------------------------------------
2023.07.14 12:29:12 LOG5[0]: Service [12345] accepted connection from ::1:14632
2023.07.14 12:29:12 LOG5[0]: s_connect: connected 10.0.0.1:465
2023.07.14 12:29:12 LOG5[0]: Service [12345] connected remote server from 192.168.0.1:14633
2023.07.14 12:29:12 LOG5[0]: Certificate accepted at depth=0: C=JP, ST=Tokyo, L=Ohta-Ku, O=EXAMLE.INC, CN=smtp.examle.org
2023.07.14 12:29:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/t1_lib.c:1146: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
2023.07.14 12:29:12 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
----------------------------------------------------------------------

So I added the securityLevel setting as follows.

----------------------------------------------------------------------
CApath=/home/yasu/.certs
client=yes
foreground=yes
securityLevel=1
syslog=no
verify=2
[12345]
accept=localhost:12345
checkHost=smtp.examle.org
connect=smtp.examle.org:465
----------------------------------------------------------------------

And now I can successfully access the SMTP server through stunnel.

Next, I also tried it on FreeBSD 14-CURRENT and surprisingly stunnel
5.70 emits the following messages even if 'securityLevel=1' is specified
in the configuration file.

----------------------------------------------------------------------
2023.07.14 12:31:12 LOG5[0]: Service [12345] accepted connection from ::1:10838
2023.07.14 12:31:12 LOG5[0]: s_connect: connected 10.0.0.1:465
2023.07.14 12:31:12 LOG5[0]: Service [12345] connected remote server from 192.168.0.11:41449
2023.07.14 12:31:12 LOG3[0]: SSL_connect: /usr/src/crypto/openssl/ssl/statem/extensions.c:894: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
2023.07.14 12:31:12 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
----------------------------------------------------------------------

So I also tried on 2 other platforms.

a. Cygwin's stunnel.exe (version 5.69)
b. tstunnel.exe installed by using stunnel-5.69-win64-installer.exe

And the result is that the former works fine and the latter emits the same
message as FreeBSD 14-CURRENT.

According to these results it seems the failure is related to the
version of OpenSSL. That is, while FreeBSD 13.2-RELEASE and Cygwin use
OpenSSL 1.1.1, FreeBSD 14-CURRENT and stunnel-5.69-win64-installer.exe
use OpenSSL 3.0.

So does this mean the securityLevel option doesn't work with OpenSSL 3.0?

Regards.

---
Yasuhiro Kimura
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org
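A diagnostic that reproduces the handshake outside stunnel, added here as an example and not part of the original post or of stunnel itself: it connects with Python's ssl module first with defaults, then at security level 1 (the equivalent of securityLevel=1), then additionally permitting a server that does not advertise RFC 5746 secure renegotiation, which is the condition the OpenSSL 3.0 error text names. The first attempt that succeeds shows whether the security level is the knob in play or whether the server side needs fixing. The host name, the raw 0x4 fallback for SSL_OP_LEGACY_SERVER_CONNECT (the ssl constant only exists on Python 3.12+), and the classification keywords are assumptions.

```python
import socket
import ssl

# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT; ssl.OP_LEGACY_SERVER_CONNECT is only
# available on Python >= 3.12, so fall back to the raw option value (assumption).
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def build_context(security_level=None, legacy_renegotiation=False, capath=None):
    """Build a verifying client context, optionally relaxed like the stunnel knobs."""
    ctx = ssl.create_default_context(capath=capath)  # verify peer + check hostname
    if security_level is not None:
        ctx.set_ciphers(f"DEFAULT:@SECLEVEL={security_level}")  # stunnel securityLevel=N
    if legacy_renegotiation:
        # Accept servers without the RFC 5746 renegotiation_info extension.
        ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def classify_handshake_error(message):
    """Map an OpenSSL handshake error string to the setting that governs it."""
    m = message.lower()
    if "wrong signature type" in m or "security level" in m or "too weak" in m:
        return "security-level"
    if "unsafe legacy renegotiation" in m:
        return "legacy-renegotiation"
    return "other"


def probe(host, port=465, capath=None, timeout=10):
    """Try the handshake with progressively relaxed settings; stop at the first success."""
    attempts = [
        ("default", {}),
        ("securityLevel=1", {"security_level": 1}),
        ("securityLevel=1 + legacy renegotiation",
         {"security_level": 1, "legacy_renegotiation": True}),
    ]
    results = []
    for name, kwargs in attempts:
        ctx = build_context(capath=capath, **kwargs)
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results.append((name, "ok", tls.version()))
                    return results
        except ssl.SSLError as exc:
            results.append((name, "fail", classify_handshake_error(str(exc))))
    return results


if __name__ == "__main__":
    for row in probe("smtp.example.org"):  # hypothetical host from the post
        print(row)
```

If only the third attempt succeeds, the server is the component lacking secure renegotiation, and lowering securityLevel alone cannot help.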
