stunnel won’t establish connection with errno=104

https://forums.freebsd.org/threads/stunnel-wont-establish-connection-with-errno-104.36545/


Thread starter: integrator. Start date: Dec 26, 2012

integrator

Dec 26, 2012 

#1

Hello,

On my VPS with FreeBSD 9.0 I need to have an SSL connection for sendmail. I installed stunnel with the commands below. I cannot establish a connection to my VPS with the command openssl s_client -connect 178.172.148.149:995. It gives "read:errno=104". But I can successfully connect to another test server of mine with exactly the same configuration and the same stunnel.conf. Could you help me solve my problem?

Command list: Code:

cd /usr/ports/security/stunnel/
make && make install && make cert && make clean
cd /usr/local/etc/stunnel
cp stunnel.conf-sample stunnel.conf
mkdir /var/tmp/stunnel
touch /var/tmp/stunnel/stunnel.pid
chown -R stunnel:nogroup /var/tmp/stunnel

Output for unsuccessful connection: Code:

integrator@integrator-laptop:~$ openssl s_client -connect 178.172.148.149:995
CONNECTED(00000003)
depth=0 /C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
verify return:1
---
Certificate chain
 0 s:/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
   i:/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDhDCCAmygAwIBAgIJAKYyEzzdWZdUMA0GCSqGSIb3DQEBBQUAMHYxCzAJBgNV
BAYTAkJZMRAwDgYDVQQIEwdCZWxhcnVzMQ4wDAYDVQQHEwVNaW5zazEWMBQGA1UE
ChMNQXV0b2xvYmF6IEx0ZDEWMBQGA1UECxMNQXV0b2xvYmF6IEx0ZDEVMBMGA1UE
AxMMYXV0b2xvYmF6LmJ5MB4XDTEyMTIyNjEyMTIyMVoXDTEzMTIyNjEyMTIyMVow
djELMAkGA1UEBhMCQlkxEDAOBgNVBAgTB0JlbGFydXMxDjAMBgNVBAcTBU1pbnNr
MRYwFAYDVQQKEw1BdXRvbG9iYXogTHRkMRYwFAYDVQQLEw1BdXRvbG9iYXogTHRk
MRUwEwYDVQQDEwxhdXRvbG9iYXouYnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDBKoer8RcYM+khmi990XrficAfwJusPi+K6StxOGgSYol9P5IoOpVM
7/tTKVkC/pjAd0hgKsborQdT7F18ubF3rw+4f1JkaCiMz/5pCrPm8T1u9FTNtCu1
Gq42FurboC3tI96LKav2TNc+2InRCyO+zBQjyxvCwv3rO3HPHNPV8r9Js/7PBaHd
AVIFxjeKcvbHsht68pHU0vrNekfv1GaUTrKUZxD8iP66GY0h/5eyvFg1Z/fBHdl7
9qceWz9ljuvDkDwX6qA7veNxqj2XpPCvZvjDennGqiQ0O7dkwVgrfh1JBOs/jPyB
BOtVNxldxpxNuntHJze4byRKJ3DZCbR1AgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOCAQEADuQW8k1VrNX+KJssyQv/nSz3sovQiJoC
Xu3i7XhoCcwD4QhLQVp3NdCob9n/1rBPop3WTHl9OvMEo6lN61kmtY5GHJfdZN6q
FdQbG5hY2TchS4oU7NYzxrgWwygERm5ejC7/QAPTpQMMXWhrNzrOmTGHdjzjvidn
qhDg/pbGpVdefyAm3BjqmCN5znWGvX6ztLZlSnV0Egv7frc3PSiCb+wTF4qvxA97
DLnDMX0Aemhq3AEnvyA9nKVZaluqU/rRgJ2EjRgYLn/ta+UargkMR+0YW2fQrblG
3CJ3B54POP396UH8sr0fB1Opd34F/r5aXPJ7+PXMBX9JGxeuiX5SMA==
-----END CERTIFICATE-----
subject=/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
issuer=/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
---
No client certificate CA names sent
---
SSL handshake has read 1603 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 129F9CAE8CF22ED9717076B754B0E76E5809610790C3CD9F55B9EA028C989F10
    Session-ID-ctx:
    Master-Key: E410F25DCE7D99D5B3FBF9FAE55F71380DB83707B4A90116057C77B6719001CA582715840AF3D3A83D977D72AFF6D6C5
    Key-Arg   : None
    Start Time: 1356550156
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=104
integrator@integrator-laptop:~$

SirDice (Staff member, Administrator, Moderator)

Dec 27, 2012 

#2

Why muck about with security/stunnel when sendmail already supports TLS?

http://www.clearchain.com/blog/posts/setting-up-sendmail-with-tls-auth-support-under-freebsd

kpa

Dec 27, 2012 

#3

Port 995 is usually POP3 with SSL. The standard port for mail submission with TLS is 587 (technically 25 could be used too but it’s blocked very often by ISPs), use that if you can.

integrator (OP)

Dec 27, 2012 

#4

Hello, with TLS on 587 I have: Code:

integrator@integrator-laptop:~$ openssl s_client -connect 178.172.148.149:587
CONNECTED(00000003)
2224:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:
integrator@integrator-laptop:~$

But the main question is why I can’t establish connection on port 995?

kpa

Dec 27, 2012 

#5

s_client(1) needs an additional -starttls protocol option so it knows what kind of service it’s connecting to.

$ openssl s_client -starttls smtp -connect 178.172.148.149:587

If there’s a TLS protected pop3 service at port 995:

$ openssl s_client -starttls pop3 -connect 178.172.148.149:995
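The two failures in this thread are worth telling apart mechanically, so here is an added shell example; it is not from the thread, from stunnel, or from the FreeBSD ports tree. It classifies captured s_client output: "read:errno=104" printed after the certificate and session block is ECONNRESET on the Linux client used here, so the TLS handshake succeeded and the peer (stunnel itself, or whatever it hands the connection to) closed the TCP connection afterwards; "SSL23_GET_SERVER_HELLO:unknown protocol" means the port answered in cleartext and wants the -starttls form. The port-to-mode table, the sample outputs (abridged from the two posted runs) and the diagnosis names are my assumptions; 465, 993 and 995 are mapped to implicit TLS, which matches the OP's 995 handshake completing without -starttls, while 25/587, 110 and 143 get -starttls.

```shell
#!/bin/sh
# Added example, not from the forum thread or the stunnel project: triage
# `openssl s_client` output for a TLS-wrapped mail port.
# Assumptions (mine, not the thread's): the client is Linux, where
# errno 104 is ECONNRESET; the port table uses the usual assignments
# and a given site may differ.

# classify_s_client OUTPUT -> prints one diagnosis token
classify_s_client() {
    case $1 in
        *"read:errno=104"*)
            # Certificate and session were printed, then the peer reset the
            # TCP connection: TLS is fine, look at what is behind the port
            # (stunnel's log and its backend), not at the certificate.
            echo "reset-after-handshake" ;;
        *"SSL23_GET_SERVER_HELLO:unknown protocol"*|*"wrong version number"*)
            # The server answered in cleartext (an SMTP/POP3 banner), so this
            # port expects STARTTLS: re-run with -starttls <smtp|pop3|imap>.
            echo "plaintext-needs-starttls" ;;
        *"connect:errno="*|*"Connection refused"*)
            echo "tcp-connect-failed" ;;
        *"Verify return code: 0 (ok)"*)
            echo "ok" ;;
        *"Verify return code: 18 (self signed certificate)"*)
            # Handshake completed; the cert is self-signed (what 'make cert'
            # in the stunnel port produces), so verification fails until the
            # cert is pinned on the client or a CA-issued one is installed.
            echo "ok-self-signed" ;;
        *)
            echo "unknown" ;;
    esac
}

# starttls_args_for_port PORT -> prints the extra s_client arguments
starttls_args_for_port() {
    case $1 in
        25|587)      echo "-starttls smtp" ;;  # SMTP / submission: STARTTLS
        110)         echo "-starttls pop3" ;;
        143)         echo "-starttls imap" ;;
        465|993|995) echo "" ;;                # implicit TLS from byte one
        *)           echo "" ;;
    esac
}

# probe_mail_port HOST PORT -> diagnosis token (needs network; not run by default)
probe_mail_port() {
    extra=$(starttls_args_for_port "$2")
    # $extra is deliberately unquoted so "-starttls smtp" splits into two words.
    # shellcheck disable=SC2086
    out=$(printf 'QUIT\r\n' | openssl s_client $extra -connect "$1:$2" 2>&1)
    classify_s_client "$out"
}

# Constructed samples, abridged from the two outputs posted in the thread.
SAMPLE_RESET='CONNECTED(00000003)
depth=0 /C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
verify error:num=18:self signed certificate
---
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 18 (self signed certificate)
---
read:errno=104'

SAMPLE_PLAINTEXT='CONNECTED(00000003)
2224:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:'

SAMPLE_SELF_SIGNED_OK='CONNECTED(00000003)
---
    Verify return code: 18 (self signed certificate)
---
closed'

# self_check -> exit status 0 when every sample classifies as expected
self_check() {
    [ "$(classify_s_client "$SAMPLE_RESET")" = "reset-after-handshake" ] &&
    [ "$(classify_s_client "$SAMPLE_PLAINTEXT")" = "plaintext-needs-starttls" ] &&
    [ "$(classify_s_client "$SAMPLE_SELF_SIGNED_OK")" = "ok-self-signed" ] &&
    [ "$(starttls_args_for_port 587)" = "-starttls smtp" ] &&
    [ -z "$(starttls_args_for_port 995)" ]
}

# Usage: sh triage.sh             -> runs the offline self-check
#        sh triage.sh HOST PORT   -> probes a live server and prints the token
if [ $# -eq 2 ]; then
    probe_mail_port "$1" "$2"
elif [ $# -eq 0 ]; then
    self_check && echo "self-check passed"
fi
```

The order of the case branches matters: the OP's 995 output contains both "Verify return code: 18" and "read:errno=104", and the reset is the finding that points at the next step, so it is tested first. A "reset-after-handshake" result on a port where the other server with the same stunnel.conf works is the cue to compare what sits behind stunnel on the two hosts rather than the TLS settings.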
