Cannot connect to SBC/yahoo to send (or telnet)

Hello,
(I sent this yesterday but that one seems to have gotten lost....)
Stunnel v4.20.
When connecting to SBC/Yahoo, the session is terminated with a "bad certificate" message. See the log below. The tech folks claim all is well at their end.
Is there something I am missing here?
Here is the conf file:

....[ conf ]....

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
output = G:/c/voice/pmmdev/testcase/bin/stunnel.log
verify = 0
debug = 7
cert = g:/c/voice/pmmdev/testcase/bin/sma-test.pem

[sbc]
accept = localhost:6325
connect = smtp.att.yahoo.com:465

....[ end conf ]....

....[ connection log ]....

2008.11.11 00:14:17 LOG7[223:1737]: sbc accepted FD=15 from 127.0.0.1:61053
2008.11.11 00:14:17 LOG7[223:1737]: Creating a new thread
2008.11.11 00:14:17 LOG7[223:1737]: New thread created
2008.11.11 00:14:17 LOG7[251:1737]: sbc started
2008.11.11 00:14:17 LOG7[251:1737]: FD 15 in non-blocking mode
2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on local socket
2008.11.11 00:14:17 LOG5[251:1737]: sbc accepted connection from 127.0.0.1:61053
2008.11.11 00:14:17 LOG7[251:1737]: FD 16 in non-blocking mode
2008.11.11 00:14:17 LOG7[251:1737]: sbc connecting 69.147.64.31:465
2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: waiting 10 seconds
2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: connected
2008.11.11 00:14:17 LOG5[251:1737]: sbc connected remote server from 192.168.69.14:61054
2008.11.11 00:14:17 LOG7[251:1737]: Remote FD=16 initialized
2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on remote socket
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): before/connect initialization
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client hello A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server hello A
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate request A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server done A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client certificate A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client key exchange A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write certificate verify A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write change cipher spec A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write finished A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 flush data
2008.11.11 00:14:18 LOG7[251:1737]: SSL alert (read): fatal: bad certificate
2008.11.11 00:14:18 LOG3[251:1737]: SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2008.11.11 00:14:18 LOG5[251:1737]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.11.11 00:14:18 LOG7[251:1737]: sbc finished (0 left)

....[ end log ]....

--
jimoe (at) sohnen-moe (dot) com

_______________________________________________
stunnel-users mailing list
stunnel-users@...
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

Re: Cannot connect to SBC/yahoo to send (or telnet)

Try the option

sslVersion=TLSv1

2008/11/11 James Moe <jimoe@...>

--
Christophe Nanteuil

Help - Getting stunnel compiled on windows and using a patch

Hello,

I am trying to compile STunnel. I'd rather not, but the pre-compiled version does not support a proxy server.

So I hope you will be able to help me, or point me to a good howto on how to compile stunnel using windows and a patch from the patch-list.

Or does someone have a compiled (windows) version with proxy support? If so, please mail it to me.

Or tell me where to find more detailed information, please.

Next thing I will try is to install linux on a computer in order to try it that way...

Greetings,
Reinier.

Re: Help - Getting stunnel compiled on windows and using a patch

Hello Reinier,

> So I hope you will be able to help me, or point me to a
> good howto on how to compile stunnel using windows and a
> patch from the patch-list

The INSTALL.W32 file in the source tarball says "native compilation on a Windows machine is possible, but not supported." The approach suggested in the file is to install a cross compiler on a Linux machine and build the stunnel binary there.

A while ago I successfully compiled stunnel 4.24 on Linux after a lot of trial and error. I wrote down these instructions at the time, but I don't know if they're applicable to openssl-0.9.8i and stunnel-4.26. Hopefully I wrote down everything correctly. If you (or anyone else) discovers or knows of a better way to build a stunnel binary for Windows, please share it with the list and/or add it to the INSTALL.W32 file.

* Install mingw32

    apt-get install mingw32

* Download and unpack openssl-0.9.8h

* Make sure the environment is set up properly.

    export CC=i586-mingw32msvc-gcc
    export CXX=i586-mingw32msvc-c++
    export LD=i586-mingw32msvc-ld
    export AR=i586-mingw32msvc-ar
    export AS=i586-mingw32msvc-as
    export NM=i586-mingw32msvc-nm
    export STRIP=i586-mingw32msvc-strip
    export RANLIB=i586-mingw32msvc-ranlib
    export DLLTOOL=i586-mingw32msvc-dlltool
    export OBJDUMP=i586-mingw32msvc-objdump
    export RESCOMP=i586-mingw32msvc-windres

* Edit Configure, remove the following line

    $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());

* Edit Configure, replace ":-mno-cygwin -shared:" with

    :-mno-cygwin -Wl,--export-all -shared:

* Configure and make

    perl Configure mingw shared
    sed -i -e 's/nm/i586-mingw32msvc-nm/g' Makefile.shared
    make CC=i586-mingw32msvc-gcc RANLIB=i586-mingw32msvc-ranlib

* Download and unpack stunnel-4.24

* Configure it

    ./configure --with-ssl=/path/to/openssl-0.9.8h

* Extract the openssl source code to /usr/src because the makefile adds "-I/usr/src/openssl-0.9.8h/include" to CFLAGS.

    cd /usr/src && tar zvxf ~/openssl-0.9.8h.tar.gz

* Go back to stunnel-4.24/src

    make stunnel.exe

Hope this helps,
Tom

Proxy support

Hi STunnel users!

Has someone got a working version of STunnel that can handle a proxy?

I was hoping to use one of the patches (version 4.05) that say they can use proxy, but believe me or not, I was unable to compile the 4.05 version (the latest version compiles fine, thanks to dmile525). And I also tried to merge the patch with the source files, but that failed as well.

So my question is, has anyone got a working STunnel with proxy support (preferably a recent version)? If so, I would be very grateful and would even be willing to pay him a bit of money for it. I need it to run under windows.

Please let me know what the options are.

Reinier.

Re: Proxy support

On Fri, 14 Nov 2008 14:53:20 +0100, "Reinier van der Gugten" <info@...> wrote:
> Has someone got a working version of STunnel that can handle a proxy?

Do you mean client mode CONNECT protocol support (RFC 2817 section 5.2)?
http://www.ietf.org/rfc/rfc2817.txt
It's supported in stunnel since version 4.15 (released 2006.03.11).

Best regards,
Mike

Re: Proxy support

Can anyone tell me the config settings to make it work over a windows proxy? If it's not implemented, how much would it cost to get it implemented?

Reinier

-----Original Message-----
From: stunnel-users-bounces@... [mailto:stunnel-users-bounces@...] On Behalf Of Reinier van der Gugten
Sent: Sunday 16 November 2008 8:50
To: stunnel-users@...
Subject: [stunnel-users] Proxy support

Oops.. That's exactly what I meant... However, what is the correct configuration in that case?

E.g. I want to connect to an external location at: Myserver.com:443
The proxy is at: CustomerProxy:8080
And my application runs at the customer talking to: localhost:1433
The proxy does not require authentication.

Looking at the documentation you linked me I found this example:

    CONNECT server.example.com:80 HTTP/1.1
    Host: server.example.com:80
    Proxy-Authorization: basic aGVsbG86d29ybGQ=

Using my addresses, where goes what?

    CONNECT CustomerProxy:8080 HTTP/1.1
    Host: Myserver.com:443
    // Proxy-Authorization: basic aGVsbG86d29ybGQ=

Kind regards,
Reinier

-----Original Message-----
From: stunnel-users-bounces@... [mailto:stunnel-users-bounces@...] On Behalf Of Michal Trojnara
Sent: Friday 14 November 2008 15:04
To: stunnel-users@...
Subject: Re: [stunnel-users] Proxy support

On Fri, 14 Nov 2008 14:53:20 +0100, "Reinier van der Gugten" <info@...> wrote:
> Has someone got a working version of STunnel that can handle a proxy?

Do you mean client mode CONNECT protocol support (RFC 2817 section 5.2)?
http://www.ietf.org/rfc/rfc2817.txt
It's supported in stunnel since version 4.15 (released 2006.03.11).

Best regards,
Mike

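The CONNECT exchange Reinier is asking about, as an added example that is not part of the thread and not stunnel's own code: per RFC 2817 section 5.2 the request is sent to the proxy (CustomerProxy:8080) but names the real target (Myserver.com:443) in both the request line and the Host header; once the proxy answers with a 2xx status, the TLS handshake runs inside the tunnel and the server certificate is checked against the target's name, not the proxy's. The host names and the no-authentication proxy are the ones from the thread; the function names and the timeout are assumptions.

```python
import socket
import ssl

# Addresses from the thread; the proxy is assumed to need no authentication.
PROXY = ("CustomerProxy", 8080)   # the customer's HTTP proxy
TARGET = ("Myserver.com", 443)    # the real TLS endpoint behind the proxy


def build_connect_request(host, port):
    """RFC 2817 section 5.2: the request is sent to the proxy but names the
    target in both the request line and the Host header."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "\r\n").encode("ascii")


def parse_connect_response(data):
    """Return (status, leftover). Any 2xx means the tunnel is open; bytes after
    the blank line already belong to the tunnelled stream, not to the proxy."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), rest


def open_tunnel(proxy=PROXY, target=TARGET, cafile=None):
    """TCP to the proxy, CONNECT to the target, then a verified TLS handshake.
    The certificate is checked against the target's name, never the proxy's."""
    raw = socket.create_connection(proxy, timeout=10)
    try:
        raw.sendall(build_connect_request(*target))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering CONNECT")
            buf += chunk
        status, leftover = parse_connect_response(buf)
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        if leftover:
            raise ConnectionError("unexpected data from proxy before the TLS handshake")
        ctx = ssl.create_default_context(cafile=cafile)  # CA chain + hostname check
        return ctx.wrap_socket(raw, server_hostname=target[0])
    except Exception:
        raw.close()
        raise
```

stunnel performs this negotiation itself when a client-mode service sets `protocol = connect` and names the target in `protocolHost` (check the manual of your version for the exact spelling); the script only makes the exchange visible.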
Re: Cannot connect to SBC/yahoo to send (or telnet)

Hi,
I'm having the same problem. Setting the ssl level to version 1 didn't seem to help. Did this work for you?

Re: Cannot connect to SBC/yahoo to send (or telnet)

Thanks to James's email today, I was able to get it to work. Quoting James here.

The solution was to remove the "cert" line from the configuration file. The "verify" level had to stay at 0. This did the trick.

Re: Cannot connect to SBC/yahoo to send (or telnet)

Guys,

Just be aware a configuration without any authentication (a certificate is not sent nor verified) is vulnerable to trivial active (MiTM) attacks. There are various lamer-friendly tools available, so an attack is no more difficult than sniffing a plaintext connection.

Mike

On Sat, 29 Nov 2008 13:24:52 -0800 (PST), alexlim <alex@...> wrote:
> Thanks to James's email today, I was able to get it to work. Quoting James
> here.
>
> The solution was to remove the "cert" line from the configuration file.
> The "verify" level had to stay at 0.
>
> This did the trick.

Re: Cannot connect to SBC/yahoo to send (or telnet)

On 12/01/08 02:10 am, Michal Trojnara wrote:
> Just be aware a configuration without any authentication (a certificate is
> not sent nor verified) is vulnerable to trivial active (MiTM) attacks.
> There are various lamer-friendly tools available, so an attack is no more
> difficult than sniffing a plaintext connection.

(I had sent on 1-Dec-2008 but it never showed up on the list. :-( )

<rant>
Computer security makes me feel stupid. It has got to be one of the most opaque concepts in the industry. The problems discussed in this thread are typical.

sbc/yahoo changed their session setup to require an encrypted connection. Fine. Then they refuse a session if the client offers a certificate without a CA chain, i.e., self-signed. But they allow a connection when no client certificate is offered at all.

To verify that sbc is really sbc, a CA certificate is needed from sbc. But to get said certificate an extremely obscure method must be used. (And how do I know that the site I connected to is really sbc since I do not have a CA certificate?) Then more obscure file manipulation and setup is required for Stunnel.

It is no wonder that computer security is bungled so often. It is set up to do so. I see a lot of "All you have to do is these 247 steps..." to accomplish a "simple" security task. That's assuming I have all of the tools needed.

I am sure that, somewhere, there must be a clear discussion of how SSL/TLS certificates work, what the client may provide, what the server may provide, what is necessary to establish a secure, authenticated session. I have not found it.
</rant>

--
jimoe (at) sohnen-moe (dot) com

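To make Mike's warning and James's question concrete, here is an added example (not code from the thread or from stunnel) that audits a client-mode stunnel.conf and a debug log for the two things this thread turns on: a peer certificate accepted without verification (verify below 2, which stunnel logs as VERIFY IGNORE) and a client certificate the server rejected (a "bad certificate" alert after "write certificate verify", the state that is only reached when a client certificate was actually sent). Both samples are constructed from the config and log lines posted earlier in the thread; the function names are assumptions.

```python
# Constructed from the config posted in this thread (global options, then [sbc]).
SAMPLE_CONF = """\
client = yes
verify = 0
cert = g:/c/voice/pmmdev/testcase/bin/sma-test.pem
[sbc]
accept = localhost:6325
connect = smtp.att.yahoo.com:465
"""

# Constructed from the handshake lines in the posted log (DN abbreviated).
SAMPLE_LOG = """\
2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/O=Yahoo! Inc./CN=smtp.att.yahoo.com
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate request A
2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write certificate verify A
2008.11.11 00:14:18 LOG7[251:1737]: SSL alert (read): fatal: bad certificate
"""


def parse_conf(text):
    """stunnel's ini-style file: global options first, then one [service] per section."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections


def audit_conf(text):
    """Flag global client-mode settings that leave the server unauthenticated."""
    g = parse_conf(text)[""]
    findings = []
    if g.get("client", "no").lower() != "yes":
        return findings  # server-mode checks are out of scope here
    verify = int(g.get("verify", "0"))
    if verify < 2:  # 0 = never check; 1 = check only if a certificate is present
        findings.append(f"verify={verify}: server certificate is not required to validate")
    if "cert" in g:
        findings.append("cert=: a client certificate is sent; needed only if the server asks for one")
    return findings


def audit_log(text):
    """Flag handshake events showing an unverified peer or a rejected client certificate."""
    findings = []
    sent_client_cert = False
    for line in text.splitlines():
        if "VERIFY IGNORE" in line:
            findings.append("peer certificate accepted unverified: " + line.split("depth=", 1)[1])
        elif "write certificate verify" in line:  # only logged when a client cert was sent
            sent_client_cert = True
        elif "fatal: bad certificate" in line:
            who = "our client certificate" if sent_client_cert else "a certificate"
            findings.append(f"server rejected {who} (bad certificate alert)")
    return findings
```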