Re: [stunnel-users] Cannot connect to SBC/yahoo to send (or telnet)
Guys,

Just be aware a configuration without any authentication (a certificate is not sent nor verified) is vulnerable to trivial active (MiTM) attacks. There are various lamer-friendly tools available, so an attack is no more difficult than sniffing a plaintext connection.

Mike

On Sat, 29 Nov 2008 13:24:52 -0800 (PST), alexlim <alex@limberis.net> wrote:

> Thanks to James' email today. I was able to get it to work. Quoting James here.
>
> The solution was to remove the "cert" line from the configuration file. The "verify" level had to stay at 0.
>
> This did the trick.
>
> James Moe-2 wrote:
>>
>> Hello,
>> (I sent this yesterday but that one seems to have gotten lost....)
>> Stunnel v4.20.
>> When connecting to SBC/Yahoo, the session is terminated with a "bad certificate" message. See the log below. The tech folks claim all is well at their end.
>> Is there something I am missing here?
>> Here is the conf file:
>>
>> ....[ conf ]....
>>
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> client = yes
>> output = G:/c/voice/pmmdev/testcase/bin/stunnel.log
>> verify = 0
>> debug = 7
>> cert = g:/c/voice/pmmdev/testcase/bin/sma-test.pem
>>
>> [sbc]
>> accept = localhost:6325
>> connect = smtp.att.yahoo.com:465
>>
>> ....[ end conf ]....
>>
>> ....[ connection log ]....
>>
>> 2008.11.11 00:14:17 LOG7[223:1737]: sbc accepted FD=15 from 127.0.0.1:61053
>> 2008.11.11 00:14:17 LOG7[223:1737]: Creating a new thread
>> 2008.11.11 00:14:17 LOG7[223:1737]: New thread created
>> 2008.11.11 00:14:17 LOG7[251:1737]: sbc started
>> 2008.11.11 00:14:17 LOG7[251:1737]: FD 15 in non-blocking mode
>> 2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on local socket
>> 2008.11.11 00:14:17 LOG5[251:1737]: sbc accepted connection from 127.0.0.1:61053
>> 2008.11.11 00:14:17 LOG7[251:1737]: FD 16 in non-blocking mode
>> 2008.11.11 00:14:17 LOG7[251:1737]: sbc connecting 69.147.64.31:465
>> 2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: waiting 10 seconds
>> 2008.11.11 00:14:17 LOG7[251:1737]: connect_wait: connected
>> 2008.11.11 00:14:17 LOG5[251:1737]: sbc connected remote server from 192.168.69.14:61054
>> 2008.11.11 00:14:17 LOG7[251:1737]: Remote FD=16 initialized
>> 2008.11.11 00:14:17 LOG7[251:1737]: TCP_NODELAY option set on remote socket
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): before/connect initialization
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client hello A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server hello A
>> 2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
>> 2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
>> 2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
>> 2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
>> 2008.11.11 00:14:17 LOG5[251:1737]: VERIFY IGNORE: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
>> 2008.11.11 00:14:17 LOG5[251:1737]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server certificate request A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 read server done A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client certificate A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write client key exchange A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write certificate verify A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write change cipher spec A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 write finished A
>> 2008.11.11 00:14:17 LOG7[251:1737]: SSL state (connect): SSLv3 flush data
>> 2008.11.11 00:14:18 LOG7[251:1737]: SSL alert (read): fatal: bad certificate
>> 2008.11.11 00:14:18 LOG3[251:1737]: SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>> 2008.11.11 00:14:18 LOG5[251:1737]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>> 2008.11.11 00:14:18 LOG7[251:1737]: sbc finished (0 left)
>>
>> ....[ end log ]....
>>
>> --
>> jimoe (at) sohnen-moe (dot) com

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
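The log above shows what actually went wrong and what the "fix" leaves open. The server sends a certificate request ("read server certificate request A"), stunnel answers it with sma-test.pem ("write client certificate A" / "write certificate verify A"), and the server rejects that certificate with a fatal "bad certificate" alert; dropping the "cert" line stops stunnel from presenting a client certificate, and the SMTP server then authenticates the user with SMTP AUTH instead. Separately, "verify = 0" is why every server certificate is logged as "VERIFY IGNORE": it is requested and then accepted unconditionally, which is the active-MITM exposure Mike describes. The configuration below is an added example, not from the thread or the stunnel project; it puts the posted settings (minus the rejected "cert" line) next to a variant that verifies the server. The CA bundle path, the second accept port and the service names are placeholders (assumptions), and "checkHost" is an option of later stunnel releases, not of the 4.20 used here.

```ini
; Added example: insecure-as-posted versus server-verifying stunnel client.
; Global options (apply to every service below).
debug = 7
output = stunnel.log

; --- as posted, minus the "cert" line the server rejected ---
; verify = 0 asks the server for a certificate and ignores the result
; ("VERIFY IGNORE" in the log). Any certificate is accepted, including
; one presented by an active attacker sitting between this host and
; smtp.att.yahoo.com, so the SMTP AUTH credentials and the mail itself
; are exposed. No "cert" line: stunnel sends an empty certificate list
; in answer to the server's certificate request, which the server allows.
[sbc-insecure]
client  = yes
verify  = 0
accept  = localhost:6325
connect = smtp.att.yahoo.com:465

; --- verifying the server before any credentials are sent ---
; verify = 2 fails the handshake unless the server's certificate chains
; to a CA listed in CAfile; an untrusted chain is logged as a VERIFY
; error and the connection is dropped instead of "VERIFY IGNORE".
; CAfile is a placeholder path (assumption): point it at the PEM bundle
; that contains the CA of the server's certificate.
; Still no "cert" line: the server did not accept the client certificate
; it was offered, and SMTP AUTH is the client-side authentication here.
[sbc]
client  = yes
verify  = 2
CAfile  = C:/stunnel/ca-bundle.pem
accept  = localhost:6326
connect = smtp.att.yahoo.com:465
; Later stunnel releases (not 4.20) can also tie the certificate to the
; expected name, so a valid certificate for some other host signed by the
; same CA is rejected too:
; checkHost = smtp.att.yahoo.com
```

Two caveats for the 4.x-era setup in the thread. First, "verify = 2" checks only that the chain is trusted, not that the certificate's name matches the host in "connect"; without a name check, any certificate the CA issued to anyone passes, which is why the later "checkHost" option matters. Second, where no name check is available, "verify = 3" (verify the peer against a locally installed certificate) pins the server's own certificate instead of trusting a whole CA, at the cost of having to update the pinned copy whenever the server's certificate is rotated.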