Robert,

Most likely Amazon is not accepting TLSv1. It is a deprecated protocol. Remove the sslVersion lines.
Check the OpenSSL output from your connection test. It should display the TLS version used.

Saludos,
Jose A. Diaz

> On Sep 15, 2017, at 2:05 PM, Rob Allen <[email protected]> wrote:
>
> I've installed stunnel on an Amazon EC2 instance:
>
> stunnel 4.56 on x86_64-redhat-linux-gnu platform
> Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
> Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
>
> Global options:
> debug = daemon.notice
> pid = /var/run/stunnel.pid
> RNDbytes = 64
> RNDfile = /dev/urandom
> RNDoverwrite = yes
>
> Service-level options:
> ciphers = FIPS (with "fips = yes")
> ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
> curve = prime256v1
> sessionCacheSize = 1000
> sessionCacheTimeout = 300 seconds
> sslVersion = TLSv1 (with "fips = yes")
> sslVersion = TLSv1 for client, all for server (with "fips = no")
> stack = 65536 bytes
> TIMEOUTbusy = 300 seconds
> TIMEOUTclose = 60 seconds
> TIMEOUTconnect = 10 seconds
> TIMEOUTidle = 43200 seconds
> verify = none
>
> I've created the stunnel.conf file:
>
> [smtp-tls-wrapper]
> accept = 2525
> client = yes
> connect = email-smtp.us-west-2.amazonaws.com:465
> protocol=smtp
> delay = yes
>
> I've tested the connection to SES (successfully) via openssl:
>
> [ec2-user@ip-172-31-4-68 ~]$ openssl s_client -quiet -crlf -connect email-smtp.us-west-2.amazonaws.com:465
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
> verify return:1
> depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = email-smtp.us-west-2.amazonaws.com
> verify return:1
> 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-2370111491 wa7VtNk9b7c4TX0jNpdG
>
> But when I try to access through stunnel via localhost with telnet, I get this:
>
> [ec2-user@ip-172-31-4-68 ~]$ telnet localhost 2525
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> I've tried everything I can think of; I've read all the blogs and pages related to connecting from ec2 to SES via stunnel and I just can't get it to work. Does anyone have any suggestions for other things I could try?
>
> Thanks in advance,
> Rob Allen, CPO
> Software Engineer | Eyefinity
>
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
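Added example for this thread (editor's code, not Jose's, Rob's, or stunnel's own). It does three things that follow from the exchange above: lints an stunnel client section for the settings at issue (a pinned legacy sslVersion, no certificate verification, and `protocol = smtp` on port 465, which in stunnel's client mode means a STARTTLS negotiation while port 465 expects TLS from the first byte); prints a corrected service section for SES; and probes which TLS versions a server accepts by parsing the "Protocol :" line of the openssl s_client session summary. That summary is exactly what `-quiet` suppresses, so the probe runs s_client without it. Assumptions: the section name, the CA bundle path (/etc/pki/tls/certs/ca-bundle.crt, typical for Amazon Linux), and that this stunnel/OpenSSL pair accepts `sslVersion = TLSv1.2`, which stunnel 4.x documents for OpenSSL 1.0.1 builds.

```shell
#!/bin/sh
# Added example (not from the thread, not stunnel project code).
# Usage: sh tls-probe.sh email-smtp.us-west-2.amazonaws.com 465

# Read an stunnel.conf on stdin, print one warning per finding, return 1 if any.
lint_stunnel_conf() {
    conf=$(cat)
    rc=0
    # A bare SSLv2/SSLv3/TLSv1 pin is what a modern server refuses.
    if printf '%s\n' "$conf" | grep -qE '^[[:space:]]*sslVersion[[:space:]]*=[[:space:]]*(SSLv2|SSLv3|TLSv1)[[:space:]]*$'; then
        echo "warn: sslVersion pins a legacy protocol; use TLSv1.2 or drop the line"
        rc=1
    fi
    # In client mode "protocol = smtp" sends EHLO/STARTTLS in clear text first;
    # port 465 is implicit TLS, so the server never answers that banner exchange.
    if printf '%s\n' "$conf" | grep -qE '^[[:space:]]*protocol[[:space:]]*=[[:space:]]*smtp' &&
       printf '%s\n' "$conf" | grep -qE '^[[:space:]]*connect[[:space:]]*=.*:465[[:space:]]*$'; then
        echo "warn: protocol = smtp negotiates STARTTLS, but port 465 is TLS from the first byte"
        rc=1
    fi
    # stunnel's default is "verify = none": the tunnel trusts any certificate.
    if ! printf '%s\n' "$conf" | grep -qE '^[[:space:]]*verify[[:space:]]*=[[:space:]]*[2-4]'; then
        echo "warn: no 'verify = 2' (or higher); the server certificate is not checked"
        rc=1
    fi
    return $rc
}

# Corrected client section for SES on 465 (section name and CAfile path assumed).
ses_stunnel_section() {
    cat <<'EOF'
[ses-smtps]
client = yes
accept = 127.0.0.1:2525
connect = email-smtp.us-west-2.amazonaws.com:465
sslVersion = TLSv1.2
verify = 2
CAfile = /etc/pki/tls/certs/ca-bundle.crt
EOF
}

# Extract the negotiated version from an s_client session summary on stdin.
# s_client prints "    Protocol  : TLSv1.2" only when -quiet is NOT given.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Handshake with one forced protocol version (-tls1, -tls1_1 or -tls1_2).
# A refused version makes s_client exit non-zero, so only a clean exit plus a
# Protocol line counts as accepted.
probe_version() {
    host=$1; port=$2; flag=$3
    if out=$(openssl s_client "$flag" -connect "$host:$port" </dev/null 2>/dev/null) &&
       proto=$(printf '%s\n' "$out" | negotiated_protocol) && [ -n "$proto" ]; then
        echo "accepted ($proto)"
    else
        echo "rejected"
    fi
}

# Only probe the network when a host argument is given.
if [ $# -ge 1 ]; then
    ses_stunnel_section | lint_stunnel_conf && echo "corrected section: no findings"
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "${2:-465}" "$flag")"
    done
fi
```

Feed the posted [smtp-tls-wrapper] section to `lint_stunnel_conf` on stdin to see all three findings; the corrected section from `ses_stunnel_section` passes clean. To read the same Protocol line by hand, rerun the s_client test from the thread without `-quiet` and look under "SSL-Session:" near the end of the output.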
