I added “sslVersion = TLSv1.2” to my stunnel.conf file, and this time my telnet 
attempt returned:

220 email-smtp.amazonaws.com ESMTP SimpleEmailService-2370111491 vrvCuSNrkl4H4hgb19Wk

I think that’s what I wanted to see.  Thanks so much for your help!

Rob Allen, CPO
Software Engineer | Eyefinity | Team OCP | 3333 Quality Drive, Rancho Cordova, 
CA 95670
eyefinity.com | P: 916.858.5645

From: "Josealf.rm" <[email protected]>
Date: Friday, September 15, 2017 at 1:06 PM
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [stunnel-users] Help with connectivity issue

Robert,

Most likely Amazon is not accepting TLSv1. It is a deprecated protocol. Remove 
sslVersion lines.

Check the OpenSSL output from your connection test. It should display the TLS 
version used.

Saludos
Jose A. Diaz



On Sep 15, 2017, at 2:05 PM, Rob Allen <[email protected]> wrote:
I’ve installed stunnel on an Amazon EC2 instance:

stunnel 4.56 on x86_64-redhat-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP

Global options:
debug                  = daemon.notice
pid                    = /var/run/stunnel.pid
RNDbytes               = 64
RNDfile                = /dev/urandom
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
curve                  = prime256v1
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
sslVersion             = TLSv1 (with "fips = yes")
sslVersion             = TLSv1 for client, all for server (with "fips = no")
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none

I’ve created the stunnel.conf file:

[smtp-tls-wrapper]
accept = 2525
client = yes
connect = email-smtp.us-west-2.amazonaws.com:465
protocol=smtp
delay = yes

I’ve tested the connection to SES (successfully) via openssl:

[ec2-user@ip-172-31-4-68 ~]$ openssl s_client -quiet -crlf -connect email-smtp.us-west-2.amazonaws.com:465
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = email-smtp.us-west-2.amazonaws.com
verify return:1
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-2370111491 wa7VtNk9b7c4TX0jNpdG

But when I try to access through stunnel via localhost with telnet, I get this:

[ec2-user@ip-172-31-4-68 ~]$ telnet localhost 2525
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

I’ve tried everything I can think of; I’ve read all the blogs and pages related 
to connecting from ec2 to SES via stunnel and I just can’t get it to work.  
Does anyone have any suggestions for other things I could try?

Thanks in advance,
Rob Allen, CPO
Software Engineer | Eyefinity
NOTICE: This message is intended only for the individual to whom it is 
addressed and may contain information that is confidential or privileged. If 
you are not the intended recipient, or the employee or person responsible for 
delivering it to the intended recipient, you are hereby notified that any 
dissemination, distribution, copying or use is strictly prohibited. If you have 
received this communication in error, please notify the sender and destroy or 
delete this communication immediately.
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
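An added example, not part of the thread and not stunnel project code: a Python check that combines the compiled-in defaults printed by `stunnel -version` with a stunnel.conf and reports client services that would still offer a deprecated protocol, which is the condition the thread resolved with sslVersion = TLSv1.2. The function names and the DEPRECATED set are assumptions of this example; the sample inputs are copied from the messages above.

```python
import re

# Constructed inputs copied from the thread: `stunnel -version` defaults (4.56) and the posted stunnel.conf.
VERSION_DEFAULTS = '''\
sslVersion             = TLSv1 (with "fips = yes")
sslVersion             = TLSv1 for client, all for server (with "fips = no")
'''
CONF_BEFORE = '''\
[smtp-tls-wrapper]
accept = 2525
client = yes
connect = email-smtp.us-west-2.amazonaws.com:465
protocol=smtp
delay = yes
'''
CONF_AFTER = CONF_BEFORE + "sslVersion = TLSv1.2\n"
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # protocol names to flag

def builtin_default(version_text, option, fips=False, client=True):
    """Compiled-in default for `option`, read from `stunnel -version` text."""
    want = "fips = yes" if fips else "fips = no"
    for line in version_text.splitlines():
        m = re.match(r'\s*(\S+)\s*=\s*(.*?)\s*(?:\(with "(fips = \w+)"\))?\s*$', line)
        if m and m.group(1) == option and m.group(3) in (None, want):
            # "TLSv1 for client, all for server": keep the side we run as
            side = re.search(r"(\S+) for " + ("client" if client else "server"), m.group(2))
            return side.group(1) if side else m.group(2)
    return None

def parse_services(conf_text):
    """Return {service: {option: value}}; options before any [section] are ignored."""
    services, current = {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
        elif "=" in line and line[0] not in ";#":
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return services

def audit(conf_text, version_text, fips=False):
    """List client services whose effective sslVersion is deprecated."""
    findings = []
    for name, opts in parse_services(conf_text).items():
        explicit = opts.get("sslversion")
        effective = explicit or builtin_default(version_text, "sslVersion", fips)
        if opts.get("client", "no").lower() == "yes" and effective in DEPRECATED:
            findings.append((name, effective, "stunnel.conf" if explicit else "default"))
    return findings
```

Calling audit(CONF_BEFORE, VERSION_DEFAULTS) reports the smtp-tls-wrapper service with the TLSv1 default; with CONF_AFTER the list is empty.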
