Hi again.
At the beginning of the OpenSSL command output I get:

OpenSSL> s_client -connect 10.67.6.106:6161
CONNECTED(000000D0)
Can't use SSL_get_servername
depth=0 C = SE, L = Stockholm, O = O1, CN = Xn1.x1.x2.se, serialNumber = SE?-AHH8
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = SE, L = Stockholm, O = O1, CN = Xn1.x1.x2.se, serialNumber = SE?-AHH8
verify error:num=21:unable to verify the first certificate
verify return:1
4696:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1536:SSL alert number 40
---
Certificate chain
0 s:C = SE, L = Stockholm, O = O1, CN = Xn1.x1.x2.se, serialNumber = SE?-AHH8
   i:C = SE, O = O2, CN = SITHS Type 3 CA v1 PP
---
Server certificate
-----BEGIN CERTIFICATE-----

I can see that I have errors 20 and 21; is there a certificate issue? In the
Stunnel log there's no such identification....
//Janne

Jan Falk
MTA
08 616 1721
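As an added example (not code from the thread), the script below reproduces verify error 20 offline with a throw-away CA hierarchy: the check fails the way s_client does above when the trust store holds only a root and the peer sends just its own certificate, and passes once the issuing CA is either sent by the peer or added to the CAfile that verify = 2 is pointed at. Keep in mind that s_client without -CAfile checks against the default system store, so errors 20 and 21 for a private CA like the one shown are expected there; the meaningful test is with the same CAFile.pem stunnel uses. It assumes only the openssl command-line tool, and every name in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the "verify error 20" situation
# offline with a throw-away CA hierarchy. Needs the openssl CLI; every name is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# csr <name> <subject>: fresh P-256 key and a CSR for it.
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
# root -> inter -> leaf: the shape of the chain s_client printed above (issuer at depth 1).
csr root  '/C=SE/O=O2/CN=Test Root CA'
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
csr inter '/C=SE/O=O2/CN=Test Issuing CA'
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
csr leaf  '/C=SE/L=Stockholm/O=O1/CN=Xn1.x1.x2.se'
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_code <CAfile> <leaf> [extra openssl verify args]: prints the X509 verify
# error number (20 = unable to get local issuer certificate), or 0 on success.
verify_code() {
  ca=$1; leaf=$2; shift 2
  out=$(openssl verify -CAfile "$ca" "$@" "$leaf" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# 1. Trust store holds only the root and the peer sent only its own cert: error 20,
#    which is what s_client reported and what stunnel's verify = 2 would reject.
echo "root only:            $(verify_code root.pem leaf.pem)"                       # 20
# 2. The missing issuer arrives together with the peer certificate.
echo "root + sent issuer:   $(verify_code root.pem leaf.pem -untrusted inter.pem)"  # 0
# 3. Or the issuer is put into the CAfile that stunnel / s_client is pointed at.
cat root.pem inter.pem > CAFile.pem
echo "CAFile with issuer:   $(verify_code CAFile.pem leaf.pem)"                     # 0
```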

From: Jan Falk
Sent: 13 March 2020 13:36
To: Peter Pentchev <[email protected]>
Cc: [email protected]
Subject: SV: SV: [stunnel-users] S-tunnel will not send TLS


Thanks Peter, I really appreciate your support.

The config file is just a little edited by me, but I think that you can see how 
it's set up:

[SOS_SYNGO_HL7_BFT_client]
client = yes
accept = 46161
connect = Xn1.x1.x2.se:6161
cert = ds3000-03.x3.x2.se.pem
verify = 2
CAfile = CAFile.pem

[SOS_SYNGO_DICOM_BFT_client]
client = yes
accept = 46162
connect = Xn2.x1.x2.se:6162
cert = ds3000-03.x3.x2.se.pem
verify = 2
CAfile = CAFile.pem

Is there a way to copy the contents of the OpenSSL shell window and make it
anonymous before I make it public?

It ends as this screenshot at least:


//Janne


-----Original Message-----
From: Peter Pentchev <[email protected]>
Sent: 13 March 2020 12:53
To: Jan Falk <[email protected]>
Cc: [email protected]
Subject: Re: SV: [stunnel-users] S-tunnel will not send TLS



On Fri, Mar 13, 2020 at 11:19:16AM +0000, Jan Falk wrote:
> Peter Pentchev wrote:
> > On Fri, Mar 13, 2020 at 09:42:27AM +0000, Jan Falk wrote:
> > > Hi.
> > > Can someone tell me why Stunnel stops at waiting 10s? Log:
> > >
> > > 2020.03.12 09:43:36 LOG6[main]: Initializing service [x3_x4_DICOM_BFT_client]
> > [snip]
> > > 2020.03.12 09:44:37 LOG7[0]: Service [x3_x4_HL7_BFT_client] started
> > > 2020.03.12 09:44:37 LOG7[0]: Setting local socket options (FD=508)
> > > 2020.03.12 09:44:37 LOG7[0]: Option TCP_NODELAY set on local socket
> > > 2020.03.12 09:44:37 LOG5[0]: Service [x3_x4_HL7_BFT_client] accepted connection from 127.0.0.1:50299
> > > 2020.03.12 09:44:37 LOG6[0]: s_connect: connecting 10.67.6.106:6161
> > > 2020.03.12 09:44:37 LOG7[0]: s_connect: s_poll_wait 10.67.6.106:6161: waiting 10 seconds
> >
> > Have you made sure that there is something listening on port 6161 of the
> > 10.67.6.106 host and that the host that stunnel is running on can
> > establish a connection to it? No firewalls, no routing problems or
> > anything like that?
> >
> > What happens if you run - on the host that stunnel runs on - this:
> >
> >   nc -v -z 10.67.6.106 6161
> >
> > ...and also, if stunnel is supposed to establish a secure connection
> > to that host (that is, if stunnel is working in client mode):
> >
> >   openssl s_client -connect 10.67.6.106:6161
> >
> > The first command should exit immediately and tell you that a TCP
> > connection was established successfully; the second one should also
> > try to negotiate a TLS connection and show you what the server on
> > the other side tells you after the connection has been established.
>
> Thanks Peter for a quick reply.
>
> Yes, we have a connection with the receiving server; in Wireshark I can see
> that we get three ACKs on establishment. As I understand it, on the third
> ACK the TLS is supposed to be sent, but instead my Stunnel halts for 10
> sec. And there I stand.....
>
> The receiving server does not reply to non-encrypted communication.


OK, so at least the network troubles may be ruled out... to some extent.



Can you show us your stunnel configuration file? Is stunnel supposed to connect 
to this service in its client mode (stunnel accepts a plaintext connection and 
connects to a TLS service), or in server mode (stunnel accepts a TLS 
connection, connects to a plaintext service)?



If stunnel is supposed to run in client mode, that means that whatever is 
listening for incoming TCP connections on 10.67.6.106:6161 should not only 
accept the connection, but also start a TLS negotiation, and the "openssl 
s_client" command I posted above should show you this TLS negotiation. If this 
does not happen - if s_client does not show you a TLS negotiation, server 
names, certificates, etc - then something is wrong with the service running at 
10.67.6.106:6161; you should make sure that this is fixed before attempting to 
get stunnel to talk to it.



G'luck,

Peter



--

Peter Pentchev
roam@{ringlet.net,debian.org,FreeBSD.org}
[email protected]

PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc

Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
