I am trying to connect to a customer from my CentOS 7 server. The customer is running a stunnel server, and I am the client.

I cannot establish a handshake and am getting the following error message in /var/log/messages (a handshake failure):

    Jan 27 12:49:24 qbtch2 stunnel: LOG6: SNI: sending servername: 123.111.172.34
    Jan 27 12:49:24 qbtch2 stunnel: LOG6: Peer certificate not required
    Jan 27 12:49:24 qbtch2 stunnel: LOG3: SSL_connect: s23_clnt.c:769: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
    Jan 27 12:49:24 qbtch2 stunnel: LOG5: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

I can connect to the customer using openssl s_client and get a handshake:

    /e/stunnel# openssl s_client -connect 123.111.172.34:8228 -cert certs/customerABC/uat/cert.pem -key certs/customerABC/uat/key.pem -tls1_2

I get this in return:

    /e/stunnel# openssl s_client -connect 112.13.172.34:8228 -cert certs/CustomerABC/uat/cert.pem -key certs/CustomerABC/uat/key.pem
    depth=2 C = US, ST = NEW YORK, L = NEW YORK, O = CustomerABC LP, OU = R&D, CN = System Security Root CA, emailAddress =
    error:num=19:self signed certificate in certificate chain
    s:/C=US/ST=New York/O=CustomerABC L.P./OU=Test/CN=

My stunnel config looks like this; I'm using the customer's key and cert to connect (client mode):

    /e/stunnel# cat nf
    Cert = /etc/stunnel/certs/customerABC/uat/cert.pem
    Key = /etc/stunnel/certs/customerABC/uat/key.pem
    CAfile = /etc/stunnel/certs/customerABC/uat/CACerts.pem

My stunnel version:

    /e/stunnel# rpm -qa | grep stunnel

My openssl versions:

    /e/stunnel# rpm -qa | grep openssl

I have built an anonymous stunnel 5.29 + squid 3.3 SSL proxy server for a few purposes, and I want to enable PSK authorization.

Here's the client side configuration:

    client = yes

The browser (Firefox 43) reports two errors: an SSL error when I access Google with HTTPS, and a connection reset when I access a non-HTTPS site.

    LOG5: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

I have confirmed the squid configuration is good and it's working, so I'm sure the problem occurs in stunnel.

Is there anyone experienced in stunnel who can help me?

After a day of research, I finally discovered the way to solve the problem.

The tip is: the client side must be separated into two sections, like the server side. So I changed the client side configuration to this:

And I updated the accept option of the server configuration section from 8443 to 127.0.0.1:8443. This tells stunnel to only accept connections from localhost; otherwise the section becomes useless.

So the process acts like this:

    browser website

Where - means local traffic, = means internet traffic, and means the configuration sections in stunnel.

These configurations are for development/test only. If you want a highly secure anonymous proxy server, you have to set debug = 0 to disable logging and foreground = no for daemon mode in the stunnel configuration file, with a proper setup of the squid configuration and iptables rules.