I'm trying to set up stunnel to provide secure access to an nntp server. Following the instructions here I created a self-signed key and certificate. The commands I ran were:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
My stunnel configuration has these options:
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = /stunnel.log
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/var/lib/stunnel/server.crt
key = /usr/local/var/lib/stunnel/server.key
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
[nntps]
accept = 563
connect = 119
When I start stunnel (providing my passphrase) and try to connect with Thunderbird, Thunderbird sits "Connecting..." and I get these error messages in stunnel.log
:
2013.04.17 13:40:36 LOG5[30290:3074012864]: stunnel 4.56 on i686-pc-linux-gnu platform
2013.04.17 13:40:36 LOG5[30290:3074012864]: Compiled/running with OpenSSL 1.0.1 14 Mar 2012
2013.04.17 13:40:36 LOG5[30290:3074012864]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
2013.04.17 13:40:36 LOG5[30290:3074012864]: Reading configuration from file /etc/stunnel/news.conf
2013.04.17 13:40:36 LOG5[30290:3074012864]: FIPS mode is disabled
2013.04.17 13:40:39 LOG5[30290:3074012864]: Configuration successful
2013.04.17 13:40:51 LOG5[30291:3073764160]: Service [nntps] accepted connection from 97.79.58.17:57054
2013.04.17 13:40:51 LOG5[30291:3073764160]: connect_blocking: connected 127.0.0.1:119
2013.04.17 13:40:51 LOG5[30291:3073764160]: Service [nntps] connected remote server from 127.0.0.1:46866
2013.04.17 13:40:51 LOG3[30291:3073764160]: SSL_read: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013.04.17 13:40:51 LOG5[30291:3073764160]: Connection reset: 95 byte(s) sent to SSL, 0 byte(s) sent to socket
I'm stumped. Help?
Edit: elsewhere it was suggested that I add sslVersion=SSLv3
to my stunnel config but this didn't seem to have any effect.