Mar 15 11:20:23 marte stunnel: LOG7: Created pid file /run/stunnel/stunnel.pid
Mar 15 11:20:23 marte stunnel: LOG7: Option SO_REUSEADDR set on accept socket
Mar 15 11:20:23 marte stunnel: LOG7: Setting accept socket options (FD=9)
Mar 15 11:20:23 marte stunnel: LOG7: Listening file descriptor created (FD=9)
Mar 15 11:20:23 marte stunnel: LOG7: Binding service
Mar 15 11:20:23 marte stunnel: LOG7: Deallocating deployed section defaults
Mar 15 11:20:23 marte stunnel: LOG5: Configuration successful
Mar 15 11:20:23 marte stunnel: LOG7: ECDH initialized with curves prime256v1
Mar 15 11:20:23 marte stunnel: LOG7: ECDH initialization
Mar 15 11:20:23 marte stunnel: LOG6: DH initialization skipped: client section
Mar 15 11:20:23 marte stunnel: LOG7: No certificate or private key specified
Mar 15 11:20:23 marte stunnel: LOG7: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
Mar 15 11:20:23 marte stunnel: LOG6: OpenSSL security level is used: 2
Mar 15 11:20:23 marte stunnel: LOG6: Initializing service
Mar 15 11:20:23 marte stunnel: LOG7: No PRNG seeding was required
Mar 15 11:20:23 marte stunnel: LOG7: Compression disabled
Mar 15 11:20:23 marte stunnel: LOG5: FIPS mode disabled
Mar 15 11:20:23 marte stunnel: LOG5: UTF-8 byte order mark not detected
Mar 15 11:20:23 marte stunnel: LOG5: Reading configuration from file /etc/stunnel/conf.d/nf
Mar 15 11:20:23 marte stunnel: LOG7: "/etc/stunnel/conf.d/." is not a file
Mar 15 11:20:23 marte systemd: Started SSL tunnel for network daemons.
Mar 15 11:20:37 marte stunnel: LOG5: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Mar 15 11:20:37 marte stunnel: LOG3: SSL_connect: ssl/statem/statem_clnt.c:1245: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mar 15 11:20:37 marte stunnel: LOG7: TLS alert (write): fatal: unknown CA
Mar 15 11:20:37 marte stunnel: LOG4: Rejected by CERT at depth=2: C=US, O=DigiCert Inc, OU=CN=DigiCert Global Root CA
Mar 15 11:20:37 marte stunnel: LOG4: CERT: Pre-verification error: self signed certificate in certificate chain
Mar 15 11:20:37 marte stunnel: LOG7: Verification started at depth=2: C=US, O=DigiCert Inc, OU=CN=DigiCert Global Root CA
Mar 15 11:20:37 marte stunnel: LOG7: TLS state (connect): SSLv3/TLS read server hello
Mar 15 11:20:37 marte stunnel: LOG7: TLS state (connect): SSLv3/TLS write client hello
Mar 15 11:20:37 marte stunnel: LOG7: Initializing application specific data for session authenticated
Mar 15 11:20:37 marte stunnel: LOG7: TLS state (connect): before SSL initialization
Mar 15 11:20:37 marte stunnel: LOG6: Peer certificate required
Mar 15 11:20:37 marte stunnel: LOG6: SNI: sending servername:
Mar 15 11:20:37 marte stunnel: LOG7: Remote descriptor (FD=10) initialized
Mar 15 11:20:37 marte stunnel: LOG7: Option TCP_NODELAY set on remote socket
Mar 15 11:20:37 marte stunnel: LOG7: Setting remote socket options (FD=10)

# Also tested with: CApath = /etc/ssl/certs/

Also tested with other common domains and always results in the same issue.

Installed without issues but could not get it to work due to "unknown CA" verification issues.