From: "Steven Levine"
Date: Fri, 05 Mar 2021 15:02:14 -0800
To: "eCS ISP Mailing List"
Subject: Re: [eCS-ISP] Stunnel 5.58

In , on 03/06/21 at 07:03 AM, "Paul Smedley" said:

Hi Paul,

>I am NOT seeing this here. I just tested the build and it's working
>fine in my environment. Please post the full output of trying to run
>stunnel, not just the one line with the internal error. There may be
>useful additional context around that error.

stunnel-5.58-os2-20210228-debug.zip starts fine here, but I did run into a
backwards compatibility issue:

Starting Stunnel daemon from D:\SLAInc\stunnel\stunnel-to-steven-dnacih-com\etc
stunnel stunnel_to_steven.conf
[ ] Initializing inetd mode configuration
[ ] Clients allowed=4882
[.] stunnel 5.58 on i386-pc-os2-emx built by Paul Smedley on Feb 28 2021
[.] Compiled/running with OpenSSL 1.1.1j 16 Feb 2021
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
[ ] errno: (* _errno())
[ ] Initializing inetd mode configuration
[.] Reading configuration from file D:/SLAInc/stunnel/stunnel-to-steven-dnacih-com/etc/stunnel_to_steven.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [vnc]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Loading certificate from file: ssl/private/slainc.crt
[!] SSL_CTX_use_certificate_chain_file: ssl/ssl_rsa.c:301: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
[!] Service [vnc]: Failed to initialize TLS context
[!] Configuration failed
[ ] Deallocating temporary section defaults
[ ] Deallocating section [vnc]

This occurs because my keys, created years ago, are 1028 bit. The
workaround, for now, is to add:

  securityLevel = 1

to the stunnel config file. This is sufficient to allow secure,
verification level 3 connections to the older stunnel builds. Of course,
the older builds are perfectly happy with the 1024 bit keys without this
config value.

This allows me to avoid rebuilding all the keys and certificates.

Steven

--
----------------------------------------------------------------------
"Steven Levine"
Warp/DIY/BlueLion etc. www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
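
Added example, not part of Steven's message and not stunnel or OpenSSL code: a POSIX shell script that reports whether an RSA certificate key passes a given OpenSSL security level, the check behind the "ee key too small" error in the log above. The function names, the script name and the sample text are assumptions made for illustration; the bit thresholds are those documented for SSL_CTX_set_security_level.

```shell
#!/bin/sh
# Added example: which OpenSSL security level can an RSA certificate key satisfy?

# Highest security level an RSA modulus of $1 bits meets. Minimums per
# SSL_CTX_set_security_level(3): 1=1024, 2=2048, 3=3072, 4=7680, 5=15360.
max_seclevel_for_rsa_bits() {
    if   [ "$1" -ge 15360 ]; then echo 5
    elif [ "$1" -ge 7680 ];  then echo 4
    elif [ "$1" -ge 3072 ];  then echo 3
    elif [ "$1" -ge 2048 ];  then echo 2
    elif [ "$1" -ge 1024 ];  then echo 1
    else echo 0
    fi
}

# Read `openssl x509 -noout -text` output on stdin and print the RSA key size.
# Prints nothing for non-RSA keys, whose thresholds differ.
rsa_bits_from_text() {
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
         rsa && match($0, /Public-Key: \([0-9]+ bit\)/) {
             s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); print s; exit
         }'
}

# Succeed if a key of $1 bits is accepted at security level $2.
seclevel_verdict() {
    have=$(max_seclevel_for_rsa_bits "$1")
    if [ "$have" -ge "$2" ]; then
        echo "RSA $1 bit: accepted at securityLevel $2"
    else
        echo "RSA $1 bit: rejected at securityLevel $2 (highest usable: $have)"
        return 1
    fi
}

# Audit one PEM certificate; level defaults to 2, the stunnel default in the log.
audit_cert() {
    bits=$(openssl x509 -in "$1" -noout -text | rsa_bits_from_text)
    [ -n "$bits" ] || { echo "$1: no RSA public key found" >&2; return 2; }
    seclevel_verdict "$bits" "${2:-2}"
}

# Constructed sample of the relevant `openssl x509 -text` lines (OpenSSL 1.1.1).
SAMPLE_TEXT='            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'

# Usage (hypothetical script name): sh seclevel_audit.sh cert.pem [level]
if [ "$#" -ge 1 ]; then audit_cert "$@"; fi
```

Running it against each certificate before upgrading shows which services would need securityLevel lowered or their keys regenerated.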