# stunnel won't establish connection with errno=104



## integrator (Dec 26, 2012)

Hello,

On my VPS with FreeBSD 9.0 I need to have an SSL connection for sendmail. I installed stunnel with the commands below. I cannot establish a connection to my VPS with the command *openssl s_client -connect 178.172.148.149:995*. It gives "read:errno=104". But I can successfully connect to my other test server with exactly the same configuration and the same stunnel.conf.
Could you help me solve my problem?

Command list:

```
cd /usr/ports/security/stunnel/
make && make install && make cert && make clean
cd /usr/local/etc/stunnel
cp stunnel.conf-sample stunnel.conf
mkdir /var/tmp/stunnel
touch /var/tmp/stunnel/stunnel.pid
chown -R stunnel:nogroup /var/tmp/stunnel
```
Output for unsuccessful connection:

```
integrator@integrator-laptop:~$ openssl s_client -connect 178.172.148.149:995
CONNECTED(00000003)
depth=0 /C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
verify return:1
---
Certificate chain
 0 s:/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
   i:/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
---
Server certificate
subject=/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
issuer=/C=BY/ST=Belarus/L=Minsk/O=Autolobaz Ltd/OU=Autolobaz Ltd/CN=autolobaz.by
---
No client certificate CA names sent
---
SSL handshake has read 1603 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 129F9CAE8CF22ED9717076B754B0E76E5809610790C3CD9F55B9EA028C989F10
    Session-ID-ctx: 
    Master-Key: E410F25DCE7D99D5B3FBF9FAE55F71380DB83707B4A90116057C77B6719001CA582715840AF3D3A83D977D72AFF6D6C5
    Key-Arg   : None
    Start Time: 1356550156
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=104
integrator@integrator-laptop:~$
```


----------



## SirDice (Dec 27, 2012)

Why muck about with security/stunnel when sendmail already supports TLS?

http://www.clearchain.com/blog/posts/setting-up-sendmail-with-tls-auth-support-under-freebsd


----------



## kpa (Dec 27, 2012)

Port 995 is usually POP3 with SSL. The standard port for mail submission with TLS is 587 (technically 25 could be used too but it's blocked very often by ISPs), use that if you can.


----------



## integrator (Dec 27, 2012)

Hello,
On TLS on 587 I have:

```
integrator@integrator-laptop:~$ openssl s_client -connect 178.172.148.149:587
CONNECTED(00000003)
2224:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:
integrator@integrator-laptop:~$
```
But the main question is why I can't establish connection on port 995?


----------



## kpa (Dec 27, 2012)

s_client(1) needs an additional -starttls protocol option so it knows what kind of service it's connecting to.

`$ openssl s_client -starttls smtp -connect 178.172.148.149:587`

If there's a TLS protected pop3 service at port 995:

`$ openssl s_client -starttls pop3 -connect 178.172.148.149:995`


----------
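Added example, not part of any post in the thread: a small Python probe that checks whether a mail port sends a plaintext greeting first (the case where plain `s_client` fails with "unknown protocol" and `-starttls` is needed) or stays silent. The function names, the `implicit-tls` label for a silent server, and the sample greetings are assumptions made for this illustration.

```python
import socket

# Plaintext greeting prefix -> value for s_client's -starttls option.
GREETINGS = {b"220": "smtp", b"+OK": "pop3", b"* OK": "imap"}

def classify(first_bytes):
    """Map the server's first bytes to 'starttls:<proto>' or 'unknown'."""
    for prefix, proto in GREETINGS.items():
        if first_bytes.startswith(prefix):
            return "starttls:" + proto
    return "unknown"

def classify_socket(sock, timeout=3.0):
    """Wait for a greeting on an already connected socket."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(256)
    except socket.timeout:
        # Assumption: a silent server is waiting for a TLS ClientHello.
        return "implicit-tls"
    if not data:
        return "closed"  # peer closed before sending anything
    return classify(data)

def probe(host, port, timeout=3.0):
    """Connect to host:port and classify how the service starts TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return classify_socket(sock, timeout)

def s_client_command(host, port, kind):
    """Build the matching openssl s_client invocation."""
    cmd = "openssl s_client -connect %s:%d" % (host, port)
    if kind.startswith("starttls:"):
        cmd += " -starttls " + kind.split(":", 1)[1]
    return cmd

if __name__ == "__main__":
    # Constructed greetings, not captured from the servers in the thread.
    for port, greeting in ((587, b"220 mail.example ESMTP\r\n"), (110, b"+OK ready\r\n")):
        print(s_client_command("192.0.2.10", port, classify(greeting)))
```

A plaintext greeting only shows that the port does not start with TLS; whether the server actually offers STARTTLS is confirmed by the `s_client -starttls` run itself.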

