Solved Since yesterday: OCSP: OCSP responder error: 6: unauthorised (stunnel)

Hello,

I use FreeBSD stunnel under 13.3-RELEASE-p3 to tunnel access via port 587 (SSL) to port 110.

This has not worked for about 24 hours now, and restarting stunnel did not change anything. This had been working without any problems for more than 1 year.

Errors appear in /var/log/messages (see below): ‘OCSP: OCSP responder error: 6: unauthorised’

I wonder whether this is due to the IP addresses permanently compiled into my local_unbound (root hints).
Because a ping to r11.o.lencr.org apparently leads to different results than a dig @127.0.0.1 r11.o.lencr.org (see below).

I have been using local_unbound (unbound 1.20.0 in FreeBSD 13.3) since the beginning of July 2024 without any problems.

Does anyone have an idea what I can do?
Or could it be something else?


Thanks in advance and kind regards
Sidney2017



Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: Service [pop3s] accepted connection from IP-Address:54129
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: OCSP: Connecting the AIA responder "http://r11.o.lencr.org"
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: s_connect: connected 184.24.77.55:80
Sep 4 16:03:39 mail stunnel[35842]: LOG3[3159]: OCSP: OCSP responder error: 6: unauthorized
Sep 4 16:03:39 mail stunnel[35842]: LOG3[3159]: s_connect: connect ::1:110: Connection refused (61)
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: s_connect: connected 127.0.0.1:110
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: Service [pop3s] connected remote server from 127.0.0.1:45355
Sep 4 16:03:39 mail inetd[1060]: pop3 from 127.0.0.1 exceeded counts/min (limit 60/min)
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

===========================================================================


# dig @127.0.0.1 r11.o.lencr.org

; <<>> DiG 9.18.26 <<>> @127.0.0.1 r11.o.lencr.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7170
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;r11.o.lencr.org. IN A

;; ANSWER SECTION:
r11.o.lencr.org. 300 IN CNAME o.lencr.edgesuite.net.
o.lencr.edgesuite.net. 21600 IN CNAME a1887.dscq.akamai.net.
a1887.dscq.akamai.net. 20 IN A 184.24.77.59
a1887.dscq.akamai.net. 20 IN A 184.24.77.61
a1887.dscq.akamai.net. 20 IN A 184.24.77.75
a1887.dscq.akamai.net. 20 IN A 184.24.77.57
a1887.dscq.akamai.net. 20 IN A 184.24.77.72
a1887.dscq.akamai.net. 20 IN A 184.24.77.52
a1887.dscq.akamai.net. 20 IN A 184.24.77.73
a1887.dscq.akamai.net. 20 IN A 184.24.77.70
a1887.dscq.akamai.net. 20 IN A 184.24.77.76

;; Query time: 74 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Sep 05 10:02:56 CEST 2024
;; MSG SIZE rcvd: 255

root@mail:~ # ping r11.o.lencr.org
PING a1887.dscq.akamai.net (184.24.77.46): 56 data bytes
64 bytes from 184.24.77.46: icmp_seq=0 ttl=56 time=4.916 ms
64 bytes from 184.24.77.46: icmp_seq=1 ttl=56 time=4.865 ms


root@mail:~ # ping r11.o.lencr.org
PING a1887.dscq.akamai.net (184.24.77.54): 56 data bytes
64 bytes from 184.24.77.54: icmp_seq=0 ttl=56 time=4.859 ms
64 bytes from 184.24.77.54: icmp_seq=1 ttl=56 time=4.882 ms
64 bytes from 184.24.77.54: icmp_seq=2 ttl=56 time=4.916 ms

root@mail:~ # ping r11.o.lencr.org
PING a1887.dscq.akamai.net (23.53.40.144): 56 data bytes
64 bytes from 23.53.40.144: icmp_seq=0 ttl=59 time=4.874 ms
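As an added example (not part of the post, and not stunnel's or unbound's own code), the following Python script groups stunnel log lines by connection id so that the OCSP responder error, the refused IPv6 backend connect, the successful IPv4 backend connect and the zero-byte close of one session are read together as one sequence rather than as unrelated errors, picks up the inetd rate-limit message logged in the same second, and checks addresses observed elsewhere against the A records of a dig answer section. All input is constructed from the lines quoted above (the client address is replaced by the documentation address 192.0.2.10). One caveat the check makes explicit: the answer section carries a 20-second TTL, so a ping resolving to an address that a dig run a moment earlier did not return is ordinary CDN rotation and not by itself evidence of a resolver problem.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/messages lines quoted in the post.
SAMPLE_MESSAGES = """\
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: Service [pop3s] accepted connection from 192.0.2.10:54129
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: OCSP: Connecting the AIA responder "http://r11.o.lencr.org"
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: s_connect: connected 184.24.77.55:80
Sep 4 16:03:39 mail stunnel[35842]: LOG3[3159]: OCSP: OCSP responder error: 6: unauthorized
Sep 4 16:03:39 mail stunnel[35842]: LOG3[3159]: s_connect: connect ::1:110: Connection refused (61)
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: s_connect: connected 127.0.0.1:110
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: Service [pop3s] connected remote server from 127.0.0.1:45355
Sep 4 16:03:39 mail inetd[1060]: pop3 from 127.0.0.1 exceeded counts/min (limit 60/min)
Sep 4 16:03:39 mail stunnel[35842]: LOG5[3159]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# Constructed sample: a shortened ANSWER SECTION from the dig run quoted in the post.
SAMPLE_DIG = """\
r11.o.lencr.org. 300 IN CNAME o.lencr.edgesuite.net.
o.lencr.edgesuite.net. 21600 IN CNAME a1887.dscq.akamai.net.
a1887.dscq.akamai.net. 20 IN A 184.24.77.59
a1887.dscq.akamai.net. 20 IN A 184.24.77.61
a1887.dscq.akamai.net. 20 IN A 184.24.77.75
"""

STUNNEL_RE = re.compile(r"stunnel\[\d+\]: LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
INETD_RE = re.compile(r"inetd\[\d+\]: (?P<svc>\S+) from (?P<ip>\S+) exceeded counts/min \(limit (?P<limit>\d+)/min\)")
DIG_A_RE = re.compile(r"^\S+\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)$", re.M)


def _split_host_port(hp):
    # rsplit so that IPv6 literals such as "::1:110" keep their colons
    host, port = hp.rsplit(":", 1)
    return host, int(port)


def parse_stunnel(text):
    """Group stunnel messages by connection id; record OCSP and backend outcome per session."""
    conns = defaultdict(lambda: {"service": None, "ocsp_url": None, "ocsp_ip": None,
                                 "ocsp_error": None, "backend_refused": [], "backend": None,
                                 "bytes_tls": None, "bytes_socket": None})
    for line in text.splitlines():
        m = STUNNEL_RE.search(line)
        if not m:
            continue
        c, msg = conns[m.group("conn")], m.group("msg")
        if msg.startswith("Service [") and "accepted connection" in msg:
            c["service"] = msg[len("Service ["):msg.index("]")]
        elif msg.startswith("OCSP: Connecting the AIA responder"):
            c["ocsp_url"] = msg.split('"')[1]
        elif msg.startswith("s_connect: connected "):
            host, port = _split_host_port(msg[len("s_connect: connected "):])
            # The connect that follows the AIA line (and precedes any OCSP error) is the
            # responder; every later successful connect is the backend service.
            if c["ocsp_url"] and c["ocsp_ip"] is None and c["ocsp_error"] is None:
                c["ocsp_ip"] = host
            else:
                c["backend"] = (host, port)
        elif msg.startswith("OCSP: OCSP responder error:"):
            c["ocsp_error"] = msg.split("error: ", 1)[1]       # e.g. "6: unauthorized"
        elif msg.startswith("s_connect: connect ") and "refused" in msg:
            c["backend_refused"].append(msg[len("s_connect: connect "):].split(": ", 1)[0])
        elif msg.startswith("Connection closed:"):
            nums = re.findall(r"(\d+) byte\(s\)", msg)
            c["bytes_tls"], c["bytes_socket"] = int(nums[0]), int(nums[1])
    return dict(conns)


def parse_inetd_limits(text):
    """(service, client, limit) for every inetd 'exceeded counts/min' message."""
    return [(m.group("svc"), m.group("ip"), int(m.group("limit")))
            for m in (INETD_RE.search(l) for l in text.splitlines()) if m]


def classify(conn):
    """Conditions worth alerting on for one stunnel session, in log order."""
    findings = []
    if conn["ocsp_error"]:
        findings.append("ocsp_responder_error")          # revocation check returned no status
    if conn["backend_refused"]:
        findings.append("backend_refused:" + ",".join(conn["backend_refused"]))
    if conn["backend"] is None:
        findings.append("backend_unreachable")
    elif conn["bytes_tls"] == 0 and conn["bytes_socket"] == 0:
        findings.append("closed_without_data")           # TCP connect succeeded, nothing exchanged
    return findings


def dig_a_records(text):
    """{ip: ttl} for the A records in a dig ANSWER SECTION."""
    return {m.group("ip"): int(m.group("ttl")) for m in DIG_A_RE.finditer(text)}


def addresses_outside_answer(dig_text, observed):
    """Observed addresses missing from the dig answer, plus the smallest TTL seen.
    A short TTL means the CDN rotates answers, so misses are expected in that case."""
    records = dig_a_records(dig_text)
    min_ttl = min(records.values()) if records else None
    return sorted(ip for ip in observed if ip not in records), min_ttl


if __name__ == "__main__":
    for cid, c in parse_stunnel(SAMPLE_MESSAGES).items():
        print(cid, c["service"], c["ocsp_url"], c["ocsp_ip"], classify(c))
    print("inetd rate limits:", parse_inetd_limits(SAMPLE_MESSAGES))
    print(addresses_outside_answer(SAMPLE_DIG, ["184.24.77.55", "184.24.77.46", "23.53.40.144"]))
```

Run against a real /var/log/messages by reading the file into parse_stunnel() instead of the constructed sample. On the quoted session the grouping shows that stunnel proceeded to the backend after the OCSP error and that the connection closed with zero bytes in both directions in the same second as inetd reported the pop3 rate limit, which is the kind of co-occurrence worth reading before chasing the OCSP message on its own.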
 
Hello,

Please find attached the requested data, whereby I must say once again that it is local_unbound AND that no changes have been made to the .conf files and the hosts file in the last 24 hours.

Best regards
Sidney2017
cat /etc/resolv.conf
cat /etc/hosts
cat /var/unbound/forward.conf
cat /var/unbound/lan-zones.conf

cat /etc/resolv.conf
nameserver 127.0.0.1
options edns0

cat /etc/hosts
::1 localhost localhost.domain.tld
127.0.0.1 localhost localhost.domain.tld

cat /var/unbound/forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
name: .
forward-addr: 185.12.64.1

cat /var/unbound/lan-zones.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
# Unblock reverse lookups for LAN addresses
unblock-lan-zones: yes
insecure-lan-zones: yes
 
In the meantime I have solved the problem: ONE simple .username.pop was causing all the trouble!
I deleted it and restarted stunnel. Now everything works fine again.

Thanks again for your hints!

Regards
Sidney2017
 
Shameless plug: If all you need is a TLS socket proxy, you could also just use my security/tlsc. Be warned it doesn't even do any form of certificate revocation check (but of course the standard validity checks), it's really simplistic. I wrote it because I was really fed up trying to patch the (very complex) stunnel for libressl support ;)
 