<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Meddelande</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1516" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>"stunnel 4.08 on
x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct
2004"</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>Hi, this is my first
try with both SSL & STunnel, so please excuse me for any missunderstandings
a.s.o.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>I have problems
running a STunnel in client-mode agains a SSL webservice.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>Our application does
not support clientside-certificates, so i want to use STunnel to handle the SSL
connection.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>For now, our
webservice-provider has disabled the need for client-certificates (to help us
narrow our problem down)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>But it still dont
work.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>As a first
step, i access whe webservice default-page through
IE-Explorer.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005><A
href="https://<ip>:3001/<path>">https://<ip>:3001/<path></A> and
i am presented with the default-webpage.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>As i second step, i
start stunnel with following .conf</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>verify =
2</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>CApath = <path
where i have saved all certificates as .pem:s with <hash>.0 filenames,
from the direct-access example with explorer above></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>debug =
7</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>client =
yes</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005>[https]</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>accept =
127.0.0.1:3000</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>connect =
<ip>:3001</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>TIMEOUTclose =
0</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>and try to access
http://127.0.0.1:3000/<path> </SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>but i get: HTTP
404 File Not found.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>I have tried the
same approach against a microsoft webservice at:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005><A
href="https://test.uddi.microsoft.com/extension.asmx">https://test.uddi.microsoft.com/extension.asmx</A></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>Without any
problems.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>1. I see no errors
in the log, as i understand it (se below) can any one else with a more skilled
eye see any problem ?</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>2. Our
webservice-provider has an invalid hostname in its certificate (no public
hostname, just IP during testing, but server certificate state <A
href="http://www.fora.se">www.fora.se</A>)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>might that cause a
problem ? (i have tried localy with invalid hostname in certificate without any
problem though)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>3. Is it possible to
enable/disable verification of hostname in STunnel ?</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>(as i understand it,
the "verify" option in the STunnel.conf concerns the whole
certificate-validation-process, and not just the hostname validation
?)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV><FONT><SPAN
class=880202107-06102005>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>4. Could the problem
be a config-issue on the webservice-provider end ? Im not sure, as it works with
IE-Explorer, but not through STunnel ?</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN class=880202107-06102005>5</SPAN>. Any
clue on where to look would be greatly apriciated, i have been working with this
for a week, and i have been able to use STunnel both as server & client,
with & without client-certs against everything i have tested localy and
public (tried between diffrent home-made applications, on a <SPAN
class=880202107-06102005>local </SPAN>webserver, against verisign website
a.s.o.) and everything works fine, except where i need it to work (against our
webservice-provider).</FONT></FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005>Regards</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>/Staffan
Sundell</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>STunnel log against
our webservice-provider (when it doesnt work):</SPAN></FONT></DIV>
<DIV><FONT><SPAN class=880202107-06102005><FONT face="Courier New"
size=1>2005.10.10 16:50:23 LOG5[2760:2800]: stunnel 4.08 on x86-pc-mingw32-gnu
WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004<BR>2005.10.10 16:50:23
LOG7[2760:2332]: RAND_status claims sufficient entropy for the
PRNG<BR>2005.10.10 16:50:23 LOG6[2760:2332]: PRNG seeded
successfully<BR>2005.10.10 16:50:23 LOG7[2760:2332]: Verify directory set to
w:\ws\certs<BR>2005.10.10 16:50:23 LOG5[2760:2332]: No limit detected for the
number of clients<BR>2005.10.10 16:50:23 LOG7[2760:2332]: FD 1916 in
non-blocking mode<BR>2005.10.10 16:50:23 LOG7[2760:2332]: SO_REUSEADDR option
set on accept socket<BR>2005.10.10 16:50:23 LOG7[2760:2332]: https bound to
127.0.0.1:3000<BR>2005.10.10 16:50:28 LOG7[2760:2332]: https accepted FD=1904
from 127.0.0.1:2975<BR>2005.10.10 16:50:28 LOG7[2760:2332]: FD 1904 in
non-blocking mode<BR>2005.10.10 16:50:28 LOG7[2760:2332]: Creating a new
thread<BR>2005.10.10 16:50:28 LOG7[2760:2332]: New thread created<BR>2005.10.10
16:50:28 LOG7[2760:3748]: https started<BR>2005.10.10 16:50:28 LOG5[2760:3748]:
https connected from 127.0.0.1:2975<BR>2005.10.10 16:50:28 LOG7[2760:3748]: FD
1876 in non-blocking mode<BR>2005.10.10 16:50:28 LOG7[2760:3748]: https
connecting <webserviceprovider ip>:3001<BR>2005.10.10 16:50:28
LOG7[2760:3748]: connect_wait: waiting 10 seconds<BR>2005.10.10 16:50:28
LOG7[2760:3748]: connect_wait: connected<BR>2005.10.10 16:50:28 LOG7[2760:3748]:
Remote FD=1876 initialized<BR>2005.10.10 16:50:28 LOG7[2760:3748]: SSL state
(connect): before/connect initialization<BR>2005.10.10 16:50:28 LOG7[2760:3748]:
SSL state (connect): SSLv3 write client hello A<BR>2005.10.10 16:50:28
LOG7[2760:3748]: SSL state (connect): SSLv3 read server hello A<BR>2005.10.10
16:50:28 LOG5[2760:3748]: VERIFY OK: depth=2, /C=US/O=VeriSign, Inc./OU=Class 3
Public Primary Certification Authority<BR>2005.10.10 16:50:28 LOG5[2760:3748]:
VERIFY OK: depth=1, /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign
International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref.
LIABILITY LTD.(c)97 VeriSign<BR>2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK:
depth=0, /C=SE/L=STOCKHOLM/O=Fora AB/OU=Member, VeriSign Trust Network/OU=Terms
of use at </FONT><A href="http://www.verisign.se/rpa"><FONT face="Courier New"
size=1>www.verisign.se/rpa</FONT></A><FONT face="Courier New" size=1>
(c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust
Network/CN=www.fora.se<BR>2005.10.10 16:50:28 LOG7[2760:3748]: SSL state
(connect): SSLv3 read server certificate A<BR>2005.10.10 16:50:28
LOG7[2760:3748]: SSL state (connect): SSLv3 read server done A<BR>2005.10.10
16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write client key exchange
A<BR>2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write
change cipher spec A<BR>2005.10.10 16:50:28 LOG7[2760:3748]: SSL state
(connect): SSLv3 write finished A<BR>2005.10.10 16:50:28 LOG7[2760:3748]: SSL
state (connect): SSLv3 flush data<BR>2005.10.10 16:50:28 LOG7[2760:3748]: SSL
state (connect): SSLv3 read finished A<BR>2005.10.10 16:50:28
LOG7[2760:3748]: 1 items in the session cache<BR>2005.10.10
16:50:28 LOG7[2760:3748]: 1 client connects
(SSL_connect())<BR>2005.10.10 16:50:28 LOG7[2760:3748]: 1
client connects that finished<BR>2005.10.10 16:50:28
LOG7[2760:3748]: 0 client renegotiatations
requested<BR>2005.10.10 16:50:28 LOG7[2760:3748]: 0 server
connects (SSL_accept())<BR>2005.10.10 16:50:28
LOG7[2760:3748]: 0 server connects that finished<BR>2005.10.10
16:50:28 LOG7[2760:3748]: 0 server renegotiatiations
requested<BR>2005.10.10 16:50:28 LOG7[2760:3748]: 0 session
cache hits<BR>2005.10.10 16:50:28 LOG7[2760:3748]: 0 session
cache misses<BR>2005.10.10 16:50:28 LOG7[2760:3748]: 0 session
cache timeouts<BR>2005.10.10 16:50:28 LOG6[2760:3748]: SSL connected: new
session negotiated<BR>2005.10.10 16:50:28 LOG6[2760:3748]: Negotiated ciphers:
AES256-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(256)
Mac=SHA1<BR>2005.10.10 16:50:45 LOG7[2760:3748]: SSL socket closed on
SSL_read<BR>2005.10.10 16:50:45 LOG7[2760:3748]: Socket write
shutdown<BR>2005.10.10 16:50:45 LOG5[2760:3748]: Connection closed: 407 bytes
sent to SSL, 507 bytes sent to socket<BR>2005.10.10 16:50:45 LOG7[2760:3748]:
https finished (0 left)</FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=880202107-06102005>STunnel log against
microsoft (where it works)</SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=1><SPAN class=880202107-06102005>2005.10.10
16:50:22 LOG5[2940:2556]: stunnel 4.08 on x86-pc-mingw32-gnu WIN32+IPv6 with
OpenSSL 0.9.7e 25 Oct 2004<BR>2005.10.10 16:50:22 LOG7[2940:1112]: RAND_status
claims sufficient entropy for the PRNG<BR>2005.10.10 16:50:22 LOG6[2940:1112]:
PRNG seeded successfully<BR>2005.10.10 16:50:22 LOG7[2940:1112]: Verify
directory set to c:\ws\certs<BR>2005.10.10 16:50:22 LOG5[2940:1112]: No limit
detected for the number of clients<BR>2005.10.10 16:50:22 LOG7[2940:1112]: FD
136 in non-blocking mode<BR>2005.10.10 16:50:22 LOG7[2940:1112]: SO_REUSEADDR
option set on accept socket<BR>2005.10.10 16:50:22 LOG7[2940:1112]: https bound
to 127.0.0.1:80<BR>2005.10.10 16:50:32 LOG7[2940:1112]: https accepted FD=148
from 127.0.0.1:2977<BR>2005.10.10 16:50:32 LOG7[2940:1112]: FD 148 in
non-blocking mode<BR>2005.10.10 16:50:32 LOG7[2940:1112]: Creating a new
thread<BR>2005.10.10 16:50:32 LOG7[2940:1112]: New thread created<BR>2005.10.10
16:50:32 LOG7[2940:3904]: https started<BR>2005.10.10 16:50:32 LOG5[2940:3904]:
https connected from 127.0.0.1:2977<BR>2005.10.10 16:50:32 LOG7[2940:3904]: FD
176 in non-blocking mode<BR>2005.10.10 16:50:32 LOG7[2940:3904]: https
connecting 207.46.197.39:443<BR>2005.10.10 16:50:32 LOG7[2940:3904]:
connect_wait: waiting 10 seconds<BR>2005.10.10 16:50:33 LOG7[2940:3904]:
connect_wait: connected<BR>2005.10.10 16:50:33 LOG7[2940:3904]: Remote FD=176
initialized<BR>2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect):
before/connect initialization<BR>2005.10.10 16:50:33 LOG7[2940:3904]: SSL state
(connect): SSLv3 write client hello A<BR>2005.10.10 16:50:33 LOG7[2940:3904]:
SSL state (connect): SSLv3 read server hello A<BR>2005.10.10 16:50:33
LOG5[2940:3904]: VERIFY OK: depth=3, /C=US/O=GTE Corporation/OU=GTE CyberTrust
Solutions, Inc./CN=GTE CyberTrust Global Root<BR>2005.10.10 16:50:33
LOG5[2940:3904]: VERIFY OK: depth=2, /CN=Microsoft Internet
Authority<BR>2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=1,
/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server
Authority<BR>2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=0,
/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=UDDI Test production
site/CN=test.uddi.microsoft.com<BR>2005.10.10 16:50:33 LOG7[2940:3904]: SSL
state (connect): SSLv3 read server certificate A<BR>2005.10.10 16:50:33
LOG7[2940:3904]: SSL state (connect): SSLv3 read server done A<BR>2005.10.10
16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write client key exchange
A<BR>2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write
change cipher spec A<BR>2005.10.10 16:50:33 LOG7[2940:3904]: SSL state
(connect): SSLv3 write finished A<BR>2005.10.10 16:50:33 LOG7[2940:3904]: SSL
state (connect): SSLv3 flush data<BR>2005.10.10 16:50:33 LOG7[2940:3904]: SSL
state (connect): SSLv3 read finished A<BR>2005.10.10 16:50:33
LOG7[2940:3904]: 1 items in the session cache<BR>2005.10.10
16:50:33 LOG7[2940:3904]: 1 client connects
(SSL_connect())<BR>2005.10.10 16:50:33 LOG7[2940:3904]: 1
client connects that finished<BR>2005.10.10 16:50:33
LOG7[2940:3904]: 0 client renegotiatations
requested<BR>2005.10.10 16:50:33 LOG7[2940:3904]: 0 server
connects (SSL_accept())<BR>2005.10.10 16:50:33
LOG7[2940:3904]: 0 server connects that finished<BR>2005.10.10
16:50:33 LOG7[2940:3904]: 0 server renegotiatiations
requested<BR>2005.10.10 16:50:33 LOG7[2940:3904]: 0 session
cache hits<BR>2005.10.10 16:50:33 LOG7[2940:3904]: 0 session
cache misses<BR>2005.10.10 16:50:33 LOG7[2940:3904]: 0 session
cache timeouts<BR>2005.10.10 16:50:33 LOG6[2940:3904]: SSL connected: new
session negotiated<BR>2005.10.10 16:50:33 LOG6[2940:3904]: Negotiated ciphers:
RC4-MD5
SSLv3 Kx=RSA Au=RSA Enc=RC4(128)
Mac=MD5 <BR>2005.10.10 16:51:38 LOG3[2940:3904]: readsocket: Connection reset by
peer (WSAECONNRESET) (10054)<BR>2005.10.10 16:51:38 LOG5[2940:3904]: Connection
reset: 203 bytes sent to SSL, 3214 bytes sent to socket<BR>2005.10.10 16:51:38
LOG7[2940:3904]: https finished (0 left)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=880202107-06102005></SPAN></FONT> </DIV></BODY></HTML>