<font size=2 face="sans-serif">Thank you in advance for any assistance
you can provide...</font>
<br>
<br><font size=2 face="sans-serif"> </font>
<br>
<br><font size=2 face="Arial">I am trying to talk to a UHF radio (from
a PC) over a secure channel, but having some difficulties. Please
let me provide just a little background so you know why I’m doing what
I’m doing. In the existing system, Internet Explorer (IE) is the
client that talks to this radio. When the radio boots up, it sends
a webpage over Ethernet to IE and (after the user logs in) a secure link
is established, and the radio can be controlled from IE – the various
webpages change as the user maneuvers through the various dropdowns, etc.
We’ve been asked to automate this interface now for a production
environment. The client is going to be replaced with a PC connected
to a great deal of test equipment, and the server will now send XML instead
of html to the client. The client is being developed in LabVIEW (from
National Instruments) – this has made this task even more challenging.</font>
<br>
<br><font size=2 face="Arial">As all of this secure stuff is new to me,
I spent many hours just trying to understand the problem(s) and the lingo.
As LabVIEW has some limitations in this area, I found that Stunnel
was my best option. Using TCP/IP and sending http to the radio (shown
below), I’ve been able (in a non-secure mode, without Stunnel) to communicate
and get the opening screen (HTML) returned to me (the XML server
output is currently being developed) and displayed in a LabVIEW window.</font>
<br>
<br><font size=2 face="sans-serif">GET / HTTP/1.1</font>
<br><font size=2 face="sans-serif">Host: 10.4.32.1</font>
<br><font size=2 face="sans-serif">Connection: Keep-Alive</font>
<br><font size=2 face="sans-serif">Authorization: Basic YWRtaW46UgEkJHdvtmQx</font>
<br><font size=2 face="sans-serif">Credentials: admin:Password</font>
<br>
<br><font size=2 face="Arial">I downloaded the binary version of Stunnel.exe
(version 4.27 with OpenSSL 0.9.8k dated Mar 2009), then modified the LabVIEW
code to call (using a command line approach) Stunnel. In this way,
I can’t provide any (dash) options, so it’s completely dependent on the
stunnel.conf file. After a number of attempts, I was able to get
the client to bind to the server (I think), but I see nothing being returned
to me (no html). I must use TLSv1, and ciphers = DES-CBC3-SHA.</font>
<br>
<br><font size=2 face="Arial">I’ve seen examples on stunnel.org that show
a great deal more handshaking information than I’m seeing, so I’m wondering
if I’m missing some detail in my conf file. For example, my log
file ends like this</font>
<br>
<br><font size=2 face="sans-serif">2009.10.16 13:18:49 LOG7[4812:4776]:
FD 208 in non-blocking mode</font>
<br><font size=2 face="sans-serif">2009.10.16 13:18:49 LOG7[4812:4776]:
SO_REUSEADDR option set on accept socket</font>
<br><font size=2 face="sans-serif">2009.10.16 13:18:49 LOG7[4812:4776]:
https bound to 10.4.1.8:443</font>
<br>
<br><font size=2 face="sans-serif">But the example I mentioned goes on
after the “https bound” and adds things like …</font>
<br>
<br><font size=2 face="Courier New">2009.08.04 12:15:55 LOG7[16648:22996]:
proxy accepted FD=320 from 127.0.0.1:48086<br>
2009.08.04 12:15:55 LOG7[16648:22996]: Creating a new thread<br>
2009.08.04 12:15:55 LOG7[16648:22996]: New thread created<br>
2009.08.04 12:15:55 LOG7[16648:8540]: proxy started<br>
2009.08.04 12:15:55 LOG7[16648:8540]: FD 320 in non-blocking mode<br>
2009.08.04 12:15:55 LOG7[16648:8540]: TCP_NODELAY option set on local socket<br>
2009.08.04 12:15:55 LOG5[16648:8540]: proxy accepted connection from 127.0.0.1:48086<br>
2009.08.04 12:15:55 LOG7[16648:8540]: FD 340 in non-blocking mode<br>
2009.08.04 12:15:55 LOG7[16648:8540]: proxy connecting 89.149.253.125:8080<br>
2009.08.04 12:15:55 LOG7[16648:8540]: connect_wait: waiting 10 seconds<br>
2009.08.04 12:15:56 LOG7[16648:8540]: connect_wait: connected<br>
2009.08.04 12:15:56 LOG5[16648:8540]: proxy connected remote server from
192.168.2.3:48088<br>
2009.08.04 12:15:56 LOG7[16648:8540]: Remote FD=340 initialized<br>
2009.08.04 12:15:56 LOG7[16648:8540]: TCP_NODELAY option set on remote
socket<br>
2009.08.04 12:15:56 LOG7[16648:8540]: SSL state (connect): before/connect
initialization<br>
2009.08.04 12:15:56 LOG7[16648:8540]: SSL state (connect): SSLv3 write
client hello A<br>
2009.08.04 12:15:56 LOG7[16648:8540]: SSL state (connect): SSLv3 read server
hello A<br>
.</font>
<br><font size=2 face="Courier New">.</font>
<br><font size=2 face="Courier New">.</font>
<br><font size=2 face="Courier New">2009.08.04 12:15:57 LOG6[16648:8540]:
SSL connected: new session negotiated<br>
2009.08.04 12:15:57 LOG6[16648:8540]: Negotiated ciphers: AES256-SHA SSLv3
Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1</font>
<br>
<br><font size=2 face="sans-serif">That makes me think that I’m not
quite there yet. I’ve attached my stunnel.conf, my log file, and
the http request I’m making (above). I’m hoping you can find some
flaws in my conf file that will get me closer. Other than receiving html,
I’m not sure how to know that I truly have a secure connection. I’m
thinking I should see a little more in my log file, but I’m not sure.
</font>
<br>
<br><font size=2 face="sans-serif">The other thing I’m not sure about
(as I’ve heard differing thoughts) is whether I have to encrypt my HTTP
commands, or does stunnel take care of that somehow? If I have to
encrypt, how would I go about doing this? Also, (and I’m getting
ahead of myself) do I have to open and close a session every time I want
to talk, or do I somehow leave the channel open? I’ve read about
Session Resumption, but I’m not sure if that is something I need to setup
in the conf file, or if that can even be controlled by Stunnel.<br>
</font>
<br><font size=2 face="Arial"> </font>
<p><font size=2 face="Arial"><b>Al Gonzalez</b></font><font size=1 face="Arial"><br>
Principal Software Engineer<br>
Compass Call Programs<br>
Offensive Information Warfare<b><br>
Raytheon Company<br>
</b><br>
260.429.4354<br>
260.429.5829 fax</font><font size=1 color=#5f5f5f face="Arial"><u><br>
</u></font><a href=mailto:Al_Gonzalez@raytheon.com><font size=1 color=#5f5f5f face="Arial"><u>Al_Gonzalez@raytheon.com</u></font></a><font size=2 color=red face="Arial"><b>
</b></font>
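<p>A client-mode stunnel.conf for the setup described in the message above, added here as an example; it is not the poster's attached conf file (which is not reproduced on this page) and not part of the stunnel distribution. Assumed for the example: a service named [radio], a local listener on 127.0.0.1:8443 that the LabVIEW client connects to, the radio at 10.4.32.1:443 taken from the posted HTTP request, and a file radio-ca.pem containing the CA certificate that signs the radio's server certificate.</p>

```ini
; Added example stunnel.conf (client mode) - not the original poster's file.
; Global options must come before the first [service] section.
client     = yes          ; accept plaintext locally, speak TLS to the radio
output     = stunnel.log
debug      = 7            ; LOG7 detail, as in the posted log
sslVersion = TLSv1        ; the radio requires TLSv1 ...
ciphers    = DES-CBC3-SHA ; ... and this single suite
session    = 300          ; seconds to keep a TLS session cached for resumption

; Without these two lines stunnel encrypts the link but does not check who
; answers on 10.4.32.1:443. radio-ca.pem is an assumed file name.
verify = 2
CAfile = radio-ca.pem

[radio]
; LabVIEW sends plain HTTP to this address ...
accept  = 127.0.0.1:8443
; ... and stunnel forwards it inside TLS to the radio (assumed address).
connect = 10.4.32.1:443
```

<p>Two things to check against the posted log with this layout. First, "bound to" only means the listener is up; the "accepted connection from", "connecting" and "SSL state (connect)" lines from the stunnel.org example appear only once a local client actually opens a TCP connection to the accept address, so LabVIEW must connect to 127.0.0.1:8443 (or whatever accept says) and send the request there, not to the radio directly. Second, with client = yes the accept side is plaintext and the connect side is TLS; a service whose accept address is the radio-facing port of the PC has the direction backwards for this use.</p>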
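<p>The two checks the message asks about, as an added example written for this page (not code from the poster, from LabVIEW or from stunnel), in Python rather than LabVIEW so it runs stand-alone: building the plaintext request that goes to stunnel's accept port, and reading the stunnel log to confirm that a TLS session was actually negotiated with the required cipher. The host 10.4.32.1 and the credentials admin:Password come from the posted request; the log lines inside the block are constructed in stunnel 4.x format, not captured from a real run.</p>

```python
"""Added example (not code from the original post or from stunnel): two checks
for running HTTP over an stunnel client tunnel.

1. build_request() assembles the plaintext HTTP/1.1 request that the LabVIEW
   client writes to stunnel's local accept port. stunnel wraps the whole TCP
   stream in TLS, so the client does not encrypt anything itself.
2. tls_summary() scans stunnel 4.x debug-level log text and reports whether a
   TLS session was negotiated, which cipher suite, and whether a cached
   session was resumed.

Host, credentials and log lines below are constructed for the example.
"""
import base64
import re

# Cipher suite the radio requires, as stated in the post.
EXPECTED_CIPHER = "DES-CBC3-SHA"


def basic_auth(user: str, password: str) -> str:
    """Basic credentials (RFC 2617): 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(host: str, user: str, password: str, path: str = "/") -> bytes:
    """Plaintext HTTP/1.1 GET for stunnel's accept port.

    HTTP needs CRLF line endings and an empty line after the headers; a
    request without the blank line makes the server wait for more headers.
    """
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: Keep-Alive",
        f"Authorization: {basic_auth(user, password)}",
        "",  # end of headers
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


# stunnel 4.x logs exactly one of these two lines per successful handshake.
_CONNECTED = re.compile(r"SSL connected: (new session negotiated|previous session reused)")
# "Negotiated ciphers: <suite> <ver> Kx=... Au=... Enc=... Mac=...". <ver> is the
# version in OpenSSL's cipher description (SSLv3 for suites defined in SSLv3),
# not the protocol version negotiated on the wire.
_CIPHER = re.compile(r"Negotiated ciphers: (\S+)")


def tls_summary(log_text: str) -> dict:
    """Return {'connected', 'resumed', 'cipher', 'cipher_ok'} for a log.

    A log that stops at 'bound to' gives connected=False: the listener is
    up, but no local client has connected to it, so no TLS handshake ran.
    """
    result = {"connected": False, "resumed": False, "cipher": None, "cipher_ok": False}
    for line in log_text.splitlines():
        m = _CONNECTED.search(line)
        if m:
            result["connected"] = True
            result["resumed"] = m.group(1).startswith("previous")
            continue
        m = _CIPHER.search(line)
        if m:
            result["cipher"] = m.group(1)
            result["cipher_ok"] = m.group(1) == EXPECTED_CIPHER
    return result


# Constructed sample logs in stunnel 4.x format (not real captures).
LOG_BOUND_ONLY = """\
2009.10.16 13:18:49 LOG7[4812:4776]: SO_REUSEADDR option set on accept socket
2009.10.16 13:18:49 LOG7[4812:4776]: https bound to 10.4.1.8:443
"""
LOG_HANDSHAKE = """\
2009.10.16 13:20:02 LOG5[4812:3360]: radio accepted connection from 127.0.0.1:50113
2009.10.16 13:20:02 LOG7[4812:3360]: radio connecting 10.4.32.1:443
2009.10.16 13:20:02 LOG7[4812:3360]: SSL state (connect): SSLv3 write client hello A
2009.10.16 13:20:03 LOG6[4812:3360]: SSL connected: new session negotiated
2009.10.16 13:20:03 LOG6[4812:3360]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
LOG_RESUMED = """\
2009.10.16 13:20:40 LOG6[4812:2212]: SSL connected: previous session reused
2009.10.16 13:20:40 LOG6[4812:2212]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

if __name__ == "__main__":
    print(build_request("10.4.32.1", "admin", "Password").decode("ascii"))
    for name, text in (("bound only", LOG_BOUND_ONLY),
                       ("handshake", LOG_HANDSHAKE),
                       ("resumed", LOG_RESUMED)):
        print(f"{name}: {tls_summary(text)}")
```

<p>On the encryption question: stunnel encrypts the entire TCP stream between its accept side and the radio, so the request is written to the accept port exactly as build_request() produces it, and the only header Basic authentication needs for the credentials is Authorization. On sessions: stunnel keeps its own TLS session cache and distinguishes "new session negotiated" from "previous session reused" in the log, so nothing has to be set up per request; each new TCP connection from LabVIEW to the accept port is a separate TLS connection that may resume the cached session, while a connection held open with Keep-Alive stays up until either end closes it. A log that ends at "bound to" has not performed a handshake at all, which tls_summary() reports as connected=False.</p>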