<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:12pt"><div><span>Denis,</span></div><div><br><span></span></div><div><span>As I understand it, stunnel is logging the fact that the client closed the connection (socket) while it was waiting for data (reading) from the client. <br></span></div><div><span><br></span></div><div><span>Looks like your client connects for a very short time, sends just 1 byte, then disconnects. <br></span></div><div><br><span></span></div><div><span>Mike can correct me if I am wrong.<br></span></div><div><br><span></span></div><div><span>Regards,</span></div><div><span>Jose</span></div><div><br></div> <div style="font-family: bookman old style,new york,times,serif; font-size: 12pt;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:
bold;">From:</span></b> Denis Berezhnoy <denis.berezhnoy@gmail.com><br> <b><span style="font-weight: bold;">To:</span></b> Jose Alf. <josealf@rocketmail.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "stunnel-users@stunnel.org" <stunnel-users@stunnel.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, January 31, 2012 1:11 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [stunnel-users] No SSL handshake between stunnel in client mode and SSL server<br> </font> </div> <br>
<div id="yiv9985419">Hi Jose,<br><br>Thank you for your help! Finally I made it work. <br><br>But there is one thing that is not quite clear to me. In the logs I can see "Socket closed on read". Here it is:<br><br>2012.01.31 12:57:12 LOG7[6748:6808]: Socket closed on read<br>
2012.01.31 12:57:12 LOG7[6748:6808]: Sending close_notify alert<br><br>Can you please explain what it means? Why is the socket closed? <br><br>Here is the log:<br><br>2012.01.31 12:56:58 LOG7[6748:4740]: No limit detected for the number of clients<br>
2012.01.31 12:56:58 LOG5[6748:4740]: stunnel 4.52 on x86-pc-mingw32-gnu platform<br>2012.01.31 12:56:58 LOG5[6748:4740]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012<br>2012.01.31 12:56:58 LOG5[6748:4740]: Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6<br>
2012.01.31 12:56:58 LOG5[6748:4740]: Reading configuration from file stunnel.conf<br>2012.01.31 12:56:58 LOG5[6748:4740]: FIPS mode is disabled<br>2012.01.31 12:56:58 LOG7[6748:4740]: Compression not enabled<br>2012.01.31 12:56:58 LOG7[6748:4740]: Snagged 64 random bytes from C:/.rnd<br>
2012.01.31 12:56:58 LOG7[6748:4740]: Wrote 1024 new random bytes to C:/.rnd<br>2012.01.31 12:56:58 LOG7[6748:4740]: PRNG seeded successfully<br>2012.01.31 12:56:58 LOG6[6748:4740]: Initializing SSL context for service Router<br>
2012.01.31 12:56:58 LOG7[6748:4740]: SSL options set: 0x05000004<br>2012.01.31 12:56:58 LOG6[6748:4740]: SSL context initialized<br>2012.01.31 12:56:58 LOG5[6748:4740]: Configuration successful<br>2012.01.31 12:56:58 LOG7[6748:4740]: Service Router bound FD=292 to 192.168.1.121:55555<br>
2012.01.31 12:57:12 LOG7[6748:4740]: Service Router accepted FD=332 from 192.168.1.161:59076<br>2012.01.31 12:57:12 LOG7[6748:4740]: Creating a new thread<br>2012.01.31 12:57:12 LOG7[6748:4740]: New thread created<br>
2012.01.31 12:57:12 LOG7[6748:6808]: Service Router started<br>2012.01.31 12:57:12 LOG5[6748:6808]: Service Router accepted connection from 192.168.1.161:59076<br>2012.01.31 12:57:12 LOG6[6748:6808]: connect_blocking: connecting 192.168.160.169:55443<br>
2012.01.31 12:57:12 LOG7[6748:6808]: connect_blocking: s_poll_wait 192.168.160.169:55443: waiting 10 seconds<br>2012.01.31 12:57:12 LOG5[6748:6808]: connect_blocking: connected 192.168.160.169:55443<br>
2012.01.31 12:57:12 LOG5[6748:6808]: Service Router connected remote server from 192.168.1.121:52050<br>2012.01.31 12:57:12 LOG7[6748:6808]: Remote FD=412 initialized<br>2012.01.31 12:57:12 LOG7[6748:6808]: Peer certificate was cached (1017 bytes)<br>
2012.01.31 12:57:12 LOG6[6748:6808]: SSL connected: new session negotiated<br>2012.01.31 12:57:12 LOG6[6748:6808]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1<br>2012.01.31 12:57:12 LOG6[6748:6808]: Compression: null, expansion: null<br>
2012.01.31 12:57:12 LOG7[6748:6808]: Socket closed on read<br>2012.01.31 12:57:12 LOG7[6748:6808]: Sending close_notify alert<br>2012.01.31 12:57:12 LOG6[6748:6808]: SSL_shutdown successfully sent close_notify alert<br>2012.01.31 12:57:22 LOG3[6748:6808]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing<br>
2012.01.31 12:57:22 LOG5[6748:6808]: Connection closed: 200 bytes sent to SSL, 1 bytes sent to socket<br>2012.01.31 12:57:22 LOG7[6748:6808]: Service Router finished (0 left)<br><br>Best regards,<br>Denis<br><br><div class="yiv9985419gmail_quote">
2012/1/25 Jose Alf. <span dir="ltr"><<a rel="nofollow" ymailto="mailto:josealf@rocketmail.com" target="_blank" href="mailto:josealf@rocketmail.com">josealf@rocketmail.com</a>></span><br><blockquote class="yiv9985419gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div style="font-size: 12pt; font-family: bookman old style,new york,times,serif;"><div><span>Denis,</span></div><div><br><span></span></div><div><span>Please review this:</span></div><div><span><br></span></div><div><span> http://stunnel.mirt.net/pipermail/stunnel-users/2011-May/003080.html</span></div>
<div><br><span></span></div><div><span>In particular, check that you have your signing CA certificates (hashed) in your CaPath.</span></div><div><br><span></span></div><div><span>Do the tests with openssl connect and post sanitized results if you are in trouble.<br>
</span></div><div><br><span></span></div><div><span>Regards,</span></div><div><span>Jose</span></div><div><br></div> <div style="font-family: bookman old style,new york,times,serif; font-size: 12pt;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">
<div dir="ltr"> <font face="Arial"><div class="yiv9985419im"> <hr size="1">
<b><span style="font-weight: bold;">From:</span></b> Denis Berezhnoy <<a rel="nofollow" ymailto="mailto:denis.berezhnoy@gmail.com" target="_blank" href="mailto:denis.berezhnoy@gmail.com">denis.berezhnoy@gmail.com</a>><br> </div><b><span style="font-weight: bold;">To:</span></b> Jose Alf. <<a rel="nofollow" ymailto="mailto:josealf@rocketmail.com" target="_blank" href="mailto:josealf@rocketmail.com">josealf@rocketmail.com</a>> <br>
<b><span style="font-weight: bold;">Cc:</span></b> "<a rel="nofollow" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a>" <<a rel="nofollow" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a>> <br>
<b><span style="font-weight: bold;">Sent:</span></b> Wednesday, January 25, 2012 9:55 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [stunnel-users] No SSL handshake between stunnel in client mode and SSL server<br>
</font> </div><div><div class="yiv9985419h5"> <br>
<div><div>Hi Jose,</div><div> </div><div>Thank you for your reply. I double checked and actually there is an SSL handshake. Sorry, it was my mistake; I did not analyze the Wireshark capture carefully.</div><div> </div><div>But the handshake failed, and here is the stunnel log:</div>
<div> </div><div>2012.01.25 09:39:58 LOG5[1944:6264]: stunnel 4.52 on x86-pc-mingw32-gnu platform<br>2012.01.25 09:39:58 LOG5[1944:6264]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012<br>
2012.01.25 09:39:58 LOG5[1944:6264]: Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6<br>
2012.01.25 09:39:58 LOG5[1944:6264]: Reading configuration from file stunnel.conf<br>2012.01.25 09:39:58 LOG5[1944:6264]: FIPS mode is enabled<br>
2012.01.25 09:39:58 LOG5[1944:6264]: Configuration successful<br>2012.01.25 09:40:13 LOG5[1944:4724]: Service Router accepted connection from 192.168.1.161:59519<br>
2012.01.25 09:40:13 LOG5[1944:4724]: connect_blocking: connected 192.168.160.168:55443<br>
2012.01.25 09:40:13 LOG5[1944:4724]: Service Router connected remote server from 192.168.1.121:52250<br>
2012.01.25 09:40:13 LOG3[1944:4724]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number<br>2012.01.25 09:40:13 LOG5[1944:4724]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket<br>
</div><div><div>The server is set up for SSL 3.0. </div><div> </div></div><div>Best regards,</div><div>Denis<br><br></div><div>2012/1/24 Jose Alf. <span dir="ltr"><<a rel="nofollow" ymailto="mailto:josealf@rocketmail.com" target="_blank" href="mailto:josealf@rocketmail.com">josealf@rocketmail.com</a>></span><br>
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left: 1px solid rgb(204, 204, 204);"><div><div style="font-family: bookman old style,new york,times,serif; font-size: 12pt;">
<div><span>Denis,</span></div><div><span><br></span></div><div><span>Looks like your configuration is incomplete. Check the sample stunnel.conf file in the stunnel distribution. Read the man page. Post your log file.<br>
</span></div><div><br><span></span></div><div><span>Try adding lines like these before [Router]</span></div><div><br><span></span></div><div><span># Protocol version to speak to the server; it must match what the server accepts<br>sslVersion = SSLv3<br><br># Client certificate and key; only needed if the server asks for client authentication<br>cert=stunnel.pem<br>key=stunnel.pem<br><br># Authentication stuff, try 0 for test<br>
verify = 0<br># 0 = do not check the server certificate (test only); 2 = verify its chain against CApath<br><br># Directory of trusted CA certificates, stored under their hashed names (c_rehash)<br>CApath = /your/CAcerts/path<br><br># Full debug level, written to a file<br>debug = 7<br>output = stunnel.log<br><br><br></span></div><div><br></div> <div style="font-family: bookman old style,new york,times,serif; font-size: 12pt;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">
<div dir="ltr"> <font face="Arial"> <hr size="1">
<b><span style="font-weight: bold;">From:</span></b> Denis Berezhnoy <<a rel="nofollow" ymailto="mailto:denis.berezhnoy@gmail.com" target="_blank" href="mailto:denis.berezhnoy@gmail.com">denis.berezhnoy@gmail.com</a>><br> <b><span style="font-weight: bold;">To:</span></b> <a rel="nofollow" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a> <br>
<b><span style="font-weight: bold;">Sent:</span></b> Tuesday, January 24, 2012 6:10 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> [stunnel-users] No SSL handshake between stunnel in client mode and SSL server<br>
</font> </div><div><div> <br>
<div><div>Hi guys, </div><div>I have a quick question. I am trying to use stunnel in client mode to encrypt traffic going to my server.</div><div>Basically, I have a server which listens for SSL connections. And I have a client which cannot do SSL but needs to communicate with the server over SSL. </div>
<div>I set up stunnel in client mode to accept unencrypted traffic from the client and redirect it to the server over SSL. I checked the TCP traffic with Wireshark between stunnel and my server and I can see that there is no SSL handshake: stunnel makes a TCP connection to the server and sends some TCP packets, but I expect to see an SSL handshake.</div>
<div>My stunnel conf file is here:</div><div>[Router]<br>client=yes<br>accept = 192.168.1.121:55555<br>connect = 192.168.160.168:55443</div>
<div>Can you please comment on this?</div>
<div>Best regards,</div><div>Denis</div>
</div><br></div></div>_______________________________________________<br>stunnel-users mailing list<br><a rel="nofollow" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br><a rel="nofollow" target="_blank" href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a><br>
<br><br> </div> </div> </div></div></blockquote></div><br>
</div><br><br> </div></div></div> </div> </div></div></blockquote></div><br>
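<div><br></div><div><span>Added example, not code from stunnel or from anyone in this thread: a small Python reader for an stunnel debug log (debug = 7) that groups lines by the [pid:tid] tag stunnel prints and reduces each connection thread to the two peers, whether SSL_connect succeeded, the negotiated protocol and cipher, how the session ended and the byte counters. It also flags what a reviewer of the two logs above would want flagged: the "wrong version number" handshake failure, the SSLv3 and RC4 negotiation, the plaintext client closing its socket, and the close_notify that was never answered before TIMEOUTclose. The message patterns are the ones visible in the logs posted above (stunnel 4.52), the sample log is an excerpt copied from them, and the reading of the counters (with client = yes, "bytes sent to SSL" is the plaintext client to remote server direction) is my own.</span></div>

```python
"""Per-connection summary of an stunnel debug log (debug = 7).

Added example for this thread, not stunnel code.  Lines are grouped by the
[pid:tid] tag stunnel prints; each connection thread is reduced to peers,
handshake outcome, negotiated protocol/cipher, close events and byte counters.
Patterns are the message texts visible in the logs posted in the thread.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"accepted connection from (\S+)")
CONNECT_RE = re.compile(r"connect_blocking: connected (\S+)")
CIPHER_RE = re.compile(r"Negotiated ciphers: (\S+) (\S+) ")
ERROR_RE = re.compile(r"SSL_connect: [0-9A-Fa-f]+: error:[0-9A-Fa-f]+:(.*)$")
CLOSED_RE = re.compile(
    r"Connection (?:closed|reset): (\d+) bytes sent to SSL, (\d+) bytes sent to socket"
)


def group_by_thread(lines):
    """Return {(pid, tid): [msg, ...]} in log order; non-log lines are skipped."""
    threads = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            threads.setdefault((m["pid"], m["tid"]), []).append(m["msg"])
    return threads


def summarize_thread(msgs):
    """Reduce one connection thread's messages to an outcome record."""
    s = {"client": None, "server": None, "handshake": "none", "error": None,
         "protocol": None, "cipher": None, "close_events": [],
         # Counters as stunnel names them; with client = yes, "to SSL" is the
         # plaintext client -> remote server direction, "to socket" the reverse.
         "bytes_to_ssl": None, "bytes_to_socket": None, "warnings": []}
    for msg in msgs:
        if m := ACCEPT_RE.search(msg):
            s["client"] = m[1]
        elif m := CONNECT_RE.search(msg):
            s["server"] = m[1]
        elif m := ERROR_RE.search(msg):
            s["handshake"], s["error"] = "failed", m[1]
        elif msg.startswith("SSL connected"):
            s["handshake"] = "ok"
        elif m := CIPHER_RE.search(msg):
            s["cipher"], s["protocol"] = m[1], m[2]
        elif msg.startswith("Socket closed on read") or "TIMEOUTclose exceeded" in msg:
            s["close_events"].append(msg)
        elif m := CLOSED_RE.search(msg):
            s["bytes_to_ssl"], s["bytes_to_socket"] = int(m[1]), int(m[2])

    # The checks a reviewer of such a log would want flagged automatically.
    if s["error"] and "wrong version number" in s["error"]:
        s["warnings"].append("version mismatch: sslVersion does not match the server")
    if s["protocol"] == "SSLv3":
        s["warnings"].append("SSLv3 negotiated: deprecated by RFC 7568")
    if s["cipher"] and s["cipher"].startswith("RC4"):
        s["warnings"].append("RC4 negotiated: prohibited by RFC 7465")
    if any(m.startswith("Socket closed on read") for m in s["close_events"]):
        # EOF on the plaintext side: the local client closed its socket.
        s["warnings"].append("plaintext client closed after %s bytes to SSL"
                             % s["bytes_to_ssl"])
    if any("TIMEOUTclose" in m for m in s["close_events"]):
        s["warnings"].append("peer never answered close_notify; closed on TIMEOUTclose")
    return s


def summarize_log(text):
    """Summaries for every thread that accepted a client connection."""
    return [summarize_thread(msgs)
            for msgs in group_by_thread(text.splitlines()).values()
            if any(ACCEPT_RE.search(m) for m in msgs)]


# Excerpt copied from the two logs posted in the thread; the daemon's own
# thread (1944:6264) is kept to show that it is skipped.
SAMPLE_LOG = """\
2012.01.25 09:39:58 LOG5[1944:6264]: stunnel 4.52 on x86-pc-mingw32-gnu platform
2012.01.25 09:40:13 LOG5[1944:4724]: Service Router accepted connection from 192.168.1.161:59519
2012.01.25 09:40:13 LOG5[1944:4724]: connect_blocking: connected 192.168.160.168:55443
2012.01.25 09:40:13 LOG3[1944:4724]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2012.01.25 09:40:13 LOG5[1944:4724]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.01.31 12:57:12 LOG5[6748:6808]: Service Router accepted connection from 192.168.1.161:59076
2012.01.31 12:57:12 LOG5[6748:6808]: connect_blocking: connected 192.168.160.169:55443
2012.01.31 12:57:12 LOG6[6748:6808]: SSL connected: new session negotiated
2012.01.31 12:57:12 LOG6[6748:6808]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.31 12:57:12 LOG7[6748:6808]: Socket closed on read
2012.01.31 12:57:12 LOG7[6748:6808]: Sending close_notify alert
2012.01.31 12:57:22 LOG3[6748:6808]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
2012.01.31 12:57:22 LOG5[6748:6808]: Connection closed: 200 bytes sent to SSL, 1 bytes sent to socket
"""

if __name__ == "__main__":
    for rec in summarize_log(SAMPLE_LOG):
        print(rec["client"], "->", rec["server"], rec["handshake"], rec["warnings"])
```

<div><span>Run it against a real stunnel.log (debug = 7, as suggested earlier in the thread) by replacing SAMPLE_LOG with the file contents. The second record shows the session Denis asked about: the handshake succeeded, "Socket closed on read" is the plaintext client closing its side, stunnel then sent close_notify, and the peer's silence until TIMEOUTclose is what produced the LOG3 line ten seconds later.</span></div>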
</div><br><br> </div> </div> </div></body></html>