<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
Hello,<br><br>
I have 2 servers in different locations across the country. I am using them as a paired tunnel in which both act as server and client.<br><br>
Server A has this configuration (cert definitions left out on purpose, but they exist and are valid):<br><br>
; Protocol version (all, SSLv2, SSLv3, TLSv1)<br>
sslVersion = all<br><br>
; Some security enhancements for UNIX systems - comment them out on Win32<br>
chroot = /var/lib/stunnel4<br>
setuid = stunnel4<br>
setgid = stunnel4<br><br>
; PID is created inside chroot jail<br>
pid = /stunnel.pid<br><br>
; Some performance tunings<br>
socket = l:TCP_NODELAY=1<br>
socket = r:TCP_NODELAY=1<br>
;compression = rle<br>
TIMEOUTclose=0<br><br>
; 128-bit or higher only<br>
ciphers = HIGH:MEDIUM<br><br>
; Workaround for Eudora bug<br>
options = DONT_INSERT_EMPTY_FRAGMENTS<br>
options = NO_SSLv2<br><br>
; Some debugging stuff useful for troubleshooting<br>
debug = local7.info<br>
;warning<br><br>
[Tunnel from Server B]<br>
accept = 1.2.3.4:443<br>
connect = 127.0.0.1:8082<br><br>
[Tunnel to Server B]<br>
accept = 5.6.7.8:3132<br>
connect = 9.10.11.12:4000<br>
client = yes<br><br><br>
Server B (cert definitions left out on purpose, but they exist and are valid):<br><br>
; Protocol version (all, SSLv2, SSLv3, TLSv1)<br>
sslVersion = all<br><br>
; Some security enhancements for UNIX systems - comment them out on Win32<br>
chroot = /var/lib/stunnel4<br>
setuid = stunnel4<br>
setgid = stunnel4<br><br>
; PID is created inside chroot jail<br>
pid = /stunnel.pid<br><br>
; Some performance tunings<br>
socket = l:TCP_NODELAY=1<br>
socket = r:TCP_NODELAY=1<br>
;compression = rle<br>
TIMEOUTclose=0<br><br>
; 128-bit or higher only<br>
ciphers = HIGH:MEDIUM<br><br>
; Workaround for Eudora bug<br>
options = DONT_INSERT_EMPTY_FRAGMENTS<br>
options = NO_SSLv2<br><br>
; Some debugging stuff useful for troubleshooting<br>
debug = local7.debug<br>
;warning<br><br>
[Tunnel to Server A]<br>
accept = 10.1.2.3:9443<br>
connect = 1.2.3.4:443<br>
client = yes<br><br>
[Tunnel from Server A]<br>
accept = 9.10.11.12:4000<br>
connect = 10.4.5.6:3132<br><br><br>
Communication through Server A (client) to Server B (server) works as expected.<br><br>
Communication through Server B (client) back to Server A (server) receives this error:<br><br>
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (this is all the further it gets; the client says hello and the server responds with this)<br><br>
If I skip the local stunnel config and pass the traffic publicly through to Server A (running in client mode) from Server B, I get the expected HTTP response I set up to test the tunnel.<br><br>
I'm just assuming that if I am passing from stunnel on one system to stunnel on another, one of them should be client and the other should be server. This works well on our old configurations, and as far as I can see from an stunnel and network route perspective all rules are identical.<br><br>
Why would it work from Server B to Server A on the response if I go directly to Server A, but fail locally? The configuration looks correct; what else could I check?<br>
</div></body>
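Two checks a practitioner would run on a setup like the one described in the post above, as an added example that is not part of the original message. The first parses both stunnel configs and verifies that every `client = yes` service on one host points at the `accept` endpoint of a server-mode service on the other host (and that no server-mode service is left without a peer). The second classifies the first bytes a client receives after sending its ClientHello: the OpenSSL error quoted in the post (`SSL23_GET_SERVER_HELLO:unknown protocol`, reported as `wrong version number` by newer OpenSSL) means exactly that the reply did not start with a TLS record header, so capturing those bytes tells you whether the endpoint you reached is really a TLS server. The two config strings are constructed from the sections quoted in the post; the parser and the section/host labels are this example's own, not stunnel's.

```python
"""Consistency checks for a pair of stunnel configs that terminate each other's
tunnels, plus a classifier for the first bytes of a server's reply.
Added example; the configs below are constructed from the post above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    name: str
    accept: Optional[str] = None
    connect: Optional[str] = None
    client: bool = False


def parse_stunnel(text: str) -> Tuple[Dict[str, List[str]], List[Service]]:
    """Parse an stunnel config: global 'key = value' lines, then [section] blocks.
    ';' starts a comment. Repeated global keys (e.g. 'options') are collected."""
    globals_: Dict[str, List[str]] = {}
    services: List[Service] = []
    current: Optional[Service] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = Service(name=m.group(1).strip())
            services.append(current)
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        key, value = key.strip(), value.strip()
        if current is None:
            globals_.setdefault(key, []).append(value)
        elif key == "accept":
            current.accept = value
        elif key == "connect":
            current.connect = value
        elif key == "client":
            current.client = value.lower() in ("yes", "on", "1", "true")
    return globals_, services


def cross_check(cfg_a: str, cfg_b: str) -> Dict[str, list]:
    """Pair each client-mode service on one host with the server-mode service on
    the other host whose 'accept' equals the client's 'connect'. Services are
    labelled 'A:<section>' / 'B:<section>' (labels chosen by this example)."""
    _, svc_a = parse_stunnel(cfg_a)
    _, svc_b = parse_stunnel(cfg_b)
    report: Dict[str, list] = {"paired": [], "unpaired_clients": [], "unpaired_servers": []}
    sides = (("A", svc_a, svc_b), ("B", svc_b, svc_a))
    for label, src, dst in sides:
        for s in src:
            if not s.client:
                continue
            peer = next((p for p in dst if not p.client and p.accept == s.connect), None)
            if peer is None:
                report["unpaired_clients"].append(f"{label}:{s.name}")
            else:
                report["paired"].append((f"{label}:{s.name}", peer.name))
    for label, src, dst in sides:
        for s in src:   # server-mode services that no client on the other host targets
            if not s.client and not any(c.client and c.connect == s.accept for c in dst):
                report["unpaired_servers"].append(f"{label}:{s.name}")
    return report


def classify_reply(first_bytes: bytes) -> str:
    """Classify what came back after a ClientHello. A TLS peer answers with a
    record whose first byte is 0x16 (handshake) or 0x15 (alert) and whose next
    byte is the major version 0x03; anything else is a non-TLS reply, which is
    what OpenSSL reports as 'unknown protocol' / 'wrong version number'."""
    if len(first_bytes) >= 2 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls-record"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "not-tls"


# Constructed from the post: only the lines relevant to tunnel pairing are kept.
SERVER_A = """
sslVersion = all
options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2

[Tunnel from Server B]
accept = 1.2.3.4:443
connect = 127.0.0.1:8082

[Tunnel to Server B]
accept = 5.6.7.8:3132
connect = 9.10.11.12:4000
client = yes
"""

SERVER_B = """
sslVersion = all
options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2

[Tunnel to Server A]
accept = 10.1.2.3:9443
connect = 1.2.3.4:443
client = yes

[Tunnel from Server A]
accept = 9.10.11.12:4000
connect = 10.4.5.6:3132
"""

if __name__ == "__main__":
    for key, items in cross_check(SERVER_A, SERVER_B).items():
        print(f"{key}: {items}")
    print(classify_reply(b"HTTP/1.1 400 Bad Request\r\n"))
```

For the two configs in the post the pairing report comes back clean in both directions, which is the point of running it: when the endpoints line up but curl still reports `unknown protocol`, the bytes on the wire, not the section pairing, are where to look next, and `classify_reply` applied to the first bytes of the reply (for example from a packet capture of the failing connection) distinguishes a TLS alert from a plaintext HTTP answer.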
</html>