<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Some clarifications</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">1. Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3, which is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.</div><div id="AppleMailSignature">2. You can do a direct test with curl against your service (local) or openssl s_client.</div><div id="AppleMailSignature"><br>Regards</div><div id="AppleMailSignature">Jose</div><div><br>On 9 Oct 2015, at 5:44, Adrián Mihálko <<a href="mailto:adriankoooo@gmail.com">adriankoooo@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Some good news, I removed client = yes as you suggested:<div><br></div><div><div>2015.10.09 12:39:29 LOG5[main]: Configuration successful</div><div>2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log</div><div>2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)</div><div>2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket</div><div>2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from <a href="http://192.168.1.25:49671">192.168.1.25:49671</a></div><div>2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated</div><div>2015.10.09 12:39:34 LOG6[60]: No peer certificate received</div><div>2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)</div><div>2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0</div><div>2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952</div><div>2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952</div><div>2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached</div><div>2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected 
remote server from ::1:50598</div><div>2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)</div><div>2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket</div><div>2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from <a href="http://192.168.1.25:49672">192.168.1.25:49672</a></div><div>2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated</div><div>2015.10.09 12:39:34 LOG6[61]: No peer certificate received</div><div>2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)</div><div>2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1</div><div>2015.10.09 12:39:34 LOG6[61]: s_connect: connecting <a href="http://127.0.0.1:41952">127.0.0.1:41952</a></div><div>2015.10.09 12:39:34 LOG5[61]: s_connect: connected <a href="http://127.0.0.1:41952">127.0.0.1:41952</a></div><div>2015.10.09 12:39:34 LOG6[61]: persistence: <a href="http://127.0.0.1:41952">127.0.0.1:41952</a> cached</div><div>2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from <a href="http://127.0.0.1:50599">127.0.0.1:50599</a></div></div><div><br></div><div>openssl s_client log:</div><div><br></div><div><a href="http://pastebin.com/7bg3sf7J">http://pastebin.com/7bg3sf7J</a><br></div><div><br></div><div>The problem is now that the site loads forever, nothing happens. </div><div><br></div><div><div>(The certificate on :1988 is different from the original one on :41952. Is this not a problem?)</div></div><div><br></div><div>curl test:</div><div><br></div><div><p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">$ curl <a href="https://192.168.1.17:1988/DYMO/DLS/Printing/Check">https://192.168.1.17:1988/DYMO/DLS/Printing/Check</a> -vk</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">* Trying 192.168.1.17...</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">* Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">* Server certificate: localhost</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">> GET /DYMO/DLS/Printing/Check HTTP/1.1</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">> Host: <a href="http://192.168.1.17:1988">192.168.1.17:1988</a></p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">> User-Agent: curl/7.43.0</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">> Accept: */*</p>
<p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">> </p></div><div>waiting forever.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-10-09 12:34 GMT+02:00 Adrián Mihálko <span dir="ltr"><<a href="mailto:adriankoooo@gmail.com" target="_blank">adriankoooo@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">In the first mail I wrote the ports wrong; of course in the log I am using the correct ones.<div><br></div><div><span class=""><div>[myservice]</div><div>cert = stunnel.pem</div><div>client = yes</div><div>accept = <a href="http://0.0.0.0:1988" target="_blank">0.0.0.0:1988</a></div></span><div>connect = localhost:41952</div></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2015-10-09 12:32 GMT+02:00 Adrián Mihálko <span dir="ltr"><<a href="mailto:adriankoooo@gmail.com" target="_blank">adriankoooo@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Sorry, curl was only for testing.<div><br></div>Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect <a href="http://192.168.1.17:1988" target="_blank">192.168.1.17:1988</a><br>CONNECTED(00000003)<br>1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:<div><br></div><div><div>2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf</div><div>2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected</div><div>2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled</div><div>2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]</div><div>2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]</div><div>2015.10.09 12:23:21 
LOG6[main]: Initializing service [gmail-smtp]</div><div>2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]</div><div>2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem</div><div>2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem</div><div>2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks</div><div>2015.10.09 12:23:21 LOG5[main]: Configuration successful</div><div>2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log</div><div>2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from <a href="http://192.168.1.25:49454" target="_blank">192.168.1.25:49454</a></div><div>2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0</div><div>2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952</div><div>2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952</div><div>2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564</div><div>2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost</div><div>2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled</div><div>2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled</div><div>2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated</div><div>2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)</div><div>2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)</div><div>2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket</div></div><div><br></div><div>If I am connecting to the :41952:</div><div><br></div><p style="margin:0px;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(101,123,131);background-color:rgb(253,246,227)">openssl s_client -connect <a href="http://192.168.1.17:41952" target="_blank">192.168.1.17:41952</a></p>...<br><br>---<br>No client certificate CA names 
sent<br>---<br>SSL handshake has read 1724 bytes and written 712 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is AES128-SHA<br>Server public key is 4096 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>SSL-Session:<br> Protocol : TLSv1<br> Cipher : AES128-SHA<br>...<div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>2015-10-09 10:55 GMT+02:00 test rig <span dir="ltr"><<a href="mailto:testrig@z1p.biz" target="_blank">testrig@z1p.biz</a>></span>:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><br><font face="arial" size="2"><font face="arial" size="2">Ouch, #2 missing...<br><br></font></font><font face="arial" size="2"><font face="arial" size="2"><span>Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server<br><br></span>You are connecting to :9999 with curl(?)<br>Try to verify it via the "openssl s_client -connect yourserverip:1988" command<br><br>Best Regards<br>Michael<br><br></font></font><font face="arial" size="2"><font face="arial" size="2"></font><blockquote style="border-left:2px solid rgb(0,0,0);padding-right:0px;padding-left:5px;margin-left:5px;margin-right:0px" dir="ltr">--- Original Message ---<br><b>From:</b> "test rig" <<a href="mailto:testrig@z1p.biz" target="_blank">testrig@z1p.biz</a>><br><b>Date:</b> 09.10.2015 09:48:02<br><b>To:</b> "<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a>." <<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a>><br><b>Subject:</b> Re: [stunnel-users] (no subject)<br><br><font face="arial" size="2"><span>Hi Adrian, looks good to me so far - mostly. 
Try to replace the client=yes with a client=no on the server<br></span><blockquote style="border-left:2px solid rgb(0,0,0);padding-right:0px;padding-left:5px;margin-left:5px;margin-right:0px" dir="ltr"><span>--- Original Message ---<br><b>From:</b> Adrián Mihálko <u></u><br></span><div><div><b>Date:</b> 09.10.2015 08:15:19<br><b>To:</b> <a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br><b>Subject:</b> [stunnel-users] (no subject)<br><br><div dir="ltr"><div>Dear stunnel users,</div><div><br></div><div>I have a little service which listens only on <a href="https://localhost:4952/" rel="noreferrer" target="_blank">https://localhost:4952</a> and checks the source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952"<br><br><a href="https://192.168.1.10:1988/" rel="noreferrer" target="_blank">https://192.168.1.10:1988</a>
-> redirect <a href="https://localhost:4952/" rel="noreferrer" target="_blank">https://localhost:4952</a><br><br><br> I am trying to configure stunnel like this<br><br> [myservice]<br> cert = stunnel.pem<br> client = yes<br> accept = <a href="http://0.0.0.0:1988/" rel="noreferrer" target="_blank">0.0.0.0:1988</a><br> connect = localhost:4952<br><br> remote machine$ curl <a href="https://192.168.1.25:9999/DYMO/DLS/Printing/Check" rel="noreferrer" target="_blank">https://192.168.1.25:9999/DYMO/DLS/Printing/Check</a> -v<br> * Trying 192.168.1.25...<br> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)<br> * WARNING: using IP address, SNI is being disabled by the OS.<br> * Unknown SSL protocol error in connection to 192.168.1.25:-9847<br> * Closing connection 0<br> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847<br><br> stunnel.log:<br> 2015.10.09
09:05:42 LOG5[38]: Service [myservice] accepted connection from <a href="http://192.168.1.24:60748/" rel="noreferrer" target="_blank">192.168.1.24:60748</a><br> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1<br> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting <a href="http://127.0.0.1:41952/" rel="noreferrer" target="_blank">127.0.0.1:41952</a><br> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected <a href="http://127.0.0.1:41952/" rel="noreferrer" target="_blank">127.0.0.1:41952</a><br> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from <a href="http://127.0.0.1:50503/" rel="noreferrer" target="_blank">127.0.0.1:50503</a><br> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost<br> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled<br> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled<br> 2015.10.09
09:05:42 LOG6[38]: SSL connected: new session negotiated<br> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)<br> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)<br> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket<br><br> I have tried verify = 1 to 4; none of them works. :(<br><br> Best Regards,<br> Adrian </div></div>
<u></u></div></div></blockquote></font><div><div>
</div></div></blockquote></font><div><div>
</div></div><br></div></div>_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="noreferrer" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></blockquote></body></html>
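Jose's two points above (a protocol mismatch between stunnel and the service, and testing each hop directly) are easiest to check against what stunnel itself logged. The script below is an added example, not code from the thread or from the stunnel project: it groups stunnel log lines by connection id, records for each connection which side of the TLS handshake stunnel was on ("SSL connected" means stunnel dialled out as a TLS client, "SSL accepted" means it served TLS), the negotiated protocol and cipher, whether peer verification was off, and how many bytes were relayed, then flags the conditions a reviewer would care about. The sample lines are constructed to mirror the logs quoted in the thread; the log format, the finding codes and the thresholds are this example's own choices, not stunnel's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in stunnel's log format, modelled on the lines quoted in the
# thread. Connection 39: stunnel in client mode (it initiated TLS to the backend
# with verification disabled). Connection 60: stunnel in server mode (it accepted
# TLS from the remote machine) and relayed no application data at all.
SAMPLE_LOG = """\
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:21 LOG5[main]: Configuration successful
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""

# "<date> <time> LOG<level>[<connection id or main>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<conn>\w+)\]: (?P<msg>.*)$")
NEGOTIATED_RE = re.compile(r"^Negotiated (?P<proto>\S+) ciphersuite (?P<cipher>\S+)")
CLOSED_RE = re.compile(r"^Connection closed: (?P<to_ssl>\d+) byte\(s\) sent to SSL, "
                       r"(?P<to_sock>\d+) byte\(s\) sent to socket")
ACCEPTED_RE = re.compile(r"^Service \[(?P<svc>[^\]]+)\] accepted connection from (?P<peer>\S+)")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Session:
    conn: str
    service: Optional[str] = None
    peer: Optional[str] = None
    side: Optional[str] = None      # "client": stunnel initiated TLS; "server": stunnel accepted TLS
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    verify_disabled: bool = False
    no_peer_cert: bool = False
    bytes_to_ssl: Optional[int] = None
    bytes_to_socket: Optional[int] = None


def parse_log(text: str) -> Tuple[Dict[str, Session], List[str]]:
    """Group stunnel log lines by connection id; also collect LOG4 (warning) messages."""
    sessions: Dict[str, Session] = {}
    warnings: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a stunnel log line; ignore
        conn, msg = m.group("conn"), m.group("msg")
        if m.group("level") == "4":
            warnings.append(msg)
        if conn == "main":
            continue                      # startup/config messages carry no session state
        s = sessions.setdefault(conn, Session(conn))
        if (a := ACCEPTED_RE.match(msg)):
            s.service, s.peer = a.group("svc"), a.group("peer")
        elif msg.startswith("SSL connected:"):
            s.side = "client"
        elif msg.startswith("SSL accepted:"):
            s.side = "server"
        elif msg == "Certificate verification disabled":
            s.verify_disabled = True
        elif msg == "No peer certificate received":
            s.no_peer_cert = True
        elif (n := NEGOTIATED_RE.match(msg)):
            s.protocol, s.cipher = n.group("proto"), n.group("cipher")
        elif (c := CLOSED_RE.match(msg)):
            s.bytes_to_ssl, s.bytes_to_socket = int(c.group("to_ssl")), int(c.group("to_sock"))
    return sessions, warnings


def audit(sessions: Dict[str, Session]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {conn: [(code, explanation), ...]} for every session with something to flag."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for conn, s in sessions.items():
        issues: List[Tuple[str, str]] = []
        if s.side == "client" and s.verify_disabled:
            issues.append(("NO_PEER_VERIFY", "stunnel dialled out over TLS without verifying the "
                           "server certificate; anyone on the path could impersonate the backend "
                           "(configure verify with a CAfile)"))
        if s.protocol in LEGACY_PROTOCOLS:
            issues.append(("LEGACY_PROTOCOL", f"negotiated {s.protocol}; require TLSv1.2 or newer"))
        if s.cipher and not s.cipher.startswith(("ECDHE-", "DHE-", "TLS_")):
            issues.append(("NO_PFS", f"{s.cipher} uses static RSA key exchange: no forward secrecy"))
        if s.bytes_to_ssl == 0 and s.bytes_to_socket == 0:
            issues.append(("NO_APP_DATA", "TLS handshake completed but no application data crossed "
                           "the tunnel; check that the backend speaks the protocol stunnel hands it"))
        if issues:
            report[conn] = issues
    return report


if __name__ == "__main__":
    found, warns = parse_log(SAMPLE_LOG)
    for w in warns:
        print("WARNING (LOG4):", w)
    for cid, issues in audit(found).items():
        sess = found[cid]
        print(f"connection {cid} ({sess.side} side, {sess.protocol} {sess.cipher}, peer {sess.peer}):")
        for code, why in issues:
            print(f"  [{code}] {why}")
```

Run against a real stunnel.log by replacing SAMPLE_LOG with the file contents; the `side` field is the quickest way to confirm whether a service is actually running in client mode or server mode, independent of what the config file was intended to say.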