<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1480044289359_14368">Jothish,</div><div id="yui_3_16_0_1_1480044289359_14369"><br id="yui_3_16_0_1_1480044289359_14370" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14371">1. You are using a very outdated version of OpenSSL (openssl 0.9.8 is EOL). I suggest you use a newer, supported version.<br id="yui_3_16_0_1_1480044289359_14372" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14373" dir="ltr"><br id="yui_3_16_0_1_1480044289359_14374" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14375" dir="ltr">2. On a DOS Window, try this:</div><div id="yui_3_16_0_1_1480044289359_14376" dir="ltr"><font id="yui_3_16_0_1_1480044289359_14377" face="Courier New, courier, monaco, monospace, sans-serif">openssl dhparam -rand randfile1;randfile2;randfile3 1024</font></div><div id="yui_3_16_0_1_1480044289359_14378" dir="ltr"><br id="yui_3_16_0_1_1480044289359_14379" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14380" dir="ltr"><div id="yui_3_16_0_1_1480044289359_14520" dir="ltr">where randfile1, randfile2, ... <i id="yui_3_16_0_1_1480044289359_14808">are existing files or directories </i>to use as entropy sources. 
If you're on Linux you can use <font id="yui_3_16_0_1_1480044289359_15277" face="Courier New, courier, monaco, monospace, sans-serif">dd if=/dev/urandom count=2 | openssl dhparam -rand - 1024</font></div><div id="yui_3_16_0_1_1480044289359_14900" dir="ltr"><br></div><div id="yui_3_16_0_1_1480044289359_14582" dir="ltr">This will print something like this:</div></div><font id="yui_3_16_0_1_1480044289359_14382" face="Courier New, courier, monaco, monospace, sans-serif">WARNING: can't open config file: c:\openssl-vc/ssl/openssl.cnf<br id="yui_3_16_0_1_1480044289359_14383" clear="none">Loading 'screen' into random state - done<br id="yui_3_16_0_1_1480044289359_14384" clear="none">0 semi-random bytes loaded<br id="yui_3_16_0_1_1480044289359_14385" clear="none">Generating DH parameters, 1024 bit long safe prime, generator 2<br id="yui_3_16_0_1_1480044289359_14386" clear="none">This is going to take a long time<br id="yui_3_16_0_1_1480044289359_14387" clear="none">..+.. bla, bla....++*<br id="yui_3_16_0_1_1480044289359_14388" clear="none">unable to write 'random state'<br id="yui_3_16_0_1_1480044289359_14389" clear="none">-----BEGIN DH PARAMETERS-----<br id="yui_3_16_0_1_1480044289359_14390" clear="none">MIGHAoGBAJJ+QAYkKQd0pG1lxZKDYVZaURkTINQho8CWCUYOMp2ZEwZeMrEv+kjd<br id="yui_3_16_0_1_1480044289359_14391" clear="none">PVb4Ilnah1TmZQOxu1v8HtSWmKpclhlTDKjmDbhznUFkQhmRGjxXDCfrhnvNI4hV<br id="yui_3_16_0_1_1480044289359_14392" clear="none">kOB/3lGcWo50ttf+ZqNaXd0lKf9YfnjkRUSUtrHiMRL9CdecxQXbAgEC<br id="yui_3_16_0_1_1480044289359_14393" clear="none">-----END DH PARAMETERS-----</font><br id="yui_3_16_0_1_1480044289359_14394" clear="none"><div id="yui_3_16_0_1_1480044289359_14395" dir="ltr"><br id="yui_3_16_0_1_1480044289359_14396" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14397" dir="ltr">Now, cut from ---BEGIN... 
all the way to PARAMETERS--- and add it to your cert PEM file.</div><div id="yui_3_16_0_1_1480044289359_14398" dir="ltr"><br id="yui_3_16_0_1_1480044289359_14399" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14400" dir="ltr">3. Try again, your check command: <span id="yui_3_16_0_1_1480044289359_14401" style="color:#1F497D;">openssl dhparam -inform PEM -in ./training_client.pem -check -text</span></div><div id="yui_3_16_0_1_1480044289359_14402" dir="ltr"><div id="yui_3_16_0_1_1480044289359_15174">Should print something like:</div><div dir="ltr" id="yui_3_16_0_1_1480044289359_15123"><font id="yui_3_16_0_1_1480044289359_15263" face="Courier New, courier, monaco, monospace, sans-serif"> DH Parameters: (1024 bit)<br id="yui_3_16_0_1_1480044289359_15210"> prime:<br id="yui_3_16_0_1_1480044289359_15211"> 00:92:7e:40:06:24:29:07:74:a4:6d:65:c5:92:83:<br id="yui_3_16_0_1_1480044289359_15212"> ...<br id="yui_3_16_0_1_1480044289359_15219"> 31:12:fd:09:d7:9c:c5:05:db<br id="yui_3_16_0_1_1480044289359_15220"> generator: 2 (0x2)<br id="yui_3_16_0_1_1480044289359_15221">DH parameters appear to be ok.<br id="yui_3_16_0_1_1480044289359_15222">-----BEGIN DH PARAMETERS-----<br id="yui_3_16_0_1_1480044289359_15223">MIGHAoGBAJJ+QAYkKQd0pG1lxZKDYVZaURkTINQho8CWCUYOMp2ZEwZeMrEv+kjd<br id="yui_3_16_0_1_1480044289359_15224">....</font></div><div id="yui_3_16_0_1_1480044289359_15334" dir="ltr"><font id="yui_3_16_0_1_1480044289359_15263" face="Courier New, courier, monaco, monospace, sans-serif">-----END DH PARAMETERS-----</font></div><div id="yui_3_16_0_1_1480044289359_15227" dir="ltr"><br></div></div><div id="yui_3_16_0_1_1480044289359_14404" dir="ltr">4. 
Now, try connecting from SFDC to tibco and let us know.<br id="yui_3_16_0_1_1480044289359_14405" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14406" dir="ltr"><br id="yui_3_16_0_1_1480044289359_14407" clear="none"></div><div id="yui_3_16_0_1_1480044289359_14408" dir="ltr">Regards</div>Jose<div id="yui_3_16_0_1_1480044289359_14315"><span></span></div><div id="yui_3_16_0_1_1480044289359_14316" class="qtdSeparateBR"><br><br></div><div style="display: block;" id="yui_3_16_0_1_1480044289359_15270" class="yahoo_quoted"> <div id="yui_3_16_0_1_1480044289359_15269" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1480044289359_15268" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1480044289359_15267" dir="ltr"> <font id="yui_3_16_0_1_1480044289359_15266" size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> "jothish.chokkalingam@accenture.com" <jothish.chokkalingam@accenture.com><br> <b><span style="font-weight: bold;">To:</span></b> josealf@rocketmail.com <br><b><span style="font-weight: bold;">Cc:</span></b> cbrowne@cbcs-usa.com; stunnel-users@stunnel.org<br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, November 24, 2016 6:45 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> RE: [stunnel-users] Help in setting stunnel in server mode to over come TLSV2 compatibility<br> </font> </div> <div id="yui_3_16_0_1_1480044289359_15275" class="y_msg_container"><br><div id="yiv9373448809"><style>#yiv9373448809 #yiv9373448809 --
#yiv9373448809 </style><div id="yui_3_16_0_1_1480044289359_15274">
<div id="yui_3_16_0_1_1480044289359_15273" class="yiv9373448809WordSection1">
<div id="yui_3_16_0_1_1480044289359_15276" class="yiv9373448809MsoNormal"><span style="color:#1F497D;">Jose,</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> </span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;">For the issue mentioned in the mail below, I am following the two approaches below:</span></div>
<div id="yui_3_16_0_1_1480044289359_15272" class="yiv9373448809MsoListParagraph" style=""><span style="color:#1F497D;"><span style="">1.<span style="font:7.0pt;"> </span></span></span><span id="yui_3_16_0_1_1480044289359_15271" style="color:#1F497D;">Move the TLSv1.2-enabled traffic to an intermediate port and then to the target port which has TLS1 enabled; in the SSL handshake from the intermediate port to the target port we get the error below. While triaging with the openssl command, it was observed that the DH parameters are not proper, so we are trying to add the DH parameters.</span></div>
<div class="yiv9373448809MsoListParagraph"><span style="color:#1F497D;">C:\Users\robin.johnson\Documents\SSL\SSL>C:\openssl-0.9.8k_X64\bin\openssl dhparam -inform PEM -in ./training_client.pem -check -text</span></div>
<div class="yiv9373448809MsoListParagraph"><span style="color:#1F497D;">unable to load DH parameters</span></div>
<div class="yiv9373448809MsoListParagraph"><span style="color:#1F497D;">1800:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: DH PARAMETERS
</span></div>
<div class="yiv9373448809MsoListParagraph"><span style="color:#1F497D;">stunnel.log → 2016.11.23 23:08:32 LOG3[131]: SSL_connect: 14082174: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> 2. Using the https service in stunnel, traffic received over TLS V1.1 is diverted to a non-SSL-enabled port.</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;">
</span></div>
<div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Thanks and Regards,</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Jothish
</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">TIBCO TSD</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Ph. : +91 44 39263958</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Mobile : +91 9884040171</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Support : +91 9962007110</span><span style="font-size:9.0pt;"></span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">OC : jothish.chokkalingam</span><span style="font-size:9.0pt;color:#17365D;"></span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#17365D;">Group mail:- Telstra.psm.tsd.tibco@accenture.com</span></div>
</div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> </span></div>
<div class="yiv9373448809yqt3805223068" id="yiv9373448809yqt53007"><div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in;">
<div class="yiv9373448809MsoNormal"><b><span style="color:windowtext;">From:</span></b><span style="color:windowtext;"> Josealf.rm [mailto:josealf@rocketmail.com]
<br clear="none">
<b>Sent:</b> Thursday, November 24, 2016 4:36 PM<br clear="none">
<b>To:</b> Chokkalingam, Jothish <jothish.chokkalingam@accenture.com><br clear="none">
<b>Cc:</b> cbrowne@cbcs-usa.com; stunnel-users@stunnel.org<br clear="none">
<b>Subject:</b> Re: [stunnel-users] Help in setting stunnel in server mode to over come TLSV2 compatibility</span></div>
</div>
</div>
<div class="yiv9373448809MsoNormal"> </div>
<div>
<div class="yiv9373448809MsoNormal" style="margin-bottom:12.0pt;"><br clear="none">
Can you please elaborate? If you want us to help, you need to provide enough information. <span style="font-size:12.0pt;"></span></div>
</div>
<div>
<div class="yiv9373448809MsoNormal">Regards</div>
</div>
<div>
<div class="yiv9373448809MsoNormal">Jose</div>
</div>
<div>
<div class="yiv9373448809MsoNormal"> </div>
</div>
<div>
<div class="yiv9373448809MsoNormal" style="margin-bottom:12.0pt;"><br clear="none">
On 24/11/2016, at 5:03 a.m., <<a rel="nofollow" shape="rect" ymailto="mailto:jothish.chokkalingam@accenture.com" target="_blank" href="mailto:jothish.chokkalingam@accenture.com">jothish.chokkalingam@accenture.com</a>> <<a rel="nofollow" shape="rect" ymailto="mailto:jothish.chokkalingam@accenture.com" target="_blank" href="mailto:jothish.chokkalingam@accenture.com">jothish.chokkalingam@accenture.com</a>> wrote:</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;">Jose,</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;">:) you are right. I was trying it, but I thought it would work as a client, and it worked as a workaround. But I will check for the 'dh key too small' error while forwarding the traffic with SSL from the intermediate port to another port.</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> </span></div>
<div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Thanks and Regards,</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Jothish
</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">TIBCO TSD</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Ph. : +91 44 39263958</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Mobile : +91 9884040171</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Support : +91 9962007110</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">OC : jothish.chokkalingam</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#17365D;">Group mail:- <a rel="nofollow" shape="rect" ymailto="mailto:Telstra.psm.tsd.tibco@accenture.com" target="_blank" href="mailto:Telstra.psm.tsd.tibco@accenture.com">
Telstra.psm.tsd.tibco@accenture.com</a></span></div>
</div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> </span></div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in;">
<div class="yiv9373448809MsoNormal"><b><span style="color:windowtext;">From:</span></b><span style="color:windowtext;"> Josealf.rm [<a rel="nofollow" shape="rect" ymailto="mailto:josealf@rocketmail.com" target="_blank" href="mailto:josealf@rocketmail.com">mailto:josealf@rocketmail.com</a>]
<br clear="none">
<b>Sent:</b> Thursday, November 24, 2016 2:48 PM<br clear="none">
<b>To:</b> Chokkalingam, Jothish <<a rel="nofollow" shape="rect" ymailto="mailto:jothish.chokkalingam@accenture.com" target="_blank" href="mailto:jothish.chokkalingam@accenture.com">jothish.chokkalingam@accenture.com</a>><br clear="none">
<b>Cc:</b> <a rel="nofollow" shape="rect" ymailto="mailto:cbrowne@cbcs-usa.com" target="_blank" href="mailto:cbrowne@cbcs-usa.com">cbrowne@cbcs-usa.com</a>; <a rel="nofollow" shape="rect" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">
stunnel-users@stunnel.org</a><br clear="none">
<b>Subject:</b> Re: [stunnel-users] Help in setting stunnel in server mode to over come TLSV2 compatibility</span></div>
</div>
</div>
<div class="yiv9373448809MsoNormal"> </div>
<div>
<div class="yiv9373448809MsoNormal">Jothish,<br clear="none">
<br clear="none">
Stunnel in server mode is what you need, with 99.9% confidence.</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal"> </div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">When you write:</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal"> </div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">[https]</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">Accept=443</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">Connect=localhost:80</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">Client=no</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal"> </div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">Stunnel will expect TLS connections on port 443 and will forward them to your normal web server running on loopback port 80.</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal"> </div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">Is that clear?</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal"> </div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">Regards,</div>
</div>
<div id="yiv9373448809AppleMailSignature">
<div class="yiv9373448809MsoNormal">Jose</div>
</div>
<div>
<div class="yiv9373448809MsoNormal" style="margin-bottom:12.0pt;"><br clear="none">
On 24/11/2016, at 2:29 a.m., <<a rel="nofollow" shape="rect" ymailto="mailto:jothish.chokkalingam@accenture.com" target="_blank" href="mailto:jothish.chokkalingam@accenture.com">jothish.chokkalingam@accenture.com</a>> <<a rel="nofollow" shape="rect" ymailto="mailto:jothish.chokkalingam@accenture.com" target="_blank" href="mailto:jothish.chokkalingam@accenture.com">jothish.chokkalingam@accenture.com</a>> wrote:</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> </span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;">Is there a way to forward a secure connection from one port to a non-secure port using stunnel? I am googling but unable to find one. If you have one, can you let me know?</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> </span></div>
<div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Thanks and Regards,</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Jothish
</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">TIBCO TSD</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Ph. : +91 44 39263958</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Mobile : +91 9884040171</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Support : +91 9962007110</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">OC : jothish.chokkalingam</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#17365D;">Group mail:- <a rel="nofollow" shape="rect" ymailto="mailto:Telstra.psm.tsd.tibco@accenture.com" target="_blank" href="mailto:Telstra.psm.tsd.tibco@accenture.com">
Telstra.psm.tsd.tibco@accenture.com</a></span></div>
</div>
<div class="yiv9373448809MsoNormal"><span style="color:#1F497D;"> </span></div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in;">
<div class="yiv9373448809MsoNormal"><b><span style="color:windowtext;">From:</span></b><span style="color:windowtext;"> stunnel-users [<a rel="nofollow" shape="rect" ymailto="mailto:stunnel-users-bounces@stunnel.org" target="_blank" href="mailto:stunnel-users-bounces@stunnel.org">mailto:stunnel-users-bounces@stunnel.org</a>]
<b>On Behalf Of </b>Carter Browne<br clear="none">
<b>Sent:</b> Wednesday, November 23, 2016 9:30 PM<br clear="none">
<b>To:</b> <a rel="nofollow" shape="rect" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br clear="none">
<b>Subject:</b> Re: [stunnel-users] Help in setting stunnel in server mode to over come TLSV2 compatibility</span></div>
</div>
</div>
<div class="yiv9373448809MsoNormal"> </div>
<div>There are other tools for performing port forwarding with less overhead (I believe tappipe is one), although I make use of stunnel to do this extensively.</div>
<div>Forwarding a secure connection from one port to another is a two-step process with stunnel:</div>
<div>A sample configuration segment would be:</div>
<div>[SFDC reverse in]</div>
<div>client = no</div>
<div>accept = 8008</div>
<div class="yiv9373448809MsoNormal" style="margin-bottom:12.0pt;">connect = localhost:48008<br clear="none">
<br clear="none">
<br clear="none">
[SFDC reverse out]<br clear="none">
client = yes<br clear="none">
accept = localhost:48008<br clear="none">
connect = localhost:8009</div>
<div>
<div class="yiv9373448809MsoNormal">On 11/23/2016 10:18 AM, Rodney Lott wrote:</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div class="yiv9373448809MsoNormal" style="margin-bottom:12.0pt;">Hi, there.<br clear="none">
<br clear="none">
I'm no stunnel expert, but here's my $0.05 (we have no pennies in Canada anymore ;-) ):<br clear="none">
- I would try including the key as well as the cert in your stunnel config<br clear="none">
- I would enable debug on the openssl s_client call to see if it will indicate why it is resetting. Same with your SFDC client to get more info.<br clear="none">
- Question: is the "WARNING: can't open config file" message below indicative of a permissions or path problem?
<br clear="none">
- Question: Is the stunnel cert and key compatible with the TIBCO server's certificate? They need to be using certs generated from the same key source, don't they?
<br clear="none">
- You might want to fix the SSL version in the stunnel config file (i.e. sslVersion = TLSv1.2)<br clear="none">
<br clear="none">
Good luck with your debugging. <br clear="none">
<br clear="none">
Rodney</div>
<div>
<div class="yiv9373448809MsoNormal">On 2016-11-22 07:43 PM, <a rel="nofollow" shape="rect" ymailto="mailto:jothish.chokkalingam@accenture.com" target="_blank" href="mailto:jothish.chokkalingam@accenture.com">
jothish.chokkalingam@accenture.com</a> wrote:</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div class="yiv9373448809MsoNormal">HI all,</div>
<div class="yiv9373448809MsoNormal"> </div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;">We currently have a problem connecting the tibco client to the SFDC server via TLS v1.2, and that is solved by using stunnel in client mode. But the communication from the SFDC client to the tibco server applications w.r.t. TLS V1.2 I am unable to solve using stunnel. Below is the stunnel configuration at the server end to divert the traffic from 8008 to 8009; with the logs, can you help check whether the stunnel configuration is correct or whether anything is missing or needs to be altered?</div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;"> </div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;">[SFDC reverse proxy test]</div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;">debug=7</div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;">;client = yes</div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;">accept = 8008 → port used by the SFDC client to connect to the TIBCO server</div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;">connect = localhost:8009 → Tibco server that's running</div>
<div class="yiv9373448809MsoNormal" style="text-indent:.5in;">cert = stunnel.pem</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] started</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG7[118]: Option TCP_NODELAY set on local socket</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG5[118]: Service [SFDC reverse proxy test] accepted connection from 101.167.198.14:54477</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG6[118]: Peer certificate not required</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG7[118]: SSL state (accept): before/accept initialization</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG3[118]: SSL_accept: Peer suddenly disconnected</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG5[118]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG7[118]: Local descriptor (FD=696) closed</div>
<div class="yiv9373448809MsoNormal">2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] finished (0 left)</div>
<div class="yiv9373448809MsoNormal"> </div>
<div class="yiv9373448809MsoNormal">PFB the openssl snapshot, which looks odd:</div>
<div class="yiv9373448809MsoNormal">C:\Program Files (x86)\stunnel\bin>openssl s_client -connect localhost:8008 -prexit -showcerts</div>
<div class="yiv9373448809MsoNormal"><b><span style="background:yellow;">WARNING: can't open config file: /devel/win32/openssl/openssl.cnf</span></b></div>
<div class="yiv9373448809MsoNormal">CONNECTED(0000016C)</div>
<div class="yiv9373448809MsoNormal"> </div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Thanks and Regards,</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Jothish
</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">TIBCO TSD</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Ph. : +91 44 39263958</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Mobile : +91 9884040171</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">Support : +91 9962007110</span></div>
<div class="yiv9373448809MsoNormal"><span style="font-size:9.0pt;">OC : jothish.chokkalingam</span></div>
<div class="yiv9373448809MsoNormal"><span style="color:#17365D;">Group mail:- <a rel="nofollow" shape="rect" ymailto="mailto:Telstra.psm.tsd.tibco@accenture.com" target="_blank" href="mailto:Telstra.psm.tsd.tibco@accenture.com">
Telstra.psm.tsd.tibco@accenture.com</a></span></div>
<div class="yiv9373448809MsoNormal"> </div>
<div class="yiv9373448809MsoNormal"><span style="font-size:12.0pt;"> </span></div>
<div class="yiv9373448809MsoNormal" style="text-align:center;" align="center"><span style="font-size:12.0pt;">
</span><hr size="2" width="100%" align="center">
</div>
<pre>_______________________________________________</pre>
<pre>stunnel-users mailing list</pre>
<pre><a rel="nofollow" shape="rect" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a></pre>
<pre><a rel="nofollow" shape="rect" target="_blank" href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stunnel.org_cgi-2Dbin_mailman_listinfo_stunnel-2Dusers&d=DgMDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=MqNUOU_xr_CQWlW-GqRdBeY3oxru560GTYsOPa0RQctKABtP4l_SCfWLL8Ex9w7w&m=4huWq-QNmeb8U731CD550mFem3fJi1V_h32_3NnDWgc&s=VpkrTsuWKtX284qEcR4zgE-0ZQcbC5mQrBA5w0wCSME&e=">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a></pre>
</blockquote>
</blockquote>
<div class="yiv9373448809MsoNormal"><span style="font-size:12.0pt;"> </span></div>
</div>
</blockquote>
</div>
</blockquote></div>
</div>
</div></div><br><br></div> </div> </div> </div></div></body></html>
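Jose's step 3 verifies the parameters with <code>openssl dhparam -check</code>, and Jothish's stunnel log shows the connecting side rejecting the server's DH key as too small. As an added example that is not part of the thread, this Python script parses a DH PARAMETERS PEM block the way a defender would before adding it to an stunnel cert file: it decodes the DER SEQUENCE, reports the modulus size, checks that p is a safe prime, and flags a modulus below 2048 bits. The sample input is the 1024-bit block Jose's dhparam run printed above; the 2048-bit minimum is this example's own policy choice, not something the thread states.

```python
"""
Inspect a "DH PARAMETERS" PEM block (the format `openssl dhparam` writes).
DER layout: SEQUENCE { INTEGER p, INTEGER g }.  Added example, not from the
stunnel thread; the 2048-bit floor is an assumption made here.
"""
import base64
import random

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"

# Sample input: the 1024-bit parameters printed by Jose's dhparam run in the thread.
SAMPLE_PEM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBAJJ+QAYkKQd0pG1lxZKDYVZaURkTINQho8CWCUYOMp2ZEwZeMrEv+kjd
PVb4Ilnah1TmZQOxu1v8HtSWmKpclhlTDKjmDbhznUFkQhmRGjxXDCfrhnvNI4hV
kOB/3lGcWo50ttf+ZqNaXd0lKf9YfnjkRUSUtrHiMRL9CdecxQXbAgEC
-----END DH PARAMETERS-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; fail the same way OpenSSL does when the header is missing."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not lines or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("no start line: Expecting: DH PARAMETERS")
    return base64.b64decode("".join(lines[1:-1]))


def _read_tlv(der: bytes, pos: int):
    """Minimal DER tag-length-value reader (short and long-form lengths)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def parse_dh_params(pem: str):
    """Return (p, g) from a DH PARAMETERS block."""
    der = pem_to_der(pem)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters must be a DER SEQUENCE")
    tag_p, p_bytes, nxt = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with fixed witnesses so results are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def assess_dh_params(pem: str, min_bits: int = 2048) -> dict:
    """Size, generator, safe-prime status and an overall verdict for a DH PEM block."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    # A safe prime p = 2q + 1 with q prime is what `openssl dhparam` generates by default.
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {
        "bits": bits,
        "generator": g,
        "safe_prime": safe,
        "acceptable": safe and bits >= min_bits and g in (2, 5),
    }


if __name__ == "__main__":
    print(assess_dh_params(SAMPLE_PEM))
```

The sample from the thread comes back as a valid 1024-bit safe-prime group, which is exactly why a modern client would still refuse it; regenerate with a larger size before adding the block to the cert file.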