<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:11pt;color:#632423;font-family:Verdana,Geneva,sans-serif;" dir="ltr">
<p></p>
<div>Hello, I am new to STunnel and I am running into a problem. Here is my setup.</div>
<div><br>
</div>
<div>I use an ASUS router with Merlin firmware. I have STunnel installed via Entware on this router.</div>
<div><br>
</div>
<div>Running "stunnel -version" gives me:</div>
<div><br>
</div>
<div>stunnel 5.41 on mipsel-openwrt-linux-gnu platform</div>
<div>Compiled/running with OpenSSL 1.0.2k 26 Jan 2017</div>
<div>Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI</div>
<div><br>
</div>
<div>Global options:</div>
<div>RNDbytes = 64</div>
<div>RNDoverwrite = yes</div>
<div><br>
</div>
<div>Service-level options:</div>
<div>ciphers = FIPS (with "fips = yes")</div>
<div>ciphers = HIGH:!DH:!aNULL:!SSLv2 (with "fips = no")</div>
<div>curve = prime256v1</div>
<div>debug = daemon.notice</div>
<div>logId = sequential</div>
<div>options = NO_SSLv2</div>
<div>options = NO_SSLv3</div>
<div>sessionCacheSize = 1000</div>
<div>sessionCacheTimeout = 300 seconds</div>
<div>stack = 65536 bytes</div>
<div>TIMEOUTbusy = 300 seconds</div>
<div>TIMEOUTclose = 60 seconds</div>
<div>TIMEOUTconnect = 10 seconds</div>
<div>TIMEOUTidle = 43200 seconds</div>
<div>verify = none</div>
<div><br>
</div>
<div>-------------------------------------------------------------------------------------------</div>
<div><br>
</div>
<div>I use my own server certificate signed by my own CA. This cert has the proper SANs with correct DNS/IP entries.</div>
<div>I use this server certificate both for my router's HTTPS web gui and for the "cert" and "key" files listed in the config file below.</div>
<div>Also, the "CAfile" in the config is pointing to my Root CA's certificate.</div>
<div>My Root CA is also imported in my Windows box's certificate store.</div>
<div><br>
</div>
<div>I can directly access my router's web gui from LAN side via these ports: 80 (HTTP), 2000 (HTTPS).</div>
<div>Router's LAN subnet is 10.49.49.0/24 and the router's WAN IP is 10.76.5.3 (it is double NAT for testing, this router is for testing)</div>
<div>Also, STunnel is running as a server accepting connections on port 443 (all interfaces) on the router.</div>
<div><br>
</div>
<div>-------------------------------------------------------------------------------------------</div>
<div><br>
</div>
<div>I want to use Chrome directly as an STunnel client on my Windows box. </div>
<div>So, I don't run STunnel on my Windows box in the client mode.</div>
<div><br>
</div>
<div><br>
</div>
<div>SITUATION 1: WORKS FINE!!</div>
<div><br>
</div>
<div>-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443"</div>
<div> This should forward to the router's port 80 (HTTP protocol used).</div>
<div><br>
</div>
<div><br>
</div>
<div>My STunnel config file on the router has:</div>
<div><br>
</div>
<div>setuid = nobody</div>
<div>setgid = nobody</div>
<div>foreground = yes</div>
<div>syslog = yes</div>
<div>debug = 7</div>
<div><br>
</div>
<div>[Test-Service]</div>
<div>accept = 443</div>
<div>connect = 10.49.49.1:80</div>
<div>requireCert = yes</div>
<div>verifyChain = yes</div>
<div>CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt</div>
<div>cert = /mnt/Merlin/entware/etc/stunnel/server.crt</div>
<div>key = /mnt/Merlin/entware/etc/stunnel/server.key</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>SITUATION 2: DOES NOT WORK!!</div>
<div><br>
</div>
<div>-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443"</div>
<div> This should forward to the router's port 2000 (HTTPS protocol used).</div>
<div><br>
</div>
<div>There is only one change from the Situation 1 config file. The line for "connect" changed to "connect = 10.49.49.1:2000".</div>
<div><br>
</div>
<div>This does not work. </div>
<div>Note that I can directly access my router's web gui over https with "https://LAN_IP:2000" via Chrome, with no warnings.</div>
<div><br>
</div>
<div><br>
</div>
<div>------------------------------------------------------------------------------</div>
<div>My thoughts:</div>
<div><br>
</div>
<div>So, my current path is Chrome (Acting as STunnel Client) --> STunnel Server (on the router) --> Router's Web GUI.</div>
<div>The "Chrome --> STunnel" Server connection is fine. Chrome prompts for private key and STunnel server correctly shows this incoming Chrome connection.</div>
<div><br>
</div>
<div>The problem is the "STunnel Server --> Router" relay that uses HTTPS protocol.</div>
<div><br>
</div>
<div>1. STunnel does not like HTTPS to HTTPS relay. HTTP to HTTPS works, but not HTTPS to HTTPS.</div>
<div>2. STunnel server on my router is a client to my router's web gui. Is STunnel verifying my router's HTTPS certificate?</div>
<div>3. If the above answer is yes, my guess is that STunnel sees a self signed certificate for this router and kills the connection?</div>
<div>4. How do I tell STunnel server to ignore certificate warnings for a remote connection, like when connecting to this router?</div>
<div>5. Or how do I explicitly tell STunnel to trust my Root CA while making this connection to my router? I couldn't find any options in STunnel for this.</div>
<br>
<p></p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(99, 36, 35); font-family: Verdana, Geneva, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols;">
<p><span style="font-size:11pt">Regards,</span></p>
<p><span style="font-size:11pt">Dipen Doshi</span><br>
</p>
</div>
</div>
</div>
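<p>Added example (not part of the message above, and not stunnel's own documentation): a two-service stunnel.conf for the "Situation 2" topology. In server mode stunnel terminates TLS and hands the decrypted byte stream to the connect target in the clear, so pointing a server-mode service at an HTTPS listener sends plaintext HTTP to a socket that expects a TLS handshake. A second service in client mode takes that plaintext on a loopback port and opens a fresh, verified TLS session to the router's HTTPS GUI. The loopback port 8443, the hostname in checkHost, and the file paths are assumptions for illustration.</p>

```ini
; Added example config, not the original poster's file.
; Global section: same as the posted Situation 1 config.
setuid = nobody
setgid = nobody
foreground = yes
syslog = yes
debug = 7

; Service 1 (server mode): terminate TLS from the browser on 443,
; require and verify the client certificate, then forward the
; decrypted stream to the loopback listener of service 2.
[front-https]
accept = 443
connect = 127.0.0.1:8443
requireCert = yes
verifyChain = yes
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
cert = /mnt/Merlin/entware/etc/stunnel/server.crt
key = /mnt/Merlin/entware/etc/stunnel/server.key

; Service 2 (client mode): re-encrypt towards the router's HTTPS GUI
; on port 2000 and verify its certificate against the private root CA.
; Loopback port 8443 is an arbitrary choice for this example.
[back-https]
client = yes
accept = 127.0.0.1:8443
connect = 10.49.49.1:2000
verifyChain = yes
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
; Assumption: the GUI certificate carries this DNS name in its SAN.
; If it only carries the address as an IP SAN, use checkIP = 10.49.49.1 instead.
checkHost = router.example.lan
```

<p>Before trusting the backend, confirm what it actually presents with <code>openssl s_client -connect 10.49.49.1:2000 -CAfile /mnt/Merlin/entware/etc/stunnel/ca.crt</code> and check that the chain verifies and that the SAN matches the name or address given to checkHost/checkIP. With <code>debug = 7</code>, the verification result for the [back-https] service appears in the stunnel log next to each connection, which is the quickest way to tell a certificate rejection apart from a plain TCP or protocol failure. Leaving out verifyChain/CAfile on the client-mode service would make it connect to anything listening on 10.49.49.1:2000, which silently defeats the point of a private CA.</p>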
</body>
</html>