<div dir="ltr"><div>Hi Peter,</div><div>Thanks for the help, but I still need help with the certificates.</div><div><br></div><div>Stunnel is installed on Windows and the firewall is disabled.</div><div>In the application settings, the address will be "stunserv:5432"; the application is not located on the same host as stunnel.</div><div>At the moment, for easier testing, I am using a browser. I am able to open <a href="http://tdl.externalhost.com:9443">tdl.externalhost.com:9443</a>; do I understand correctly that when stunnel is configured correctly, I should see the same result when going to stunserv:54321?</div><div><br></div><div>I have the server's root certificate, which is currently installed under Trusted Root Certification Authorities (the chain looks like this: CA.cer -> externalhost.cer).</div><div>The CApath directory contains the root certificate for the <a href="http://tdl.externalhost.com">tdl.externalhost.com</a> server and the revocation lists.</div><div>What certificates should I use? How do I correctly specify the certificates in the config? Do I need to create any certificates?</div><div><br></div><div>Current config:</div>
<pre>
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no

[https]
client = yes
connect = tdl.externalhost.com:9443
accept = stunserv:54321
TIMEOUTclose = 0
TIMEOUTconnect = 200
TIMEOUTidle = 86400
sni = tdl.externalhost.com
checkHost = tdl.externalhost.com
verifyChain = yes
CApath = "C:\Program Files (x86)\stunnel\config\ssl"
</pre>
<div><br></div><div>Connections log:</div>
<pre>
2018.12.27 11:34:19 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2018.12.27 11:34:19 LOG5[main]: Compiled/running with OpenSSL 1.1.1a 20 Nov 2018
2018.12.27 11:34:19 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2018.12.27 11:34:19 LOG5[main]: Reading configuration from file stunnel.conf
2018.12.27 11:34:19 LOG5[main]: UTF-8 byte order mark detected
2018.12.27 11:34:19 LOG5[main]: Configuration successful
2018.12.27 11:34:31 LOG5[0]: Service [https] accepted connection from fe80::1cc0:e238:fbbc:7767%12:53218
2018.12.27 11:34:52 LOG3[0]: s_connect: connect tdl.externalhost.com:9443: Connection timed out (WSAETIMEDOUT) (10060)
2018.12.27 11:34:52 LOG3[0]: No more addresses to connect
2018.12.27 11:34:52 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
</pre>
</div><br><div class="gmail_quote"><div dir="ltr">Wed, Dec 26, 2018 at 23:00, Eric Eberhard <<a href="mailto:flash@vicsmba.com">flash@vicsmba.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">There once was an open source libcsoap to do SOAP. It appeared abandoned 5-10 years ago but was available online. <br>
<br>
I downloaded that ages ago and made a fully functional libcsoap -- this includes "nanohttp" which will POST via HTTP, HTTPS, 1.0, 1.1, etc. <br>
<br>
I only use this on AIX -- and my inability to do the craziness that the open source community does so well to make it work on all platforms and a lack of a real place to put it -- it never really got out.<br>
<br>
You are welcome to the code. It is in C. You can build nanohttp apart from libcsoap. If it has a few gotchas because of your O/S they should be easy to fix (I did make a couple AIX changes).<br>
<br>
The code is small and easy to link into C (or anything else that links to a .a or .so) -- and it can be set up as a server (never tried it).<br>
<br>
It DOES require openssl be installed (for the HTTPS I think).<br>
<br>
If you want it, email me and I'll put it on my FTP site.<br>
<br>
Eric<br>
<br>
-----Original Message-----<br>
From: stunnel-users [mailto:<a href="mailto:stunnel-users-bounces@stunnel.org" target="_blank">stunnel-users-bounces@stunnel.org</a>] On Behalf Of Peter Pentchev<br>
Sent: Wednesday, December 26, 2018 8:40 AM<br>
To: Константин Кручинин <<a href="mailto:kruchinin.c@gmail.com" target="_blank">kruchinin.c@gmail.com</a>><br>
Cc: <a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
Subject: Re: [stunnel-users] HTTP to HTTPS<br>
<br>
On Wed, Dec 26, 2018 at 04:54:34PM +0300, Константин Кручинин wrote:<br>
> Good day!<br>
> Is it possible to implement the following functionality by means of Stunnel?<br>
> There is an application that is not capable of SSL, and I need to send its data <br>
> to the server over HTTPS.<br>
<br>
As I noted in a recent message, stunnel may be used as a client for an HTTPS service; the configuration is pretty much what you have shown below, but there are several more details to configure. See <a href="https://www.stunnel.org/pipermail/stunnel-users/2018-December/006233.html" rel="noreferrer" target="_blank">https://www.stunnel.org/pipermail/stunnel-users/2018-December/006233.html</a><br>
<br>
First off, do you have control over the source code of your application - the one that sends the HTTP query that actually needs to reach an HTTPS server? If you do, is it possible to modify the source so that it establishes a TCP connection to a specified IP address and port and<br>
*then* sends an HTTP request over that connection, with the actual server's hostname in the HTTP request? Some HTTP client libraries do give you this opportunity, although it is rare. If you can do that, then it may not be necessary to do the hosts file trickery and chase the server's IP address - specify the server by name in stunnel's configuration and let the client connect to the address stunnel listens to and send an HTTP request containing the real server's name.<br>
<br>
If you cannot do that, or if it would be too much hassle, then there is always the solution that I outlined in my message - specify a numeric IP address in stunnel's configuration and put the server's name in your system's hosts file (/etc/hosts on Unix, %WINDIR%\system32\drivers\etc\hosts<br>
on Windows) entry for the IP address that stunnel listens on.<br>
<br>
One more thing that I forgot to mention in my previous message: with HTTPS it might be good to specify the "sni" option so that stunnel asks the server for the correct virtual host to connect to.<br>
<br>
> How can this be implemented without installing an instance of Stunnel <br>
> on the server side?<br>
<br>
If there is an HTTPS server on the server side, you should be able to do this with stunnel as a client, with pretty much the configuration that you have shown.<br>
<br>
> Do I need to specify the certificate when implementing the above, if <br>
> so, what kind of certificates are needed?<br>
<br>
Stunnel will want - and for good reasons, it will really be a good idea - to verify the certificate of the server that it is connecting to, so that it (stunnel) does not mislead your application by saying "here, this is a connection to the server you requested" and handing it a connection to a man-in-the-middle server controlled by an attacker. So you will need to obtain the certificate of the HTTPS server and either point stunnel to it directly or point stunnel to a directory containing the certificate of the entity that issued the server's certificate (e.g. Let's Encrypt or your organization's internal CA or something).<br>
<br>
> At the moment I have the following config.<br>
> <br>
> sslVersion = all<br>
> options = NO_SSLv2<br>
> options = NO_SSLv3<br>
> fips = no<br>
> <br>
> [https]<br>
> client = yes<br>
> connect = externalhost:9443<br>
> accept = localhost:54321<br>
> TIMEOUTclose = 0<br>
> TIMEOUTconnect = 200<br>
> TIMEOUTidle = 86400<br>
<br>
If there is already an HTTPS server listening on externalhost:9443, then this is very close to what you will need. The modifications may need to include specifying an IP address instead of a hostname in the "connect"<br>
directive (see the discussion about the hosts file above), then adding an "sni = serverhostname" line so that stunnel asks for the correct virtual host to connect to, then adding a "checkHost = serverhostname"<br>
line (or a similar line; in some cases the server that responds may have a slightly different common name, but this should be rare), and then adding some "verify" and "CAfile" or "CApath" lines to point stunnel to the certificate of the server or the certificate of the CA that issued the server's certificate.<br>
<br>
If all of this is making your head spin, let me know and I may try to explain it step by step in more detail :) We've all been there, just thrown into the deep by some "you have to learn how to do this *now*"<br>
task that comes out of nowhere...<br>
<br>
Hope at least some of this helps! :)<br>
<br>
G'luck,<br>
Peter<br>
<br>
--<br>
Peter Pentchev roam@{<a href="http://ringlet.net" rel="noreferrer" target="_blank">ringlet.net</a>,<a href="http://debian.org" rel="noreferrer" target="_blank">debian.org</a>,FreeBSD.org} <a href="mailto:pp@storpool.com" target="_blank">pp@storpool.com</a><br>
PGP key: <a href="http://people.FreeBSD.org/~roam/roam.key.asc" rel="noreferrer" target="_blank">http://people.FreeBSD.org/~roam/roam.key.asc</a><br>
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13<br>
<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><p style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(64,64,64)">With respect and best wishes,</p><p style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(64,64,64)"><b>Константин Кручинин</b></p></div></div>
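<p>As an added example (not a config from this thread, from the original poster, or from the stunnel project), the following stunnel client stanza puts together the directives Peter's message walks through (connect, sni, checkHost, verify options, CAfile/CApath) with the trust anchor the poster describes, the root CA.cer that issued the server certificate. The host names and ports are the thread's own example names; the CA file path is an assumption and has to be adjusted to where the root certificate actually lives. Two caveats are worth reading alongside it: stunnel's CAfile must be PEM-encoded, and CApath only works with OpenSSL's hashed directory layout, so a directory that merely contains CA.cer under its original name is never consulted. Independently of the certificate settings, the log above ends in a TCP-level "Connection timed out (WSAETIMEDOUT)" on s_connect, which occurs before any TLS handshake and therefore before any certificate is examined; stunserv itself must be able to open tdl.externalhost.com:9443 before the certificate configuration can be tested at all.</p>

```ini
; Added example: stunnel (5.x) client stanza assembled from the directives
; discussed in the thread. Not the poster's or the stunnel project's own file.
; Host names and ports follow the thread; the CA file path is an ASSUMPTION.

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no

[https]
client = yes

; Plaintext side: the application (on another host) connects here without TLS.
accept = stunserv:54321

; TLS side: the real HTTPS server. stunnel must be able to reach this port itself;
; a "s_connect: ... Connection timed out" log line means this TCP connect failed,
; which happens before any certificate is looked at.
connect = tdl.externalhost.com:9443
TIMEOUTclose = 0
TIMEOUTconnect = 200
TIMEOUTidle = 86400

; Tell the server which virtual host we want (TLS SNI) ...
sni = tdl.externalhost.com
; ... and reject the connection unless the presented certificate is for that name.
checkHost = tdl.externalhost.com

; Verify the server's certificate chain up to a trusted root (this is the setting
; that stops a man-in-the-middle server from being handed to the application).
verifyChain = yes

; Trust anchor: the root CA certificate that issued the server certificate
; (CA.cer in the chain "CA.cer -> externalhost.cer"). CAfile must be PEM; a DER
; export from the Windows certificate store can be converted with
;   openssl x509 -inform DER -in CA.cer -out CA.pem
; Path below is an assumed placeholder.
CAfile = C:\Program Files (x86)\stunnel\config\ssl\CA.pem

; Alternative to CAfile: a directory in OpenSSL's hashed layout, where each CA
; certificate is stored under the name <hash>.0 (the hash comes from
;   openssl x509 -hash -noout -in CA.pem
; or from running c_rehash on the directory). Certificates kept under their
; original file names in that directory are NOT found through CApath.
;CApath = C:\Program Files (x86)\stunnel\config\ssl
```

<p>With verifyChain and CAfile in place, a handshake failure shows up in the stunnel log as a certificate verification error rather than the silent "0 byte(s) sent" seen above, which makes the remaining certificate questions (which file, which format) easy to diagnose one at a time once the TCP connection to port 9443 succeeds.</p>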