@Peter ... I'm sure you are the Best! :)
Now it's works . I needed put ctm.omgeo.net in host file y ready :)
Now i put http://ctm.omgeo.net:19201 and I can connect with https://ctm.omgeo.net%C2%A0 (curl , firefox , application works!)
Many thanks :)
On 06/03/18 11:10, Peter Pentchev wrote:
On Tue, Mar 06, 2018 at 11:20:20AM +0200, Peter Pentchev wrote:
On Mon, Mar 05, 2018 at 01:28:15PM +0100, Carlos Castro wrote:
Hello
Thanks @Peter
Yes , my application not support TLS and I need the application connect using TLS , for this i using stunnel (i hope)
When I make curl -v http://127.0.0.1:19021%C2%A0 :
curl -v http://127.0.0.1:19201
- Rebuilt URL to: http://127.0.0.1:19201/
* Trying 127.0.0.1...
- Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0)
GET / HTTP/1.1 Host: 127.0.0.1:19201 User-Agent: curl/7.47.0 Accept: */*
- HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad Request < Server: AkamaiGHost < Mime-Version: 1.0 < Content-Type: text/html < Content-Length: 208 < Expires: Mon, 05 Mar 2018 12:25:53 GMT < Date: Mon, 05 Mar 2018 12:25:53 GMT < Connection: close
The web ctm.omgeo.net only works in mode HTTPS , .
TL;DR: can you actually try your application with this stunnel config?
See below; I believe I've found the reason for the "Bad request" response, and you need to do something more to get it to work.
Yes, that's why you have stunnel - it will accept a pure HTTP connection from your application (or, in this case, from cURL), and then it will open a TLS (HTTPS) connection to ctm.omgeo.net.
Actually, the "HTTP/1.0 400 Bad Request" response that you get shows that stunnel already works: the request to ctm.omgeo.net is sent via HTTPS, not plain HTTP. If you try to send a plain HTTP request to ctm.omgeo.net port 443, cURL will report a very different error:
[roam@straylight ~]$ curl -v http://ctm.omgeo.net:443/
- Trying 88.221.30.124...
- TCP_NODELAY set
- Connected to ctm.omgeo.net (88.221.30.124) port 443 (#0)
GET / HTTP/1.1 Host: ctm.omgeo.net:443 User-Agent: curl/7.58.0 Accept: */*
- Recv failure: Connection reset by peer
- stopped the pause stream!
- Closing connection 0
curl: (56) Recv failure: Connection reset by peer [roam@straylight ~]$
This happens because ctm.omgeo.net expects a TLS Client Hello message on an incoming connection, and cURL sends it a plaintext HTTP request, so ctm.omgeo.net says "this is not TLS, you must speak TLS to me, go away".
So I guess that the "400 Bad Request" response you get from ctm.omgeo.net means that 1. you have successfully sent a request to it and it considered it to be an HTTP request, and 2. it expected the application to send it a specific request, not just a "GET /", so it said "GET / is not a valid request for me, but thanks for speaking HTTPS". So it's time to test your actual application now; configure it to talk to 127.0.0.1:19201 and see what happens.
If anything goes wrong, show us the stunnel log.
OK, so there's another thing. If you tell cURL or your application to send an HTTP request to 127.0.0.1:19201, then it will send a request with a "Host: 127.0.0.1" header, and omgeo.net's Akamai front-end will not know which backend server to route it to. So both cURL and your application must be convinced to send a request that has a "Host: ctm.omgeo.net" header.
The simplest way to do this is somewhat error-prone, not quite future-proof, but it may work for the present. Add "ctm.omgeo.net" to the 127.0.0.1 line in your hosts file (/etc/hosts on a Unix-like system, %WINDOWSDIR%\system32\etc\hosts on a Windows system, I believe), and configure stunnel to connect to 88.221.30.124:443, not ctm.omgeo.net:443. This last part - hardcoding the IP address of the server - is the part that is error-prone and not future-proof, since omgeo.net (or Akamai) may decide to change that address at any time and things will stop working. There is a hackish solution - write a little tool that performs a real DNS lookup and, if the IP address has changed, regenerates the stunnel config and restarts stunnel, then run this tool every minute or so... Still, it worked for me:
[roam@straylight /etc/stunnel]$ fgrep -e ctm.omgeo.net /etc/hosts 127.0.0.1 localhost ctm.omgeo.net [roam@straylight /etc/stunnel]$ curl -v http://ctm.omgeo.net:19201
- Rebuilt URL to: http://ctm.omgeo.net:19201/
- Trying 127.0.0.1...
- TCP_NODELAY set
- Connected to ctm.omgeo.net (127.0.0.1) port 19201 (#0)
GET / HTTP/1.1 Host: ctm.omgeo.net:19201 User-Agent: curl/7.58.0 Accept: */*
< HTTP/1.1 302 Moved Temporarily < Location: /cleartrust/ct_logon.jsp < Content-Length: 0 < Date: Tue, 06 Mar 2018 09:41:48 GMT < Connection: keep-alive < Set-Cookie: Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; domain=.omgeo.net; path=/ <
- Connection #0 to host ctm.omgeo.net left intact
[roam@straylight /etc/stunnel]$
...so that's a start.
G'luck, Peter