Hello,
I have been trying to enable stunnel on an HP-UX server, and whilst I thought it was going to be simple, I have not been able to make it work so far. We have a web server and, due to some pages being hardcoded to port 8080, it can't support SSL without a lot of code changes. As a short-term workaround I am trying to use stunnel in server mode to provide an HTTPS interface. I expected this to be a very simple matter of accepting connections on port 443 and connecting to port 8080, but it's not working.
We're using an old version of stunnel (4.04); however, this is the version bundled with the HP-UX OS we have.
When stunnel is started there are no errors (log file output below) and netstat shows that a process is listening on port 443, however a browser (tried IE6 and Firefox) doesn't display anything. Connecting to port 8080 shows the application as expected.
I have run a wireshark trace at the client end, and it seems that the stunnel server is not responding to the initial "Client Hello" message. Only 3 packets are seen:
C->S  SYN
S->C  SYN,ACK
C->S  SSL Client Hello

My guess is that the SSL server is not starting up correctly; however, everything looks OK in the log file, although it might not be completing. Nothing is displayed in the log when I try to connect to port 443.
Any help would be much appreciated as I am stuck!
Thanks,
Craig
Server
eSM_CoE# uname -a
HP-UX eSM_CoE B.11.23 U ia64 1107767544 unlimited-user license

Stunnel Version
eSM_CoE# ./sbin/stunnel -version
stunnel 4.04 on ia64-hp-hpux11.23 PTHREAD with OpenSSL 0.9.8d 28 Sep 2006

Global options
cert            = /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
ciphers         = ALL:!ADH:+RC4:@STRENGTH
debug           = 5
key             = /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
pid             = /opt/hpws/apache32/stunnel/var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
session         = 300 seconds
verify          = none

Service-level options
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTidle     = 43200 seconds
Conf file
eSM_CoE# cat stunnel.conf
# Sample stunnel configuration file

RNDfile=/opt/hpws/apache32/stunnel/.stunnel.rnd

# Chroot
#chroot = /var/chroot/stunnel/

# PID is created inside chroot jail
pid = /opt/hpws/apache32/logs/stunnel.pid

# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS

# Client Authentication
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /certs
# or simply use CAfile instead:
#CAfile = /opt/hpws/apache32/conf/certs.pem

# Some debugging stuff
debug = 7
output = /opt/hpws/apache32/logs/stunnel.log

# Use in client mode
client = no

# Run in the background
foreground = no

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

delay=yes

# Service-level configuration

[https]
accept = 172.20.167.74:443
connect = localhost:8080
TIMEOUTclose = 10
Log file output
2009.10.30 14:32:41 LOG5[4172:1]: stunnel 4.04 on ia64-hp-hpux11.23 PTHREAD with OpenSSL 0.9.8d 28 Sep 2006
2009.10.30 14:32:41 LOG7[4172:1]: Snagged 64 random bytes from /opt/hpws/apache32/stunnel/.stunnel.rnd
2009.10.30 14:32:41 LOG7[4172:1]: Wrote 1024 new random bytes to /opt/hpws/apache32/stunnel/.stunnel.rnd
2009.10.30 14:32:41 LOG7[4172:1]: RAND_status claims sufficient entropy for the PRNG
2009.10.30 14:32:41 LOG6[4172:1]: PRNG seeded successfully
2009.10.30 14:32:41 LOG7[4172:1]: Certificate: /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
2009.10.30 14:32:41 LOG7[4172:1]: Key file: /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
2009.10.30 14:32:41 LOG5[4172:1]: FD_SETSIZE=60000, file ulimit=4096 -> 2000 clients allowed
2009.10.30 14:32:41 LOG7[4172:1]: FD 5 in non-blocking mode
2009.10.30 14:32:41 LOG7[4172:1]: SO_REUSEADDR option set on accept socket
2009.10.30 14:32:41 LOG7[4172:1]: https bound to 172.20.167.74:443
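The symptom Craig describes (TCP accepted on 443, ClientHello sent, no ServerHello ever comes back, nothing in the stunnel log) is worth being able to reproduce from a shell rather than a Wireshark capture, because it separates "nothing is listening" from "something is listening but never answers the handshake" from "something answers, but not with TLS". The probe below is an added example, not code from the original post and not part of stunnel; it assumes Python 3 with the standard `ssl` module, and the fake listeners it starts on 127.0.0.1 are constructed test fixtures that imitate the failure modes, not a real stunnel instance. Against the server in the post one would call `probe_tls('172.20.167.74', 443)`.

```python
import socket
import ssl
import threading
import time

# Added example: classify what a supposed TLS port does when it receives a
# ClientHello. Not part of the original post or of stunnel.


def probe_tls(host, port, timeout=3.0):
    """Connect to host:port, send a ClientHello and classify the outcome.

    Returns one of:
      'connection_refused'     nothing is listening (RST to the SYN)
      'connect_error'          other connect() failure (unreachable, connect timed out)
      'no_handshake_response'  TCP accepted, but no ServerHello within `timeout`
                               (the SYN / SYN,ACK / ClientHello / silence pattern)
      'not_tls'                the peer answered, but not with a TLS record
                               (e.g. a plain-HTTP listener on the TLS port)
      'connection_closed'      the peer accepted and then closed mid-handshake
      'handshake_ok'           TLS handshake completed
    Certificate verification is disabled on purpose: this is a reachability
    probe for a self-signed stunnel.pem, not a trust check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return 'connection_refused'
    except OSError:
        return 'connect_error'
    with raw:
        raw.settimeout(timeout)
        try:
            # The socket is already connected, so wrap_socket() runs the
            # handshake right here; a timeout means the ClientHello was swallowed.
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except socket.timeout:
            return 'no_handshake_response'
        except (ssl.SSLEOFError, ConnectionResetError):
            return 'connection_closed'
        except ssl.SSLError:
            return 'not_tls'
        except OSError:
            return 'connection_closed'
        tls.close()
        return 'handshake_ok'


def start_fake_server(behaviour, hold=3.0):
    """Start a throwaway loopback listener imitating a broken port 443.

    behaviour 'silent':    accept the connection and never answer.
    behaviour 'plaintext': answer the ClientHello with an HTTP response,
                           i.e. a port that was never TLS-wrapped.
    Returns the port. Constructed fixture for the demo, not a real stunnel.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(hold)
            try:
                conn.recv(4096)  # consume the ClientHello so close() sends FIN, not RST
            except socket.timeout:
                pass
            if behaviour == 'plaintext':
                conn.sendall(b'HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n')
            else:
                time.sleep(hold)  # keep the connection open past the probe's timeout

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port nothing is listening on (connection-refused case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('127.0.0.1', 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo(timeout=1.0):
    """Run the probe against three local fixtures and return the verdicts."""
    return {
        'closed_port': probe_tls('127.0.0.1', unused_port(), timeout),
        'silent_listener': probe_tls('127.0.0.1', start_fake_server('silent'), timeout),
        'plaintext_listener': probe_tls('127.0.0.1', start_fake_server('plaintext'), timeout),
    }


if __name__ == '__main__':
    for name, verdict in run_demo().items():
        print(f'{name:20s} -> {verdict}')
```

A verdict of `no_handshake_response` against the real host is the same thing the three-packet capture shows, and is what to re-test after each change to the stunnel configuration; `not_tls` would instead mean the port is being answered by something that speaks plain HTTP, and `connection_refused` that nothing is bound to the address:port pair the probe used.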