Hello,

I have been trying to enable stunnel on an HP-UX server, and whilst I thought it was going to be simple, I have not been able to make it work so far. We have a webserver, and because some pages are hardcoded to port 8080 it can't support SSL without a lot of code changes. As a short-term workaround I am trying to use stunnel in server mode to provide an HTTPS interface. I expected this to be a very simple matter of accepting connections on port 443 and connecting to port 8080, but it's not working.

We're using an old version of stunnel (4.04); however, it is the version bundled with the HP-UX release we have.

When stunnel is started there are no errors (log file output below) and netstat shows that a process is listening on port 443, however a browser (tried IE6 and Firefox) doesn't display anything. Connecting to port 8080 shows the application as expected.

I have run a Wireshark trace at the client end, and it seems that the stunnel server is not responding to the initial "Client Hello" message. Only 3 packets are seen:

C->S     SYN
S->C     SYN,ACK
C->S     SSL Client Hello

My guess is that the SSL server is not starting up correctly; however, everything looks OK in the logfile, although it might not be completing. Nothing is displayed in the log when I try to connect to port 443.

Any help would be much appreciated as I am stuck!

Thanks Craig


Server

eSM_CoE# uname -a
HP-UX eSM_CoE B.11.23 U ia64 1107767544 unlimited-user license

Stunnel Version
eSM_CoE# ./sbin/stunnel -version
stunnel 4.04 on ia64-hp-hpux11.23 PTHREAD with OpenSSL 0.9.8d 28 Sep 2006

Global options
cert            = /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
ciphers         = ALL:!ADH:+RC4:@STRENGTH
debug           = 5
key             = /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
pid             = /opt/hpws/apache32/stunnel/var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
session         = 300 seconds
verify          = none

Service-level options
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTidle     = 43200 seconds

Conf file
eSM_CoE# cat stunnel.conf
# Sample stunnel configuration file

RNDfile=/opt/hpws/apache32/stunnel/.stunnel.rnd

# Chroot
#chroot = /var/chroot/stunnel/

# PID is created inside chroot jail
pid = /opt/hpws/apache32/logs/stunnel.pid

# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS

# Client Authentication
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /certs
# or simply use CAfile instead:
#CAfile = /opt/hpws/apache32/conf/certs.pem

# Some debugging stuff
debug = 7
output = /opt/hpws/apache32/logs/stunnel.log

# Use in client mode
client = no

# Run in the background
foreground = no

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

delay=yes

# Service-level configuration

[https]
accept  = 172.20.167.74:443
connect = localhost:8080
TIMEOUTclose = 10

Log file output
2009.10.30 14:32:41 LOG5[4172:1]: stunnel 4.04 on ia64-hp-hpux11.23 PTHREAD with OpenSSL 0.9.8d 28 Sep 2006
2009.10.30 14:32:41 LOG7[4172:1]: Snagged 64 random bytes from /opt/hpws/apache32/stunnel/.stunnel.rnd
2009.10.30 14:32:41 LOG7[4172:1]: Wrote 1024 new random bytes to /opt/hpws/apache32/stunnel/.stunnel.rnd
2009.10.30 14:32:41 LOG7[4172:1]: RAND_status claims sufficient entropy for the PRNG
2009.10.30 14:32:41 LOG6[4172:1]: PRNG seeded successfully
2009.10.30 14:32:41 LOG7[4172:1]: Certificate: /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
2009.10.30 14:32:41 LOG7[4172:1]: Key file: /opt/hpws/apache32/stunnel/etc/stunnel/stunnel.pem
2009.10.30 14:32:41 LOG5[4172:1]: FD_SETSIZE=60000, file ulimit=4096 -> 2000 clients allowed
2009.10.30 14:32:41 LOG7[4172:1]: FD 5 in non-blocking mode
2009.10.30 14:32:41 LOG7[4172:1]: SO_REUSEADDR option set on accept socket
2009.10.30 14:32:41 LOG7[4172:1]: https bound to 172.20.167.74:443
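The trace above shows the TCP handshake completing and the ClientHello going out, with nothing coming back. The script below is an added example, not part of Craig's post and not stunnel code: it reproduces that observation from the client side by sending a minimal TLS ClientHello and classifying the reply, so a listener that accepts the connection but never speaks TLS (the symptom here) can be told apart from a working TLS server, a plaintext HTTP listener, or a server that rejects the handshake with an alert. The function names, the loopback listeners in `self_check`, and the hard-coded ServerHello and alert bytes are all constructed for this example.

```python
"""Probe a TCP port and report whether the listener actually speaks TLS.

Added diagnostic (not stunnel code). It sends the same first message a
browser sends, a ClientHello, and classifies what comes back.
"""
import os
import socket
import struct
import sys
import threading

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_SERVER_HELLO = 0x02


def build_client_hello(server_name=None):
    """TLS 1.0 record carrying a TLS 1.2 ClientHello offering a few legacy
    suites (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA) so that even an
    OpenSSL 0.9.8 server has something it can accept."""
    suites = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"
    body = (b"\x03\x03" + os.urandom(32)            # client_version, random
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # compression: null only
    if server_name:                                 # optional SNI extension
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(data):
    """Map the first bytes the server sent back to a short verdict."""
    if not data:
        return "closed-without-response"
    if data[0] == RECORD_HANDSHAKE and len(data) >= 6 and data[5] == HS_SERVER_HELLO:
        return "tls-serverhello"
    if data[0] == RECORD_ALERT:
        return "tls-alert"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host, port, timeout=5.0, server_name=None):
    """Connect, send the ClientHello and classify the reply. A 'timeout'
    verdict is the three-packet picture from the post: SYN, SYN/ACK,
    ClientHello, then silence from the server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name))
        try:
            return classify(sock.recv(4096))
        except socket.timeout:
            return "timeout"


# --- constructed loopback listeners, used only to exercise the probe offline ---
CONSTRUCTED_SERVER_HELLO = (b"\x16\x03\x03\x00\x2a"          # record: handshake, 42 bytes
                            + b"\x02\x00\x00\x26"            # ServerHello, 38 bytes
                            + b"\x03\x03" + b"\x00" * 32     # version, random (constructed)
                            + b"\x00\x00\x2f\x00")           # no session id, AES128-SHA, null
CONSTRUCTED_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"          # fatal handshake_failure


def _serve_once(handler):
    """Start a loopback listener that handles exactly one connection."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def run():
        conn, _ = lsock.accept()
        with conn:
            handler(conn)
        lsock.close()

    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]


def _silent(conn):
    conn.recv(4096)   # read the ClientHello ...
    conn.recv(4096)   # ... and never answer; returns once the client gives up


def _reply_with(payload):
    def handler(conn):
        conn.recv(4096)
        conn.sendall(payload)
    return handler


def self_check(timeout=1.0):
    """Probe four constructed listeners and return the verdict for each."""
    cases = {
        "silent-acceptor": _silent,
        "tls-server": _reply_with(CONSTRUCTED_SERVER_HELLO),
        "tls-reject": _reply_with(CONSTRUCTED_ALERT),
        "plaintext-http": _reply_with(b"HTTP/1.0 400 Bad Request\r\n\r\n"),
    }
    return {name: probe("127.0.0.1", _serve_once(h), timeout=timeout)
            for name, h in cases.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # e.g. probe.py 172.20.167.74 443
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        for name, verdict in self_check().items():
            print(f"{name:16s} -> {verdict}")
```

Run it with a host and port to probe a real listener, or with no arguments to see the four verdicts against the built-in constructed listeners. Against the server in the post, a `timeout` verdict on port 443 alongside `plaintext-http` on port 8080 confirms the trace: the socket is bound but no TLS handshake is being serviced, which points at the accept path inside stunnel rather than at the certificate or the cipher list.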