"stunnel 4.08 on
x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct
2004"
Hi, this is my first try with both SSL & STunnel, so please excuse me for any misunderstandings a.s.o.

I have problems running STunnel in client-mode against an SSL webservice.

Our application does not support clientside-certificates, so I want to use STunnel to handle the SSL connection.

For now, our webservice-provider has disabled the need for client-certificates (to help us narrow our problem down). But it still doesn't work.

As a first step, I access the webservice default-page through IE-Explorer.

As a second step, I start stunnel with the following .conf:
verify = 2
CApath = <path where i have saved all certificates as .pem:s with <hash>.0 filenames, from the direct-access example with explorer above>
debug = 7
client = yes
[https]
accept = 127.0.0.1:3000
connect = <ip>:3001
TIMEOUTclose = 0
and try to access http://127.0.0.1:3000/<path>, but I get: HTTP 404 File Not found.

I have tried the same approach against a Microsoft webservice at:
without any problems.

1. I see no errors in the log, as I understand it (see below). Can anyone else with a more skilled eye see any problem?

2. Our webservice-provider has an invalid hostname in its certificate (no public hostname, just IP during testing, but the server certificate states www.fora.se). Might that cause a problem? (I have tried locally with an invalid hostname in the certificate without any problem though.)

3. Is it possible to enable/disable verification of the hostname in STunnel? (As I understand it, the "verify" option in the STunnel.conf concerns the whole certificate-validation process, and not just the hostname validation?)

4. Could the problem be a config-issue on the webservice-provider end? I'm not sure, as it works with IE-Explorer, but not through STunnel?

5. Any clue on where to look would be greatly appreciated. I have been working with this for a week, and I have been able to use STunnel both as server & client, with & without client-certs, against everything I have tested locally and publicly (tried between different home-made applications, on a local webserver, against the VeriSign website a.s.o.) and everything works fine, except where I need it to work (against our webservice-provider).

Regards
/Staffan Sundell
STunnel log against our webservice-provider (when it doesn't work):
2005.10.10 16:50:23 LOG5[2760:2800]: stunnel 4.08 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004
2005.10.10 16:50:23 LOG7[2760:2332]: RAND_status claims sufficient entropy for the PRNG
2005.10.10 16:50:23 LOG6[2760:2332]: PRNG seeded successfully
2005.10.10 16:50:23 LOG7[2760:2332]: Verify directory set to w:\ws\certs
2005.10.10 16:50:23 LOG5[2760:2332]: No limit detected for the number of clients
2005.10.10 16:50:23 LOG7[2760:2332]: FD 1916 in non-blocking mode
2005.10.10 16:50:23 LOG7[2760:2332]: SO_REUSEADDR option set on accept socket
2005.10.10 16:50:23 LOG7[2760:2332]: https bound to 127.0.0.1:3000
2005.10.10 16:50:28 LOG7[2760:2332]: https accepted FD=1904 from 127.0.0.1:2975
2005.10.10 16:50:28 LOG7[2760:2332]: FD 1904 in non-blocking mode
2005.10.10 16:50:28 LOG7[2760:2332]: Creating a new thread
2005.10.10 16:50:28 LOG7[2760:2332]: New thread created
2005.10.10 16:50:28 LOG7[2760:3748]: https started
2005.10.10 16:50:28 LOG5[2760:3748]: https connected from 127.0.0.1:2975
2005.10.10 16:50:28 LOG7[2760:3748]: FD 1876 in non-blocking mode
2005.10.10 16:50:28 LOG7[2760:3748]: https connecting <webserviceprovider ip>:3001
2005.10.10 16:50:28 LOG7[2760:3748]: connect_wait: waiting 10 seconds
2005.10.10 16:50:28 LOG7[2760:3748]: connect_wait: connected
2005.10.10 16:50:28 LOG7[2760:3748]: Remote FD=1876 initialized
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): before/connect initialization
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write client hello A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read server hello A
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=2, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=1, /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=0, /C=SE/L=STOCKHOLM/O=Fora AB/OU=Member, VeriSign Trust Network/OU=Terms of use at www.verisign.se/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=www.fora.se
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read server certificate A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read server done A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write client key exchange A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write change cipher spec A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write finished A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 flush data
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read finished A
2005.10.10 16:50:28 LOG7[2760:3748]: 1 items in the session cache
2005.10.10 16:50:28 LOG7[2760:3748]: 1 client connects (SSL_connect())
2005.10.10 16:50:28 LOG7[2760:3748]: 1 client connects that finished
2005.10.10 16:50:28 LOG7[2760:3748]: 0 client renegotiatations requested
2005.10.10 16:50:28 LOG7[2760:3748]: 0 server connects (SSL_accept())
2005.10.10 16:50:28 LOG7[2760:3748]: 0 server connects that finished
2005.10.10 16:50:28 LOG7[2760:3748]: 0 server renegotiatiations requested
2005.10.10 16:50:28 LOG7[2760:3748]: 0 session cache hits
2005.10.10 16:50:28 LOG7[2760:3748]: 0 session cache misses
2005.10.10 16:50:28 LOG7[2760:3748]: 0 session cache timeouts
2005.10.10 16:50:28 LOG6[2760:3748]: SSL connected: new session negotiated
2005.10.10 16:50:28 LOG6[2760:3748]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2005.10.10 16:50:45 LOG7[2760:3748]: SSL socket closed on SSL_read
2005.10.10 16:50:45 LOG7[2760:3748]: Socket write shutdown
2005.10.10 16:50:45 LOG5[2760:3748]: Connection closed: 407 bytes sent to SSL, 507 bytes sent to socket
2005.10.10 16:50:45 LOG7[2760:3748]: https finished (0 left)
STunnel log against Microsoft (where it works):
2005.10.10 16:50:22 LOG5[2940:2556]: stunnel 4.08 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004
2005.10.10 16:50:22 LOG7[2940:1112]: RAND_status claims sufficient entropy for the PRNG
2005.10.10 16:50:22 LOG6[2940:1112]: PRNG seeded successfully
2005.10.10 16:50:22 LOG7[2940:1112]: Verify directory set to c:\ws\certs
2005.10.10 16:50:22 LOG5[2940:1112]: No limit detected for the number of clients
2005.10.10 16:50:22 LOG7[2940:1112]: FD 136 in non-blocking mode
2005.10.10 16:50:22 LOG7[2940:1112]: SO_REUSEADDR option set on accept socket
2005.10.10 16:50:22 LOG7[2940:1112]: https bound to 127.0.0.1:80
2005.10.10 16:50:32 LOG7[2940:1112]: https accepted FD=148 from 127.0.0.1:2977
2005.10.10 16:50:32 LOG7[2940:1112]: FD 148 in non-blocking mode
2005.10.10 16:50:32 LOG7[2940:1112]: Creating a new thread
2005.10.10 16:50:32 LOG7[2940:1112]: New thread created
2005.10.10 16:50:32 LOG7[2940:3904]: https started
2005.10.10 16:50:32 LOG5[2940:3904]: https connected from 127.0.0.1:2977
2005.10.10 16:50:32 LOG7[2940:3904]: FD 176 in non-blocking mode
2005.10.10 16:50:32 LOG7[2940:3904]: https connecting 207.46.197.39:443
2005.10.10 16:50:32 LOG7[2940:3904]: connect_wait: waiting 10 seconds
2005.10.10 16:50:33 LOG7[2940:3904]: connect_wait: connected
2005.10.10 16:50:33 LOG7[2940:3904]: Remote FD=176 initialized
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): before/connect initialization
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write client hello A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read server hello A
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=3, /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=2, /CN=Microsoft Internet Authority
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=1, /DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=0, /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=UDDI Test production site/CN=test.uddi.microsoft.com
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read server certificate A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read server done A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write client key exchange A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write change cipher spec A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write finished A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 flush data
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read finished A
2005.10.10 16:50:33 LOG7[2940:3904]: 1 items in the session cache
2005.10.10 16:50:33 LOG7[2940:3904]: 1 client connects (SSL_connect())
2005.10.10 16:50:33 LOG7[2940:3904]: 1 client connects that finished
2005.10.10 16:50:33 LOG7[2940:3904]: 0 client renegotiatations requested
2005.10.10 16:50:33 LOG7[2940:3904]: 0 server connects (SSL_accept())
2005.10.10 16:50:33 LOG7[2940:3904]: 0 server connects that finished
2005.10.10 16:50:33 LOG7[2940:3904]: 0 server renegotiatiations requested
2005.10.10 16:50:33 LOG7[2940:3904]: 0 session cache hits
2005.10.10 16:50:33 LOG7[2940:3904]: 0 session cache misses
2005.10.10 16:50:33 LOG7[2940:3904]: 0 session cache timeouts
2005.10.10 16:50:33 LOG6[2940:3904]: SSL connected: new session negotiated
2005.10.10 16:50:33 LOG6[2940:3904]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2005.10.10 16:51:38 LOG3[2940:3904]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2005.10.10 16:51:38 LOG5[2940:3904]: Connection reset: 203 bytes sent to SSL, 3214 bytes sent to socket
2005.10.10 16:51:38 LOG7[2940:3904]: https finished (0 left)
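The two debug logs in the post can be read mechanically to separate a TLS-layer failure from an application-layer one, which is what questions 1 and 3 turn on. The following is an added example (Python, standard library only), not code from the post or from the stunnel project. It parses condensed copies of the two logs (constructed here from the lines quoted above, keeping the same `<webserviceprovider ip>` placeholder the poster used), extracts the connect target, the verified chain, the leaf CN and the byte counts, and reports what they show: in both logs the chain verifies with VERIFY OK even though the leaf CN (www.fora.se, test.uddi.microsoft.com) is not the address connected to, the handshake completes, and bytes flow in both directions, so the name mismatch is not what distinguishes the failing case, and the 404 is a response the remote web server sent through the tunnel. The class and function names are this example's own.

```python
"""Triage stunnel 4.x debug logs: TLS-layer problem or application-layer problem?

Added example, not part of the original post or of stunnel. The sample logs are
condensed from the two logs quoted in the post (one line per entry, chains trimmed).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample 1: condensed from the post's "doesn't work" log.
PROVIDER_LOG = """\
2005.10.10 16:50:28 LOG7[2760:3748]: https connecting <webserviceprovider ip>:3001
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=2, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=1, /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=0, /C=SE/L=STOCKHOLM/O=Fora AB/OU=Terms of use at www.verisign.se/rpa (c)05/CN=www.fora.se
2005.10.10 16:50:28 LOG6[2760:3748]: SSL connected: new session negotiated
2005.10.10 16:50:28 LOG6[2760:3748]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2005.10.10 16:50:45 LOG5[2760:3748]: Connection closed: 407 bytes sent to SSL, 507 bytes sent to socket
"""

# Constructed sample 2: condensed from the post's "works" log against Microsoft.
MICROSOFT_LOG = """\
2005.10.10 16:50:32 LOG7[2940:3904]: https connecting 207.46.197.39:443
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=3, /C=US/O=GTE Corporation/CN=GTE CyberTrust Global Root
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=2, /CN=Microsoft Internet Authority
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=1, /DC=com/DC=microsoft/CN=Microsoft Secure Server Authority
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=0, /C=US/O=Microsoft/OU=UDDI Test production site/CN=test.uddi.microsoft.com
2005.10.10 16:50:33 LOG6[2940:3904]: SSL connected: new session negotiated
2005.10.10 16:50:33 LOG6[2940:3904]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2005.10.10 16:51:38 LOG5[2940:3904]: Connection reset: 203 bytes sent to SSL, 3214 bytes sent to socket
"""

CONNECT_RE = re.compile(r"connecting (.+?):(\d+)\s*$")
VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+), (.*?)\s*$")
CN_RE = re.compile(r"/CN=([^/]+)\s*$")          # last CN component of an OpenSSL one-line DN
CIPHER_RE = re.compile(r"Negotiated ciphers: (\S+)")
BYTES_RE = re.compile(r"Connection (closed|reset): (\d+) bytes sent to SSL, (\d+) bytes sent to socket")


@dataclass
class TunnelReport:
    connect_host: Optional[str] = None
    connect_port: Optional[int] = None
    chain: List[Tuple[int, str]] = field(default_factory=list)  # (depth, subject) as logged
    handshake_ok: bool = False
    cipher: Optional[str] = None
    closure: Optional[str] = None      # "closed" (orderly) or "reset"
    bytes_to_ssl: int = 0              # local client -> remote peer (encrypted)
    bytes_to_socket: int = 0           # remote peer -> local client (decrypted)

    @property
    def leaf_cn(self) -> Optional[str]:
        """CN of the depth=0 (server) certificate, if the log verified one."""
        for depth, subject in self.chain:
            if depth == 0:
                m = CN_RE.search(subject)
                return m.group(1) if m else None
        return None


def parse_stunnel_log(text: str) -> TunnelReport:
    """Pull the facts that matter for triage out of one connection's log lines."""
    r = TunnelReport()
    for line in text.splitlines():
        if (m := CONNECT_RE.search(line)):
            r.connect_host, r.connect_port = m.group(1), int(m.group(2))
        elif (m := VERIFY_RE.search(line)):
            r.chain.append((int(m.group(1)), m.group(2)))
        elif "SSL connected" in line:
            r.handshake_ok = True
        elif (m := CIPHER_RE.search(line)):
            r.cipher = m.group(1)
        elif (m := BYTES_RE.search(line)):
            r.closure = m.group(1)
            r.bytes_to_ssl, r.bytes_to_socket = int(m.group(2)), int(m.group(3))
    return r


def name_matches_target(r: TunnelReport) -> Optional[bool]:
    """True/False if the leaf CN equals the address stunnel connected to; None if unknown."""
    if r.leaf_cn is None or r.connect_host is None:
        return None
    return r.leaf_cn.lower() == r.connect_host.lower()


def diagnose(r: TunnelReport) -> List[str]:
    """Classify where a failure sits: chain, handshake, or the application behind the tunnel."""
    findings = []
    if not r.chain:
        findings.append("no VERIFY OK lines: the peer chain was never checked or never arrived")
    if not r.handshake_ok:
        findings.append("TLS handshake did not complete")
        return findings
    depth = max(d for d, _ in r.chain) if r.chain else 0
    findings.append(f"TLS handshake completed with {r.cipher}; chain verified through depth {depth}")
    if name_matches_target(r) is False:
        findings.append(f"leaf CN {r.leaf_cn!r} is not the connect target {r.connect_host!r}; "
                        "verification passed anyway, so the chain check did not compare names")
    if r.bytes_to_ssl and r.bytes_to_socket:
        findings.append(f"{r.bytes_to_ssl} bytes went out and {r.bytes_to_socket} came back before the "
                        f"connection was {r.closure}: an HTTP error here comes from the remote "
                        "application, not from TLS")
    return findings


if __name__ == "__main__":
    for name, log in (("provider", PROVIDER_LOG), ("microsoft", MICROSOFT_LOG)):
        print(name)
        for finding in diagnose(parse_stunnel_log(log)):
            print("  -", finding)
```

Run against a full `debug = 7` log the same way; the parser only looks at the connect, VERIFY, "SSL connected", cipher and byte-count lines, so the state-machine chatter in between is ignored. The useful comparison is between the two reports rather than within one: the failing and the working case produce the same first two findings, and only the closure and byte counts differ.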