Greetings,
I was wondering if anyone's come across anything like this. I want to encrypt connections for MS SQL Server 2008 Express from a Windows XP client to a Windows 2003 Server. Following these instructions:
http://www.securityfocus.com/infocus/1677
I was able to configure encrypted connections by pointing SQL Server Management Studio to 127.0.0.1 on _either_ XP or Vista and then that gets tunneled over to the Windows 2003 Server running SQL Server 2008 Express. I can browse the database tables, etc.
Now the problem. I have users that make use of a thin client that connects directly to the SQL Server. It has one config file that I've pointed to 127.0.0.1. When I run this thin client on Vista, it works great, however, when running it on XP, stunnel tries to connect, but then gives up after several attempts.
Here's what I see in the server log before connecting:
2009.03.23 12:26:59 LOG7[284564:274684]: RAND_status claims sufficient entropy for the PRNG
2009.03.23 12:26:59 LOG7[284564:274684]: PRNG seeded successfully
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service vnc
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service mssql
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service rdp
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service http
2009.03.23 12:26:59 LOG5[284564:274684]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
2009.03.23 12:26:59 LOG5[284564:274684]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2009.03.23 12:26:59 LOG5[284564:289192]: No limit detected for the number of clients
2009.03.23 12:27:00 LOG7[284564:289192]: FD 268 in non-blocking mode
2009.03.23 12:27:00 LOG7[284564:289192]: SO_REUSEADDR option set on accept socket
2009.03.23 12:27:00 LOG7[284564:289192]: mssql bound to WINDOWS_SQL_SERVER:14333
2009.03.23 12:27:00 LOG7[284564:289192]: FD 292 in non-blocking mode
2009.03.23 12:27:00 LOG7[284564:289192]: SO_REUSEADDR option set on accept socket
And here's what I see after trying to connect from XP (this appears 16 more times in stunnel.log until stunnel gives up):
2009.03.23 12:29:48 LOG7[284564:289192]: mssql accepted FD=308 from Windows_XP_Client:1252
2009.03.23 12:29:48 LOG7[284564:289192]: Creating a new thread
2009.03.23 12:29:48 LOG7[284564:289192]: New thread created
2009.03.23 12:29:48 LOG7[284564:348604]: mssql started
2009.03.23 12:29:48 LOG7[284564:348604]: FD 308 in non-blocking mode
2009.03.23 12:29:48 LOG5[284564:348604]: mssql accepted connection from Windows_XP_Client:1252
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): before/accept initialization
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read client hello A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write server hello A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write certificate A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write certificate request A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 flush data
2009.03.23 12:29:48 LOG5[284564:348604]: CRL: verification passed
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=1, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=CA/emailAddress=user@abc.com
2009.03.23 12:29:48 LOG5[284564:348604]: CRL: verification passed
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=0, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=VNC Client/emailAddress=user@abc.com
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read client certificate A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read client key exchange A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read certificate verify A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read finished A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write change cipher spec A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write finished A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 flush data
2009.03.23 12:29:48 LOG7[284564:348604]: 1 items in the session cache
2009.03.23 12:29:48 LOG7[284564:348604]: 0 client connects (SSL_connect())
2009.03.23 12:29:48 LOG7[284564:348604]: 0 client connects that finished
2009.03.23 12:29:48 LOG7[284564:348604]: 0 client renegotiations requested
2009.03.23 12:29:48 LOG7[284564:348604]: 1 server connects (SSL_accept())
2009.03.23 12:29:48 LOG7[284564:348604]: 1 server connects that finished
2009.03.23 12:29:48 LOG7[284564:348604]: 0 server renegotiations requested
2009.03.23 12:29:48 LOG7[284564:348604]: 0 session cache hits
2009.03.23 12:29:48 LOG7[284564:348604]: 0 session cache misses
2009.03.23 12:29:48 LOG7[284564:348604]: 0 session cache timeouts
2009.03.23 12:29:48 LOG6[284564:348604]: SSL accepted: new session negotiated
2009.03.23 12:29:48 LOG6[284564:348604]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2009.03.23 12:29:48 LOG7[284564:348604]: FD 332 in non-blocking mode
2009.03.23 12:29:48 LOG7[284564:348604]: mssql connecting 127.0.0.1:1433
2009.03.23 12:29:48 LOG7[284564:348604]: connect_wait: waiting 10 seconds
2009.03.23 12:29:48 LOG7[284564:348604]: connect_wait: connected
2009.03.23 12:29:48 LOG5[284564:348604]: mssql connected remote server from 127.0.0.1:2001
2009.03.23 12:29:48 LOG7[284564:348604]: Remote FD=332 initialized
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (read): warning: close notify
2009.03.23 12:29:48 LOG7[284564:348604]: SSL closed on SSL_read
2009.03.23 12:29:48 LOG7[284564:348604]: Socket write shutdown
2009.03.23 12:29:48 LOG7[284564:348604]: SSL write shutdown
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (write): warning: close notify
2009.03.23 12:29:48 LOG6[284564:348604]: SSL_shutdown successfully sent close_notify
2009.03.23 12:29:48 LOG5[284564:348604]: Connection closed: 37 bytes sent to SSL, 52 bytes sent to socket
2009.03.23 12:29:48 LOG7[284564:348604]: mssql finished (0 left)
The server's stunnel.conf:
CAfile = CAcert.pem
CApath = certificates
cert = server.pem
client = no
verify = 3
debug = 7
output = stunnel.log

[mssql]
accept = WINDOWS_SQL_SERVER:14333
connect = 127.0.0.1:1433
The client's stunnel.conf:
CAfile = CAcert.pem
CApath = certificates
cert = client.pem
client = yes
verify = 3
debug = 7
output = stunnel.log

[mssql]
accept = 127.0.0.1:1433
connect = WINDOWS_SQL_SERVER:14333
Things I've tried:
- changed the compatibility settings of the thin client to work under earlier versions of Windows, this didn't help
- regenerated certificates, no good
- tried connecting without certificates, still no good
I still haven't tried earlier versions of stunnel, but I figured I'd just check and see if maybe anyone's run across something like this before. From what I can tell, the combination of XP, the thin client and stunnel does not work. The thin client does work on XP when I do not use stunnel, but I need to have the connection encrypted.
Any help greatly appreciated, thanks
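A diagnostic helper added here as an example (it is not from the post or from the stunnel project): it parses stunnel 4.x debug-log lines of the kind quoted above, groups them per connection thread, and labels where each connection ended. The sample log is constructed from the same message formats; in the post's own trace the TLS handshake and the hop to 127.0.0.1:1433 both succeed, and the close_notify is *read* from the peer after only 37/52 bytes, which the classifier reports as a client-side abort after the handshake.

```python
import re
from collections import defaultdict

# Constructed sample in the stunnel 4.x debug-log format quoted in the post (not real data).
SAMPLE_LOG = """\
2009.03.23 12:29:48 LOG5[284564:348604]: mssql accepted connection from Windows_XP_Client:1252
2009.03.23 12:29:48 LOG6[284564:348604]: SSL accepted: new session negotiated
2009.03.23 12:29:48 LOG5[284564:348604]: mssql connected remote server from 127.0.0.1:2001
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (read): warning: close notify
2009.03.23 12:29:48 LOG5[284564:348604]: Connection closed: 37 bytes sent to SSL, 52 bytes sent to socket
2009.03.23 12:31:10 LOG5[284564:348700]: mssql accepted connection from Windows_Vista_Client:1301
2009.03.23 12:31:10 LOG6[284564:348700]: SSL accepted: new session negotiated
2009.03.23 12:31:10 LOG5[284564:348700]: mssql connected remote server from 127.0.0.1:2002
2009.03.23 12:31:55 LOG5[284564:348700]: Connection closed: 48211 bytes sent to SSL, 9130 bytes sent to socket
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
CLOSED_RE = re.compile(r"Connection closed: (\d+) bytes sent to SSL, (\d+) bytes sent to socket")

def parse_connections(text):
    """Group log lines by stunnel thread id; each thread handles one tunnelled connection."""
    conns = defaultdict(lambda: {"peer": None, "handshake": False, "backend": False, "peer_close_notify": False,
                                  "to_ssl": None, "to_socket": None, "start": None, "end": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, msg = conns[m["tid"]], m["msg"]
        if "accepted connection from" in msg:
            c["peer"], c["start"] = msg.rsplit(" ", 1)[1], m["ts"]
        elif msg.startswith("SSL accepted"):           # TLS handshake with the client completed
            c["handshake"] = True
        elif "connected remote server" in msg:         # plaintext hop to the backend succeeded
            c["backend"] = True
        elif msg == "SSL alert (read): warning: close notify":  # close_notify *read* = peer hung up
            c["peer_close_notify"] = True
        elif (cm := CLOSED_RE.match(msg)):
            c["to_ssl"], c["to_socket"], c["end"] = int(cm[1]), int(cm[2]), m["ts"]
    return dict(conns)

def classify(conn, tiny=256):
    """Say where a connection died; the post's trace lands in 'client-aborted-after-handshake'."""
    if not conn["handshake"]:
        return "tls-handshake-failed"
    if not conn["backend"]:
        return "backend-unreachable"
    if (conn["peer_close_notify"] and conn["start"] == conn["end"]
            and conn["to_ssl"] is not None and conn["to_ssl"] + conn["to_socket"] < tiny):
        return "client-aborted-after-handshake"
    return "ok"
```

Run it over a real stunnel.log with debug = 7 and count the labels per peer; 17 consecutive client-side aborts from one host point at the application talking to the tunnel rather than at the certificates.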