De : Pierre DUPONT Envoyé : jeudi 5 septembre 2019 16:55 À : 'stunnel-users@stunnel.org' stunnel-users@stunnel.org Cc : _sav.bibli sav.bibli@nedap.fr; Philippe ANQUETIN philippe.anquetin@nedap.fr Objet : using sTunnel with Chrome
Good day to all. So far, I can't succeed to use Chrome with sTunnel. I use these versions sTunnel : 5.55 (downloaded today...) Chrome is 76.0.3809 132 [cid:image002.png@01D5640A.99D102C0]
Here is my configuration for sTunnel : ; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2019 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options
; ************************************************************************** ; * Global options * ; **************************************************************************
; Debugging stuff (may be useful for troubleshooting) ;debug = info ;output = stunnel.log
; Enable FIPS 140-2 mode if needed for compliance ;fips = yes
; Microsoft CryptoAPI engine allows for authentication with private keys ; stored in the Windows certificate store ; Each section using this feature also needs the "engineId = capi" option ;engine = capi ; You also need to disable TLS 1.2 or later, because the CryptoAPI engine ; currently does not support PSS ;sslVersionMax = TLSv1.1
; The pkcs11 engine allows for authentication with cryptographic ; keys isolated in a hardware or software token ; MODULE_PATH specifies the path to the pkcs11 module shared library, ; e.g. softhsm2.dll or opensc-pkcs11.so ; Each section using this feature also needs the "engineId = pkcs11" option ;engine = pkcs11 ;engineCtrl = MODULE_PATH:softhsm2.dll ;engineCtrl = PIN:1234
; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; **************************************************************************
; Enable support for the insecure SSLv3 protocol ;options = -NO_SSLv3
; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE
; ************************************************************************** ; * Include all configuration file fragments from the specified folder * ; **************************************************************************
;include = conf.d
; ************************************************************************** ; * Service definitions (at least one service has to be defined) * ; **************************************************************************
; ***************************************** Example TLS client mode services
[gmail-pop3] client = yes accept = 127.0.0.1:110 connect = pop.gmail.com:995 verifyChain = yes CAfile = ca-certs.pem checkHost = pop.gmail.com OCSPaia = yes
[gmail-imap] client = yes accept = 127.0.0.1:143 connect = imap.gmail.com:993 verifyChain = yes CAfile = ca-certs.pem checkHost = imap.gmail.com OCSPaia = yes
[gmail-smtp] client = yes accept = 127.0.0.1:25 connect = smtp.gmail.com:465 verifyChain = yes CAfile = ca-certs.pem checkHost = smtp.gmail.com OCSPaia = yes
; Encrypted HTTP proxy authenticated with a client certificate ; located in the Windows certificate store ;[example-proxy] ;client = yes ;accept = 127.0.0.1:8080 ;connect = example.com:8443 ;engineId = capi
; Encrypted HTTP proxy authenticated with a client certificate ; located in a cryptographic token ;[example-pkcs11] ;client = yes ;accept = 127.0.0.1:8080 ;connect = example.com:8443 ;engineId = pkcs11 ;cert = pkcs11:token=MyToken;object=MyCert ;key = pkcs11:token=MyToken;object=MyKey
; ***************************************** Example TLS server mode services
;[pop3s] ;accept = 995 ;connect = 110 ;cert = stunnel.pem
;[imaps] ;accept = 993 ;connect = 143 ;cert = stunnel.pem
; Either only expose this service to trusted networks, or require ; authentication when relaying emails originated from loopback. ; Otherwise the following configuration creates an open relay. ;[ssmtp] ;accept = 465 ;connect = 25 ;cert = stunnel.pem
; TLS front-end to a web server [https] accept = 443 connect = 81 cert = stunnel.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks TIMEOUTclose = 0
; Remote cmd.exe protected with PSK-authenticated TLS ; Create "secrets.txt" containing IDENTITY:KEY pairs ;[cmd] ;accept = 1337 ;exec = c:\windows\system32\cmd.exe ;execArgs = cmd.exe ;PSKsecrets = secrets.txt
; vim:ft=dosini
The 81 connect port is used by our local webservice : http://localhost:81/nedaprfidwebservice.asmx which runs OK [cid:image007.png@01D5640A.99D102C0]
The problem is when I try to import the certificate. It looks OK giving these informations [cid:image008.png@01D5640A.99D102C0] [cid:image016.png@01D5640A.99D102C0]
However, I cannot connect on https [cid:image017.png@01D5640A.99D102C0]
I tried several things found browsing the list, like building a certificate with openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.crt -keyout stunnel.crt
No result so the only solution I see now is to call you for some help...
With kind regards,
Cordiales salutations de Pierre Dupont Support S.A.V. & Développement Bibliothèques
Courriel S.A.V. : sav.bibli@nedap.frmailto:sav.bibli@nedap.fr Téléphone : 06 13 99 69 38 - 01.61.03.03 18 8/10 Chemin d'Andrésy 95610 Eragny sur Oise [NEDAP LOGO - INLINE - RGB]
