De : Pierre DUPONT
Envoyé : jeudi 5 septembre 2019 16:55
À : 'stunnel-users@stunnel.org' <stunnel-users@stunnel.org>
Cc : _sav.bibli <sav.bibli@nedap.fr>; Philippe ANQUETIN <philippe.anquetin@nedap.fr>
Objet : using sTunnel with Chrome

 

Good day to all. So far, I can’t succeed to use Chrome with sTunnel.

I use these versions

sTunnel : 5.55 (downloaded today…)

Chrome is 76.0.3809 132

 

Here is my configuration for sTunnel :

; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2019

; Some options used here may be inadequate for your particular configuration

; This sample file does *not* represent stunnel.conf defaults

; Please consult the manual for detailed description of available options

 

; **************************************************************************

; * Global options                                                         *

; **************************************************************************

 

; Debugging stuff (may be useful for troubleshooting)

;debug = info

;output = stunnel.log

 

; Enable FIPS 140-2 mode if needed for compliance

;fips = yes

 

; Microsoft CryptoAPI engine allows for authentication with private keys

; stored in the Windows certificate store

; Each section using this feature also needs the "engineId = capi" option

;engine = capi

; You also need to disable TLS 1.2 or later, because the CryptoAPI engine

; currently does not support PSS

;sslVersionMax = TLSv1.1

 

; The pkcs11 engine allows for authentication with cryptographic

; keys isolated in a hardware or software token

; MODULE_PATH specifies the path to the pkcs11 module shared library,

; e.g. softhsm2.dll or opensc-pkcs11.so

; Each section using this feature also needs the "engineId = pkcs11" option

;engine = pkcs11

;engineCtrl = MODULE_PATH:softhsm2.dll

;engineCtrl = PIN:1234

 

; **************************************************************************

; * Service defaults may also be specified in individual service sections  *

; **************************************************************************

 

; Enable support for the insecure SSLv3 protocol

;options = -NO_SSLv3

 

; These options provide additional security at some performance degradation

;options = SINGLE_ECDH_USE

;options = SINGLE_DH_USE

 

; **************************************************************************

; * Include all configuration file fragments from the specified folder     *

; **************************************************************************

 

;include = conf.d

 

; **************************************************************************

; * Service definitions (at least one service has to be defined)           *

; **************************************************************************

 

; ***************************************** Example TLS client mode services

 

[gmail-pop3]

client = yes

accept = 127.0.0.1:110

connect = pop.gmail.com:995

verifyChain = yes

CAfile = ca-certs.pem

checkHost = pop.gmail.com

OCSPaia = yes

 

[gmail-imap]

client = yes

accept = 127.0.0.1:143

connect = imap.gmail.com:993

verifyChain = yes

CAfile = ca-certs.pem

checkHost = imap.gmail.com

OCSPaia = yes

 

[gmail-smtp]

client = yes

accept = 127.0.0.1:25

connect = smtp.gmail.com:465

verifyChain = yes

CAfile = ca-certs.pem

checkHost = smtp.gmail.com

OCSPaia = yes

 

; Encrypted HTTP proxy authenticated with a client certificate

; located in the Windows certificate store

;[example-proxy]

;client = yes

;accept = 127.0.0.1:8080

;connect = example.com:8443

;engineId = capi

 

; Encrypted HTTP proxy authenticated with a client certificate

; located in a cryptographic token

;[example-pkcs11]

;client = yes

;accept = 127.0.0.1:8080

;connect = example.com:8443

;engineId = pkcs11

;cert = pkcs11:token=MyToken;object=MyCert

;key = pkcs11:token=MyToken;object=MyKey

 

; ***************************************** Example TLS server mode services

 

;[pop3s]

;accept  = 995

;connect = 110

;cert = stunnel.pem

 

;[imaps]

;accept  = 993

;connect = 143

;cert = stunnel.pem

 

; Either only expose this service to trusted networks, or require

; authentication when relaying emails originated from loopback.

; Otherwise the following configuration creates an open relay.

;[ssmtp]

;accept  = 465

;connect = 25

;cert = stunnel.pem

 

; TLS front-end to a web server

[https]

accept  = 443

connect = 81

cert = stunnel.pem

; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel

; Microsoft implementations do not use TLS close-notify alert and thus they

; are vulnerable to truncation attacks

TIMEOUTclose = 0

 

; Remote cmd.exe protected with PSK-authenticated TLS

; Create "secrets.txt" containing IDENTITY:KEY pairs

;[cmd]

;accept = 1337

;exec = c:\windows\system32\cmd.exe

;execArgs = cmd.exe

;PSKsecrets = secrets.txt

 

; vim:ft=dosini

 

 

 

The 81 connect port is used by our local webservice : http://localhost:81/nedaprfidwebservice.asmx which runs OK

 

 

The problem is when I try to import the certificate. It looks OK giving these informations

 

However, I cannot connect on https

 

I tried several things found browsing the list, like building a certificate with

openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.crt -keyout stunnel.crt

 

No result so the only solution I see now is to call you for some help…

 

With kind regards,

 

 

Cordiales salutations de

Pierre Dupont

Support S.A.V. & Développement Bibliothèques

 

Courriel S.A.V. : sav.bibli@nedap.fr

Téléphone :  06 13 99 69 38 - 01.61.03.03 18

8/10 Chemin d’Andrésy

95610 Eragny sur Oise

NEDAP LOGO - INLINE - RGB