On Sun, Dec 30, 2018 at 03:36:56AM +0100, kovacs janos wrote:
> It still doesn't seem to work. I tried it with deviantart.com again. Configuration:
>
>   client = yes
>   accept = 127.0.0.1:80
>   connect = 52.85.220.247:443
>   verifyChain = yes
>   CAfile = ca-certs.pem
>   checkHost = *.deviantart.com
>
> The name after checkHost is the "Common Name" displayed when viewing the site's certificate in a browser (lock icon, view certificate). I also saved the certificate in case I would need to try the "certificate pinning" method. The connect IP is what 'get-site-ip.com' says the IP of the website is.
>
> These are the logs:
>
>   Service [fbsd-www] accepted connection from 127.0.0.1:4121
>   s_connect: connected 52.85.220.247:443
>   Service [fbsd-www] connected remote server from 192.168.0.3:4122
>   SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>   Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>
> I know I pestered everyone long enough, but I still haven't been able to connect to anything. Without any verification it's the same.
I'm sorry, my mistake. In a reply to somebody else on the list a couple of days later I mentioned that for HTTPS you may also need to set the "sni = www.deviantart.com" connection option so that stunnel tells the server "I'm trying to establish an HTTPS connection to this particular server", which, for HTTPS, may be important when multiple virtual hosts all live on the same IP address.
I haven't tried it with stunnel, but I just tried to establish a TLS connection to the IP address you specified using "openssl s_client" and it failed, and then I tried to specify the "-servername www.deviantart.com" s_client option, and it worked. So try adding "sni = www.deviantart.com" to your stunnel configuration section and see if it helps.
Sorry again, I should have thought about this from the start; I was misled by the fact that the FreeBSD webserver did not require the Server Name Indication extension to work, but apparently DeviantArt does.
G'luck, Peter
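The configuration mistake discussed in this thread, a client section that connects to an HTTPS endpoint by IP address and verifies the peer name with checkHost but never sends Server Name Indication, is easy to catch mechanically. The following is an added example, not stunnel's own code and not something either poster ran: a small parser for stunnel's INI-style configuration plus a check that flags client sections missing "sni". The two embedded configurations are constructed from the section posted above (with the service name taken from the log lines), one as posted and one with the "sni = www.deviantart.com" line the reply suggests; the function names are hypothetical.

```python
"""Flag stunnel client sections that talk HTTPS without an 'sni' option.

Hypothetical helper, not part of stunnel. stunnel's configuration is
INI-like: global options, then [service] sections of 'key = value' lines,
with ';' or '#' starting a comment.
"""
import ipaddress

# Constructed sample: the client section as posted in the thread.
ORIGINAL_CONF = """\
; constructed sample, service name taken from the posted log lines
[fbsd-www]
client = yes
accept = 127.0.0.1:80
connect = 52.85.220.247:443
verifyChain = yes
CAfile = ca-certs.pem
checkHost = *.deviantart.com
"""

# Constructed sample: the same section with the fix suggested in the reply.
FIXED_CONF = ORIGINAL_CONF + "sni = www.deviantart.com\n"


def parse_stunnel_conf(text):
    """Return {section_name: {key: value}}; options before any [section] go under ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed stunnel option line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections


def _is_ip_literal(host):
    """True when 'host' is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def find_missing_sni(text):
    """Return [(section, advice)] for client sections that should set 'sni'.

    A server hosting several names on one address may refuse the handshake
    outright (the 'handshake failure' alert in the thread) or present the
    wrong certificate when the client does not say which name it wants.
    """
    findings = []
    for name, opts in parse_stunnel_conf(text).items():
        if not name or opts.get("client", "no").lower() != "yes" or "sni" in opts:
            continue
        connect = opts.get("connect", "")
        host, sep, port = connect.rpartition(":")
        if not sep:                      # 'connect = 443' form: port only
            host, port = "", connect
        reasons = []
        if port == "443":
            reasons.append("connects to port 443 (HTTPS)")
        if _is_ip_literal(host):
            reasons.append("connect target is an IP literal, so stunnel has no name to send")
        if "checkHost" in opts:
            reasons.append("checkHost = %s expects a certificate for a specific name"
                           % opts["checkHost"])
        if reasons:
            advice = "add 'sni = <hostname the browser would use>'; " + "; ".join(reasons)
            findings.append((name, advice))
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", ORIGINAL_CONF), ("with sni", FIXED_CONF)):
        print(label, "->", find_missing_sni(conf) or "no findings")
```

The check is deliberately conservative: it only reports client sections, and only when the target looks like HTTPS, is an IP literal, or is name-checked with checkHost. The "openssl s_client" experiment in the reply (connection refused without "-servername", accepted with it) is the live counterpart of this static check; the checkHost name stays the verification target, while "sni" is what stunnel sends in the ClientHello.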