Adrian,

Sorry, I didn't read your original mail carefully. You want to enter https://192.168.1.10:1988
and reach your SSL or TLS service that listens on port 4952 of the loopback interface on the host with IP 192.168.1.10.

You need two stunnel stanzas to achieve what you want. Something like:


[myservice]
; server side: terminates the browser's TLS on 0.0.0.0:1988 (client = no)
; and hands the decrypted stream to the second stanza as plain text
cert = stunnel.pem
client = no
accept = 0.0.0.0:1988
connect = localhost:1987


[myserviceaux]
; client side: takes the plain text on localhost:1987 and re-wraps it in TLS
; towards the real service (client = yes). Without verify/CAfile this leg
; does not authenticate the backend; stunnel logs a MITM warning for that.
cert = stunnel.pem
client = yes
accept = localhost:1987
connect = localhost:4952


If you find this too convoluted, you could try other reverse proxy software like Apache or Squid.

With your original config, you should be able to connect using http instead of https, as stunnel is expecting clear text traffic.


Please try and let us know how it goes.
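The check the replies in this thread keep coming back to (openssl s_client against :1988 and against the backend) boils down to one question: does the port answer a TLS ClientHello with a TLS record, or with something else? The script below is an added example written for this thread; it is not part of stunnel and not code posted by anyone on the list. It sends a minimal hand-built ClientHello and classifies the first bytes that come back. Host and port are assumptions you pass on the command line, and the sample byte strings in the tests are constructed. With the original single stanza (client = yes on the 1988 listener) stunnel treats whatever the browser sends as plain text and wraps it in its own TLS session to the backend, so the bytes the backend returns arrive at the browser unwrapped; a first byte that is not a TLS record type is exactly what OpenSSL reports as "unknown protocol".

```python
"""Probe a TCP port with a minimal TLS ClientHello and classify the reply.

Added example for the stunnel thread above; not stunnel code.  The host and
port are whatever you pass on the command line (assumed, e.g. 192.168.1.17 1988).
"""
import socket
import struct
import sys

TLS_HANDSHAKE = 0x16   # record content type: handshake
TLS_ALERT = 0x15       # record content type: alert
SERVER_HELLO = 0x02    # handshake message type inside a handshake record


def build_client_hello() -> bytes:
    """Hand-built TLS 1.2 ClientHello: one cipher suite, no extensions.

    A modern server that rejects this suite answers with an alert record
    instead of a ServerHello; either way the first byte back is a TLS
    record type, which is all the classifier needs.
    """
    body = (
        b"\x03\x03"                  # client_version = TLS 1.2
        + b"\x00" * 32               # client random (fixed zeros: this is a probe, not a real handshake)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02" + b"\x00\x2f"  # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA only
        + b"\x01\x00"                # compression_methods: null
    )
    # handshake header: type = client_hello (1), 24-bit length
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # record header: handshake, wire version TLS 1.0, 16-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def classify(first: bytes) -> str:
    """Label the peer from the first bytes it returned after our ClientHello."""
    if not first:
        return "closed"             # peer closed without sending anything
    if first[0] == TLS_HANDSHAKE and len(first) > 5 and first[5] == SERVER_HELLO:
        return "tls-serverhello"    # a TLS server accepted the hello: this port terminates TLS
    if first[0] == TLS_ALERT:
        return "tls-alert"          # a TLS server answered but rejected our parameters: still TLS
    if first.startswith(b"HTTP/"):
        return "plaintext-http"     # an HTTP server parsed our ClientHello as a garbage request
    return "not-tls"                # something else that is not a TLS record


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send the ClientHello, read once, classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            first = sock.recv(4096)
        except socket.timeout:
            return "silent"         # TCP accepted, nothing came back: the peer is waiting for other bytes
    return classify(first)


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it against both ports, e.g. `python3 probe.py 192.168.1.17 1988` and `python3 probe.py 192.168.1.17 41952`. A listener that terminates TLS (the backend, or the 1988 stanza once it has client = no) comes back as tls-serverhello or tls-alert; the original client = yes listener comes back as plaintext-http, not-tls or closed, because the backend's reply reaches you outside any TLS session you negotiated.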

On Saturday, October 10, 2015 9:58 AM, Josealf.rm <josealf@rocketmail.com> wrote:


Some clarifications

1. Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3 that is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.
2. You can do a direct test with curl against your service (local) or openssl s_client.

Regards
Jose

On 9 Oct 2015, at 5:44, Adrián Mihálko <adriankoooo@gmail.com> wrote:

Some good news, I removed client = yes as you suggested:

2015.10.09 12:39:29 LOG5[main]: Configuration successful
2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672
2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[61]: No peer certificate received
2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599

openssl s_client log:


The problem is now that the site loads forever, nothing happens. 

(The certificate on :1988 is a different one from the original on :41952. Is this not a problem?)

curl test:

*   Trying 192.168.1.17...
* Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
> GET /DYMO/DLS/Printing/Check HTTP/1.1
> User-Agent: curl/7.43.0
> Accept: */*
waiting forever.

2015-10-09 12:34 GMT+02:00 Adrián Mihálko <adriankoooo@gmail.com>:
In the first mail I wrote the ports wrong; of course, in the log I am using the right ones.

[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:41952


2015-10-09 12:32 GMT+02:00 Adrián Mihálko <adriankoooo@gmail.com>:
Sorry, curl was only for testing.

Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
CONNECTED(00000003)
1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:

2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:21 LOG5[main]: Configuration successful
2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket

If I am connecting to the :41952:

openssl s_client -connect 192.168.1.17:41952
...

---
No client certificate CA names sent
---
SSL handshake has read 1724 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
...


2015-10-09 10:55 GMT+02:00 test rig <testrig@z1p.biz>:

Ouch #2 missing...

Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server

You are connecting to :9999 with curl(?)
Try to verify it via the "openssl s_client -connect yourserverip:1988" command

Best Regards
Michael

--- Original message ---
From: "test rig" <testrig@z1p.biz>
Date: 09.10.2015 09:48:02
To: "stunnel-users@stunnel.org." <stunnel-users@stunnel.org>
Subject: Re: [stunnel-users] (no subject)

Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
--- Original message ---
From: Adrián Mihálko
Date: 09.10.2015 08:15:19
To: stunnel-users@stunnel.org
Subject: [stunnel-users] (no subject)

Dear stunnel users,

I have a little service which listens only on https://localhost:4952 and checks the source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952"

https://192.168.1.10:1988 -> redirect https://localhost:4952


I am trying to configure stunnel like this

[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:4952

remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
*   Trying 192.168.1.25...
* Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
* WARNING: using IP address, SNI is being disabled by the OS.
* Unknown SSL protocol error in connection to 192.168.1.25:-9847
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847

stunnel.log:
2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket

I tried verify = 1 to 4; none of them works. :(

Best Regards,
Adrian


______________________________________________________
powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure internet.

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users