I'm hoping that someone can give me a hint of where to look at this issue because I'm totally stuck and have been for a few days. When I attempt to use sTunnel in client mode with client certificates, the SSL seems to negotiate the certs and ciphers and then nothing else happens; the services hang. I'm hoping that someone has some insights about something that I haven't looked at, yet.
Windows Server, IIS 7 running SOAP services set for SSL Required, Client Certificate required (transport level client certificate, not SOAP message level).
Windows machine, simple web application acting as a test client for the SOAP service.
Client configured to use client certificates directly against the IIS 7 service instance. This works as expected.
Server configured to not require client certificates, but require SSL. sTunnel configured to listen on local port 8090 and forward to the IIS 7 server. This works as expected.
Server configured to require client certificates. sTunnel configured to use client certificate as issued by a local CA in addition to the setup as before. This does not work, but hangs.
2010.03.24 11:54:31 LOG5[5616:5992]: Reading configuration from file stunnel.conf
2010.03.24 11:54:31 LOG7[5616:5992]: RAND_status claims sufficient entropy for the PRNG
2010.03.24 11:54:31 LOG7[5616:5992]: PRNG seeded successfully
2010.03.24 11:54:31 LOG7[5616:5992]: Certificate: C:\certs\client-cert-for-internal-environments.pem
2010.03.24 11:54:31 LOG7[5616:5992]: Certificate loaded
2010.03.24 11:54:31 LOG7[5616:5992]: Key file: C:\certs\client-cert-for-internal-environments.pem
2010.03.24 11:54:38 LOG7[5616:5992]: Private key loaded
2010.03.24 11:54:38 LOG7[5616:5992]: SSL context initialized for service http
2010.03.24 11:54:38 LOG5[5616:5992]: Configuration successful
2010.03.24 11:54:38 LOG5[5616:5992]: No limit detected for the number of clients
2010.03.24 11:54:38 LOG7[5616:5992]: FD=176 in non-blocking mode
2010.03.24 11:54:38 LOG7[5616:5992]: Option SO_REUSEADDR set on accept socket
2010.03.24 11:54:38 LOG7[5616:5992]: Service http bound to 0.0.0.0:8090
2010.03.24 11:54:38 LOG7[5616:5992]: Service http opened FD=176
2010.03.24 11:54:38 LOG3[5616:5992]: c:\temp\stunnel.log: Input/output error (5)
2010.03.24 11:54:38 LOG3[5616:5992]: Unable to open output file: c:\temp\stunnel.log
2010.03.24 11:54:38 LOG5[5616:5992]: stunnel 4.32 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2010.03.24 11:54:38 LOG5[5616:5992]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.03.24 11:54:54 LOG7[5616:6192]: Service http accepted FD=436 from 127.0.0.1:56102
2010.03.24 11:54:54 LOG7[5616:6192]: Creating a new thread
2010.03.24 11:54:54 LOG7[5616:6192]: New thread created
2010.03.24 11:54:54 LOG7[5616:6696]: Service http started
2010.03.24 11:54:54 LOG7[5616:6696]: FD=436 in non-blocking mode
2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on local socket
2010.03.24 11:54:54 LOG5[5616:6696]: Service http accepted connection from 127.0.0.1:56102
2010.03.24 11:54:54 LOG7[5616:6696]: FD=456 in non-blocking mode
2010.03.24 11:54:54 LOG6[5616:6696]: connect_blocking: connecting 10.12.32.68:1443
2010.03.24 11:54:54 LOG7[5616:6696]: connect_blocking: s_poll_wait 10.12.32.68:1443: waiting 10 seconds
2010.03.24 11:54:54 LOG5[5616:6696]: connect_blocking: connected 10.12.32.68:1443
2010.03.24 11:54:54 LOG5[5616:6696]: Service http connected remote server from 10.12.47.109:56103
2010.03.24 11:54:54 LOG7[5616:6696]: Remote FD=456 initialized
2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on remote socket
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): before/connect initialization
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server certificate A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server done A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client key exchange A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write change cipher spec A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write finished A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 flush data
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read finished A
2010.03.24 11:54:54 LOG7[5616:6696]: 1 items in the session cache
2010.03.24 11:54:54 LOG7[5616:6696]: 1 client connects (SSL_connect())
2010.03.24 11:54:54 LOG7[5616:6696]: 1 client connects that finished
2010.03.24 11:54:54 LOG7[5616:6696]: 0 client renegotiations requested
2010.03.24 11:54:54 LOG7[5616:6696]: 0 server connects (SSL_accept())
2010.03.24 11:54:54 LOG7[5616:6696]: 0 server connects that finished
2010.03.24 11:54:54 LOG7[5616:6696]: 0 server renegotiations requested
2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache hits
2010.03.24 11:54:54 LOG7[5616:6696]: 0 external session cache hits
2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache misses
2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache timeouts
2010.03.24 11:54:54 LOG6[5616:6696]: SSL connected: new session negotiated
2010.03.24 11:54:54 LOG6[5616:6696]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
This is where things time out; nothing happens beyond this point.
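One way to read the log above for a hint, as an added example (not code from the post or from stunnel): this Python script re-joins the run-together stunnel entries and reports what the logged handshake says about client authentication. A TLS client can only send its certificate after the server sends a CertificateRequest, so a handshake whose states never include "read server certificate request" shows the server did not ask for the certificate in the initial handshake; the sample log is a constructed excerpt of the entries posted above.

```python
import re

# Constructed sample: an excerpt of the stunnel debug log posted above,
# including two entries that were run together on one line.
SAMPLE_LOG = """\
2010.03.24 11:54:54 LOG5[5616:6696]: Service http accepted connection from
127.0.0.1:561022010.03.24 11:54:54 LOG7[5616:6696]: FD=456 in non-blocking mode
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server certificate A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server done A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client key exchange A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read finished A
2010.03.24 11:54:54 LOG7[5616:6696]: 0 client renegotiations requested
2010.03.24 11:54:54 LOG6[5616:6696]: SSL connected: new session negotiated
"""

# Every stunnel entry starts with "YYYY.MM.DD HH:MM:SS LOGn[pid:tid]: ".
ENTRY_RE = re.compile(r"\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} LOG\d\[\d+:\d+\]: ")


def split_entries(text):
    """Return one string per log entry, re-joining wrapped lines and
    splitting entries that were pasted together (timestamp mid-line)."""
    flat = " ".join(text.splitlines())
    starts = [m.start() for m in ENTRY_RE.finditer(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, starts[1:] + [len(flat)])]


def handshake_report(text):
    """Summarise what the logged SSL states say about client-cert auth."""
    entries = split_entries(text)
    marker = "SSL state (connect): "
    states = [e.split(marker, 1)[1] for e in entries if marker in e]
    reneg = 0
    for e in entries:
        m = re.search(r": (\d+) client renegotiations requested$", e)
        if m:
            reneg = int(m.group(1))
    return {
        "entries": len(entries),
        "states": states,
        # OpenSSL logs these states only when the server sends a
        # CertificateRequest and the client answers it with a certificate.
        "cert_requested": any("read server certificate request" in s for s in states),
        "cert_sent": any("write client certificate" in s for s in states),
        "client_renegotiations": reneg,
        "handshake_complete": any("SSL connected" in e for e in entries),
    }
```

Feed it the full debug log to see whether the certificate was ever requested during the initial handshake; in the posted excerpt it was not, and no renegotiation was counted.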