There is a list of ciphers you need to list along with ssl options perhaps. Also try setting your sslVersion on both ends.
On Wednesday, January 2, 2013, Arun Kumar wrote:
Brian,
Thank you for the inputs. I tried without the client parameter and noticed "unknown protocol". I am not sure which "protocol" to use in stunnel.conf in my case.
comment out client = yes
restarted stunnel process.
ocm5-197-196:~ # dfm ldap find user1
Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=core,DC=dir,DC=telstra,DC=com': Can't contact LDAP server
Error: Failed to search for user1.
ocm5-197-196:~ # cat /root/stunnel.log
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Clients allowed=500
2013.01.02 19:31:43 LOG5[18156:46934667927072]: stunnel 4.54 on x86_64-unknown-linux-gnu platform
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Compression not enabled
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Snagged 64 random bytes from /root/.rnd
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Wrote 1024 new random bytes to /root/.rnd
2013.01.02 19:31:43 LOG7[18156:46934667927072]: PRNG seeded successfully
2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap]
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem revocation lookup file
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH parameters from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH parameters
2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with 2048-bit key
2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve prime256v1
2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap-ha]
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem revocation lookup file
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH parameters from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH parameters
2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with 2048-bit key
2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve prime256v1
2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Configuration successful
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap] (FD=7) bound to 0.0.0.0:389
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap-ha] (FD=8) bound to 0.0.0.0:8389
2013.01.02 19:31:43 LOG7[18157:46934667927072]: Created pid file /var/run/stunnel.pid
2013.01.02 19:32:02 LOG7[18157:46934667927072]: Service [ldap] accepted (FD=3) from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] started
2013.01.02 19:32:02 LOG5[18157:1073809728]: Service [ldap] accepted connection from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: SSL state (accept): before/accept initialization
2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol <----------
2013.01.02 19:32:02 LOG5[18157:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.01.02 19:32:02 LOG7[18157:1073809728]: Local socket (FD=3) closed
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] finished (0 left)
Appreciate your help.
Warm Regards, Arun kumar c
On Wed, Jan 2, 2013 at 7:29 PM, Brian Wilkins bwilkins@gmail.com wrote:
It thinks your server is a client. Remove client = yes. You need to have a client instance of stunnel and a server instance of stunnel. I am not too keen on ldap, but I assume it is unencrypted, so use stunnel to tunnel the traffic and then it gets down-selected to unencrypted on the receiving end.
Brian
On Wednesday, January 2, 2013, Arun Kumar wrote:
Team,
I am configuring stunnel for the first time. My Requirement: "NetApp DataFabricManager" application on SLES10 SP4 platform <------ (LDAP over Stunnel) -----> Windows 2003 Active Directory, for Active Directory user authentication.
Stunnel.conf:
setuid = root
setgid = root
client = yes
debug = 7
output = /root/stunnel.log
cert = /opt/crt_key.pem
key = /opt/crt_key.pem
pid = /var/run/stunnel.pid
verify = 3
CAfile = /opt/crt_key.pem
options = NO_SSLv2

[ldap]
accept = 389
connect = winad1-197-187:636

[ldap-ha]
accept = 8389
connect = winad2-197-189:636
ocm5-197-196:~ # dfm ldap list
Address Port Last Use Last Failure
127.0.0.1 389 2013-01-02 14:01:52.000000
127.0.0.1 8389 2013-01-02 13:49:35.000000
ocm5-197-196:~ #
ocm5-197-196:~ # dfm ldap find user1
Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=<zz>,DC=<xx>,DC=<yy>,DC=com': Can't contact LDAP server
Error: Failed to search for user1.
ocm5-197-196:~ #
NOTE: If I add the Active Directory server IP in the above list, instead of 127.0.0.1, LDAP authentication works fine.
ocm5-197-196:~ # cat /etc/services
... ..... ........
#### This is a Manual Entry made by root user for AD authentication services & Stunnel Integration ########
ldap-ha 8389/tcp # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
ldap-ha 8389/udp # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
ocm5-197-196:~ # stunnel /root/stunnel-4.54/tools/stunnel.conf
stunnel.log:
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Clients allowed=500
2013.01.02 14:00:42 LOG5[7102:47010476379680]: stunnel 4.54 on x86_64-unknown-linux-gnu platform
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Compression not enabled
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Snagged 64 random bytes from /root/.rnd
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Wrote 1024 new
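The SSL_accept "SSL23_GET_CLIENT_HELLO:unknown protocol" line in the thread is what OpenSSL reports when the first bytes it receives on a server-mode socket are not an SSL/TLS ClientHello at all. A practitioner debugging this usually wants two things: to pull the LOG3 handshake errors out of a debug = 7 stunnel log and attribute them to a service, and to check what the peer actually sent on the wire (a plaintext LDAP message is an ASN.1 BER SEQUENCE and starts with 0x30; a TLS handshake record starts with 0x16). The following is an added example, not code from the thread or from the stunnel project. The log lines and the LDAP bind bytes are constructed samples in the format quoted above; the REASONS wording is my own explanation, not an OpenSSL string.

```python
"""Triage stunnel handshake failures and sniff what a peer sent first.

Added example: parses stunnel 4.x debug-log lines (format as quoted in the
thread) and classifies the leading bytes of a client message, so that an
'unknown protocol' SSL_accept error can be tied to a plaintext client.
"""
import re

# Constructed sample in the format of the thread's stunnel 4.54 log.
SAMPLE_LOG = """\
2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap]
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap] (FD=7) bound to 0.0.0.0:389
2013.01.02 19:32:02 LOG7[18157:46934667927072]: Service [ldap] accepted (FD=3) from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] started
2013.01.02 19:32:02 LOG5[18157:1073809728]: Service [ldap] accepted connection from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: SSL state (accept): before/accept initialization
2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2013.01.02 19:32:02 LOG5[18157:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""

# Constructed sample payloads: an anonymous LDAPv3 simple BindRequest (BER)
# and the start of a TLS 1.0 handshake record carrying a ClientHello.
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
TLS_HELLO = bytes.fromhex("160301002f0100002b0301")

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
SERVICE_RE = re.compile(r"^Service \[(?P<name>[^\]]+)\] (?:started|accepted connection)")
SSL_ERR_RE = re.compile(r"^(?P<call>SSL_\w+): (?P<code>[0-9A-F]+): error:[0-9A-F]+:(?P<reason>.*)$")

# Defender-side explanations of OpenSSL handshake reasons (my wording).
REASONS = {
    "SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol":
        "peer's first bytes are not an SSL/TLS ClientHello; a server-mode stunnel "
        "is most likely being fed plaintext (e.g. an unencrypted LDAP bind)",
}


def parse_stunnel_log(text):
    """Split a stunnel debug log into dicts; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["level"] = int(d["level"])
            entries.append(d)
    return entries


def handshake_failures(entries):
    """Return (service, ssl_call, reason, explanation) for every LOG3 SSL error.

    stunnel names the service on the 'started' line of the same [pid:tid]
    that later logs the error, so the last service seen per thread is kept."""
    service_of = {}
    out = []
    for e in entries:
        key = (e["pid"], e["tid"])
        sm = SERVICE_RE.match(e["msg"])
        if sm:
            service_of[key] = sm.group("name")
        if e["level"] != 3:
            continue
        em = SSL_ERR_RE.match(e["msg"])
        if not em:
            continue
        reason = em.group("reason").strip()
        out.append((service_of.get(key, "?"), em.group("call"), reason,
                    REASONS.get(reason, "unclassified handshake error")))
    return out


def sniff_first_bytes(data):
    """Guess the protocol from the first bytes a peer sent on the socket."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"       # TLS record: content type 0x16, version 0x03xx
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"  # 2-byte length with high bit set, msg type 1
    if data[:1] == b"\x30":
        return "ber-sequence"        # ASN.1 SEQUENCE: how every LDAPMessage begins
    return "unknown"


if __name__ == "__main__":
    for svc, call, reason, why in handshake_failures(parse_stunnel_log(SAMPLE_LOG)):
        print(f"[{svc}] {call}: {reason}\n    -> {why}")
    for label, payload in (("ldap bind", LDAP_BIND), ("tls hello", TLS_HELLO)):
        print(f"{label}: {sniff_first_bytes(payload)}")
```

Run against the thread's log, this attributes the single LOG3 error to service [ldap] on thread 1073809728, and the byte sniffer reports the LDAP bind as a BER SEQUENCE rather than a TLS handshake, which is exactly the mismatch that produces the "unknown protocol" error on a server-mode accept. To capture the real first bytes on a host, a packet capture on the accept port (loopback here) is the usual source.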