Hello, I am new to STunnel and I am running into a problem. Here is my setup.
I use an ASUS router with Merlin firmware. I have STunnel installed via Entware on this router.
Running "stunnel -version" gives me:
stunnel 5.41 on mipsel-openwrt-linux-gnu platform Compiled/running with OpenSSL 1.0.2k 26 Jan 2017 Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Global options: RNDbytes = 64 RNDoverwrite = yes
Service-level options: ciphers = FIPS (with "fips = yes") ciphers = HIGH:!DH:!aNULL:!SSLv2 (with "fips = no") curve = prime256v1 debug = daemon.notice logId = sequential options = NO_SSLv2 options = NO_SSLv3 sessionCacheSize = 1000 sessionCacheTimeout = 300 seconds stack = 65536 bytes TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none
-------------------------------------------------------------------------------------------
I use my own server certificate signed by my own CA. This cert has the proper SANs with correct DNS/IP entries. I use this server certificate both for my router's HTTPS web gui and for the "cert" and "key" files listed in the config file below. Also, the "CAfile" in the config is pointing to my Root CA's certificate. My Root CA is also imported in my Windows box's certificate store.
I can directly access my router's web gui from LAN side via these ports: 80 (HTTP), 2000 (HTTPS). Router's LAN subnet is 10.49.49.0/24 and the router's WAN IP is 10.76.5.3 (it is double NAT for testing, this router is for testing) Also, STunnel is running as a server accepting connections on port 443 (all interfaces) on the router.
-------------------------------------------------------------------------------------------
I want to use Chrome directly as an STunnel client on my Windows box. So, I don't run STunnel on my Windows box in the client mode.
SITUATION 1: WORKS FINE!!
-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443" This should forward to the router's port 80 (HTTP protocol used).
My STunnel config file on the router has:
setuid = nobody setgid = nobody foreground foreground = yes syslog = yes debug = 7
[Test-Service] accept = 443 connect = 10.49.49.1:80 requireCert = yes verifyChain = yes CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt cert = /mnt/Merlin/entware/etc/stunnel/server.crt key = /mnt/Merlin/entware/etc/stunnel/server.key
SITUATION 2: DOES NOT WORK!!
-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443" This should forward to the router's port 2000 (HTTPS protocol used).
There is only one change from the Situation 1 config file. The line for "connect" changed to "connect = 10.49.49.1:2000)
This does not work. Note that I can directly access my router's web gui over https with "https://LAN_IP:2000" via Chrome, with no warnings.
------------------------------------------------------------------------------ My thoughts:
So, my current path is Chrome (Acting as STunnel Client) --> STunnel Server (on the router) --> Router's Web GUI. The "Chrome --> STunnel" Server connection is fine. Chrome prompts for private key and STunnel server correctly shows this incoming Chrome connection.
The problem is the "STunnel Server --> Router" relay that uses HTTPS protocol.
1. STunnel does not like HTTPS to HTTPS relay. HTTP to HTTPS works, but not HTTPS to HTTPS. 2. STunnel server on my router is a client to my router's web gui. Is STunnel verifying the certificate of my router's HTTPS certificate? 3. If the above answer is yes, my guess is that STunnel sees a self signed certificate for this router and kills the connection? 4. How do I tell STunnel server to ignore certificate warnings for a remote connection, like when connecting to this router? 5. Or how do I explicitly tell STunnel to trust my Root CA while making this connection to my router? I couldn't find any options in STunnel for this.
Regards,
Dipen Doshi