
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Scott,

Your configuration should be either:

[https]
accept = 443
connect = 80

[test_com]
sni = https:test.com
connect = 192.168.64.220:80

[www_test_com]
sni = https:www.test.com
connect = 192.168.64.220:80

[testing_com]
sni = https:testing.com
connect = 192.168.64.253:80

[www_testing_com]
sni = https:www.testing.com
connect = 192.168.64.253:80

or

[https]
accept = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80

Mike

On 17.03.2015 14:46, Scott McKeown wrote:
Hi Guys,
I've got a small issue where I'm trying to use multiple SNI rules in an STunnel frontend:
STunnel Version is:

stunnel -version
stunnel 5.11 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
debug = daemon.notice
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
stunnel.conf is:

[https]
accept = 443
connect = 80

[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80

[testing]
sni = https:testing.com
sni = https:www.testing.com
connect = 192.168.64.253:80
I've created local DNS rules for each of these Hosts but the problem is that only the last entered sni rule gets matched, so for example www.test.com works but test.com does not. It's the same for testing.com and www.testing.com.

This is what the log file shows too:
2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: Service [https] started
2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: Service [https] started
2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)
I have seen a couple of patch files floating around but they are for older versions and I can't get them to compile into the v5.11 version.
Any thoughts?
-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVCDZWAAoJEC78f/DUFuAUVmMP/jbvB9JHnkzTKCjv50vdaPNE
fcB5lGN8xjYkS2RToqi8dt0HBOIRUYAMgnyD6ifdPvMIs8Wo4qkE61axVGmeI3bE
sXdVv7jBwVXlx1pDzrD7fplTyumkMw/qSdrXe3W9LkaeBcCXtWDgDeJx6VfoiJ/0
tHE4lfOHTGiDl7MuVAUateILxdeUIA7vvrywmtKowIA+pJN2bgBmWDgcy45YAZe1
irjzxPBQxQtcizvTgW3eNL1TL+yO1k5oOT33l6aPitLq2TaZVwrDzsK9XKdEmD9Z
7lsa/lFqDEqWTxZ6TetGSnNM+Z6tOTD+jFj0PJvOohLYG/v+NPB4tc5U6z+4jl2S
SBjuMymFAb5uT9UD32MB9puDL8HVqLi7zU88NPYPZVsVdQtUMKKAOtv6FMVNF8Uh
qIbsUqMQMTSJiAFSNLbplBnsabUW4CEzs3A0eIbKg+XdKhfbK2vc/RYyORmXQGqT
7ZfeohaE5LVxjEZei6e7Bc+Gm+yz4Avki4t0AR3iS/j6tyBUJFnzk56NmhELLwao
kQ+p4l1HWcoRKYLkybDmrxJHKH7O1iUyLW9qVsHNsPi/UsDB9yf+Avb69QOK66M+
ufQ0TF/zLW89SBIGMPtc0fhBM6vTpNPt27SK9138nNgCqX+0UgV2hXwrCDSecYNk
P4tT4ckWBkwIVM6eqrSQ
=EEX8
-----END PGP SIGNATURE-----
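The thread above turns on one detail: a service section holds a single sni value, so a second "sni =" line in the same section replaces the first instead of adding to it. The script below is an added example, not part of the thread and not stunnel's own code. It parses a stunnel.conf-style file while keeping duplicate keys, flags sections that set sni more than once, and resolves a requested servername against the SNI patterns the way the thread's answer relies on: a pattern beginning with "*" matches any name ending in the remainder, anything else must match exactly. The case-insensitive comparison and first-match-in-file-order behaviour are assumptions made here, and both sample configurations are constructed from the thread.

```python
"""stunnel.conf SNI checker (added example; assumptions noted inline).

Parses [section] / key = value text keeping repeated keys, reports sections
that set 'sni' more than once (only the last line takes effect, which is
what produced "SNI: no pattern matched servername" in the thread), and
resolves an SNI servername against the effective patterns.
"""

# Constructed input: the configuration from the original question.
BROKEN_CONF = """\
[https]
accept = 443
connect = 80

[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80

[testing]
sni = https:testing.com
sni = https:www.testing.com
connect = 192.168.64.253:80
"""

# Constructed input: the wildcard variant of the suggested fix.
FIXED_CONF = """\
[https]
accept = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80
"""


def parse_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = []
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not key = value
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def duplicate_sni_sections(sections):
    """Names of sections with more than one 'sni =' line (only the last counts)."""
    return sorted(
        name for name, items in sections.items()
        if sum(1 for key, _ in items if key == "sni") > 1
    )


def sni_rules(sections, parent):
    """(pattern, section) pairs attached to the given parent service, in file order."""
    rules = []
    for name, items in sections.items():
        effective = None
        for key, value in items:
            if key == "sni":
                effective = value  # a later line silently replaces an earlier one
        if effective is None:
            continue
        service, _, pattern = effective.partition(":")
        if service == parent and pattern:
            rules.append((pattern, name))
    return rules


def matches(servername, pattern):
    """'*suffix' is a suffix match, anything else an exact match.

    Assumption: hostnames compare case-insensitively.
    """
    name, pat = servername.lower(), pattern.lower()
    if pat.startswith("*"):
        return name.endswith(pat[1:])
    return name == pat


def resolve(sections, parent, servername):
    """Section that would serve the SNI name, or None (stunnel logs 'no pattern matched').

    Assumption: the first matching section in file order wins.
    """
    for pattern, section in sni_rules(sections, parent):
        if matches(servername, pattern):
            return section
    return None


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        conf = parse_conf(text)
        print(f"{label}: sections setting sni twice -> {duplicate_sni_sections(conf)}")
        for host in ("test.com", "www.test.com", "testing.com", "www.testing.com"):
            print(f"  {host:16} -> {resolve(conf, 'https', host)}")
```

Run against the broken configuration, test.com and testing.com resolve to nothing, matching the "no pattern matched" log lines, while the www names still work. One point worth weighing before choosing the wildcard form of the fix: "*test.com" is a plain suffix match, so it would also accept a name such as mytest.com; the per-host sections in the first variant are the tighter choice when only the four exact names should reach those back ends.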