Hi Scott,
Your configuration should be either:

[https]
accept = 443
connect = 80

[test_com]
sni = https:test.com
connect = 192.168.64.220:80

[www_test_com]
sni = https:www.test.com
connect = 192.168.64.220:80

[testing_com]
sni = https:testing.com
connect = 192.168.64.253:80

[www_testing_com]
sni = https:www.testing.com
connect = 192.168.64.253:80

or

[https]
accept = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80
Mike
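To make the pitfall from this thread checkable, here is an added example (not stunnel code and not from either poster) that parses an stunnel.conf the way the observed behaviour implies (a repeated key in a section keeps only the last value), reports the duplicate `sni` lines, and then simulates which slave service a ClientHello server name would reach. The matcher assumes a leading `*` is a plain case-insensitive suffix match, which also shows why `*test.com` would route `latest.com` to the same backend; verify that against your stunnel version before relying on it. `BROKEN_CONF`, `parse_conf`, `sni_table` and `match_sni` are names chosen for this example.

```python
import re

# Constructed sample mirroring the original post: two sni lines in one
# section, which stunnel reads as "last value wins".
BROKEN_CONF = """[https]
accept = 443
connect = 80
[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80
"""

def parse_conf(text):
    """Parse stunnel.conf into {section: {key: last value}} plus a list
    of (section, key) pairs that were defined more than once."""
    sections, dups, current = {}, [], "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in sections.get(current, {}):
            dups.append((current, key))        # the pitfall: silently overwritten
        sections.setdefault(current, {})[key] = value
    return sections, dups

def sni_table(sections):
    """Collect (master, pattern, slave) from each 'sni = MASTER:PATTERN'."""
    table = []
    for name, opts in sections.items():
        if "sni" in opts:
            master, _, pattern = opts["sni"].partition(":")
            table.append((master, pattern.lower(), name))
    return table

def match_sni(table, master, servername):
    """Return the slave service for a ClientHello server name, or None
    (stunnel then sends the 'unrecognized name' alert seen in the log).
    Assumption: leading '*' = case-insensitive suffix match on the rest."""
    host = servername.lower()
    for m, pattern, slave in table:
        if m == master and (host.endswith(pattern[1:]) if pattern.startswith("*")
                            else host == pattern):
            return slave
    return None
```

Running `parse_conf` over a config before deploying it and failing on a non-empty duplicate list catches this misconfiguration without a client ever seeing the fatal alert.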
On 17.03.2015 14:46, Scott McKeown wrote:
Hi Guys,
I've got a small issue where I'm trying to use multiple SNI rules in an STunnel frontend:
STunnel Version is:

stunnel -version
stunnel 5.11 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
debug = daemon.notice
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

stunnel.conf is:

[https]
accept = 443
connect = 80

[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80

[testing]
sni = https:testing.com
sni = https:www.testing.com
connect = 192.168.64.253:80
I've created local DNS rules for each of these hosts, but the problem is that only the last entered sni rule gets matched, so for example www.test.com works but test.com does not. It's the same for testing.com and www.testing.com.
This is what the log file shows too:
2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: Service [https] started
2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: Service [https] started
2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)
I have seen a couple of patch files floating around but they are for older versions and I can't get them to compile into the v5.11 version.
Any thoughts?
--
With Kind Regards,
Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free) (24x7)

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users