We have an STunnel configuration running to take encrypted TLS traffic from customers and pass it to our application unencrypted. We have purchased a CA signed certificate, but we are receiving an error when negotiating. We have tried many searches/configurations with no progress.
STunnel General Config
; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
debug = debug
output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi
; You also need to disable TLS 1.2 or later, because the CryptoAPI engine
; currently does not support PSS
;sslVersionMin = TLSv1.2
; Note: this line is active, so TLS 1.3 is never negotiated and the
; "ciphersuites" list below (TLS 1.3 only) is never used
sslVersionMax = TLSv1.2

; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later
;securityLevel = 0

; TLS 1.3 suites (only used when TLS 1.3 is allowed by sslVersionMax)
ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
; TLS 1.2 suites. Static-ECDH (ECDH-*) suites were removed in OpenSSL 1.1.0 and
; unknown names are silently ignored by the cipher-string parser; the plain
; AES*-GCM-SHA* entries use RSA key transport and give no forward secrecy
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256
curves = X25519:P-256:X448:P-521:P-384

; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; such as softhsm2-x64.dll or opensc-pkcs11.dll
; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2-x64.dll
;engineCtrl = PIN:1234

; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
; This line is active: "-NO_SSLv3" clears the NO_SSLv3 option and re-enables
; SSLv3 where the OpenSSL build still supports it; comment it out unless
; SSLv3 is genuinely required
options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************

;include = conf.d
STunnel Service Specific Config

; TLS front-end to a web server
[https]
accept = 27015
connect = 172.31.4.10:9000
; stunnel expects the cert file to hold the whole chain in order: the server
; certificate first, then the issuer's intermediate CA certificate(s); the
; private key may live in the same file, as here
cert = mycert.pem
key = mycert.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0
STunnel Debug

2022.10.15 11:16:08 LOG6[769]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.15 11:16:08 LOG3[769]: SSL_get_peer_tmp_key: Peer suddenly disconnected
2022.10.15 11:16:08 LOG7[769]: Compression: null, expansion: null
2022.10.15 11:16:08 LOG7[769]: Deallocating application specific data for session connect address
2022.10.15 11:16:08 LOG6[769]: s_connect: connecting x.x.x.x:9000
2022.10.15 11:16:08 LOG7[769]: s_connect: s_poll_wait x.x.x.x:9000: waiting 10 seconds
2022.10.15 11:16:08 LOG7[769]: FD=792 ifds=--- ofds=r--
2022.10.15 11:16:08 LOG7[769]: FD=888 ifds=rwx ofds=---
2022.10.15 11:16:08 LOG5[769]: s_connect: connected x.x.x.x:9000
2022.10.15 11:16:08 LOG6[769]: persistence: x.x.x.x:9000 cached
2022.10.15 11:16:08 LOG5[769]: Service [https] connected remote server from x.x.x.x:52720
2022.10.15 11:16:08 LOG7[769]: Setting remote socket options (FD=888)
2022.10.15 11:16:08 LOG7[769]: Option TCP_NODELAY set on remote socket
2022.10.15 11:16:08 LOG7[769]: Remote descriptor (FD=888) initialized
2022.10.15 11:16:09 LOG6[769]: SSL_read: Socket is closed
2022.10.15 11:16:09 LOG6[769]: TLS socket closed (SSL_read)
2022.10.15 11:16:09 LOG7[769]: Sent socket write shutdown
Any assistance would be GREATLY appreciated!
Thank you.
_________________________________
Gary Jackson | Senior Systems Engineer
Direct: 502.777.1940
IT GUY NETWORKS LLC | Certified Systems Consultants 14607 Lake Bluff Place Louisville, KY 40245
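A small triage script, added here as an example and not part of the post or of stunnel, that reads a debug log like the one above, groups the lines by stunnel's connection id (the number in square brackets) and reports where each connection died. Connection [769] in the sample input is the excerpt from the post; connection [770] is a constructed second connection showing a client that rejects the certificate with a TLS alert during the handshake. The line format, the "s_connect: connected", "TLS socket closed" and "Connection closed/reset: N byte(s) ..." message strings are taken from stunnel's own log output; the diagnosis rules themselves are this example's heuristics, not anything stunnel provides.

```python
"""Triage an stunnel debug log per connection (added example, not stunnel code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: [769] is the excerpt from the post above, [770] is an
# invented connection whose client aborts the handshake with a TLS alert.
SAMPLE_LOG = """\
2022.10.15 11:16:08 LOG6[769]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.15 11:16:08 LOG3[769]: SSL_get_peer_tmp_key: Peer suddenly disconnected
2022.10.15 11:16:08 LOG7[769]: Compression: null, expansion: null
2022.10.15 11:16:08 LOG6[769]: s_connect: connecting x.x.x.x:9000
2022.10.15 11:16:08 LOG5[769]: s_connect: connected x.x.x.x:9000
2022.10.15 11:16:08 LOG5[769]: Service [https] connected remote server from x.x.x.x:52720
2022.10.15 11:16:09 LOG6[769]: SSL_read: Socket is closed
2022.10.15 11:16:09 LOG6[769]: TLS socket closed (SSL_read)
2022.10.15 11:16:09 LOG7[769]: Sent socket write shutdown
2022.10.15 11:20:01 LOG5[770]: Service [https] accepted connection from x.x.x.x:52801
2022.10.15 11:20:01 LOG3[770]: SSL_accept: ssl/record/rec_layer_s3.c:1544: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2022.10.15 11:20:01 LOG5[770]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# "<date> <time> LOG<level>[<conn id>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
# Byte counters stunnel prints when a connection ends.
BYTES_RE = re.compile(r"Connection (?:closed|reset): (\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")


@dataclass
class Conn:
    ciphersuite: Optional[str] = None      # set once the TLS handshake completed
    backend_connected: bool = False        # "s_connect: connected" seen
    tls_closed: bool = False               # "TLS socket closed" seen
    to_socket: Optional[int] = None        # bytes relayed client -> backend, if logged
    errors: List[str] = field(default_factory=list)  # LOG3 (error) messages
    diagnosis: str = ""


def parse_log(text: str) -> Dict[str, Conn]:
    conns: Dict[str, Conn] = defaultdict(Conn)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, msg = conns[m["conn"]], m["msg"]
        if m["level"] == "3":
            c.errors.append(msg)
        if "ciphersuite:" in msg:
            c.ciphersuite = msg.split("ciphersuite:", 1)[1].split("(")[0].strip()
        elif msg.startswith("s_connect: connected"):
            c.backend_connected = True
        elif msg.startswith("TLS socket closed"):
            c.tls_closed = True
        else:
            b = BYTES_RE.search(msg)
            if b:
                c.to_socket = int(b.group(2))
    return dict(conns)


def diagnose(c: Conn) -> str:
    """Heuristic classification (this example's own rules)."""
    if c.ciphersuite is None:
        alert = next((e for e in c.errors if "alert" in e), None)
        if alert:
            return "handshake failed: client sent TLS alert '%s'" % alert.rsplit("alert", 1)[1].strip()
        return "handshake never completed: check sslVersionMin/Max and ciphers against what the client offers"
    if c.tls_closed and not c.backend_connected:
        return "handshake OK but backend never connected: check the connect = address/port"
    if c.tls_closed and not c.to_socket:
        return ("client closed right after the handshake without sending application data: "
                "typical of a client rejecting the server certificate (incomplete chain or name mismatch); "
                "confirm with 'openssl s_client -connect <host>:27015 -servername <host>' and read 'Verify return code'")
    return "connection relayed data normally"


def triage(text: str) -> Dict[str, Conn]:
    conns = parse_log(text)
    for c in conns.values():
        c.diagnosis = diagnose(c)
    return conns


if __name__ == "__main__":
    for cid, c in triage(SAMPLE_LOG).items():
        print("[%s] %s" % (cid, c.diagnosis))
```

Run it against the real stunnel.log (`triage(open("stunnel.log").read())`) with `debug = debug` still set; a connection that completes the handshake, reaches the backend and is then closed by the client with nothing relayed is the pattern in the post, and the `openssl s_client` verify result is the quickest way to tell whether the client's trust decision is the cause.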