We have an STunnel configuration running to take encrypted TLS traffic from customers and pass it to our application unencrypted. We have purchased a CA signed certificate, but we are receiving an error when negotiating. We have tried
many searches/configurations with no progress.
STunnel General Config
; **************************************************************************
; * Global options *
; **************************************************************************
; Debugging stuff (may be useful for troubleshooting)
debug = debug
output = stunnel.log
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi
; You also need to disable TLS 1.2 or later, because the CryptoAPI engine
; currently does not support PSS
;sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.2
; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later
;securityLevel = 0
ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-;RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-;SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-;AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256
curves = X25519:P-256:X448:P-521:P-384
; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; such as softhsm2-x64.dll or opensc-pkcs11.dll
; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2-x64.dll
;engineCtrl = PIN:1234
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Enable support for the insecure SSLv3 protocol
options = -NO_SSLv3
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************
;include = conf.d
STunnel Service Specific Config
; TLS front-end to a web server
[https]
accept = 27015
connect = 172.31.4.10:9000
cert = mycert.pem
key = mycert.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0
STunnel Debug
2022.10.15 11:16:08 LOG6[769]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.15 11:16:08 LOG3[769]: SSL_get_peer_tmp_key: Peer suddenly disconnected
2022.10.15 11:16:08 LOG7[769]: Compression: null, expansion: null
2022.10.15 11:16:08 LOG7[769]: Deallocating application specific data for session connect address
2022.10.15 11:16:08 LOG6[769]: s_connect: connecting x.x.x.x:9000
2022.10.15 11:16:08 LOG7[769]: s_connect: s_poll_wait x.x.x.x:9000: waiting 10 seconds
2022.10.15 11:16:08 LOG7[769]: FD=792 ifds=--- ofds=r--
2022.10.15 11:16:08 LOG7[769]: FD=888 ifds=rwx ofds=---
2022.10.15 11:16:08 LOG5[769]: s_connect: connected x.x.x.x:9000
2022.10.15 11:16:08 LOG6[769]: persistence: x.x.x.x:9000 cached
2022.10.15 11:16:08 LOG5[769]: Service [https] connected remote server from x.x.x.x:52720
2022.10.15 11:16:08 LOG7[769]: Setting remote socket options (FD=888)
2022.10.15 11:16:08 LOG7[769]: Option TCP_NODELAY set on remote socket
2022.10.15 11:16:08 LOG7[769]: Remote descriptor (FD=888) initialized
2022.10.15 11:16:09 LOG6[769]: SSL_read: Socket is closed
2022.10.15 11:16:09 LOG6[769]: TLS socket closed (SSL_read)
2022.10.15 11:16:09 LOG7[769]: Sent socket write shutdown
Any assistance would be GREATLY appreciated!
Thank you.
_________________________________
Gary Jackson | Senior Systems Engineer
Direct: 502.777.1940
IT GUY NETWORKS LLC | Certified Systems Consultants
14607 Lake Bluff Place
Louisville, KY 40245
The information contained in this email, and in any accompanying documents, constitutes confidential information, which belongs to IT Guy Networks. This information is intended for the use of the individual(s) or entity named above. You are hereby notified
that any disclosure, copying, distribution, or the taking of any action in reliance on this information, is strictly prohibited.