Hello Michal,
Friday, January 13, 2012, 11:38:06 PM, you wrote:
yyy wrote:
Tried simply adding protocolHost=servername into the client configuration section, but it did not work, because the server returned the default cert.
I was told I tend to behave like an oracle, but I'm not.
I can hardly diagnose your configuration without the output of "stunnel -version" and debug logs.
Sorry, here is the output of "stunnel -version" (although fips=no is specified in stunnel.conf):

stunnel 4.52 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6

Global options:
debug = notice
RNDbytes = 64
RNDoverwrite = yes
taskbar = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
curve = prime256v1
session = 300 seconds
sslVersion = TLSv1 (with "fips = yes")
sslVersion = TLSv1 for client, all for server (with "fips = no")
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Server is down
And here is the log (debug=7):

2012.01.13 21:57:48 LOG7[2132:7704]: Service sni-client accepted FD=504 from 127.0.0.1:2541
2012.01.13 21:57:48 LOG7[2132:7704]: Creating a new thread
2012.01.13 21:57:48 LOG7[2132:7704]: New thread created
2012.01.13 21:57:48 LOG7[2132:7932]: Service sni-client started
2012.01.13 21:57:48 LOG5[2132:7932]: Service sni-client accepted connection from 127.0.0.1:2541
2012.01.13 21:57:48 LOG6[2132:7932]: connect_blocking: connecting 213.175.91.220:443
2012.01.13 21:57:48 LOG7[2132:7932]: connect_blocking: s_poll_wait 213.175.91.220:443: waiting 10 seconds
2012.01.13 21:57:48 LOG5[2132:7932]: connect_blocking: connected 213.175.91.220:443
2012.01.13 21:57:48 LOG5[2132:7932]: Service sni-client connected remote server from 10.0.0.151:2542
2012.01.13 21:57:48 LOG7[2132:7932]: Remote FD=448 initialized
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): before/connect initialization
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client hello A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server hello A
2012.01.13 21:57:48 LOG7[2132:7932]: Starting certificate verification: depth=1, /C=lv/L=Salaspils/CN=yyyCA/emailAddress=yyy@yyy.id.lv
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=1, /C=lv/L=Salaspils/CN=yyyCA/emailAddress=yyy@yyy.id.lv
2012.01.13 21:57:48 LOG7[2132:7932]: Starting certificate verification: depth=0, /C=lv/CN=afm.yyy.id.lv/description=\x00s\x00e\x00r\x00v\x00e\x00r\x00a\x00 \x00s\x00e\x00r\x00t\x00i\x00f\x00i\x00k\x01\x01\x00t\x00s\x00 \x00l\x00i\x00e\x00t\x00o\x01a\x00a\x00n\x00a\x00i\x00 \x00s\x00e\x00r\x00v\x00e\x00r\x00i\x00e\x00m\x00,\x00 \x00k\x00a\x00m\x00 \x00j\x01\x01\x00s\x00l\x01\x13\x00d\x00z\x00a\x00s\x00 \x00k\x00l\x01\x01\x00t\x00 \x00a\x00r\x00 \x00e\x005\x002
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=0, /C=lv/CN=afm.yyy.id.lv/description=\x00s\x00e\x00r\x00v\x00e\x00r\x00a\x00 \x00s\x00e\x00r\x00t\x00i\x00f\x00i\x00k\x01\x01\x00t\x00s\x00 \x00l\x00i\x00e\x00t\x00o\x01a\x00a\x00n\x00a\x00i\x00 \x00s\x00e\x00r\x00v\x00e\x00r\x00i\x00e\x00m\x00,\x00 \x00k\x00a\x00m\x00 \x00j\x01\x01\x00s\x00l\x01\x13\x00d\x00z\x00a\x00s\x00 \x00k\x00l\x01\x01\x00t\x00 \x00a\x00r\x00 \x00e\x005\x002
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server certificate A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server key exchange A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server certificate request A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server done A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client certificate A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client key exchange A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write certificate verify A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write change cipher spec A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write finished A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 flush data
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 read server session ticket A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 read finished A
2012.01.13 21:57:49 LOG7[2132:7932]: 1 items in the session cache
2012.01.13 21:57:49 LOG7[2132:7932]: 1 client connects (SSL_connect())
2012.01.13 21:57:49 LOG7[2132:7932]: 1 client connects that finished
2012.01.13 21:57:49 LOG7[2132:7932]: 0 client renegotiations requested
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server connects (SSL_accept())
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server connects that finished
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server renegotiations requested
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache hits
2012.01.13 21:57:49 LOG7[2132:7932]: 0 external session cache hits
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache misses
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache timeouts
2012.01.13 21:57:49 LOG7[2132:7932]: Peer certificate was cached (3611 bytes)
2012.01.13 21:57:49 LOG6[2132:7932]: SSL connected: new session negotiated
2012.01.13 21:57:49 LOG6[2132:7932]: Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.13 21:57:49 LOG6[2132:7932]: Compression: null, expansion: null
2012.01.13 21:58:09 LOG3[2132:7932]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2012.01.13 21:58:09 LOG5[2132:7932]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.01.13 21:58:09 LOG7[2132:7932]: Service sni-client finished (0 left)
It connects just fine, just to the default service.

s_client connects to the proper service (using this command):
C:\openssl s_client -connect 213.175.91.220:443 -cert cert.crt -key key.key -servername servername

Client authentication succeeds in either case (as expected).
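Added example, not part of the thread and not stunnel's own code: a small Python triage parser for stunnel 4.x debug records like the ones quoted above. It groups records by thread id (one stunnel thread per connection) and pulls out the facts that decide the question in this thread, namely which leaf certificate the server presented, the negotiated cipher, and whether the peer reset the connection. The sample log is a constructed subset of the records above, with the long UTF-16 description RDN dropped.

```python
import re
from collections import defaultdict

# One stunnel 4.x debug record: "2012.01.13 21:57:48 LOG7[2132:7932]: message"
LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} LOG(\d)\[(\d+):(\d+)\]: (.*)$")
CERT_RE = re.compile(r"^Certificate accepted: depth=(\d+), (.*)$")
CN_RE = re.compile(r"/CN=([^/]+)")

# Constructed sample: a subset of the records quoted in the thread, with the
# long UTF-16 'description' RDN of the leaf certificate dropped for brevity.
SAMPLE_LOG = """\
2012.01.13 21:57:48 LOG7[2132:7932]: Service sni-client started
2012.01.13 21:57:48 LOG5[2132:7932]: connect_blocking: connected 213.175.91.220:443
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=1, /C=lv/L=Salaspils/CN=yyyCA/emailAddress=yyy@yyy.id.lv
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=0, /C=lv/CN=afm.yyy.id.lv
2012.01.13 21:57:49 LOG6[2132:7932]: Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.13 21:58:09 LOG3[2132:7932]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
"""

def parse_stunnel_log(text):
    """Group records by thread id and keep the facts needed to triage a wrong-certificate problem."""
    conns = defaultdict(lambda: {"remote": None, "chain": {}, "cipher": None, "reset": False})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, wrapped continuation, or non-stunnel noise
        conn, msg = conns[m.group(3)], m.group(4)
        if msg.startswith("connect_blocking: connected "):
            conn["remote"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Certificate accepted: "):
            cm = CERT_RE.match(msg)
            if cm:  # depth 0 is the server's own (leaf) certificate
                conn["chain"][int(cm.group(1))] = cm.group(2)
        elif msg.startswith("Negotiated ciphers: "):
            conn["cipher"] = msg.split()[2]  # e.g. ECDHE-RSA-RC4-SHA
        elif "Connection reset by peer" in msg:
            conn["reset"] = True
    return dict(conns)

def leaf_cn(conn):
    # CN of the depth=0 certificate the server presented, or None if none was logged.
    subject = conn["chain"].get(0)
    m = CN_RE.search(subject) if subject else None
    return m.group(1) if m else None

def served_expected_name(conn, expected_name):
    """True when the leaf CN is the name the client meant to reach. A clean handshake
    whose leaf CN is some other name is the symptom in the thread: no SNI name reached
    the server, so it fell back to its default certificate."""
    return leaf_cn(conn) == expected_name
```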