I tried this config:
sslVersion = all
options = NO_SSLv2

[myproxy]
client = yes
accept = 127.0.0.1:8080
connect = 192.168.10.111:443
And got this:
2016.07.22 02:10:01 LOG5[main]: Configuration successful
2016.07.22 02:10:01 LOG7[main]: Listening file descriptor created (FD=932)
2016.07.22 02:10:01 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2016.07.22 02:10:01 LOG7[main]: Service [secproxy] (FD=932) bound to 127.0.0.1:8080
2016.07.22 02:10:01 LOG7[main]: Signal pipe is empty
2016.07.22 02:10:50 LOG7[main]: Found 1 ready file descriptor(s)
2016.07.22 02:10:50 LOG7[main]: FD=516 ifds=r-x ofds=---
2016.07.22 02:10:50 LOG7[main]: Service [secproxy] accepted (FD=972) from 127.0.0.1:22000
2016.07.22 02:10:50 LOG7[main]: Creating a new thread
2016.07.22 02:10:50 LOG7[main]: New thread created
2016.07.22 02:10:50 LOG7[7]: Service [secproxy] started
2016.07.22 02:10:50 LOG7[7]: Option TCP_NODELAY set on local socket
2016.07.22 02:10:50 LOG5[7]: Service [secproxy] accepted connection from 127.0.0.1:22000
2016.07.22 02:10:50 LOG6[7]: s_connect: connecting 192.168.10.111:443
2016.07.22 02:10:50 LOG7[7]: s_connect: s_poll_wait 192.168.10.111:443: waiting 10 seconds
2016.07.22 02:10:51 LOG5[7]: s_connect: connected 192.168.10.111:443
2016.07.22 02:10:51 LOG5[7]: Service [secproxy] connected remote server from 10.10.14.16:22001
2016.07.22 02:10:51 LOG7[7]: Option TCP_NODELAY set on remote socket
2016.07.22 02:10:51 LOG7[7]: Remote descriptor (FD=936) initialized
2016.07.22 02:10:51 LOG6[7]: SNI: sending servername: 192.168.10.111
2016.07.22 02:10:51 LOG6[7]: Peer certificate not required
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): before/connect initialization
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv2/v3 write client hello A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server hello A
2016.07.22 02:10:51 LOG6[7]: Certificate verification disabled
2016.07.22 02:10:51 LOG6[7]: Certificate verification disabled
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server certificate A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server key exchange A
2016.07.22 02:10:51 LOG6[7]: Client certificate not requested
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server done A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 write client key exchange A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 write change cipher spec A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 write finished A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 flush data
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server session ticket A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read finished A
2016.07.22 02:10:51 LOG7[7]: 1 client connect(s) requested
2016.07.22 02:10:51 LOG7[7]: 1 client connect(s) succeeded
2016.07.22 02:10:51 LOG7[7]: 0 client renegotiation(s) requested
2016.07.22 02:10:51 LOG7[7]: 0 session reuse(s)
2016.07.22 02:10:51 LOG6[7]: SSL connected: new session negotiated
2016.07.22 02:10:51 LOG7[7]: Peer certificate was cached (1895 bytes)
2016.07.22 02:10:51 LOG6[7]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2016.07.22 02:10:51 LOG7[7]: Compression: null, expansion: null
2016.07.22 02:10:51 LOG6[7]: SSL socket closed (SSL_read)
2016.07.22 02:10:51 LOG7[7]: Sent socket write shutdown
2016.07.22 02:10:51 LOG5[7]: Connection closed: 517 byte(s) sent to SSL, 2428 byte(s) sent to socket
2016.07.22 02:10:51 LOG7[7]: Remote descriptor (FD=936) closed
2016.07.22 02:10:51 LOG7[7]: Local descriptor (FD=972) closed
2016.07.22 02:10:51 LOG7[7]: Service [secproxy] finished (0 left)
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 58151 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 55033 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\a_object.c:346: 45704 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\a_object.c:315: 45704 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\asn1_lib.c:372: 42431 allocations
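An added example, not code from the thread or from the stunnel project: a small Python parser for stunnel's log line layout, run over a constructed subset of the session logged above. It reports the negotiated protocol and ciphersuite, whether peer certificate verification was on, which side closed the TLS socket, and the byte counts at close, which is what a reviewer wants to read off a client-mode tunnel log before trusting it. The option names verifyChain and CAfile in the finding text are stunnel's own; the function names are this example's.

```python
import re

# Constructed sample: a subset of the stunnel debug lines from the post above, one per entry.
SAMPLE_LOG = """\
2016.07.22 02:10:51 LOG6[7]: SNI: sending servername: 192.168.10.111
2016.07.22 02:10:51 LOG6[7]: Peer certificate not required
2016.07.22 02:10:51 LOG6[7]: Certificate verification disabled
2016.07.22 02:10:51 LOG6[7]: SSL connected: new session negotiated
2016.07.22 02:10:51 LOG6[7]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2016.07.22 02:10:51 LOG6[7]: SSL socket closed (SSL_read)
2016.07.22 02:10:51 LOG5[7]: Connection closed: 517 byte(s) sent to SSL, 2428 byte(s) sent to socket
"""

# stunnel line layout: "<date> <time> LOG<level>[<thread>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[([^\]]+)\]: (.*)$")
NEGOTIATED_RE = re.compile(r"Negotiated (\S+) ciphersuite (\S+)")
CLOSED_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")

def parse_stunnel_log(text):
    """Summarise each stunnel connection thread found in the log text, keyed by thread id."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an stunnel log line (blank or foreign output)
        thread, msg = m.group(3), m.group(4)
        s = sessions.setdefault(thread, {
            "proto": None, "cipher": None, "verify_disabled": False,
            "peer_closed": False, "bytes_to_ssl": None, "bytes_to_socket": None,
        })
        if msg == "Certificate verification disabled":
            s["verify_disabled"] = True
        elif (n := NEGOTIATED_RE.search(msg)):
            s["proto"], s["cipher"] = n.group(1), n.group(2)
        elif msg == "SSL socket closed (SSL_read)":
            s["peer_closed"] = True  # SSL_read hit end of stream: the TLS peer closed first
        elif (c := CLOSED_RE.search(msg)):
            s["bytes_to_ssl"], s["bytes_to_socket"] = int(c.group(1)), int(c.group(2))
    return sessions

def findings(session):
    """Review findings for one session, most security-relevant first."""
    out = []
    if session["verify_disabled"]:
        out.append("peer certificate not verified; set verifyChain = yes and CAfile in the config")
    if session["proto"] in ("SSLv2", "SSLv3", "TLSv1"):
        out.append(f"legacy protocol {session['proto']} negotiated")
    if session["peer_closed"]:
        out.append("TLS peer closed the connection first (check the remote proxy's log)")
    return out
```

Run over the complete log above it reports the same TLSv1.2 session with the verification finding, which is the point the config in this reply leaves open.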
22.07.2016, 04:53, "Kirill Franko" frankokirill@yandex.ru:
Hi guys! I have an SSL proxy server which sends me the error "ssl handshake failure" in the browser and other proxy tools. But when I use ncat or the openssl tool, the proxy works fine.
When I'm trying to use remoteSSLproxy.com directly as an HTTPS proxy (in Firefox, for example) I'm getting an error:
HTTP/1.0 500 handshakefailed
Via: 1.0 192.168.10.111 (Web Gateway)
Connection: Close
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 1944
But when I'm connecting with openssl (openssl s_client -connect remoteSSLproxy.com:443 -tls1) or ncat (ncat --ssl remoteSSLproxy.com:443), the proxy works fine.
Please help me to make a working tunnel. I think I need a tunnel like below: localhost->localhostSSLtls1:443->remoteSSLproxy.com:443
Working examples:
openssl s_client -connect remoteSSLproxy.com:443 -tls1
openssl s_client -connect remoteSSLproxy.com:443 -cipher HIGH
openssl s_client -connect remoteSSLproxy.com:443 -cipher MEDIUM
Not working:
$ openssl s_client -connect remoteSSLproxy.com:443 -cipher LOW
CONNECTED(00000003)
17269:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s23_clnt.c:593:

Not working:
$ openssl s_client -connect remoteSSLproxy.com:443 -ssl2
CONNECTED(00000003)
17261:error:140EC11B:SSL routines:SSL2_READ_INTERNAL:illegal padding:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s2_pkt.c:243:

Not working:
$ openssl s_client -connect remoteSSLproxy.com:443 -ssl3
CONNECTED(00000003)
17262:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:1145:SSL alert number 40
17262:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:566:
Thanks!
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users