Hi Guys,
I've got a small issue where I'm trying to use multiple SNI rules in an STunnel frontend:
STunnel Version is:

stunnel -version
stunnel 5.11 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
debug = daemon.notice
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
stunnel.conf is:

[https]
accept = 443
connect = 80

[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80

[testing]
sni = https:testing.com
sni = https:www.testing.com
connect = 192.168.64.253:80
I've created local DNS rules for each of these Hosts but the problem is that only the last entered sni rule gets matched, so for example www.test.com works but test.com does not. It's the same for testing.com and www.testing.com.
This is what the log file shows too:
2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: Service [https] started
2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: Service [https] started
2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)
I have seen a couple of patch files floating around but they are for older versions and I can't get them to compile into the v5.11 version.
Any thoughts?
Hi Scott,
Your configuration should be either:
[https]
accept = 443
connect = 80

[test_com]
sni = https:test.com
connect = 192.168.64.220:80

[www_test_com]
sni = https:www.test.com
connect = 192.168.64.220:80

[testing_com]
sni = https:testing.com
connect = 192.168.64.253:80

[www_testing_com]
sni = https:www.testing.com
connect = 192.168.64.253:80
or
[https]
accept = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80
Mike
On 17.03.2015 14:46, Scott McKeown wrote:
--
With Kind Regards.
Scott McKeown
Loadbalancer.org http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
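An added config check, written for this thread and not taken from it or from stunnel, that reproduces what the log above shows: it parses the posted stunnel.conf, flags sections that set sni more than once (only the last value takes effect) and resolves SNI names against the surviving rules. The matching semantics of a leading * (case-insensitive suffix match, first matching section wins) are an assumption about how stunnel evaluates the wildcard form Mike suggests.

```python
import re
# Constructed copy of the routing sections from the thread's stunnel.conf; each
# sets "sni" twice, and only the last value takes effect.
BROKEN_CONF = """[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80
[testing]
sni = https:testing.com
sni = https:www.testing.com
connect = 192.168.64.253:80
"""

def parse_stunnel_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def duplicate_sni(sections):
    """Sections that set 'sni' more than once: all but the last value are dropped."""
    return [n for n, o in sections.items() if sum(k == "sni" for k, _ in o) > 1]

def sni_rules(sections):
    """Map master service -> [(pattern, slave section)] from each section's last 'sni'."""
    rules = {}
    for name, opts in sections.items():
        sni = [v for k, v in opts if k == "sni"]
        if sni:
            master, pattern = sni[-1].split(":", 1)
            rules.setdefault(master, []).append((pattern, name))
    return rules

def route(rules, master, servername):
    """Slave for an SNI name; assumes '*suffix' is a case-insensitive suffix match."""
    for pattern, slave in rules.get(master, []):
        name, p = servername.lower(), pattern.lower()
        if (name.endswith(p[1:]) if p.startswith("*") else name == p):
            return slave
    return None  # stunnel replies with a fatal "unrecognized name" alert
```

Under the assumed suffix semantics, *test.com is a bare suffix match and would also route an unrelated name such as latest.com to the test.com backend; an exact test.com section plus *.test.com keeps the routing tight.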