Hello,
Here is my setup:
[PCA]-------------[Firewall-A]---------------{INTERNET}-----------[45.212.56.178:21213|Firewall-B|192.168.0.1:8139]--------[PCB]
PCA: Windows 7 stunnel.conf:
[smb]
client = yes
accept = 10.232.232.232:139
connect = 45.212.56.178:21213
PCB: Ubuntu Oneiric 11.10 stunnel.conf:
[smb]
accept = 8139
connect = 139
When I try to connect a network drive from PCA to a remote drive of PCB, here is the stunnel.log of PCA:
2012.03.19 13:47:02 LOG5[3744:2564]: Reading configuration from file stunnel.conf
2012.03.19 13:47:02 LOG5[3744:2564]: FIPS mode is enabled
2012.03.19 13:47:02 LOG7[3744:2564]: Compression not enabled
2012.03.19 13:47:02 LOG7[3744:2564]: Snagged 64 random bytes from C:/.rnd
2012.03.19 13:47:02 LOG7[3744:2564]: Wrote 0 new random bytes to C:/.rnd
2012.03.19 13:47:02 LOG7[3744:2564]: PRNG seeded successfully
2012.03.19 13:47:02 LOG6[3744:2564]: Initializing SSL context for service smb
2012.03.19 13:47:02 LOG7[3744:2564]: Certificate: stunnel.pem
2012.03.19 13:47:02 LOG7[3744:2564]: Certificate loaded
2012.03.19 13:47:02 LOG7[3744:2564]: Key file: stunnel.pem
2012.03.19 13:47:02 LOG7[3744:2564]: Private key loaded
2012.03.19 13:47:02 LOG7[3744:2564]: SSL options set: 0x01000004
2012.03.19 13:47:02 LOG6[3744:2564]: SSL context initialized
2012.03.19 13:47:02 LOG5[3744:2564]: Configuration successful
2012.03.19 13:47:02 LOG7[3744:2564]: Service smb closed FD=200
2012.03.19 13:47:13 LOG5[3744:3940]: Service smb accepted connection from 10.232.232.232:50004
2012.03.19 13:47:13 LOG5[3744:3940]: connect_blocking: connected 45.212.56.178:21213
2012.03.19 13:47:13 LOG5[3744:3940]: Service smb connected remote server from 192.168.3.4:50005
2012.03.19 13:47:43 LOG3[3744:3940]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2012.03.19 13:47:43 LOG5[3744:3940]: Connection reset: 143 bytes sent to SSL, 0 bytes sent to socket
No logs on PCB.
It seems that the SSL connection doesn't cross firewall B; otherwise I would see logs in the stunnel.log of PCB, wouldn't I? What can I do to make this setup work? Is the port forwarding on firewall B blocking the process?
Best regards
Philippe
Oops, it looks like I was reading the wrong stunnel.log. Here is what logcheck finds:
Mar 19 13:47:14 server stunnel: LOG5[21517:139783982704384]: Service smb accepted connection from 196.25.36.134:50005
Mar 19 13:47:14 server stunnel: LOG5[21517:139783982704384]: connect_blocking: connected 127.0.0.1:139
Mar 19 13:47:14 server stunnel: LOG5[21517:139783982704384]: Service smb connected remote server from 127.0.0.1:50215
Mar 19 13:47:44 server stunnel: LOG5[21517:139783982704384]: Error detected on SSL (read) file descriptor: Connection reset by peer (104)
Mar 19 13:47:44 server stunnel: LOG5[21517:139783982704384]: Connection reset: 0 bytes sent to SSL, 143 bytes sent to socket
So it looks like an SSL parameter problem.
I have on both sides:
sslVersion = TLSv1
because the PCB stunnel doesn't start if I set SSLv2, and the PCA stunnel crashes when I set SSLv3.
What can I do then?
Best
Philippe
On Mon, 19 Mar 2012 13:57:44 +0100, Philippe wrote:
> Hello,
> Here is my setup:
> [PCA]-------------[Firewall-A]---------------{INTERNET}-----------[45.212.56.178:21213|Firewall-B|192.168.0.1:8139]--------[PCB]
> PCA: Windows 7 stunnel.conf:
> [smb]
> client = yes
> accept = 10.232.232.232:139
> connect = 45.212.56.178:21213
> PCB: Ubuntu Oneiric 11.10 stunnel.conf:
> [smb]
> accept = 8139
> connect = 139
> When I try to connect a network drive from PCA to a remote drive of PCB, here is the stunnel.log of PCA:
> 2012.03.19 13:47:02 LOG5[3744:2564]: Reading configuration from file stunnel.conf
> 2012.03.19 13:47:02 LOG5[3744:2564]: FIPS mode is enabled
> 2012.03.19 13:47:02 LOG7[3744:2564]: Compression not enabled
> 2012.03.19 13:47:02 LOG7[3744:2564]: Snagged 64 random bytes from C:/.rnd
> 2012.03.19 13:47:02 LOG7[3744:2564]: Wrote 0 new random bytes to C:/.rnd
> 2012.03.19 13:47:02 LOG7[3744:2564]: PRNG seeded successfully
> 2012.03.19 13:47:02 LOG6[3744:2564]: Initializing SSL context for service smb
> 2012.03.19 13:47:02 LOG7[3744:2564]: Certificate: stunnel.pem
> 2012.03.19 13:47:02 LOG7[3744:2564]: Certificate loaded
> 2012.03.19 13:47:02 LOG7[3744:2564]: Key file: stunnel.pem
> 2012.03.19 13:47:02 LOG7[3744:2564]: Private key loaded
> 2012.03.19 13:47:02 LOG7[3744:2564]: SSL options set: 0x01000004
> 2012.03.19 13:47:02 LOG6[3744:2564]: SSL context initialized
> 2012.03.19 13:47:02 LOG5[3744:2564]: Configuration successful
> 2012.03.19 13:47:02 LOG7[3744:2564]: Service smb closed FD=200
> 2012.03.19 13:47:13 LOG5[3744:3940]: Service smb accepted connection from 10.232.232.232:50004
> 2012.03.19 13:47:13 LOG5[3744:3940]: connect_blocking: connected 45.212.56.178:21213
> 2012.03.19 13:47:13 LOG5[3744:3940]: Service smb connected remote server from 192.168.3.4:50005
> 2012.03.19 13:47:43 LOG3[3744:3940]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
> 2012.03.19 13:47:43 LOG5[3744:3940]: Connection reset: 143 bytes sent to SSL, 0 bytes sent to socket
> No logs on PCB.
> It seems that the SSL connection doesn't cross firewall B; otherwise I would see logs in the stunnel.log of PCB, wouldn't I? What can I do to make this setup work? Is the port forwarding on firewall B blocking the process?
> Best regards
> Philippe
> stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
If I don't mention the sslVersion, here are the stunnel logs:
PCA:
2012.03.19 14:37:22 LOG5[3744:2564]: Reading configuration from file stunnel.conf
2012.03.19 14:37:22 LOG5[3744:2564]: FIPS mode is enabled
2012.03.19 14:37:22 LOG5[3744:2564]: Configuration successful
2012.03.19 14:37:22 LOG7[3744:2564]: Service smb bound FD=200 to 10.232.232.232:139
2012.03.19 14:37:22 LOG7[3744:2564]: Signal pipe is empty
2012.03.19 14:37:37 LOG7[3744:2564]: Service smb accepted FD=540 from 10.232.232.232:50020
2012.03.19 14:37:37 LOG7[3744:2564]: Creating a new thread
2012.03.19 14:37:37 LOG7[3744:2564]: New thread created
2012.03.19 14:37:37 LOG7[3744:2964]: Service smb started
2012.03.19 14:37:37 LOG5[3744:2964]: Service smb accepted connection from 10.232.232.232:50020
2012.03.19 14:37:37 LOG6[3744:2964]: connect_blocking: connecting 45.212.56.178:21213
2012.03.19 14:37:37 LOG7[3744:2964]: connect_blocking: s_poll_wait 45.212.56.178:21213: waiting 10 seconds
2012.03.19 14:37:37 LOG5[3744:2964]: connect_blocking: connected 45.212.56.178:21213
2012.03.19 14:37:37 LOG5[3744:2964]: Service smb connected remote server from 192.168.3.4:50021
2012.03.19 14:37:37 LOG7[3744:2964]: Remote FD=584 initialized
2012.03.19 14:37:38 LOG3[3744:2964]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2012.03.19 14:37:38 LOG5[3744:2964]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.03.19 14:37:38 LOG7[3744:2964]: Service smb finished (0 left)
PCB:
Mar 19 14:37:38 server stunnel: LOG5[2533:140145941337856]: Service smb accepted connection from 196.25.36.134:50021
Mar 19 14:37:38 server stunnel: LOG3[2533:140145941337856]: SSL_accept: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Mar 19 14:37:38 server stunnel: LOG5[2533:140145941337856]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
So I'm lost ;)
Best
Philippe
On Mon, 19 Mar 2012 14:45:59 +0100, Philippe wrote:
> If I don't mention the sslVersion
> [cut]
> 2012.03.19 14:37:22 LOG5[3744:2564]: FIPS mode is enabled
> [cut]
> 2012.03.19 14:37:38 LOG3[3744:2964]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 2012.03.19 14:37:38 LOG5[3744:2964]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
FIPS mode only accepts TLSv1. It also rejects SSLv23 handshake. You may wish to either enable or disable FIPS on both ends.
Mike
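The two failure patterns in this thread look alike in the logs but mean different things: the "wrong version number" / "sslv3 alert handshake failure" pair above is the TLS handshake itself failing (the version mismatch Mike describes), while the earlier "Connection reset: 143 bytes sent to SSL" lines are a reset that arrived after the handshake had already completed. The following script is an added example, not code from the thread or from the stunnel project; it parses both log layouts quoted here (the Windows stunnel.log format and the syslog lines from the Ubuntu side), groups lines by stunnel's [pid:tid] tag, and classifies each connection. Names such as analyze, Session and explain are my own, and the sample log is constructed from lines quoted in the thread.

```python
import re
from dataclasses import dataclass, field

# Matches the Windows stunnel.log layout ("2012.03.19 13:47:13 LOG5[pid:tid]: ...")
# and the syslog layout ("Mar 19 14:37:38 server stunnel: LOG5[pid:tid]: ..."),
# with an optional leading line number such as logcheck output carries.
LINE_RE = re.compile(
    r"^(?:\d+ )?"
    r"(?:\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}"
    r"|\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ stunnel(?:\[\d+\])?:)"
    r" LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
# stunnel writes "bytes" in older builds and "byte(s)" in newer ones; accept both.
RESET_RE = re.compile(
    r"Connection reset: (\d+) byte(?:s|\(s\))? sent to SSL, "
    r"(\d+) byte(?:s|\(s\))? sent to socket"
)
ACCEPT_RE = re.compile(r"accepted connection from (\S+)")
# Substrings that only appear when the TLS handshake itself failed.
HANDSHAKE_MARKERS = ("SSL_connect:", "SSL_accept:",
                     "wrong version number", "alert handshake failure")


@dataclass
class Session:
    key: str                     # "pid:tid" exactly as stunnel prints it
    peer: str = ""               # address stunnel accepted the connection from
    errors: list = field(default_factory=list)
    bytes_to_ssl: int = -1       # -1 until a "Connection reset:" summary is seen
    bytes_to_socket: int = -1

    @property
    def outcome(self) -> str:
        if any(m in e for e in self.errors for m in HANDSHAKE_MARKERS):
            return "handshake_failure"
        if self.bytes_to_ssl < 0:
            return "no_reset_logged"
        if self.bytes_to_ssl + self.bytes_to_socket > 0:
            return "reset_after_handshake"
        return "reset_before_data"


def analyze(log_text: str) -> dict:
    """Group stunnel log lines by [pid:tid] and summarise each connection."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an stunnel line (e.g. the smbd lines quoted later in the thread)
        key = f"{m['pid']}:{m['tid']}"
        s = sessions.setdefault(key, Session(key))
        msg = m["msg"]
        if (a := ACCEPT_RE.search(msg)):
            s.peer = a.group(1)
        if int(m["level"]) <= 3 or "error" in msg.lower() or "reset by peer" in msg:
            s.errors.append(msg)
        if (r := RESET_RE.search(msg)):
            s.bytes_to_ssl, s.bytes_to_socket = int(r.group(1)), int(r.group(2))
    return sessions


HINTS = {
    "handshake_failure": "TLS handshake failed: the two stunnel ends disagree on "
                         "protocol version or cipher (compare sslVersion and FIPS on both sides).",
    "reset_after_handshake": "handshake completed and data flowed; the reset came from the "
                             "peer or from the service behind it, not from the TLS settings.",
    "reset_before_data": "closed before any data was exchanged; check the path between the two ends.",
    "no_reset_logged": "no reset summary logged for this session.",
}


def explain(session: Session) -> str:
    return f"{session.key} {session.peer or '-'}: {HINTS[session.outcome]}"


# Constructed sample assembled from lines quoted in this thread.
SAMPLE_LOG = """\
2012.03.19 13:47:13 LOG5[3744:3940]: Service smb accepted connection from 10.232.232.232:50004
2012.03.19 13:47:13 LOG5[3744:3940]: connect_blocking: connected 45.212.56.178:21213
2012.03.19 13:47:43 LOG3[3744:3940]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2012.03.19 13:47:43 LOG5[3744:3940]: Connection reset: 143 bytes sent to SSL, 0 bytes sent to socket
2012.03.19 14:37:37 LOG5[3744:2964]: Service smb accepted connection from 10.232.232.232:50020
2012.03.19 14:37:38 LOG3[3744:2964]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2012.03.19 14:37:38 LOG5[3744:2964]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2463 Mar 19 14:37:38 server stunnel: LOG5[2533:140145941337856]: Service smb accepted connection from 196.25.36.134:50021
2464 Mar 19 14:37:38 server stunnel: LOG3[2533:140145941337856]: SSL_accept: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2465 Mar 19 14:37:38 server stunnel: LOG5[2533:140145941337856]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG).values():
        print(explain(s))
```

Run it against a real stunnel.log or the stunnel lines from syslog and it reports one line per connection; the useful distinction is that a session with a non-zero byte count in its "Connection reset:" summary got through the handshake, so the place to look is the far end and the service behind it rather than sslVersion or FIPS.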
Thanks for your answer Mike,
> FIPS mode only accepts TLSv1. It also rejects SSLv23 handshake. You may wish to either enable or disable FIPS on both ends.
So enabling FIPS on PCB with "fips = yes" leads to this error: Line 10: "fips = yes": Specified option name is not valid here
On the other hand, disabling FIPS with "fips = no" leads to the same error: Line 10: "fips = no": Specified option name is not valid here
Where do I need to put it?
I have tried disabling FIPS on PCBA and setting "sslVersion = SSLv3" at both ends, but I get the same result as when I had "sslVersion = TLSv1".
PCB log:
Mar 19 15:04:55 server stunnel: LOG5[7789:140610069133056]: Error detected on SSL (read) file descriptor: Connection reset by peer (104)
any idea ?
Best
Philippe
On Mon, 19 Mar 2012 15:13:25 +0100, Philippe wrote:
> So enabling FIPS on PCB with "fips = yes" leads to this error: Line 10: "fips = yes": Specified option name is not valid here
> On the other hand, disabling FIPS with "fips = no" leads to the same error: Line 10: "fips = no": Specified option name is not valid here
Are you sure your OpenSSL on this machine is compiled with FIPS support?
Use "openssl version" or "stunnel -version" to check it.
Mike
On Mon, 19 Mar 2012 15:24:00 +0100, Michal Trojnara wrote:
> Are you sure your OpenSSL on this machine is compiled with FIPS support?
No, I'm not sure. It is the Ubuntu Oneiric 11.10 version I get with apt-get.
root@server:/etc# openssl version
OpenSSL 1.0.0e 6 Sep 2011
root@server:/etc# stunnel -version
Reading configuration from descriptor 3
Line 1: "verify = ersion": Bad verify level
It looks like this last command is buggy.
Best
philippe
On Mon, 2012-03-19 at 15:30 +0100, Philippe wrote:
> On Mon, 19 Mar 2012 15:24:00 +0100, Michal Trojnara wrote:
>> Are you sure your OpenSSL on this machine is compiled with FIPS support?
> No, I'm not sure. It is the Ubuntu Oneiric 11.10 version I get with apt-get.
If you're using the packaged version, then you don't have FIPS support. It's disabled because it requires static linking.
> root@server:/etc# openssl version
> OpenSSL 1.0.0e 6 Sep 2011
> root@server:/etc# stunnel -version
> Reading configuration from descriptor 3
> Line 1: "verify = ersion": Bad verify level
You're calling the stunnel 3 wrapper script. Call stunnel4.
Back when 4.x was new, in Debian we renamed the binary to stunnel4, because we wanted to give a clear migration path for scripts. It may be that the time to rename that wrapper to stunnel3 and reclaim the unversioned name for the binary has come ;-)
On Mon, 19 Mar 2012 10:39:32 -0700, Rodrigo Gallardo wrote:
> If you're using the packaged version, then you don't have FIPS support. It's disabled because it requires static linking.
OK, that's clear, but why are things not working when I disable FIPS on the PCB? It should work with the setting sslVersion = SSLv3 at both ends.
Best
Philippe
On Tue, 20 Mar 2012 11:13:38 +0100, Philippe wrote:
> OK, that's clear, but why are things not working when I disable FIPS on the PCB? It should work with the setting sslVersion = SSLv3 at both ends.
Oops, sorry, I mean disabling FIPS on PCA. I recall the scheme:
[PCA]-----[Firewall-A]-----{INTERNET}-----[45.212.56.178:21213|Firewall-B|192.168.0.1:8139]----[PCB]
Best
philippe
Hi, I have found more logs on the Samba server (PCB):
Mar 21 12:20:52 server stunnel: LOG5[30981:140479608870656]: Service [smb] accepted connection from 193.252.168.91:50146
Mar 21 12:20:52 server stunnel: LOG5[30981:140479608870656]: connect_blocking: connected 127.0.0.1:139
Mar 21 12:20:52 server stunnel: LOG5[30981:140479608870656]: Service [smb] connected remote server from 127.0.0.1:60207
Mar 21 12:21:22 server stunnel: LOG5[30981:140479608870656]: Error detected on SSL (read) file descriptor: Connection reset by peer (104)
Mar 21 12:21:22 server stunnel: LOG5[30981:140479608870656]: Connection reset: 0 byte(s) sent to SSL, 143 byte(s) sent to socket
Mar 21 12:21:22 server smbd[6540]: [2012/03/21 12:21:22.172924, 0] lib/util_sock.c:474(read_fd_with_timeout)
Mar 21 12:21:22 server smbd[6540]: [2012/03/21 12:21:22.173026, 0] lib/util_sock.c:1441(get_peer_addr_internal)
Mar 21 12:21:22 server smbd[6540]: getpeername failed. Error was Transport endpoint is not connected
Mar 21 12:21:22 server smbd[6540]: read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
So it seems that the connection is able to cross stunnel and reach Samba, but does Samba produce this error because of stunnel or by itself?
Best
Philippe
On 20/03/2012 11:26, Philippe wrote:
> On Tue, 20 Mar 2012 11:13:38 +0100, Philippe wrote:
>> OK, that's clear, but why are things not working when I disable FIPS on the PCB? It should work with the setting sslVersion = SSLv3 at both ends.
> Oops, sorry, I mean disabling FIPS on PCA. I recall the scheme:
> [PCA]-----[Firewall-A]-----{INTERNET}-----[45.212.56.178:21213|Firewall-B|192.168.0.1:8139]----[PCB]
> Best
> philippe