stunnel user group,
Thanks Yucong Sun for your help. I have changed the configuration file values to the values that you recommended. I didn't read the documentation carefully enough.

[https]
accept = 3600
connect = partnerlogin.advancedmd.com:443

(stopped and started the windows service to get the new configuration)

HOWEVER I'm still not getting stunnel to provide the interface to the https web server. I have a http client software with which I have tried both GET and POST calls to https://localhost:3600/practicemanager/xmlrpc/processrequest.asp
Every time the interface comes back with the error "The Connection to the Server was Reset while the Page was Loading"
So I decided to try the page using a standard web browser (Firefox and IE), thinking that my client software may have a problem. I opened the browser and entered the address https://localhost:3600/practicemanager/xmlrpc/processrequest.asp. Got the same results.
So I changed the configuration to go to the same web site as gmail with the following configuration.
[https]
accept = 3600
connect = mail.google.com:443

When I try to open the page with the browser at address https://localhost:3600/mail/?hl=en&shva=1#inbox, I get the same error message.

NEXT I started WIRESHARK on the network and filtered for packets coming from/to my host computer. When I entered https://localhost:3600/mail/?hl=en&shva=1#inbox in the browser, the following details were captured by WIRESHARK.

Source         Destination    Protocol Length Info
74.125.225.53  192.168.1.70   TLSV1    107    Application Data Protocol: http
192.168.1.70   74.125.255.53  TCP      54     https [ACK] Seq=1 Ack=54 win=16181 Len=0
74.125.225.53  192.168.1.70   TLSV1    112    Application Data Protocol: http
192.168.1.70   74.125.255.53  TLSV1    81     Encrypted Alert
192.168.1.70   74.125.255.53  TCP      54     60089 > https [FIN, ACK] Seq=28 Ack=112 win=16167 Len=0
192.168.1.70   74.125.255.54  TCP      1484   [TCP segment of a reassembled PDU]
192.168.1.70   74.125.255.53  TLSv1    316    Application Data
74.125.225.53  192.168.1.70   TCP      60     https > 60089 [FIN, ACK] Seq=112 Ack=29 win=196 len=0
192.168.1.70   74.125.255.53  TCP      54     60089 > https [ACK] Seq=29 Ack=113 win=16167 Len=0
74.125.225.54  192.168.1.70   TCP      60     https > 60113 [ACK] Seq=1 Ack=1693 win=285 len=0
74.125.225.54  192.168.1.70   TLSV1    457    Application Data Protocol: http
192.168.1.70   74.125.255.54  TCP      54     60113 > https [ACK] Seq=1693 Ack=404 win=16445 Len=0

SO the packets are being sent and returned, but the protocol is erroring out for GOOGLE MAIL.

NEXT When I configure the service for the other https web server (https://localhost:3600/practicemanager/xmlrpc/processrequest.asp) I get a similar exchange, but more reference to Change Cipher Spec, and an http RST for a different ip address.

Source         Destination    Protocol Length Info
192.168.1.70   74.125.255.54  TCP      66     60840 > https [SYN]
74.125.225.54  192.168.1.70   TCP      66     https > 60840 [SYN, ACK]
192.168.1.70   74.125.255.54  TCP      54     60840 > https [ACK]
192.168.1.70   74.125.255.54  TLSv1    451    client Hello
74.125.225.54  192.168.1.70   TCP      60     https > 60840 [ACK]
74.125.225.54  192.168.1.70   TLSv1    97     change cipher Spec, Encrypted Handshake Message
192.168.1.70   74.125.255.54  TLSv1    162    Application Data
74.125.225.54  192.168.1.70   TCP      60     https > 60840 [ACK]
192.168.1.70   98.137.80.34   TCP      54     60819 > http [RST, ACK]

STUNNEL LOG for partnerlogin.advancedmd.com:443 (NO OBVIOUS ERRORS):

2011.07.08 21:31:21 LOG7[4960:4568]: No limit detected for the number of clients
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#1: FD=144 allocated (blocking mode)
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#2: FD=148 allocated (blocking mode)
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_accept: FD=152 allocated (non-blocking mode)
2011.07.08 21:31:21 LOG5[4960:4568]: stunnel 4.39 on x86-pc-mingw32-gnu platform
2011.07.08 21:31:21 LOG5[4960:4568]: Compiled/running with OpenSSL 1.0.0d 8 Feb 2011
2011.07.08 21:31:21 LOG5[4960:4568]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT,IPv6
2011.07.08 21:31:21 LOG5[4960:4568]: Reading configuration from file stunnel.conf
2011.07.08 21:31:21 LOG7[4960:4568]: Snagged 64 random bytes from C:/.rnd
2011.07.08 21:31:22 LOG7[4960:4568]: Wrote 1024 new random bytes to C:/.rnd
2011.07.08 21:31:22 LOG7[4960:4568]: PRNG seeded successfully
2011.07.08 21:31:22 LOG7[4960:4568]: Configuration SSL options: 0x01000000
2011.07.08 21:31:22 LOG7[4960:4568]: SSL options set: 0x01000004
2011.07.08 21:31:22 LOG7[4960:4568]: Certificate: stunnel.pem
2011.07.08 21:31:22 LOG7[4960:4568]: Certificate loaded
2011.07.08 21:31:22 LOG7[4960:4568]: Key file: stunnel.pem
2011.07.08 21:31:22 LOG7[4960:4568]: Private key loaded
2011.07.08 21:31:22 LOG7[4960:4568]: SSL context initialized for service http
2011.07.08 21:31:22 LOG5[4960:4568]: Configuration successful
2011.07.08 21:31:22 LOG7[4960:4568]: accept socket: FD=144 allocated (non-blocking mode)
2011.07.08 21:31:22 LOG7[4960:4568]: Option SO_REUSEADDR set on accept socket
2011.07.08 21:31:22 LOG7[4960:4568]: Service http bound to 0.0.0.0:3600
2011.07.08 21:31:22 LOG7[4960:4568]: Service http opened FD=144
Do I need to have the Public Key Certificate for the remote server installed in stunnel for it to access the page?
I'm trying to find a simple configuration to prove out that the basic stunnel application is working. Any suggestions?
Is there something basic that I'm missing? If I send a GET request, I should get a response from the https server that CONNECT is configured for. Is there a compatibility issue between OpenSSL and the https web server?
Thanks in advance for the help. Dan
Daniel,
If you have an https web server, do you really need stunnel to connect to it? Most likely you don't. If you want to do GETs and POSTs you can do it with curl. You don't need stunnel in the middle.
If your stunnel is listening on port 3600 in client mode it expects a clear text connection, not an SSL one. That is, you should do http://localhost:3600/whatever, not https://localhost:3600/whatever. Try with verify=0 in the stunnel.conf to see if you get a connection.
Regards,
Jose

-----Original Message-----
From: "Daniel Pierce" dpierce@xpertassist.com
Sender: stunnel-users-bounces@stunnel.org
Date: Fri, 8 Jul 2011 22:16:24
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Windows 7 connection to HTTPS server

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Jose,
Thanks for your recommendation. I set verify = 0 and the connection started to work. Must be a certificate issue.
Based on the documentation I didn't define the value because it says:

verify = level
    verify peer certificate
    level 1 - verify peer certificate if present
    level 2 - verify peer certificate
    level 3 - verify peer with locally installed certificate
    default - no verify
Thanks again. Dan
-----Original Message-----
From: josealf@rocketmail.com [mailto:josealf@rocketmail.com]
Sent: Saturday, July 09, 2011 4:29 PM
To: Daniel Pierce; stunnel-users-bounces@stunnel.org; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Windows 7 connection to HTTPS server
The certificates setup has been clarified in this list before. For me, the easiest way is to put individual CA (Certificate Authority) certificates (root and intermediate) in a directory, point stunnel to it, and run c_rehash to create the links... ah, but you're on Windows. That creates a small problem, because most likely you won't have the support files handy (openssl.exe, c_rehash.pl, perl). So it's probably easier for you to create a bundle text file with all required CA certificates in PEM format and point stunnel to it with the CAfile directive. You can find examples on the web.

Regards,
Jose

-----Original Message-----
From: "Daniel Pierce" dpierce@xpertassist.com
Date: Sat, 9 Jul 2011 21:36:39
To: josealf@rocketmail.com; stunnel-users-bounces@stunnel.org; stunnel-users@stunnel.org
Subject: RE: [stunnel-users] Windows 7 connection to HTTPS server
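As an added example (not from this thread and not the stunnel project's own code), the shell script below puts Jose's two points into a working shape: a client-mode stunnel.conf in which the local side is plain TCP (so the browser uses http://127.0.0.1:3600/...), with the server's chain verified against a CA bundle via CAfile instead of the verify = 0 that made the tunnel "work" by accepting any server certificate, plus a helper that builds that bundle by concatenating individual PEM files and a check for the pitfalls seen above. The file paths, service name, remote host and the placeholder certificate text are assumptions for illustration.

```shell
#!/bin/sh
# Added example: client-mode stunnel.conf with CA verification.
# Directive names (client, verify, CAfile, accept, connect) are stunnel's;
# all paths, hosts and the placeholder PEM text below are assumptions.

# Concatenate individual CA certificates (root + intermediates, PEM format)
# into one bundle file, the Windows-friendly alternative to CApath + c_rehash.
# Usage: build_ca_bundle OUTFILE cert1.pem cert2.pem ...
# Prints the number of certificates written to the bundle.
build_ca_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        printf '\n' >> "$out"   # guarantee a newline between concatenated files
    done
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out" || true
}

# Write a client-mode service: plaintext in on 127.0.0.1:3600, TLS out to the
# remote host on 443, peer chain verified against the bundle (verify = 2).
# Usage: write_client_conf CONF CAFILE REMOTE_HOST
write_client_conf() {
    conf="$1"; cafile="$2"; remote="$3"
    cat > "$conf" <<EOF
; client = yes: the LOCAL side is plain TCP, so the browser/client must open
; http://127.0.0.1:3600/..., not https://...; stunnel adds TLS toward $remote.
client = yes
; verify = 2: drop the connection unless the server presents a certificate
; that chains to a CA in CAfile. The default (no verify) trusts anything.
verify = 2
CAfile = $cafile

[https]
accept = 127.0.0.1:3600
connect = $remote:443
EOF
}

# Sanity-check a conf for the pitfalls in the thread. Returns 0 when the
# service is a verifying client with a CA source configured, 1 otherwise.
check_client_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes' "$conf" \
        || { echo "missing client = yes (local side would expect TLS)"; return 1; }
    level=$(sed -n 's/^[[:space:]]*verify[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$conf" | head -n1)
    [ -n "$level" ] && [ "$level" -ge 2 ] \
        || { echo "verify level < 2: server certificate is not checked"; return 1; }
    grep -Eq '^[[:space:]]*CA(file|path)[[:space:]]*=' "$conf" \
        || { echo "verify >= 2 but no CAfile/CApath to verify against"; return 1; }
    return 0
}

# Demo on constructed placeholder PEM files (not real certificates).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ROOT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$tmp/root.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' > "$tmp/intermediate.pem"
n=$(build_ca_bundle "$tmp/ca-bundle.pem" "$tmp/root.pem" "$tmp/intermediate.pem")
echo "bundle holds $n certificates"
write_client_conf "$tmp/stunnel.conf" "$tmp/ca-bundle.pem" partnerlogin.advancedmd.com
check_client_conf "$tmp/stunnel.conf" && echo "stunnel.conf looks sane: $tmp/stunnel.conf"
```

With this conf the client or browser talks plain HTTP to 127.0.0.1:3600 and stunnel speaks TLS to the remote host, refusing the connection if the server's chain does not lead to a CA in the bundle. Note that stunnel 4.x (the 4.39 in the log above) checks only the chain with verify = 2, not that the certificate's name matches the connect host; hostname matching arrived later as the checkHost option in the 5.x series.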