Hi all,
There is a problem we currently have connecting the TIBCO client to the SFDC server via TLS v1.2, and that's solved by using stunnel in client mode. But the communication from the SFDC client to the TIBCO server applications w.r.t. TLS v1.2 I am unable to solve using stunnel. Below is the stunnel configuration on the server end to divert the traffic from 8008 to 8009, together with the logs. Can you help here: is the stunnel configuration correct, or is there anything missed/needing to be altered?
[SFDC reverse proxy test]
debug=7
;client = yes
accept = 8008            --> port used by the SFDC client to connect to the TIBCO server
connect = localhost:8009 --> TIBCO server that's running
cert = stunnel.pem

2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] started
2016.11.23 08:31:56 LOG7[118]: Option TCP_NODELAY set on local socket
2016.11.23 08:31:56 LOG5[118]: Service [SFDC reverse proxy test] accepted connection from 101.167.198.14:54477
2016.11.23 08:31:56 LOG6[118]: Peer certificate not required
2016.11.23 08:31:56 LOG7[118]: SSL state (accept): before/accept initialization
2016.11.23 08:31:56 LOG3[118]: SSL_accept: Peer suddenly disconnected
2016.11.23 08:31:56 LOG5[118]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.11.23 08:31:56 LOG7[118]: Local descriptor (FD=696) closed
2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] finished (0 left)
PFB the openssl snapshot, which looks odd:

C:\Program Files (x86)\stunnel\bin>openssl s_client -connect localhost:8008 -prexit -showcerts
WARNING: can't open config file: /devel/win32/openssl/openssl.cnf
CONNECTED(0000016C)
Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958
Mobile : +91 9884040171
Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- Telstra.psm.tsd.tibco@accenture.com
________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________
www.accenture.com
Hi, there.
I'm no stunnel expert, but here's my $0.05 (we have no pennies in Canada anymore ;-) ):
- I would try including the key as well as the cert in your stunnel config.
- I would enable debug on the openssl s_client call to see if it will indicate why it is resetting. Same with your SFDC client, to get more info.
- Question: is the "WARNING: can't open config file" message below indicative of a permissions or path problem?
- Question: is the stunnel cert and key compatible with the TIBCO server's certificate? They need to be using certs generated from the same key source, don't they?
- You might want to fix the SSL version in the stunnel config file (i.e. sslVersion = TLSv1.2).
Good luck with your debugging.
Rodney
On 2016-11-22 07:43 PM, jothish.chokkalingam@accenture.com wrote:
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
There are other tools for performing port forwarding with less overhead (I believe tappipe is one), although I use stunnel to do this extensively.
Forwarding a secure connection from one port to another is a two-step process with stunnel.
A sample configuration segment would be:
[SFDC reverse in]
client = no
accept = 8008
connect = localhost:48008
[SFDC reverse out]
client = yes
accept = localhost:48008
connect = localhost:8009
On 11/23/2016 10:18 AM, Rodney Lott wrote:
Is there a way to forward a secure connection from one port to a non-secure port using stunnel? I am googling but unable to find it. If you have one, can you let me know?
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Carter Browne
Sent: Wednesday, November 23, 2016 9:30 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Help in setting stunnel in server mode to over come TLSV2 compatibility
Jothish,
Stunnel in server mode is what you need, with 99.9% confidence.
When you write:
[https]
Accept=443
Connect=localhost:80
Client=no
stunnel will expect TLS connections on port 443 and will forward them to your normal web server running on loopback port 80.
Is that clear?
Regards, Jose
On 24/11/2016, at 2:29 a.m., jothish.chokkalingam@accenture.com wrote:
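Rodney's bullet points, Carter's [SFDC reverse in] section and Jose's [https] section all describe the same server-mode service: stunnel terminates TLS on the accept port and hands plaintext to the connect port. What follows is an added example for this thread, not code from stunnel or from anyone posting in it: a small linter for stunnel.conf service sections that parses the INI-like syntax (global options first, then one [section] per service) and reports the points raised above: client mode set in the wrong direction, no certificate in server mode, the private key being taken from the cert file when no key option is given, no TLS version pin, and an accept/connect loop. The posted service is embedded as a constructed sample; the hardened version's file paths and its TLSv1.2 pin are assumptions, not values from the thread.

```python
"""Lint stunnel.conf service sections for the TLS-terminating (server-mode) pattern.

Added example for this thread, not code from stunnel or from anyone in the thread.
stunnel.conf is INI-like: global options first, then one [section] per service;
option names are matched case-insensitively, and ';' or '#' starts a comment.
"""
import re

# Constructed sample: the service from the original post, annotations removed.
POSTED_CONFIG = """\
[SFDC reverse proxy test]
debug=7
;client = yes
accept = 8008
connect = localhost:8009
cert = stunnel.pem
"""

# Constructed sample: the same service as an explicit TLS terminator. The file
# paths and the TLSv1.2 pin are assumptions, not values taken from the thread.
HARDENED_CONFIG = """\
debug = 7

[SFDC reverse proxy]
client = no
accept = 8008
connect = 127.0.0.1:8009
cert = /etc/stunnel/sfdc.crt
key = /etc/stunnel/sfdc.key
sslVersion = TLSv1.2
"""

ACCEPTABLE_TLS = {"tlsv1.2", "tlsv1.3"}
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}  # "" = no host given


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}) with lower-cased option names."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            services[current] = {}
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not "name = value"; stunnel itself would reject the line
        target = global_opts if current is None else services[current]
        target[name.strip().lower()] = value.strip()
    return global_opts, services


def split_endpoint(endpoint):
    """'8008' -> ('', '8008'); 'localhost:8009' -> ('localhost', '8009')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip(), port.strip()


def lint(text):
    """Return [(service, code, message), ...]; an empty list means no findings."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, own in services.items():
        opts = {**global_opts, **own}  # global options act as per-service defaults
        client_mode = opts.get("client", "no").lower() == "yes"
        if client_mode:
            findings.append((name, "CLIENT_MODE", "client = yes makes stunnel the TLS "
                             "client; to accept TLS from the remote side use client = no"))
        elif "cert" not in opts:
            findings.append((name, "NO_CERT", "server mode needs cert = <PEM file>"))
        if "cert" in opts and "key" not in opts:
            findings.append((name, "KEY_FROM_CERT", "no key option, so the private key "
                             "is read from the cert file; that PEM must hold both"))
        version = (opts.get("sslversionmin") or opts.get("sslversion") or "").lower()
        if not version:
            findings.append((name, "NO_TLS_MIN", "no sslVersion / sslVersionMin; the "
                             "protocol floor is whatever the OpenSSL build allows"))
        elif version not in ACCEPTABLE_TLS:
            findings.append((name, "WEAK_TLS_MIN", f"sslVersion = {version} permits "
                             "protocols below TLSv1.2"))
        a_host, a_port = split_endpoint(opts.get("accept", ""))
        c_host, c_port = split_endpoint(opts.get("connect", ""))
        if a_port and a_port == c_port and a_host in LOOPBACK and c_host in LOOPBACK:
            findings.append((name, "LOOP", "accept and connect are the same local port"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for service, code, message in lint(conf) or [("-", "OK", "no findings")]:
            print(f"[{service}] {code}: {message}")
```

Run it directly and it prints the findings for both samples: the posted service gets KEY_FROM_CERT and NO_TLS_MIN, the hardened one is clean. What a config check cannot tell you is why the posted log ends in "SSL_accept: Peer suddenly disconnected" with 0 bytes in either direction: the remote side closed the socket before any TLS record was exchanged, which is a question for the SFDC client rather than for stunnel.conf. The quickest local check remains the openssl s_client run already in the thread, with -tls1_2 added so the handshake is forced to the version the client is expected to use.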