"stunnel 4.08 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004"

Hi, this is my first try with both SSL & STunnel, so please excuse me for any missunderstandings a.s.o.

I have problems running a STunnel in client-mode agains a SSL webservice. Our application does not support clientside-certificates, so i want to use STunnel to handle the SSL connection.

For now, our webservice-provider has disabled the need for client-certificates (to help us narrow our problem down) But it still dont work.

As a first step, i access whe webservice default-page through IE-Explorer. https://<ip>:3001/<path> and i am presented with the default-webpage.

As i second step, i start stunnel with following .conf

verify = 2 CApath = <path where i have saved all certificates as .pem:s with <hash>.0 filenames, from the direct-access example with explorer above> debug = 7 client = yes

[https] accept = 127.0.0.1:3000 connect = <ip>:3001 TIMEOUTclose = 0

and try to access http://127.0.0.1:3000/<path>

but i get: HTTP 404 File Not found.

I have tried the same approach against a microsoft webservice at: https://test.uddi.microsoft.com/extension.asmx Without any problems.

1. I see no errors in the log, as i understand it (se below) can any one else with a more skilled eye see any problem ?

2. Our webservice-provider has an invalid hostname in its certificate (no public hostname, just IP during testing, but server certificate state www.fora.se) might that cause a problem ? (i have tried localy with invalid hostname in certificate without any problem though)

3. Is it possible to enable/disable verification of hostname in STunnel ? (as i understand it, the "verify" option in the STunnel.conf concerns the whole certificate-validation-process, and not just the hostname validation ?)

4. Could the problem be a config-issue on the webservice-provider end ? Im not sure, as it works with IE-Explorer, but not through STunnel ?

5. Any clue on where to look would be greatly apriciated, i have been working with this for a week, and i have been able to use STunnel both as server & client, with & without client-certs against everything i have tested localy and public (tried between diffrent home-made applications, on a local webserver, against verisign website a.s.o.) and everything works fine, except where i need it to work (against our webservice-provider).

Regards /Staffan Sundell

STunnel log against our webservice-provider (when it doesnt work): 2005.10.10 16:50:23 LOG5[2760:2800]: stunnel 4.08 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004 2005.10.10 16:50:23 LOG7[2760:2332]: RAND_status claims sufficient entropy for the PRNG 2005.10.10 16:50:23 LOG6[2760:2332]: PRNG seeded successfully 2005.10.10 16:50:23 LOG7[2760:2332]: Verify directory set to w:\ws\certs 2005.10.10 16:50:23 LOG5[2760:2332]: No limit detected for the number of clients 2005.10.10 16:50:23 LOG7[2760:2332]: FD 1916 in non-blocking mode 2005.10.10 16:50:23 LOG7[2760:2332]: SO_REUSEADDR option set on accept socket 2005.10.10 16:50:23 LOG7[2760:2332]: https bound to 127.0.0.1:3000 2005.10.10 16:50:28 LOG7[2760:2332]: https accepted FD=1904 from 127.0.0.1:2975 2005.10.10 16:50:28 LOG7[2760:2332]: FD 1904 in non-blocking mode 2005.10.10 16:50:28 LOG7[2760:2332]: Creating a new thread 2005.10.10 16:50:28 LOG7[2760:2332]: New thread created 2005.10.10 16:50:28 LOG7[2760:3748]: https started 2005.10.10 16:50:28 LOG5[2760:3748]: https connected from 127.0.0.1:2975 2005.10.10 16:50:28 LOG7[2760:3748]: FD 1876 in non-blocking mode 2005.10.10 16:50:28 LOG7[2760:3748]: https connecting <webserviceprovider ip>:3001 2005.10.10 16:50:28 LOG7[2760:3748]: connect_wait: waiting 10 seconds 2005.10.10 16:50:28 LOG7[2760:3748]: connect_wait: connected 2005.10.10 16:50:28 LOG7[2760:3748]: Remote FD=1876 initialized 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): before/connect initialization 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write client hello A 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read server hello A 2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=2, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority 2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=1, /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign 2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=0, /C=SE/L=STOCKHOLM/O=Fora AB/OU=Member, VeriSign Trust Network/OU=Terms of use at www.verisign.se/rpa http://www.verisign.se/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=www.fora.se 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read server certificate A 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read server done A 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write client key exchange A 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write change cipher spec A 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write finished A 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 flush data 2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read finished A 2005.10.10 16:50:28 LOG7[2760:3748]: 1 items in the session cache 2005.10.10 16:50:28 LOG7[2760:3748]: 1 client connects (SSL_connect()) 2005.10.10 16:50:28 LOG7[2760:3748]: 1 client connects that finished 2005.10.10 16:50:28 LOG7[2760:3748]: 0 client renegotiatations requested 2005.10.10 16:50:28 LOG7[2760:3748]: 0 server connects (SSL_accept()) 2005.10.10 16:50:28 LOG7[2760:3748]: 0 server connects that finished 2005.10.10 16:50:28 LOG7[2760:3748]: 0 server renegotiatiations requested 2005.10.10 16:50:28 LOG7[2760:3748]: 0 session cache hits 2005.10.10 16:50:28 LOG7[2760:3748]: 0 session cache misses 2005.10.10 16:50:28 LOG7[2760:3748]: 0 session cache timeouts 2005.10.10 16:50:28 LOG6[2760:3748]: SSL connected: new session negotiated 2005.10.10 16:50:28 LOG6[2760:3748]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2005.10.10 16:50:45 LOG7[2760:3748]: SSL socket closed on SSL_read 2005.10.10 16:50:45 LOG7[2760:3748]: Socket write shutdown 2005.10.10 16:50:45 LOG5[2760:3748]: Connection closed: 407 bytes sent to SSL, 507 bytes sent to socket 2005.10.10 16:50:45 LOG7[2760:3748]: https finished (0 left)

STunnel log against microsoft (where it works) 2005.10.10 16:50:22 LOG5[2940:2556]: stunnel 4.08 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004 2005.10.10 16:50:22 LOG7[2940:1112]: RAND_status claims sufficient entropy for the PRNG 2005.10.10 16:50:22 LOG6[2940:1112]: PRNG seeded successfully 2005.10.10 16:50:22 LOG7[2940:1112]: Verify directory set to c:\ws\certs 2005.10.10 16:50:22 LOG5[2940:1112]: No limit detected for the number of clients 2005.10.10 16:50:22 LOG7[2940:1112]: FD 136 in non-blocking mode 2005.10.10 16:50:22 LOG7[2940:1112]: SO_REUSEADDR option set on accept socket 2005.10.10 16:50:22 LOG7[2940:1112]: https bound to 127.0.0.1:80 2005.10.10 16:50:32 LOG7[2940:1112]: https accepted FD=148 from 127.0.0.1:2977 2005.10.10 16:50:32 LOG7[2940:1112]: FD 148 in non-blocking mode 2005.10.10 16:50:32 LOG7[2940:1112]: Creating a new thread 2005.10.10 16:50:32 LOG7[2940:1112]: New thread created 2005.10.10 16:50:32 LOG7[2940:3904]: https started 2005.10.10 16:50:32 LOG5[2940:3904]: https connected from 127.0.0.1:2977 2005.10.10 16:50:32 LOG7[2940:3904]: FD 176 in non-blocking mode 2005.10.10 16:50:32 LOG7[2940:3904]: https connecting 207.46.197.39:443 2005.10.10 16:50:32 LOG7[2940:3904]: connect_wait: waiting 10 seconds 2005.10.10 16:50:33 LOG7[2940:3904]: connect_wait: connected 2005.10.10 16:50:33 LOG7[2940:3904]: Remote FD=176 initialized 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): before/connect initialization 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write client hello A 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read server hello A 2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=3, /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root 2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=2, /CN=Microsoft Internet Authority 2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=1, /DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority 2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=0, /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=UDDI Test production site/CN=test.uddi.microsoft.com 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read server certificate A 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read server done A 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write client key exchange A 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write change cipher spec A 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write finished A 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 flush data 2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read finished A 2005.10.10 16:50:33 LOG7[2940:3904]: 1 items in the session cache 2005.10.10 16:50:33 LOG7[2940:3904]: 1 client connects (SSL_connect()) 2005.10.10 16:50:33 LOG7[2940:3904]: 1 client connects that finished 2005.10.10 16:50:33 LOG7[2940:3904]: 0 client renegotiatations requested 2005.10.10 16:50:33 LOG7[2940:3904]: 0 server connects (SSL_accept()) 2005.10.10 16:50:33 LOG7[2940:3904]: 0 server connects that finished 2005.10.10 16:50:33 LOG7[2940:3904]: 0 server renegotiatiations requested 2005.10.10 16:50:33 LOG7[2940:3904]: 0 session cache hits 2005.10.10 16:50:33 LOG7[2940:3904]: 0 session cache misses 2005.10.10 16:50:33 LOG7[2940:3904]: 0 session cache timeouts 2005.10.10 16:50:33 LOG6[2940:3904]: SSL connected: new session negotiated 2005.10.10 16:50:33 LOG6[2940:3904]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 2005.10.10 16:51:38 LOG3[2940:3904]: readsocket: Connection reset by peer (WSAECONNRESET) (10054) 2005.10.10 16:51:38 LOG5[2940:3904]: Connection reset: 203 bytes sent to SSL, 3214 bytes sent to socket 2005.10.10 16:51:38 LOG7[2940:3904]: https finished (0 left)