Greetings,
I was wondering if anyone's come across anything like this. I want to encrypt connections for MS SQL Server 2008 Express from a Windows XP client to a Windows 2003 Server. Following these instructions:
http://www.securityfocus.com/infocus/1677
I was able to configure encrypted connections by pointing SQL Server Management Studio to 127.0.0.1 on _either_ XP or Vista and then that gets tunneled over to the Windows 2003 Server running SQL Server 2008 Express. I can browse the database tables, etc.
Now the problem. I have users that make use of a thin client that connects directly to the SQL Server. It has one config file that I've pointed to 127.0.0.1. When I run this thin client on Vista, it works great, however, when running it on XP, stunnel tries to connect, but then gives up after several attempts.
Here's what I see in the server log before connecting:
2009.03.23 12:26:59 LOG7[284564:274684]: RAND_status claims sufficient entropy for the PRNG
2009.03.23 12:26:59 LOG7[284564:274684]: PRNG seeded successfully
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service vnc
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service mssql
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service rdp
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service http
2009.03.23 12:26:59 LOG5[284564:274684]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
2009.03.23 12:26:59 LOG5[284564:274684]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2009.03.23 12:26:59 LOG5[284564:289192]: No limit detected for the number of clients
2009.03.23 12:27:00 LOG7[284564:289192]: FD 268 in non-blocking mode
2009.03.23 12:27:00 LOG7[284564:289192]: SO_REUSEADDR option set on accept socket
2009.03.23 12:27:00 LOG7[284564:289192]: mssql bound to WINDOWS_SQL_SERVER:14333
2009.03.23 12:27:00 LOG7[284564:289192]: FD 292 in non-blocking mode
2009.03.23 12:27:00 LOG7[284564:289192]: SO_REUSEADDR option set on accept socket
And here's what I see after trying to connect from XP (this appears 16 more times in stunnel.log until stunnel gives up):
2009.03.23 12:29:48 LOG7[284564:289192]: mssql accepted FD=308 from Windows_XP_Client:1252
2009.03.23 12:29:48 LOG7[284564:289192]: Creating a new thread
2009.03.23 12:29:48 LOG7[284564:289192]: New thread created
2009.03.23 12:29:48 LOG7[284564:348604]: mssql started
2009.03.23 12:29:48 LOG7[284564:348604]: FD 308 in non-blocking mode
2009.03.23 12:29:48 LOG5[284564:348604]: mssql accepted connection from Windows_XP_Client:1252
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): before/accept initialization
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read client hello A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write server hello A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write certificate A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write certificate request A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 flush data
2009.03.23 12:29:48 LOG5[284564:348604]: CRL: verification passed
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=1, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=CA/emailAddress=user@abc.com
2009.03.23 12:29:48 LOG5[284564:348604]: CRL: verification passed
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=0, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=VNC Client/emailAddress=user@abc.com
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read client certificate A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read client key exchange A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read certificate verify A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read finished A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write change cipher spec A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write finished A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 flush data
2009.03.23 12:29:48 LOG7[284564:348604]: 1 items in the session cache
2009.03.23 12:29:48 LOG7[284564:348604]: 0 client connects (SSL_connect())
2009.03.23 12:29:48 LOG7[284564:348604]: 0 client connects that finished
2009.03.23 12:29:48 LOG7[284564:348604]: 0 client renegotiations requested
2009.03.23 12:29:48 LOG7[284564:348604]: 1 server connects (SSL_accept())
2009.03.23 12:29:48 LOG7[284564:348604]: 1 server connects that finished
2009.03.23 12:29:48 LOG7[284564:348604]: 0 server renegotiations requested
2009.03.23 12:29:48 LOG7[284564:348604]: 0 session cache hits
2009.03.23 12:29:48 LOG7[284564:348604]: 0 session cache misses
2009.03.23 12:29:48 LOG7[284564:348604]: 0 session cache timeouts
2009.03.23 12:29:48 LOG6[284564:348604]: SSL accepted: new session negotiated
2009.03.23 12:29:48 LOG6[284564:348604]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2009.03.23 12:29:48 LOG7[284564:348604]: FD 332 in non-blocking mode
2009.03.23 12:29:48 LOG7[284564:348604]: mssql connecting 127.0.0.1:1433
2009.03.23 12:29:48 LOG7[284564:348604]: connect_wait: waiting 10 seconds
2009.03.23 12:29:48 LOG7[284564:348604]: connect_wait: connected
2009.03.23 12:29:48 LOG5[284564:348604]: mssql connected remote server from 127.0.0.1:2001
2009.03.23 12:29:48 LOG7[284564:348604]: Remote FD=332 initialized
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (read): warning: close notify
2009.03.23 12:29:48 LOG7[284564:348604]: SSL closed on SSL_read
2009.03.23 12:29:48 LOG7[284564:348604]: Socket write shutdown
2009.03.23 12:29:48 LOG7[284564:348604]: SSL write shutdown
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (write): warning: close notify
2009.03.23 12:29:48 LOG6[284564:348604]: SSL_shutdown successfully sent close_notify
2009.03.23 12:29:48 LOG5[284564:348604]: Connection closed: 37 bytes sent to SSL, 52 bytes sent to socket
2009.03.23 12:29:48 LOG7[284564:348604]: mssql finished (0 left)
The server's stunnel.conf:
CAfile = CAcert.pem
CApath = certificates
cert = server.pem
client = no
verify = 3
debug = 7
output = stunnel.log

[mssql]
accept = WINDOWS_SQL_SERVER:14333
connect = 127.0.0.1:1433
The client's stunnel.conf:
CAfile = CAcert.pem
CApath = certificates
cert = client.pem
client = yes
verify = 3
debug = 7
output = stunnel.log

[mssql]
accept = 127.0.0.1:1433
connect = WINDOWS_SQL_SERVER:14333
Things I've tried:
- changed the compatibility settings of the thin client to work under earlier versions of Windows, this didn't help
- regenerated certificates, no good
- tried connecting without certificates, still no good
I still haven't tried earlier versions of stunnel, but I figured I'd just check and see if maybe anyone's run across something like this before. From what I can tell, the combination of XP, the thin client and stunnel does not work. The thin client does work on XP when I do not use stunnel, but I need to have the connection encrypted.
Any help greatly appreciated, thanks
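The server log above already answers the first question a reviewer asks of a failing tunnel: the XP client's certificate chain verified (VERIFY OK at depth 1 and depth 0), a new session was negotiated, stunnel connected to 127.0.0.1:1433, and only then did the TLS peer send close_notify after a 52-byte/37-byte exchange. Reading that off a 16-times-repeated wall of debug output is error-prone, so here is a small Python parser, added as an example for this thread (it is not code from the post or from stunnel), that turns stunnel 4.x debug = 7 lines into one record per connection thread and labels each with the stage at which it stopped. Two caveats it encodes: the "SSLv3" in the Negotiated ciphers line is the version column of OpenSSL's cipher description, not evidence of the protocol version actually used, so it is not reported; and Kx=RSA (static RSA key exchange) gives no forward secrecy, which the record does flag. Thread 348604 in the sample is the post's log trimmed to the lines the parser uses; thread 400100 is a constructed contrast case in which the SQL Server side closed first.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# stunnel 4.26 line shape: "2009.03.23 12:29:48 LOG7[284564:348604]: message"
LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} LOG\d\[\d+:(?P<tid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^(?P<svc>\S+) accepted connection from (?P<peer>\S+)$")
VERIFY_OK_RE = re.compile(r"^VERIFY OK: depth=(?P<depth>\d+), (?P<subject>.+)$")
CIPHER_RE = re.compile(r"^Negotiated ciphers: (?P<cipher>\S+) \S+ Kx=(?P<kx>\S+)")
CONNECTED_RE = re.compile(r"^\S+ connected remote server from \S+$")
CLOSED_RE = re.compile(r"^Connection closed: (?P<to_ssl>\d+) bytes sent to SSL, "
                       r"(?P<to_sock>\d+) bytes sent to socket$")


@dataclass
class Conn:
    tid: str                      # thread id from LOGn[pid:tid]; one thread per tunnelled connection
    service: str
    peer: str
    client_subject: str = ""      # depth=0 subject, i.e. the client certificate presented
    verify_failed: bool = False
    session_negotiated: bool = False
    cipher: str = ""
    key_exchange: str = ""
    backend_connected: bool = False
    closed_by: str = ""           # "peer" (TLS side) or "backend" (plaintext side), "" if not seen
    bytes_to_ssl: int = 0         # backend -> TLS peer
    bytes_to_socket: int = 0      # TLS peer -> backend

    @property
    def forward_secrecy(self) -> bool:
        # Kx=RSA has none: a later compromise of the server.pem private key decrypts recorded sessions.
        return self.key_exchange.upper().startswith(("DHE", "ECDHE", "EDH", "EECDH"))

    def verdict(self) -> str:
        if self.verify_failed:
            return "cert-verify-failed"
        if not self.session_negotiated:
            return "tls-handshake-incomplete"
        if not self.backend_connected:
            return "backend-connect-failed"
        return f"tls-ok-{self.closed_by}-closed" if self.closed_by else "tls-ok"


def parse_log(lines: Iterable[str]) -> Dict[str, Conn]:
    """Group debug lines by thread id and extract the per-connection milestones."""
    conns: Dict[str, Conn] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # blank, comment or non-stunnel line
        tid, msg = m["tid"], m["msg"]
        acc = ACCEPTED_RE.match(msg)
        if acc:
            conns[tid] = Conn(tid, acc["svc"], acc["peer"])
            continue
        c = conns.get(tid)
        if c is None:
            continue                  # accept-loop thread or startup chatter
        if (v := VERIFY_OK_RE.match(msg)) and v["depth"] == "0":
            c.client_subject = v["subject"]
        elif msg.startswith("VERIFY ERROR"):
            c.verify_failed = True
        elif msg == "SSL accepted: new session negotiated":
            c.session_negotiated = True
        elif (ci := CIPHER_RE.match(msg)):
            c.cipher, c.key_exchange = ci["cipher"], ci["kx"]
        elif CONNECTED_RE.match(msg):
            c.backend_connected = True
        elif msg == "SSL alert (read): warning: close notify" and not c.closed_by:
            c.closed_by = "peer"      # the TLS peer (the client's stunnel) shut down first
        elif msg == "Socket closed on read" and not c.closed_by:
            c.closed_by = "backend"   # the plaintext side (SQL Server) shut down first
        elif (cl := CLOSED_RE.match(msg)):
            c.bytes_to_ssl, c.bytes_to_socket = int(cl["to_ssl"]), int(cl["to_sock"])
    return conns


# Thread 348604: the post's log, trimmed. Thread 400100: constructed, not from the post.
SAMPLE_LOG = """\
2009.03.23 12:29:48 LOG5[284564:348604]: mssql accepted connection from Windows_XP_Client:1252
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=1, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=CA/emailAddress=user@abc.com
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=0, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=VNC Client/emailAddress=user@abc.com
2009.03.23 12:29:48 LOG6[284564:348604]: SSL accepted: new session negotiated
2009.03.23 12:29:48 LOG6[284564:348604]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2009.03.23 12:29:48 LOG5[284564:348604]: mssql connected remote server from 127.0.0.1:2001
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (read): warning: close notify
2009.03.23 12:29:48 LOG5[284564:348604]: Connection closed: 37 bytes sent to SSL, 52 bytes sent to socket
2009.03.23 12:31:02 LOG5[284564:400100]: mssql accepted connection from Windows_Vista_Client:49201
2009.03.23 12:31:02 LOG5[284564:400100]: VERIFY OK: depth=0, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=VNC Client/emailAddress=user@abc.com
2009.03.23 12:31:02 LOG6[284564:400100]: SSL accepted: new session negotiated
2009.03.23 12:31:02 LOG6[284564:400100]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2009.03.23 12:31:02 LOG5[284564:400100]: mssql connected remote server from 127.0.0.1:2002
2009.03.23 12:31:40 LOG7[284564:400100]: Socket closed on read
2009.03.23 12:31:40 LOG5[284564:400100]: Connection closed: 18210 bytes sent to SSL, 940 bytes sent to socket
"""

if __name__ == "__main__":
    for c in parse_log(SAMPLE_LOG.splitlines()).values():
        print(f"{c.peer}: {c.verdict()} cipher={c.cipher} kx={c.key_exchange} "
              f"fs={c.forward_secrecy} to_ssl={c.bytes_to_ssl} to_socket={c.bytes_to_socket}")
```

Run it against the whole stunnel.log on the server: if every XP attempt comes out as tls-ok-peer-closed with the same small byte counts, the certificate and tunnel configuration are not where the failure is, and the next thing to capture is what the thin client itself does with the 37 bytes it gets back.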
I ran into the following link errors when I have the -DHAVE_LIBWRAP defined.

obj/voyager_mm/libwrap.o: In function `check_libwrap':
/sw-pool/jlau/branch-mountEden_v1222b9/voyager_mm/code/nettools/stunnel/src/libwrap.c:199: undefined reference to `request_init'
/sw-pool/jlau/branch-mountEden_v1222b9/voyager_mm/code/nettools/stunnel/src/libwrap.c:200: undefined reference to `sock_host'
/sw-pool/jlau/branch-mountEden_v1222b9/voyager_mm/code/nettools/stunnel/src/libwrap.c:201: undefined reference to `hosts_access'
collect2: ld returned 1 exit status
Can someone tell me what the -DHAVE_LIBWRAP is for and how I can resolve the above link error? Which library should I include?
Thanks. -Joe
On Wed, Mar 25, 2009 at 03:45:26PM -0700, Joe Lau wrote:
> I ran into the following link errors when I have the -DHAVE_LIBWRAP defined.
> Can someone tell me what the -DHAVE_LIBWRAP is for and how I can resolve the above link error? Which library should I include?
It's for Wietse Venema's TCP wrappers library, used for /etc/hosts.{deny,allow} support. The library is called libwrap0-dev in Debian; other OSes might have a different (but probably similar) name.
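To make concrete what -DHAVE_LIBWRAP buys, here is the access decision hosts_access() makes, written out in Python as an added example for this thread (it is a stand-in model, not libwrap's code and not stunnel's). When stunnel is built with it, each accepted connection is checked against /etc/hosts.allow and /etc/hosts.deny using the stunnel service name (mssql for the [mssql] section in the earlier thread) as the daemon name. The rule order is the one hosts_access(5) documents: the first matching hosts.allow rule grants, otherwise the first matching hosts.deny rule denies, otherwise access is granted. The model covers ALL, LOCAL, leading-dot domain suffixes, trailing-dot address prefixes, net/mask, exact host or address, and the EXCEPT operator; KNOWN/UNKNOWN/PARANOID, the optional shell_command field and IPv6 bracket syntax are left out. The link error itself goes away by linking against the library (-lwrap) once the development package the reply names is installed. The two tables in the block are constructed for the example.

```python
import ipaddress
import re
from typing import Callable, List, Tuple

Rule = Tuple[List[str], List[str]]   # (daemon_list, client_list)


def _tokens(field: str) -> List[str]:
    # list elements are separated by blanks and/or commas
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]


def parse_table(text: str) -> List[Rule]:
    """Parse hosts.allow / hosts.deny lines of the form 'daemon_list : client_list [: shell_command]'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"rule needs 'daemon_list : client_list': {raw!r}")
        rules.append((_tokens(fields[0]), _tokens(fields[1])))   # fields[2:] (shell_command) ignored
    return rules


def list_match(tokens: List[str], match_fn: Callable[[str], bool]) -> bool:
    """tcpd's list_match(): 'a b EXCEPT c d' matches when (a or b) matches and (c or d) does not."""
    for i, tok in enumerate(tokens):
        if tok == "EXCEPT":
            return False                       # only exception patterns left: no match
        if match_fn(tok):
            rest = tokens[i + 1:]
            if "EXCEPT" not in rest:
                return True
            return not list_match(rest[rest.index("EXCEPT") + 1:], match_fn)
    return False


def daemon_match(pattern: str, daemon: str) -> bool:
    # stunnel hands its service name (the [section] name) to libwrap as the daemon name
    return pattern == "ALL" or pattern.lower() == daemon.lower()


def client_match(pattern: str, host: str, addr: str) -> bool:
    host = host.lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                     # a resolved hostname without a dot
        return bool(host) and "." not in host
    if pattern.startswith("."):                # '.example.org': domain suffix
        return host.endswith(pattern.lower())
    if pattern.endswith("."):                  # '192.168.10.': address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                         # 'net/mask' in dotted or prefix-length form (IPv4 here)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() == host or pattern == addr


def hosts_access(daemon: str, host: str, addr: str, allow: str, deny: str) -> bool:
    """True if the (daemon, client) pair is granted access under the two tables."""
    def hit(rule: Rule) -> bool:
        dlist, clist = rule
        return (list_match(dlist, lambda t: daemon_match(t, daemon))
                and list_match(clist, lambda t: client_match(t, host, addr)))
    if any(hit(r) for r in parse_table(allow)):
        return True
    if any(hit(r) for r in parse_table(deny)):
        return False
    return True                                # neither table matched: access granted


# Constructed tables for this example, not from the thread.
HOSTS_ALLOW = """
# only the client subnet may reach the SQL tunnel, minus one excluded host
mssql : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.99
# anything else only from hosts on the local domain
ALL   : LOCAL
"""
HOSTS_DENY = "ALL : ALL\n"


def decide(daemon: str, host: str, addr: str) -> bool:
    return hosts_access(daemon, host, addr, HOSTS_ALLOW, HOSTS_DENY)


if __name__ == "__main__":
    for who in [("mssql", "xp-client.corp.example", "192.168.10.23"),
                ("mssql", "kiosk.corp.example", "192.168.10.99"),
                ("rdp", "fileserver", "10.0.0.5"),
                ("rdp", "laptop.evil.example", "203.0.113.7")]:
        print(who, "allow" if decide(*who) else "deny")
```

The pattern worth copying is the closing `ALL : ALL` in hosts.deny: without it, any (daemon, client) pair that no allow rule covers is let through, because the default when neither table matches is to grant access.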