From: Carlos Castro carlos.castro.guerrero@gmail.com
Date: Fri, 2 Feb 2018 12:04:08 +0100
I have an older application, and now I need it to connect to an external HTTPS server using TLS. My application doesn't support TLS, and I am thinking of using stunnel to connect to this HTTPS server.
Same requirement here. Have you tried this configuration?
; yourhost:/etc/stunnel4/stunnel.conf
...
[https]
client = yes
accept = 443
transparent = destination
Regards, ... Peter E.
Hello,
Thanks @Peter
I'm trying to configure it so that my PC connects to this public server, https://ctm.omgeo.net, using TLS 1.2, but I can't.
I need to set up stunnel for an old application that doesn't support TLS; this application needs to connect to this public server to send data.
I'm using Peter's config, but nothing. I tried this config:

[omgeo]
client = yes
accept = 127.0.0.1:19201
connect = ctm.omgeo.net:443
verify = 2
CApath = /etc/ssl/certs/

I'm using curl to try to connect, and I receive this error:

/etc/ssl/certs# curl -v https://127.0.0.1:19201
* Rebuilt URL to: https://127.0.0.1:19201/
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

Without stunnel, I receive this output:

curl -v https://ctm.omgeo.net
* Rebuilt URL to: https://ctm.omgeo.net/
*   Trying 88.221.6.124...
* Connected to ctm.omgeo.net (88.221.6.124) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.omgeo.net (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=Massachusetts,L=Boston,O=Omgeo LLC,CN=*.omgeo.net
* start date: Fri, 21 Jul 2017 00:00:00 GMT
* expire date: Sat, 20 Oct 2018 23:59:59 GMT
* issuer: C=US,O=Symantec Corporation,OU=Symantec Trust Network,CN=Symantec Class 3 Secure Server CA - G4
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: ctm.omgeo.net
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Location: /cleartrust/ct_logon.jsp
< Content-Length: 0
< Date: Mon, 05 Mar 2018 11:31:09 GMT
< Connection: keep-alive
< Set-Cookie: Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; domain=.omgeo.net; path=/
<
* Connection #0 to host ctm.omgeo.net left intact

Many thanks
Regards
On 02/02/18 14:10, peter@easthope.ca wrote:
Same requirement here. Have you tried this configuration?
; yourhost:/etc/stunnel4/stunnel.conf
...
[https]
client = yes
accept = 443
transparent = destination
Regards, ... Peter E.
On Mon, Mar 05, 2018 at 12:32:41PM +0100, Carlos Castro wrote:
I'm trying to configure it so that my PC connects to this public server, https://ctm.omgeo.net, using TLS 1.2, but I can't.
I need to set up stunnel for an old application that doesn't support TLS; this application needs to connect to this public server to send data.
I'm using Peter's config, but nothing. I tried this config:

[omgeo]
client = yes
accept = 127.0.0.1:19201
connect = ctm.omgeo.net:443
verify = 2
CApath = /etc/ssl/certs/

I'm using curl to try to connect, and I receive this error:

/etc/ssl/certs# curl -v https://127.0.0.1:19201
Maybe I'm reading this wrong, but if your client application does not support TLS, then it won't speak HTTPS, it would speak plain HTTP. That's what the configuration you're using does - it tells stunnel to run in client mode, i.e. something will connect to stunnel using an unencrypted connection and stunnel will connect to a TLS server (in this case an HTTPS server).
So what happens when you try almost the same query, but with the "http" scheme instead of the "https" one?
curl -v http://127.0.0.1:19201
G'luck, Peter
Hello
Thanks @Peter
Yes, my application does not support TLS, and I need the application to connect using TLS; for this I am using stunnel (I hope).
When I run curl -v http://127.0.0.1:19201:

curl -v http://127.0.0.1:19201
* Rebuilt URL to: http://127.0.0.1:19201/
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:19201
> User-Agent: curl/7.47.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad Request
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 208
< Expires: Mon, 05 Mar 2018 12:25:53 GMT
< Date: Mon, 05 Mar 2018 12:25:53 GMT
< Connection: close

The site ctm.omgeo.net only works in HTTPS mode.
Thanks Peter
On 05/03/18 13:22, Peter Pentchev wrote:
Maybe I'm reading this wrong, but if your client application does not support TLS, then it won't speak HTTPS, it would speak plain HTTP. That's what the configuration you're using does - it tells stunnel to run in client mode, i.e. something will connect to stunnel using an unencrypted connection and stunnel will connect to a TLS server (in this case an HTTPS server).
So what happens when you try almost the same query, but with the "http" scheme instead of the "https" one?
curl -v http://127.0.0.1:19201
G'luck, Peter
On Mon, Mar 05, 2018 at 01:28:15PM +0100, Carlos Castro wrote:
Yes, my application does not support TLS, and I need the application to connect using TLS; for this I am using stunnel (I hope).
When I run curl -v http://127.0.0.1:19201:

curl -v http://127.0.0.1:19201
* Rebuilt URL to: http://127.0.0.1:19201/
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:19201
> User-Agent: curl/7.47.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad Request
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 208
< Expires: Mon, 05 Mar 2018 12:25:53 GMT
< Date: Mon, 05 Mar 2018 12:25:53 GMT
< Connection: close

The site ctm.omgeo.net only works in HTTPS mode.
TL;DR: can you actually try your application with this stunnel config?
Yes, that's why you have stunnel - it will accept a pure HTTP connection from your application (or, in this case, from cURL), and then it will open a TLS (HTTPS) connection to ctm.omgeo.net.
Actually, the "HTTP/1.0 400 Bad Request" response that you get shows that stunnel already works: the request to ctm.omgeo.net is sent via HTTPS, not plain HTTP. If you try to send a plain HTTP request to ctm.omgeo.net port 443, cURL will report a very different error:
[roam@straylight ~]$ curl -v http://ctm.omgeo.net:443/
*   Trying 88.221.30.124...
* TCP_NODELAY set
* Connected to ctm.omgeo.net (88.221.30.124) port 443 (#0)
> GET / HTTP/1.1
> Host: ctm.omgeo.net:443
> User-Agent: curl/7.58.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
[roam@straylight ~]$
This happens because ctm.omgeo.net expects a TLS Client Hello message on an incoming connection, and cURL sends it a plaintext HTTP request, so ctm.omgeo.net says "this is not TLS, you must speak TLS to me, go away".
So I guess that the "400 Bad Request" response you get from ctm.omgeo.net means that 1. you have successfully sent a request to it and it considered it to be an HTTP request, and 2. it expected the application to send it a specific request, not just a "GET /", so it said "GET / is not a valid request for me, but thanks for speaking HTTPS". So it's time to test your actual application now; configure it to talk to 127.0.0.1:19201 and see what happens.
If anything goes wrong, show us the stunnel log.
Hope that helps!
G'luck, Peter
On Tue, Mar 06, 2018 at 11:20:20AM +0200, Peter Pentchev wrote:
TL;DR: can you actually try your application with this stunnel config?
See below; I believe I've found the reason for the "Bad request" response, and you need to do something more to get it to work.
OK, so there's another thing. If you tell cURL or your application to send an HTTP request to 127.0.0.1:19201, then it will send a request with a "Host: 127.0.0.1" header, and omgeo.net's Akamai front-end will not know which backend server to route it to. So both cURL and your application must be convinced to send a request that has a "Host: ctm.omgeo.net" header.
The simplest way to do this is somewhat error-prone, not quite future-proof, but it may work for the present. Add "ctm.omgeo.net" to the 127.0.0.1 line in your hosts file (/etc/hosts on a Unix-like system, %WINDOWSDIR%\system32\etc\hosts on a Windows system, I believe), and configure stunnel to connect to 88.221.30.124:443, not ctm.omgeo.net:443. This last part - hardcoding the IP address of the server - is the part that is error-prone and not future-proof, since omgeo.net (or Akamai) may decide to change that address at any time and things will stop working. There is a hackish solution - write a little tool that performs a real DNS lookup and, if the IP address has changed, regenerates the stunnel config and restarts stunnel, then run this tool every minute or so... Still, it worked for me:
[roam@straylight /etc/stunnel]$ fgrep -e ctm.omgeo.net /etc/hosts
127.0.0.1 localhost ctm.omgeo.net
[roam@straylight /etc/stunnel]$ curl -v http://ctm.omgeo.net:19201
* Rebuilt URL to: http://ctm.omgeo.net:19201/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to ctm.omgeo.net (127.0.0.1) port 19201 (#0)
> GET / HTTP/1.1
> Host: ctm.omgeo.net:19201
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Location: /cleartrust/ct_logon.jsp
< Content-Length: 0
< Date: Tue, 06 Mar 2018 09:41:48 GMT
< Connection: keep-alive
< Set-Cookie: Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; domain=.omgeo.net; path=/
<
* Connection #0 to host ctm.omgeo.net left intact
[roam@straylight /etc/stunnel]$
...so that's a start.
G'luck, Peter
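The following is an added example, not code from this thread or from the stunnel project. It puts together the two things Peter's messages describe: the client-mode stunnel service that takes plain HTTP on 127.0.0.1:19201 and opens TLS to ctm.omgeo.net:443, and the "little tool" that re-resolves the upstream address and regenerates the config when it changes, so that the "connect =" line can carry an IP address while /etc/hosts points ctm.omgeo.net at 127.0.0.1 for the legacy application. The config path, service name, log path, systemd unit name and the use of dig(1) are my assumptions. The `verifyChain`, `checkHost` and `sni` lines are stunnel 5.x options that go beyond the thread's `verify = 2` (which only validates the chain against CApath): they pin the certificate to the expected host name and keep that name in the TLS ClientHello even though the connection is made to a bare IP; `sslVersion = TLSv1.2` is the pre-5.50 spelling of the minimum-version setting.

```shell
#!/bin/sh
# Added example, not code from the thread or the stunnel project.
# Renders a client-mode stunnel service (plain HTTP on 127.0.0.1:19201 ->
# TLS to ctm.omgeo.net:443) and regenerates it when the upstream address
# changes. Assumed: config/log paths, service and unit names, dig(1).
set -eu

UPSTREAM_HOST=ctm.omgeo.net
UPSTREAM_PORT=443
LOCAL_ACCEPT=127.0.0.1:19201
CONF=${STUNNEL_CONF:-/etc/stunnel/omgeo.conf}   # assumed path

# Resolve the upstream over DNS directly. getaddrinfo()/getent consult
# /etc/hosts first and would return 127.0.0.1, i.e. stunnel's own
# listener, so the lookup must bypass the hosts file.
resolve_upstream() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Print the stunnel service definition for one upstream IPv4 address.
# "verify = 2" from the thread only validates the chain against CApath;
# checkHost additionally pins the certificate to the expected name and
# sni keeps that name in the ClientHello although we connect by IP.
render_conf() {
    ip=$1
    cat <<EOF
; generated for ${UPSTREAM_HOST} -> ${ip}; regenerate, do not edit by hand
foreground = no
debug = 5
output = /var/log/stunnel/omgeo.log

[omgeo]
client = yes
accept = ${LOCAL_ACCEPT}
connect = ${ip}:${UPSTREAM_PORT}
sni = ${UPSTREAM_HOST}
verifyChain = yes
checkHost = ${UPSTREAM_HOST}
CApath = /etc/ssl/certs/
sslVersion = TLSv1.2
EOF
}

# IP currently hard-coded in the "connect =" line of a config file
# (empty when the file does not exist yet).
current_ip() {
    sed -n 's/^connect *= *\([0-9.]*\):[0-9]*$/\1/p' "$1" 2>/dev/null | head -n 1
}

# True when the configured address differs from the resolved one.
needs_update() {
    [ "$1" != "$2" ]
}

main() {
    ip=$(resolve_upstream "$UPSTREAM_HOST")
    [ -n "$ip" ] || { echo "cannot resolve $UPSTREAM_HOST" >&2; exit 1; }
    if needs_update "$(current_ip "$CONF")" "$ip"; then
        render_conf "$ip" > "$CONF.tmp" && mv "$CONF.tmp" "$CONF"
        # Reload without dropping established tunnels; unit name is assumed.
        systemctl reload stunnel@omgeo 2>/dev/null || kill -HUP "$(pidof stunnel)"
        echo "stunnel config updated: $UPSTREAM_HOST -> $ip"
    fi
    # Smoke test through the tunnel with the Host header the Akamai
    # front-end routes on, without touching /etc/hosts:
    #   curl -sS -o /dev/null -w '%{http_code}\n' \
    #        -H "Host: $UPSTREAM_HOST" "http://$LOCAL_ACCEPT/"
}

# Run from cron with STUNNEL_REFRESH_RUN=1; leave unset to only load functions.
if [ "${STUNNEL_REFRESH_RUN:-0}" = 1 ]; then
    main
fi
```

Run it from cron every minute or so with STUNNEL_REFRESH_RUN=1; it rewrites the config and reloads stunnel only when the A record has moved. The commented curl line at the end is the quickest way to tell a Host-header problem apart from a tunnel problem: curl's -H "Host: ..." sends the name the front-end expects through the plain side of the tunnel without any hosts-file change, whereas the legacy application still needs the /etc/hosts entry because it cannot set that header itself.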
@Peter ... I'm sure you are the Best! :)
Now it works. I needed to put ctm.omgeo.net in the hosts file and it was ready :)
Now I use http://ctm.omgeo.net:19201 and I can connect to https://ctm.omgeo.net (curl, Firefox, and the application work!)
Many thanks :)
On 06/03/18 11:10, Peter Pentchev wrote:
OK, so there's another thing. If you tell cURL or your application to send an HTTP request to 127.0.0.1:19201, then it will send a request with a "Host: 127.0.0.1" header, and omgeo.net's Akamai front-end will not know which backend server to route it to. So both cURL and your application must be convinced to send a request that has a "Host: ctm.omgeo.net" header.
The simplest way to do this is somewhat error-prone, not quite future-proof, but it may work for the present. Add "ctm.omgeo.net" to the 127.0.0.1 line in your hosts file (/etc/hosts on a Unix-like system, %WINDOWSDIR%\system32\etc\hosts on a Windows system, I believe), and configure stunnel to connect to 88.221.30.124:443, not ctm.omgeo.net:443. This last part - hardcoding the IP address of the server - is the part that is error-prone and not future-proof, since omgeo.net (or Akamai) may decide to change that address at any time and things will stop working. There is a hackish solution - write a little tool that performs a real DNS lookup and, if the IP address has changed, regenerates the stunnel config and restarts stunnel, then run this tool every minute or so... Still, it worked for me:
[roam@straylight /etc/stunnel]$ fgrep -e ctm.omgeo.net /etc/hosts
127.0.0.1 localhost ctm.omgeo.net
[roam@straylight /etc/stunnel]$ curl -v http://ctm.omgeo.net:19201
* Rebuilt URL to: http://ctm.omgeo.net:19201/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to ctm.omgeo.net (127.0.0.1) port 19201 (#0)
> GET / HTTP/1.1
> Host: ctm.omgeo.net:19201
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Location: /cleartrust/ct_logon.jsp
< Content-Length: 0
< Date: Tue, 06 Mar 2018 09:41:48 GMT
< Connection: keep-alive
< Set-Cookie: Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; domain=.omgeo.net; path=/
<
* Connection #0 to host ctm.omgeo.net left intact
[roam@straylight /etc/stunnel]$
...so that's a start.
G'luck, Peter