Thanks to help from Nitin, I've made a tiny bit of progress with stunnel. I've created the certificates per Nitin's instructions at https://tunnelix.com/securing-mysql-traffic-with-stunnel-in-a-jail-environme... Certificates have permissions 0600.
I want to use a VNC client on Linux to connect to a VNC Server also on Linux. In between these two computers I have a Linux router which routes all requests to port 1914 to port 3389 on the VNC Server.
stunnel on the server is run at the command line by root: 'stunnel /root/stunnel.conf'. Here is my VNC Server computer's stunnel.conf:
foreground = yes
pid = /var/run/stunnel.pid
debug = 7
; output = /root/stunnel.log
output = /dev/stdout

[x11vnc]
accept = 3389
key = /root/privatekey.pem
cert = /root/certificate.pem
connect = 127.0.0.1:5900
stunnel on the client is run by a normal user, stunnel $HOME/.stunnel/stunnel.conf. Below is my client stunnel.conf:
foreground = yes
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes

[x11vnc]
accept = 5900
connect = mail.ohprs.org:1914
When I run stunnel on the client I get:
2018.03.13 13:21:17 LOG5[ui]: stunnel 5.35 on x86_64-slackware-linux-gnu platform
2018.03.13 13:21:17 LOG5[ui]: Compiled with OpenSSL 1.0.2h 3 May 2016
2018.03.13 13:21:17 LOG5[ui]: Running with OpenSSL 1.0.2n 7 Dec 2017
2018.03.13 13:21:17 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2018.03.13 13:21:17 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.03.13 13:21:17 LOG5[ui]: Reading configuration from file /home/mfoley/.stunnel/stunnel.conf
2018.03.13 13:21:17 LOG5[ui]: UTF-8 byte order mark not detected
2018.03.13 13:21:17 LOG5[ui]: FIPS mode disabled
2018.03.13 13:21:17 LOG4[ui]: Service [x11vnc] uses "verify = 2" without subject checks
2018.03.13 13:21:17 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
2018.03.13 13:21:17 LOG5[ui]: Configuration successful
On the client, I then run tigerVNCViewer connecting to 127.0.0.1::5900. I get the following messages on the client:
2018.03.13 13:22:03 LOG5[0]: Service [x11vnc] accepted connection from 127.0.0.1:35034
2018.03.13 13:22:03 LOG5[0]: s_connect: connected 98.102.63.107:1914
2018.03.13 13:22:03 LOG5[0]: Service [x11vnc] connected remote server from 192.168.0.17:40512
2018.03.13 13:22:03 LOG3[0]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2018.03.13 13:22:03 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Just guessing, but is it failing with the SSLVersion?
Help appreciated. Thanks, Mark
Does anyone have any ideas on what might be my problem? I re-ran with "sslVersion = TLSv1" and got basically the same log results except instead of
2018.03.13 13:22:03 LOG3[0]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
when I ran with no "sslVersion" set, I got:
2018.03.13 13:36:02 LOG3[0]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
when I ran with "sslVersion = TLSv1".
So, I'm thinking that there is an issue with the sslVersion I'm using.
Also, the initial log messages have:
2018.03.13 13:35:32 LOG5[ui]: stunnel 5.35 on x86_64-slackware-linux-gnu platform
2018.03.13 13:35:32 LOG5[ui]: Compiled with OpenSSL 1.0.2h 3 May 2016
2018.03.13 13:35:32 LOG5[ui]: Running with OpenSSL 1.0.2n 7 Dec 2017
2018.03.13 13:35:32 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
I don't know if this is telling me to "Update OpenSSL" or what. The 'running' OpenSSL version is already more recent than the stunnel compiled version. Both packages are the most recent release on Slackware.
Thanks for any help on this.
--Mark
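The two OpenSSL errors quoted in these messages ("SSL23_GET_SERVER_HELLO:unknown protocol" and "SSL3_GET_RECORD:wrong version number") are both raised at the same point: the client has sent its ClientHello and the first bytes that come back do not form a TLS record header (a content-type byte followed by major version 3). That usually means the port the client is talking to is answered by something that is not a TLS endpoint, for example a VNC server greeting in the clear with its "RFB 003.008" banner. The script below is an added example for this thread, not code from the poster or from the stunnel project. It classifies the first bytes a TLS client receives, and it reproduces the failure offline by pointing a verifying TLS client at a local thread that answers with a constructed RFB banner. The banner, the TLS record sample and the port numbers are all constructed here; the TLS client keeps certificate and hostname verification on, which is the same idea as the checkHost setting stunnel's LOG4 warning recommends.

```python
import socket
import ssl
import threading

# Constructed sample first-bytes, as a TLS client would receive them right
# after sending its ClientHello. None of these were captured from the
# poster's machines.
SAMPLE_TLS_RECORD = bytes.fromhex("160303002a02")   # handshake record, TLS 1.2 framing
SAMPLE_RFB_BANNER = b"RFB 003.008\n"               # plaintext VNC (RFB) server greeting
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"

TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, application data


def classify_first_bytes(data: bytes) -> str:
    """Say what the peer actually speaks, judging from the first bytes it sent.

    OpenSSL's 'unknown protocol' / 'wrong version number' errors mean the
    client received something whose first bytes are not a TLS record
    header: a content-type byte, then version major 3 and a minor of 0..4.
    """
    if not data:
        return "closed"
    if len(data) >= 3 and data[0] in TLS_RECORD_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"RFB "):
        return "rfb"              # a VNC server answered in the clear: no TLS on this port
    if data.startswith((b"HTTP/", b"SSH-")):
        return "other-plaintext"
    return "unknown"


def _serve_plaintext_once(listener: socket.socket, banner: bytes) -> None:
    """Accept one connection, send a plaintext banner, drain the peer's
    ClientHello so the close does not turn into a TCP reset, then exit."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        conn.sendall(banner)
        try:
            conn.recv(65536)
        except OSError:
            pass
    listener.close()


def tls_handshake_with(host: str, port: int, expected_name: str) -> tuple:
    """Attempt a verifying TLS handshake; return (ok, detail).

    Verification stays on; passing server_hostname is the analogue of
    stunnel's checkHost. Against a plaintext peer the handshake fails
    before any certificate is even seen.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, "ssl-error:%s" % (exc.reason or str(exc))
    except OSError as exc:
        return False, "connect-error:%s" % exc


def reproduce_unknown_protocol() -> tuple:
    """Offline reproduction: a TLS client talking to a plaintext RFB server
    on an ephemeral loopback port (constructed scenario)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_plaintext_once,
                         args=(listener, SAMPLE_RFB_BANNER), daemon=True)
    t.start()
    result = tls_handshake_with("127.0.0.1", port, "localhost")
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_TLS_RECORD, SAMPLE_RFB_BANNER, SAMPLE_HTTP_REPLY, b""):
        print(repr(sample[:12]), "->", classify_first_bytes(sample))
    print("TLS handshake against a plaintext RFB server:", reproduce_unknown_protocol())
```

The same check can be made by hand with a plain TCP client against the forwarded port: if the first thing the remote end sends is an RFB banner rather than nothing (a TLS server waits silently for the ClientHello), the port forward is reaching a cleartext service rather than the stunnel listener, and no sslVersion setting on the client will change that.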
-----Original Message-----
From: Mark Foley mfoley@novatec-inc.com
Date: Tue, 13 Mar 2018 13:35:05 -0400
Organization: Novatec Software Engineering, LLC
To: stunnel-users@stunnel.org
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users