Ludolf,
Thanks for your quick response. I have no clue on how to respond on the stunnel users list, so I'll try it this way. The support on the host we are trying to reach states the following:
It really sounds like the stunnel is not connecting to "something.host.com" but perhaps to the IP address behind it? The use of the hostname something.host.com is however a requirement.
Is there any way we can force the stunnel to connect to the hostname instead of resolving it as an IP address?
Kind regards,
H.N. Post en Zonen
Colin van der Zanden
On Tue, 2015-01-20 20:17:11 +0100, Colin van der Zanden wrote:
> Ludolf,
> Thanks for your quick response. I have no clue on how to respond on the stunnel users list, so I'll try it this way.
By changing the recipient address to stunnel-users@stunnel.org?
> The support on the host we are trying to reach states the following:
> It really sounds like the stunnel is not connecting to "something.host.com" but perhaps to the IP address behind it?
Yes. Stunnel uses IP addresses for all connections, as the Internet is based on IP addresses. All programs that use the Internet do so. 'IP' stands for 'Internet Protocol'.
This is the same as for the telephone network. The telephone network is based on telephone numbers. Even if you select your dialog partner by selecting his name or his picture on a list on your mobile phone, you are (or your phone is) still dialling a telephone number if you start a call.
> The use of the hostname something.host.com is however a requirement.
You should explain what you are trying to do and what does not work.
HTH,
Ludolf
Hi
On Tue, Jan 20, 2015 at 3:45 PM, Ludolf Holzheid lholzheid@bihl-wiedemann.de wrote:
> The support on the host we are trying to reach states the following:
> It really sounds like the stunnel is not connecting to "something.host.com" but perhaps to the IP address behind it?
This sounds like they need SNI to be passed properly. Try adding SNI = something.host.com in your client section.
Dmitry
Thanks Ludolf and Dmitry for replying.
@Ludolf, I know what an IP address is. It's just that it's not allowed by the host to connect on their IP.
@Dmitry, I tried putting the SNI settings in the config file, but it didn't resolve our problem. This is what's in our stunnel log file:
2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] accepted connection from 'INTERNAL-IP:PORT'
2015.01.21 09:30:00 LOG5[4684]: s_connect: connected 'EXTERNAL-IP:PORT'
2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] connected remote server from 'INTERNAL-IP:PORT'
2015.01.21 09:30:00 LOG5[4684]: Connection closed: 251 byte(s) sent to SSL, 188 byte(s) sent to socket
The response from the host is: "403 Forbidden</h1> Request forbidden by administrative rules."
Their support states it's because we are connecting to 'EXTERNAL-IP:PORT' and not 'SOMETHING.HOST.COM'.
Thanks again,
Colin
> From: gromovd@gmail.com
> Date: Tue, 20 Jan 2015 20:50:37 -0500
> CC: stunnel-users@stunnel.org
> Subject: Re: [stunnel-users] No DNS lookup?
>
> Hi
> On Tue, Jan 20, 2015 at 3:45 PM, Ludolf Holzheid lholzheid@bihl-wiedemann.de wrote:
> > The support on the host we are trying to reach states the following:
> > It really sounds like the stunnel is not connecting to "something.host.com" but perhaps to the IP address behind it?
> This sounds like they need SNI to be passed properly. Try adding SNI = something.host.com in your client section.
> Dmitry
On Wed, 2015-01-21 08:52:34 +0000, Colin vd Zanden wrote:
> Thanks Ludolf and Dmitry for replying.
> @Ludolf, I know what an IP address is. It's just that it's not allowed by the host to connect on their IP.
> @Dmitry, I tried putting the SNI settings in the config file, but it didn't resolve our problem. This is what's in our stunnel log file:
> 2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] accepted connection from 'INTERNAL-IP:PORT'
> 2015.01.21 09:30:00 LOG5[4684]: s_connect: connected 'EXTERNAL-IP:PORT'
> 2015.01.21 09:30:00 LOG5[4684]: Service [ SERVICENAME ] connected remote server from 'INTERNAL-IP:PORT'
> 2015.01.21 09:30:00 LOG5[4684]: Connection closed: 251 byte(s) sent to SSL, 188 byte(s) sent to socket
> The response from the host is: "403 Forbidden</h1> Request forbidden by administrative rules."
> Their support states it's because we are connecting to 'EXTERNAL-IP:PORT' and not 'SOMETHING.HOST.COM'.
> Thanks again,
Ah, it seems we were talking at cross purposes.
On OSI layer 2 (Network) you don't have a chance to use something other than IP addresses.
On OSI layer 7 (Application) you may use whatever the protocol requires.
It seems you are using HTTP as the layer 7 protocol, and it seems the server you are trying to connect to needs to see a certain host name in the HTTP requests (possibly because there are multiple virtual hosts on the same machine, using a single IP address).
In the first instance, Stunnel doesn't touch the data in layer 5 and above, i.e. it forwards the HTTP requests unchanged. However, there are service level options for stunnel ("protocol...") to tweak upper-level data.
I didn't use them yet, maybe someone else could comment.
A possible solution for your problem would be to configure Stunnel to not change upper level data, but make the client resolve the DNS name of the server to the IP address Stunnel listens on, e.g. by adding an appropriate entry to the 'hosts' file.
HTH,
Ludolf
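Added example, not part of the original thread: a loopback sketch of the name-based virtual hosting Ludolf describes, where the TCP connection always goes to the same IP address and only the HTTP Host header decides between 200 and 403. The handler, port choice and function names are constructed for illustration; the hostname and the 403 text are the placeholders quoted in the thread.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED_HOST = "something.host.com"  # placeholder hostname used in the thread


class VirtualHostHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the remote server: it serves a request only
    when the Host header names the expected virtual host."""

    def do_GET(self):
        # Drop an optional ":port" suffix and compare case-insensitively.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        if host == REQUIRED_HOST:
            status, body = 200, b"ok\n"
        else:
            status, body = 403, b"Request forbidden by administrative rules.\n"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def status_for_host(host_header):
    """Always connect to 127.0.0.1; only the Host header differs per call."""
    server = HTTPServer(("127.0.0.1", 0), VirtualHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.putrequest("GET", "/", skip_host=True)  # we set Host ourselves
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Client pointed at the tunnel endpoint by IP, so Host carries the IP.
    print(status_for_host("127.0.0.1:8080"))
    # Client pointed at it by name (e.g. via a hosts entry), so Host carries the name.
    print(status_for_host(REQUIRED_HOST))
```

The second call corresponds to the hosts-file approach suggested above: the client keeps using the required name, so the forwarded request carries it unchanged.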
Hi,
As Ludolf said, you may be trying to connect to a virtual web server, and either it is a very basic web server or it has some misconfiguration, because I myself use an old tiny web server that handles virtual servers without any problems.
Make sure your web server can read the "Host" HTTP header, and, on the client side, that you are not blocking or spoofing it with a browser add-on.
You may need an HTTP sniffer.
I have kind of your configuration in my web server for IP Host requests, and it only happens when you input the IP directly in the browser. Stunnel, as a tunnel, is not the problem here. The client and server endpoints are.
It is not a DNS lookup problem.
Regards.