Some good news: I removed client = yes as you suggested:
2015.10.09 12:39:29 LOG5[main]: Configuration successful
2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672
2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[61]: No peer certificate received
2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599
openssl_client log: http://pastebin.com/7bg3sf7J
The problem is now that the site loads forever, nothing happens.
(This certificate (:1988) is different from the original (:41952). Is this not a problem?)
curl test:
$ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
* Trying 192.168.1.17...
* Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
> GET /DYMO/DLS/Printing/Check HTTP/1.1
> Host: 192.168.1.17:1988
> User-Agent: curl/7.43.0
> Accept: */*
>
waiting forever.
2015-10-09 12:34 GMT+02:00 Adrián Mihálko adriankoooo@gmail.com:
In the first mail I wrote the ports wrong; of course in the log I am using the right ones.
[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:41952
2015-10-09 12:32 GMT+02:00 Adrián Mihálko adriankoooo@gmail.com:
Sorry, curl was only for testing.
Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
CONNECTED(00000003)
1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:21 LOG5[main]: Configuration successful
2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
If I connect to :41952:
openssl s_client -connect 192.168.1.17:41952
...
---
No client certificate CA names sent
---
SSL handshake has read 1724 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
...
2015-10-09 10:55 GMT+02:00 test rig testrig@z1p.biz:
Ouch #2 missing...
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server.
You are connecting to :9999 with curl(?). Try verifying it via the "openssl s_client -connect yourserverip:1988" command.
Best Regards, Michael
--- Original message --- From: "test rig" testrig@z1p.biz Date: 09.10.2015 09:48:02 To: "stunnel-users@stunnel.org." stunnel-users@stunnel.org Subject: Re: [stunnel-users] (no subject)
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server.
--- Original message --- From: Adrián Mihálko Date: 09.10.2015 08:15:19 To: stunnel-users@stunnel.org Subject: [stunnel-users] (no subject)
Dear stunnel users,
I have a little service which listens only on https://localhost:4952 and checks the source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952".
https://192.168.1.10:1988 -> redirect https://localhost:4952
I am trying to configure stunnel like this:
[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:4952
remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
* Trying 192.168.1.25...
* Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
* WARNING: using IP address, SNI is being disabled by the OS.
* Unknown SSL protocol error in connection to 192.168.1.25:-9847
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
stunnel.log:
2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
I tried verify = 1 to 4; none of them works. :(
Best Regards, Adrian
powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure internet.
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
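An added example (not from this thread and not stunnel code) that reads log lines in the format quoted above and reports, per connection, which side of the TLS session stunnel took and which lines deserve a second look: "SSL accepted" means stunnel was the TLS server, "SSL connected" means it was the TLS client, "Certificate verification disabled" means a client-mode stanza with no verify/CAfile, and a close with 0 bytes in both directions means the tunnel carried no application data. The sample log is constructed from the lines quoted in the thread; the finding texts and the Conn structure are this script's own.

```python
"""Audit stunnel log lines: TLS role per connection and weak-authentication signals."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the stunnel log lines quoted in the thread:
# connection 39 ran with client = yes, connection 60 with client = no.
SAMPLE_LOG = """\
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""

LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(\d)\[(\w+)\]: (.*)$")
PEER_RE = re.compile(r"accepted connection from (\S+)")
CIPHER_RE = re.compile(r"Negotiated (\S+) ciphersuite (\S+)")
CLOSED_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Conn:
    conn_id: str
    peer: str = ""
    tls_role: str = "unknown"  # "server": stunnel accepted TLS; "client": stunnel initiated TLS
    protocol: str = ""
    cipher: str = ""
    to_ssl: int = -1           # bytes stunnel wrote into the TLS side
    to_socket: int = -1        # bytes stunnel wrote into the plaintext side
    findings: list = field(default_factory=list)

    def flag(self, text):
        if text not in self.findings:
            self.findings.append(text)


def parse_log(text):
    """Group log lines by connection id; return (connections dict, startup warnings)."""
    conns, startup_warnings = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an stunnel log line; skip
        _, _, conn_id, msg = m.groups()
        if conn_id == "main":
            # Emitted at startup for a client-mode stanza that has no verify/CAfile.
            if "needs authentication to prevent MITM" in msg:
                startup_warnings.append(msg)
            continue
        c = conns.setdefault(conn_id, Conn(conn_id))
        peer, cipher, closed = PEER_RE.search(msg), CIPHER_RE.search(msg), CLOSED_RE.search(msg)
        if peer:
            c.peer = peer.group(1)
        elif msg.startswith("SSL accepted"):
            c.tls_role = "server"
        elif msg.startswith("SSL connected"):
            c.tls_role = "client"
        elif msg == "Certificate verification disabled":
            c.flag("remote certificate not verified (client mode without verify/CAfile)")
        elif msg == "No peer certificate received":
            c.flag("TLS client presented no certificate (no mutual TLS)")
        elif cipher:
            c.protocol, c.cipher = cipher.groups()
            if c.protocol in LEGACY_PROTOCOLS:
                c.flag("legacy protocol %s negotiated" % c.protocol)
        elif closed:
            c.to_ssl, c.to_socket = int(closed.group(1)), int(closed.group(2))
            if c.to_ssl == 0 and c.to_socket == 0:
                c.flag("no application data in either direction")
    return conns, startup_warnings


def report(text):
    """One summary line per connection, preceded by startup warnings."""
    conns, warnings = parse_log(text)
    lines = ["STARTUP: " + w for w in warnings]
    for c in conns.values():
        lines.append("[%s] peer=%s role=%s %s %s to_ssl=%d to_socket=%d findings=%s"
                     % (c.conn_id, c.peer or "?", c.tls_role, c.protocol or "?", c.cipher or "?",
                        c.to_ssl, c.to_socket, "; ".join(c.findings) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample, connection 39 comes out as role=client with an unverified remote certificate and a legacy TLSv1 session, which is the combination the LOG4 startup warning refers to; connection 60 comes out as role=server with a TLSv1.2 session that closed without moving a single application byte, which is the "site loads forever" symptom seen from the stunnel side.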
Some clarifications
1. Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3, which is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.
2. You can do a direct test with curl against your service (local) or openssl s_client.
Regards, Jose
On 9 Oct 2015, at 5:44, Adrián Mihálko adriankoooo@gmail.com wrote:
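An added example, not part of the thread or of stunnel, that makes the protocol-mismatch point concrete: a stanza with client = yes expects plaintext on its accept side and a stanza with client = no expects TLS, and handing a listener the wrong kind produces exactly the "unknown protocol" / "Unknown SSL protocol error" output quoted above. The classifier inspects the first bytes a listener receives (TLS record header and handshake type, or an HTTP request line with its Host header). The ClientHello bytes and the HTTP request are constructed for the demo (the request is the one curl sent in the thread), and the diagnose() function and its messages are this script's own. Because stunnel relays the decrypted bytes unchanged, the Host value the classifier extracts is exactly what the service behind the tunnel receives.

```python
"""Tell a TLS ClientHello from a plaintext HTTP request by its first bytes.

A stunnel stanza with 'client = yes' expects plaintext on its accept side;
'client = no' expects TLS. diagnose() compares the two.
"""

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

# Constructed sample: the request curl sent in the thread, as the backend receives it
# once stunnel has stripped TLS (stunnel relays the bytes unchanged, Host header included).
CURL_REQUEST = (b"GET /DYMO/DLS/Printing/Check HTTP/1.1\r\n"
                b"Host: 192.168.1.17:1988\r\n"
                b"User-Agent: curl/7.43.0\r\n"
                b"Accept: */*\r\n\r\n")


def build_client_hello():
    """Construct a minimal TLS 1.2 ClientHello (no extensions) for the demo."""
    body = bytes([0x03, 0x03]) + bytes(32) + bytes([0x00])   # client_version, random, empty session id
    body += bytes([0x00, 0x04, 0xC0, 0x2F, 0x00, 0x9C])       # cipher suites: length 4, two suites
    body += bytes([0x01, 0x00])                                 # compression methods: null only
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body   # type ClientHello + length
    return bytes([0x16, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def classify_stream_start(data):
    """Describe what protocol the first bytes of a stream look like."""
    # TLS record header: content type 0x16 (handshake) followed by a 0x03xx version.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        info = {"kind": "tls",
                "record_version": TLS_VERSIONS.get((data[1] << 8) | data[2], "unknown")}
        hs_type = data[5]                       # first byte after the 5-byte record header
        if hs_type == 0x01:
            info["handshake"] = "ClientHello"
            if len(data) >= 11:                 # 4-byte handshake header, then client_version
                info["client_version"] = TLS_VERSIONS.get((data[9] << 8) | data[10], "unknown")
        elif hs_type == 0x02:
            info["handshake"] = "ServerHello"
        else:
            info["handshake"] = "other(0x%02x)" % hs_type
        return info
    if data.startswith(HTTP_METHODS):
        head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        parts = request_line.split(" ")
        headers = {}
        for line in header_lines:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        return {"kind": "http", "method": parts[0], "path": parts[1] if len(parts) > 1 else "",
                "host": headers.get("host", "")}
    return {"kind": "unknown"}


def diagnose(listener_is_client_mode, first_bytes):
    """Compare what a stunnel stanza expects on accept with what actually arrived."""
    seen = classify_stream_start(first_bytes)
    if seen["kind"] == "unknown":
        return "undetermined: first bytes are neither a TLS record nor an HTTP request line"
    if listener_is_client_mode and seen["kind"] == "tls":
        return ("mismatch: client = yes expects plaintext but the peer sent a TLS %s; stunnel would "
                "forward those handshake bytes as payload inside its own TLS session and the backend "
                "sees garbage. Use client = no for a listener that browsers reach via https://"
                % seen.get("handshake", "record"))
    if not listener_is_client_mode and seen["kind"] == "http":
        return ("mismatch: client = no expects TLS but the peer sent plaintext %s %s; the peer must "
                "use https:// (or the stanza must be client = yes)" % (seen["method"], seen["path"]))
    return "ok: listener mode matches the incoming protocol (%s)" % seen["kind"]


if __name__ == "__main__":
    print(classify_stream_start(build_client_hello()))
    print(classify_stream_start(CURL_REQUEST))
    print(diagnose(True, build_client_hello()))    # original config: client = yes, curl speaks https
    print(diagnose(False, build_client_hello()))   # after switching the stanza to client = no
```

The first stunnel.log quoted in the thread fits this reading: 130 bytes went into the TLS side (curl's ClientHello, wrapped by stunnel) and 505 bytes came back to the plaintext socket (the service's reply to a request it could not parse), which curl then rejected as "Unknown SSL protocol error".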
Adrian,
Sorry, I didn't read your original mail carefully. You want to write https://192.168.1.10:1988 and reach your SSL or TLS service that listens on port 4952 of the loopback interface on the host with IP 192.168.1.10.
You need two stunnel stanzas to achieve what you want. Something like:
[myservice]
cert = stunnel.pem
client = no
accept = 0.0.0.0:1988
connect = localhost:1987

[myserviceaux]
cert = stunnel.pem
client = yes
accept = localhost:1987
connect = localhost:4952
If you find this too convoluted, you could try with other reverse proxy software like apache or squid.
With your original config, you should be able to connect using http instead of https, as stunnel is expecting clear text traffic.
Please try and let us know how it goes.
On Saturday, October 10, 2015 9:58 AM, Josealf.rm josealf@rocketmail.com wrote:
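As an added example (not from the thread or the stunnel project) of checking a configuration like the ones above before deploying it: the linter parses stunnel's INI-style stanzas and flags a client = yes stanza bound to a non-loopback address (its accept side carries plaintext, so binding it to 0.0.0.0 exposes unencrypted traffic to the network), a client = yes stanza with no verify/CAfile (the condition behind the "needs authentication to prevent MITM attacks" log line), a client = no stanza without cert, and reports which stanza hands off to which so the two-stanza construction is visible. The option names are stunnel's; the finding codes, the loopback normalisation and the two embedded configs (copied from this thread) are this script's own.

```python
"""Lint stunnel.conf stanzas for direction mistakes and missing peer verification."""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# stunnel options that make a client-mode stanza check the remote certificate.
VERIFY_KEYS = ("verify", "verifyChain", "verifyPeer", "CAfile", "CApath")

# Both configs are taken from the thread; the comments are this script's.
ORIGINAL_CONF = """\
[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:4952
"""

TWO_STANZA_CONF = """\
; TLS in from the LAN, plaintext out to the loopback-only client stanza
[myservice]
cert = stunnel.pem
client = no
accept = 0.0.0.0:1988
connect = localhost:1987

; plaintext in on loopback only, TLS out to the real service
[myserviceaux]
cert = stunnel.pem
client = yes
accept = localhost:1987
connect = localhost:4952
"""


def parse_stunnel_conf(text):
    """Return (global options, {service: options}). ';' is stunnel's comment marker; '#' is skipped too."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line; stunnel itself would reject it
        target = services[current] if current is not None else global_opts
        target[key.strip()] = value.strip()
    return global_opts, services


def split_hostport(addr):
    """'0.0.0.0:1988' -> ('0.0.0.0', '1988'); ':::1988' -> ('::', '1988'); '1988' -> ('', '1988')."""
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else ("", addr)


def endpoint_key(addr):
    """Normalise so that localhost, 127.0.0.1 and ::1 compare equal (stunnel resolves localhost to both)."""
    host, port = split_hostport(addr)
    return ("loopback" if host in LOOPBACK else host, port)


def lint(services):
    """Return a list of (service, CODE, message) findings."""
    findings = []
    accept_owner = {endpoint_key(o["accept"]): n for n, o in services.items() if "accept" in o}
    for name, opts in services.items():
        client = opts.get("client", "no").lower() == "yes"
        accept = opts.get("accept", "")
        host, _ = split_hostport(accept)
        if client and host not in LOOPBACK:
            findings.append((name, "PLAINTEXT_EXPOSED",
                             "client = yes accepts plaintext, and accept = %s is not a loopback "
                             "address; bind it to localhost" % (accept or "(missing)")))
        if client and not any(k in opts for k in VERIFY_KEYS):
            findings.append((name, "NO_VERIFY",
                             "client = yes without verify/CAfile: the remote certificate is not checked"))
        if not client and "cert" not in opts:
            findings.append((name, "NO_CERT", "client = no needs a server certificate (cert = ...)"))
        if "connect" in opts:
            owner = accept_owner.get(endpoint_key(opts["connect"]))
            if owner and owner != name:
                findings.append((name, "CHAINED", "connect target is the accept of stanza [%s]" % owner))
    return findings


def lint_conf(text):
    return lint(parse_stunnel_conf(text)[1])


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("two-stanza", TWO_STANZA_CONF)):
        print(label)
        for svc, code, msg in lint_conf(conf):
            print("  [%s] %s: %s" % (svc, code, msg))
```

The original config produces PLAINTEXT_EXPOSED and NO_VERIFY for [myservice]; the two-stanza config produces CHAINED for [myservice] and still NO_VERIFY for [myserviceaux]. That last finding is real: the hop to :4952 stays on loopback, so the exposure is small, but a verify option with a CAfile holding the service's certificate would let stunnel detect a swapped endpoint.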
Thank you for this idea.
The connection is now successful:
http://pastebin.com/idLxrzRA
But the application on :41952 is blocking the request.
Let me clarify:
The only URL that is working is: https://localhost:41952/DYMO/DLS/Printing/Check (screenshot: https://www.dropbox.com/s/syw5clruyjildyf/Screenshot%202015-10-10%2019.18.23.png?dl=0)
Non-working URLs:
https://127.0.0.1:41952/DYMO/DLS/Printing/Check (screenshot: https://www.dropbox.com/s/8fc2v1e3gr0ap2q/Screenshot%202015-10-10%2019.19.27.png?dl=0)
https://192.168.2.123:41952/DYMO/DLS/Printing/Check (screenshot: https://www.dropbox.com/s/yfkwx1s5acfek38/Screenshot%202015-10-10%2019.20.46.png?dl=0)
From the remote machine (through stunnel) I get the same error: https://www.dropbox.com/s/cm6l358k948hxhu/Screenshot%202015-10-10%2019.21.23.png?dl=0
Interesting that 127.0.0.1 and 192.168.2.123 also point to localhost and it's not working. I think the web service on :41952 checks the request header? Is there any way to fake this?
Regards, Adrian
On 10. 10. 2015, at 19:06, Jose Alf. josealf@rocketmail.com wrote:
If I am connecting to the :41952:
openssl s_client -connect 192.168.1.17:41952 http://192.168.1.17:41952/...
No client certificate CA names sent
SSL handshake has read 1724 bytes and written 712 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA ...
2015-10-09 10:55 GMT+02:00 test rig <testrig@z1p.biz mailto:testrig@z1p.biz>:
Ouch #2 missing...
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
You are connection to :9999 with curl(?) Try verify it via "openssl s_client -connect yourserverip:1988" command
Best Regards Michael
--- Ursprüngliche Nachricht --- Von: "test rig" <testrig@z1p.biz mailto:testrig@z1p.biz> Datum: 09.10.2015 09:48:02 An: "stunnel-users@stunnel.org mailto:stunnel-users@stunnel.org." <stunnel-users@stunnel.org mailto:stunnel-users@stunnel.org> Betreff: Re: [stunnel-users] (no subject)
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server --- Ursprüngliche Nachricht --- Von: Adrián Mihálko Datum: 09.10.2015 08:15:19 An: stunnel-users@stunnel.org mailto:stunnel-users@stunnel.org Betreff: [stunnel-users] (no subject)
Dear stunnel users,
I have a little service which listen only on https://localhost:4952 https://localhost:4952/ and checks source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952"
https://192.168.1.10:1988 https://192.168.1.10:1988/ -> redirect https://localhost:4952 https://localhost:4952/
I am trying to configure stunnel like this
[myservice] cert = stunnel.pem client = yes accept = 0.0.0.0:1988 http://0.0.0.0:1988/ connect = localhost:4952
remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
- Trying 192.168.1.25...
- Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
- WARNING: using IP address, SNI is being disabled by the OS.
- Unknown SSL protocol error in connection to 192.168.1.25:-9847
- Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
stunnel.log: 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748 http://192.168.1.24:60748/ 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952 http://127.0.0.1:41952/ 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952 http://127.0.0.1:41952/ 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503 http://127.0.0.1:50503/ 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption) 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read) 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
I am tried verify = 1 to 4, either works. :(
Best Regards, Adrian
powered by Perfect-Privacy.com http://perfect-privacy.com/ / Secure-Mail.biz http://secure-mail.biz/ - anonymous and secure internet.
powered by Perfect-Privacy.com http://perfect-privacy.com/ / Secure-Mail.biz http://secure-mail.biz/ - anonymous and secure internet.
stunnel-users mailing list stunnel-users@stunnel.org mailto:stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
stunnel-users mailing list stunnel-users@stunnel.org mailto:stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
stunnel-users mailing list stunnel-users@stunnel.org mailto:stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
You can set the host header in the request using curl. Try adding -H "HOST: localhost" to your command.
Not sure about regular browsers...
Regards Jose
On 10 Oct 2015, at 12:28, Adrián Mihálko adriankoooo@gmail.com wrote:
Thank you for this idea.
The connection is now successful:
But the application on :41952 is blocking the request.
Let me clarify:
The only URL that is working is: https://localhost:41952/DYMO/DLS/Printing/Check https://www.dropbox.com/s/syw5clruyjildyf/Screenshot%202015-10-10%2019.18.23...
Non-working URLs:
https://127.0.0.1:41952/DYMO/DLS/Printing/Check https://www.dropbox.com/s/8fc2v1e3gr0ap2q/Screenshot%202015-10-10%2019.19.27...
https://192.168.2.123:41952/DYMO/DLS/Printing/Check https://www.dropbox.com/s/yfkwx1s5acfek38/Screenshot%202015-10-10%2019.20.46...
From the remote machine (through stunnel) I get the same error: https://www.dropbox.com/s/cm6l358k948hxhu/Screenshot%202015-10-10%2019.21.23...
Interesting that 127.0.0.1 and 192.168.2.123 also point to the localhost and it's not working. I think the web service on :41952 checks the request header? Is there any way to fake this?
Regards, Adrian
On 10. 10. 2015, at 19:06, Jose Alf. josealf@rocketmail.com wrote:
Adrian,
Sorry, I didn't read your original mail carefully. You want to write https://192.168.1.10:1988 and reach your SSL or TLS service that listens on port 4952 of loopback interface on host with IP 192.168.1.10.
You need two stunnel stanzas to achieve what you want. Something like:
[myservice]
cert = stunnel.pem
client = no
accept = 0.0.0.0:1988
connect = localhost:1987

[myserviceaux]
cert = stunnel.pem
client = yes
accept = localhost:1987
connect = localhost:4952
If you find this too convoluted, you could try with other reverse proxy software like apache or squid.
With your original config, you should be able to connect using http instead of https, as stunnel is expecting clear text traffic.
Please try and let us know how it goes.
On Saturday, October 10, 2015 9:58 AM, Josealf.rm josealf@rocketmail.com wrote:
Some clarifications
- Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3 that is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.
- You can do a direct test with curl against your service (local) or openssl s_client.
Regards Jose
On 9 Oct 2015, at 5:44, Adrián Mihálko adriankoooo@gmail.com wrote:
Some good news, I removed client = yes as you suggested:
2015.10.09 12:39:29 LOG5[main]: Configuration successful
2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672
2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[61]: No peer certificate received
2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599
openssl s_client log: http://pastebin.com/7bg3sf7J
The problem is now that the site loads forever, nothing happens.
(The certificate on :1988 is different from the original one on :41952. Is this not a problem?)
curl test:
$ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
* Trying 192.168.1.17...
* Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
GET /DYMO/DLS/Printing/Check HTTP/1.1
Host: 192.168.1.17:1988
User-Agent: curl/7.43.0
Accept: */*
waiting forever.
2015-10-09 12:34 GMT+02:00 Adrián Mihálko adriankoooo@gmail.com: In the first mail I wrote the ports wrong; of course in the log I am using the right ones.
[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:41952
2015-10-09 12:32 GMT+02:00 Adrián Mihálko adriankoooo@gmail.com: Sorry, curl was only for testing.
Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
CONNECTED(00000003)
1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:21 LOG5[main]: Configuration successful
2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
If I connect to :41952:
openssl s_client -connect 192.168.1.17:41952 ...
No client certificate CA names sent
SSL handshake has read 1724 bytes and written 712 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
...
2015-10-09 10:55 GMT+02:00 test rig testrig@z1p.biz:
Ouch #2 missing...
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
You are connecting to :9999 with curl(?). Try to verify it via the "openssl s_client -connect yourserverip:1988" command.
Best Regards Michael
--- Original message --- From: "test rig" testrig@z1p.biz Date: 09.10.2015 09:48:02 To: "stunnel-users@stunnel.org." stunnel-users@stunnel.org Subject: Re: [stunnel-users] (no subject)
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
--- Original message --- From: Adrián Mihálko Date: 09.10.2015 08:15:19 To: stunnel-users@stunnel.org Subject: [stunnel-users] (no subject)
Dear stunnel users,
I have a little service which listens only on https://localhost:4952 and checks the source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952"
https://192.168.1.10:1988 -> redirect https://localhost:4952
I am trying to configure stunnel like this:
[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:4952
remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
* Trying 192.168.1.25...
* Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
* WARNING: using IP address, SNI is being disabled by the OS.
* Unknown SSL protocol error in connection to 192.168.1.25:-9847
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
stunnel.log:
2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
I tried verify = 1 to 4, neither works. :(
Best Regards, Adrian
powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure internet.
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
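Reading the stunnel logs quoted in this thread for the two things they reveal (the public listener running with client = yes, and the hop to :41952 made with certificate verification disabled), as an added example that is not part of the thread or of stunnel; the parsing and the findings are the example's own, and the sample lines are constructed from the logs above:

```python
"""Triage stunnel log lines for the two problems this thread turns on.

Added example, not code from the thread or from stunnel. It parses the log
format the thread shows ("2015.10.09 12:23:42 LOG6[39]: message") and, per
connection id, records which way the TLS handshake went ("SSL accepted":
stunnel was the TLS server on the accept side; "SSL connected": it was a TLS
client toward the connect target, which is what client = yes produces),
whether that hop skipped certificate checks ("Certificate verification
disabled", which stunnel also flags at startup as "needs authentication to
prevent MITM attacks"), and the negotiated protocol and cipher suite.
The sample lines are constructed from the thread's own log output.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} "
                     r"LOG(?P<level>\d)\[(?P<conn>\w+)\]: (?P<msg>.*)$")
NEG_RE = re.compile(r"Negotiated (?P<proto>\S+) ciphersuite (?P<cipher>\S+)")
CLOSE_RE = re.compile(r"Connection closed: (?P<to_ssl>\d+) byte\(s\) sent to SSL, "
                      r"(?P<to_socket>\d+) byte\(s\) sent to socket")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed from the thread's 12:23 log: the listener ran with client = yes.
SAMPLE_CLIENT_YES = """\
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:21 LOG5[main]: Configuration successful
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
"""
# Constructed from the thread's 12:39 log: the same listener with client = no.
SAMPLE_CLIENT_NO = """\
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""


def parse_line(line):
    """Split one stunnel log line into (level, conn, msg); None if it is not one."""
    m = LINE_RE.match(line.strip())
    return (int(m["level"]), m["conn"], m["msg"]) if m else None


def analyse(lines):
    """Group lines by connection id; return (connections, startup_warnings)."""
    conns = defaultdict(lambda: {"peer": None, "target": None, "role": None,
                                 "verify_disabled": False, "proto": None,
                                 "cipher": None, "to_ssl": None, "to_socket": None})
    startup_warnings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        level, conn, msg = rec
        if conn == "main":
            if level <= 4:  # LOG4 and below are warnings or errors in stunnel
                startup_warnings.append(msg)
            continue
        c = conns[conn]
        if "accepted connection from " in msg:
            c["peer"] = msg.rsplit("from ", 1)[1]
        elif msg.startswith("s_connect: connecting "):
            c["target"] = msg.split(" ", 2)[2]
        elif msg.startswith("SSL accepted"):
            c["role"] = "server"
        elif msg.startswith("SSL connected"):
            c["role"] = "client"
        elif msg == "Certificate verification disabled":
            c["verify_disabled"] = True
        elif (m := NEG_RE.search(msg)):
            c["proto"], c["cipher"] = m["proto"], m["cipher"]
        elif (m := CLOSE_RE.search(msg)):
            c["to_ssl"], c["to_socket"] = int(m["to_ssl"]), int(m["to_socket"])
    return conns, startup_warnings


def findings(conns, startup_warnings, expected_role="server"):
    """Review findings; expected_role is what the stanza should be ("server"
    for an accept = 0.0.0.0:1988 that browsers reach over https)."""
    out = [f"startup: {w}" for w in startup_warnings]
    for cid, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if c["role"] and c["role"] != expected_role:
            out.append(f"conn {cid}: stunnel acted as a TLS {c['role']} toward {c['target']} "
                       f"but this listener should be a TLS {expected_role}; check client = yes/no")
        if c["verify_disabled"]:
            out.append(f"conn {cid}: hop to {c['target']} made without certificate "
                       "verification; set verify and CAfile on that stanza")
        if c["proto"] in LEGACY_PROTOCOLS:
            out.append(f"conn {cid}: legacy {c['proto']} negotiated ({c['cipher']})")
    return out
```

Run `findings(*analyse(SAMPLE_CLIENT_YES.splitlines()))` to see the four findings for the client = yes log; the client = no log from the same listener yields none.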
Yeah, curl works fine (THANK YOU!):
curl https://192.168.2.123:41951/DYMO/DLS/Printing/Check -vk -H "Host: localhost"
<html><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><body style="text-align:center;color:DarkGreen;font-size:2em;"><b>Congratulations! DLS Web Service is up and running. <br/>You can now print from supported web sites.
The biggest problem now is that I connect to this service from a JavaScript framework, and from there it is still not working.
In the meantime I found in stunnel's TODO:
• Add user-defined headers to CONNECT proxy requests in order to impersonate other software (e.g. web browsers).
Maybe this is what I need now?
Regards, Adrian
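The Host check Adrian ran into above, and why curl's -H "Host: localhost" gets past it, as an added model that is not the DLS service's own code (which the thread does not show), nor stunnel's or the thread's code; the allowlist, the request parser and the sample requests are assumptions built from the behaviour observed in the thread:

```python
"""Model of the Host-header check that the service on :41952 appears to apply.

Added example; not the DYMO DLS service's code (not on the page), stunnel's
code, or code from the thread. It is a small allowlist that reproduces what
the thread observed: a request whose Host is "localhost" is served, while
Host values of 127.0.0.1, 192.168.2.123 or the stunnel front end's
192.168.1.17:1988 are refused. A common reason for such a check on a
loopback-only service is that the browser fills in Host from the typed URL,
so refusing anything but "localhost" blocks a hostile page that reaches the
service through a name resolving to 127.0.0.1 (DNS rebinding). A plain
stunnel accept/connect stanza relays the decrypted bytes unchanged, so the
Host the browser typed arrives intact and fails the check, while
curl -H "Host: localhost" passes it.
The sample requests are constructed from the thread's curl output.
"""

ALLOWED_HOSTS = {"localhost"}


def parse_request(raw):
    """Parse the head of an HTTP/1.1 request into (method, path, headers).

    Header names are lower-cased; a malformed request raises ValueError.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("bad header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def host_name(host_header):
    """Strip an optional :port from a Host value, handling [IPv6]:port."""
    h = host_header.strip().lower()
    if h.startswith("[") and "]" in h:
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def handle(raw, allowed=ALLOWED_HOSTS):
    """Return (status, body) the way a Host-checking loopback service would."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError as exc:
        return 400, str(exc)
    if "host" not in headers:
        return 400, "missing Host header"
    if host_name(headers["host"]) not in allowed:
        return 403, f"Host {headers['host']!r} is not an allowed origin for this service"
    if method == "GET" and path == "/DYMO/DLS/Printing/Check":
        return 200, "DLS Web Service is up and running."
    return 404, "not found"


# Constructed: what curl sent through stunnel in the thread (Host taken from the URL)...
REQ_VIA_STUNNEL = ("GET /DYMO/DLS/Printing/Check HTTP/1.1\r\n"
                   "Host: 192.168.1.17:1988\r\nUser-Agent: curl/7.43.0\r\nAccept: */*\r\n\r\n")
# ...and the same request with the header overridden, as with -H "Host: localhost".
REQ_FORCED_HOST = ("GET /DYMO/DLS/Printing/Check HTTP/1.1\r\n"
                   "Host: localhost\r\nUser-Agent: curl/7.43.0\r\nAccept: */*\r\n\r\n")
```

`handle(REQ_VIA_STUNNEL)` returns 403 and `handle(REQ_FORCED_HOST)` returns 200; a real fix is a proxy in front of the service that sets the Host header, since stunnel itself does not edit HTTP.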
Yes. I recall reading about support for custom headers in stunnel. Looks like it's not there yet. Check your framework docs; you may be able to customise the request and add the required header.
Regards
El 10 oct 2015, a las 14:07, Adrián Mihálko adriankoooo@gmail.com escribió:
Yeah, curl works fine (THANK YOU!):
curl https://192.168.2.123:41951/DYMO/DLS/Printing/Check -vk -H "Host: localhost"
<html><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><body style="text-align:center;color:DarkGreen;font-size:2em;"><b>Congratulations! DLS Web Service is up and running. <br/>You can now print from supported web sites.
The biggest problem now, that I connect to this service from a javascript framework. And from there is still not working.
In the meantime I found in stunnel's TODO:
• Add user-defined headers to CONNECT proxy requests in order to impersonate other software (e.g. web browsers).
Maybe this is what I need now?
Regards, Adrian
On 10. 10. 2015, at 21:02, Josealf.rm josealf@rocketmail.com wrote:
You can set the host header in the request using curl. Try adding -H "HOST: localhost" to your command.
Not sure about regular browsers...
Regards Jose
El 10 oct 2015, a las 12:28, Adrián Mihálko adriankoooo@gmail.com escribió:
Thank you for this idea.
The connection is now successful:
But the application on :41952 is blocking the request.
Let me clarify:
The only URL what is working is: https://localhost:41952/DYMO/DLS/Printing/Check https://www.dropbox.com/s/syw5clruyjildyf/Screenshot%202015-10-10%2019.18.23...
Non working URL's:
https://127.0.0.1:41952/DYMO/DLS/Printing/Check https://www.dropbox.com/s/8fc2v1e3gr0ap2q/Screenshot%202015-10-10%2019.19.27...
https://192.168.2.123:41952/DYMO/DLS/Printing/Check https://www.dropbox.com/s/yfkwx1s5acfek38/Screenshot%202015-10-10%2019.20.46...
From remote machine (trough stunnel) I get same error: https://www.dropbox.com/s/cm6l358k948hxhu/Screenshot%202015-10-10%2019.21.23...
Interesting that 127.0.0.1, 192.168.2.123 are also pointing to the localhost and it's not working. I think the web service on :41952 checks the request header? Is there any way to fake this?
Regards, Adrian
On 10. 10. 2015, at 19:06, Jose Alf. josealf@rocketmail.com wrote:
Adrian,
Sorry, I didn't read your original mail carefully. You want to write https://192.168.1.10:1988 and reach your SSL or TLS service that listens on port 4952 of loopback interface on host with IP 192.168.1.10.
You need to 2 stunnel stanzas to achive what you want. Something like:
[myservice] cert = stunnel.pem client = no accept = 0.0.0.0:1988 connect = localhost:1987
[myserviceaux] cert = stunnel.pem client = yes accept = localhost:1987 connect = localhost:4952
If you find this too convoluted, you could try with other reverse proxy software like apache or squid.
With your original config, you should be able to connect using http instead of https, as stunnel is expecting clearr text traffic.
Please try and let us know how it goes.
On Saturday, October 10, 2015 9:58 AM, Josealf.rm josealf@rocketmail.com wrote:
Some clarifications
- Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3 that is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.
- You can do a direct test with curl against you service (local) or openssl s_client.
Regards Jose
El 9 oct 2015, a las 5:44, Adrián Mihálko adriankoooo@gmail.com escribió:
Some good news, I remove client = yes as you suggested:
2015.10.09 12:39:29 LOG5[main]: Configuration successful 2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log 2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read) 2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket 2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671 2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated 2015.10.09 12:39:34 LOG6[60]: No peer certificate received 2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption) 2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0 2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952 2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952 2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached 2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598 2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read) 2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket 2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672 2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated 2015.10.09 12:39:34 LOG6[61]: No peer certificate received 2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption) 2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1 2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952 2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952 2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached 2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599
openssl_client log:
The problem is now that the site loads forever, nothing happens.
(This certificate (:1988) is different from the original one (:41952). Is this not a problem?)
curl test:
$ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
* Trying 192.168.1.17...
* Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
GET /DYMO/DLS/Printing/Check HTTP/1.1
Host: 192.168.1.17:1988
User-Agent: curl/7.43.0
Accept: */*
waiting forever.
2015-10-09 12:34 GMT+02:00 Adrián Mihálko adriankoooo@gmail.com: In the first mail I wrote the ports wrong; of course in the log I am using the right ones.
[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:41952
2015-10-09 12:32 GMT+02:00 Adrián Mihálko adriankoooo@gmail.com: Sorry, curl was only for testing.
Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
CONNECTED(00000003)
1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:21 LOG5[main]: Configuration successful
2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
If I am connecting to the :41952:
openssl s_client -connect 192.168.1.17:41952 ...
No client certificate CA names sent
SSL handshake has read 1724 bytes and written 712 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
...
2015-10-09 10:55 GMT+02:00 test rig testrig@z1p.biz:
Ouch #2 missing...
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
You are connecting to :9999 with curl(?). Try to verify it via the "openssl s_client -connect yourserverip:1988" command.
Best Regards Michael
--- Original Message --- From: "test rig" testrig@z1p.biz Date: 09.10.2015 09:48:02 To: "stunnel-users@stunnel.org." stunnel-users@stunnel.org Subject: Re: [stunnel-users] (no subject)
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server --- Original Message --- From: Adrián Mihálko Date: 09.10.2015 08:15:19 To: stunnel-users@stunnel.org Subject: [stunnel-users] (no subject)
Dear stunnel users,
I have a little service which listens only on https://localhost:4952 and checks the source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952"
https://192.168.1.10:1988 -> redirect https://localhost:4952
I am trying to configure stunnel like this
[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:4952
remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
* Trying 192.168.1.25...
* Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
* WARNING: using IP address, SNI is being disabled by the OS.
* Unknown SSL protocol error in connection to 192.168.1.25:-9847
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
stunnel.log:
2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
I tried verify = 1 to 4; none of them works. :(
Best Regards, Adrian
powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure internet.
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
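To read logs like the ones quoted in this thread, here is an added example (not from the thread and not stunnel's own code) that groups stunnel log lines by connection id and uses the "SSL accepted/connected" line together with the closing byte counters to say which side spoke TLS and whether the backend ever answered. The sample lines are constructed in the thread's log format (the accept/connect lines for id 57 are reconstructed, not copied), and the wording of diagnose() is this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in stunnel's log format: one server-mode connection whose
# decrypted request went to the backend (445 bytes) but got nothing back (0 bytes).
SAMPLE = """\
2015.10.09 12:39:34 LOG5[57]: Service [myservice] accepted connection from 192.168.1.25:49670
2015.10.09 12:39:34 LOG6[57]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG5[57]: s_connect: connected ::1:41952
2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
"""

@dataclass
class Conn:
    peer: str = ""      # remote client stunnel accepted from
    target: str = ""    # backend stunnel connected to
    tls: str = ""       # "accepted" = server mode, "connected" = client mode
    to_ssl: int = -1    # bytes stunnel wrote to the TLS side
    to_sock: int = -1   # bytes stunnel wrote to the plaintext side

# stunnel log line: "YYYY.MM.DD HH:MM:SS LOG<level>[<conn id>]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[(\w+)\]: (.*)$")
PEER_RE = re.compile(r"accepted connection from (\S+)")
TARGET_RE = re.compile(r"s_connect: connected (\S+)")
TLS_RE = re.compile(r"^SSL (accepted|connected): new session")
CLOSED_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")

def parse_stunnel_log(text):
    """Group log lines by connection id; [main] lines carry no per-connection data."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) == "main":
            continue
        c, msg = conns.setdefault(m.group(1), Conn()), m.group(2)
        if x := PEER_RE.search(msg):
            c.peer = x.group(1)
        elif x := TARGET_RE.search(msg):
            c.target = x.group(1)
        elif x := TLS_RE.search(msg):
            c.tls = x.group(1)
        elif x := CLOSED_RE.search(msg):
            c.to_ssl, c.to_sock = int(x.group(1)), int(x.group(2))
    return conns

def diagnose(c):
    """Verdict from which side spoke TLS and how many bytes each side received."""
    if c.tls == "accepted" and c.to_sock > 0 and c.to_ssl == 0:
        return "server mode: decrypted request reached the backend, nothing came back"
    if c.tls == "connected" and c.to_ssl > 0 and c.to_sock > 0:
        return "client mode: data flowed both ways over the TLS leg to the backend"
    return "inconclusive: check that a TLS session line exists for this id"
```

A "nothing came back" verdict in server mode is what to expect when the backend behind `connect` only speaks TLS itself, since it receives the forwarded request as plaintext.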