I see that you have client = yes in the config file.
When client = yes is set outside a service block, it becomes a global setting that tells all the services it tunnels that they are clients and not servers.
If you specify client = yes within a service, e.g.
[pop3s]
client = yes
accept = 995
connect = 110
then stunnel knows that the specified service alone is a client.
What I recommend is that you disable the client = yes in the global area and change your config file to something like this:
I have removed the comments to shorten the config for explanation:
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CRLpath = crls
CRLfile = certnew.pem
debug = 7
output = stunnel.log
;client = yes

[https]
accept = 443
connect = 192.168.0.5:443
TIMEOUTclose = 0
Try using this as your config and see if it works or not.
Cheers
Craig
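Added example (not from the thread and not stunnel's own code) showing the scoping rule Craig describes: a service-level option such as client written before the first [service] section becomes the default for every service, and the same option inside a [service] section overrides it for that service only. The parser below is a small hand-written one, because stunnel.conf allows repeated keys (the two socket lines) and ';' comments; the GLOBAL_ONLY set is a partial list of options stunnel accepts only in the global section, and SAMPLE_CONF is constructed from the configuration posted in the thread, with an extra [pop3s] section added to show a per-service override.

```python
"""Resolve the effective per-service settings of an stunnel.conf.

Illustration written for this thread, not stunnel's own code.  The scoping
rule modelled: options before the first [service] header are global; the
service-level ones among them (client, verify, cert, ...) act as defaults
for every service, and a copy inside a [service] section overrides the
default for that service alone.
"""
import re

# Partial list of options stunnel only accepts in the global section.
# They never propagate into services; everything else is treated as
# service-level here.
GLOBAL_ONLY = {"debug", "output", "foreground", "pid", "setuid", "setgid",
               "chroot", "taskbar"}

# Constructed from the config posted in the thread, plus a [pop3s] section
# that overrides the global client = yes to show the per-service scope.
SAMPLE_CONF = """\
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CRLpath = crls
CRLfile = certnew.pem
debug = 7
output = stunnel.log
client = yes          ; set globally: default for all services

[https]
accept = 443
connect = 192.168.0.5:443
TIMEOUTclose = 0

[pop3s]
client = no           ; service-level override wins for this service only
accept = 995
connect = 110
"""


def parse(text):
    """Return (global_opts, services); each maps option -> list of values,
    since stunnel allows some options (e.g. socket) to repeat."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        if current is not global_opts and key in GLOBAL_ONLY:
            raise ValueError("%s is global-only but appears in a service" % key)
        current.setdefault(key, []).append(value)
    return global_opts, services


def effective(global_opts, services):
    """Per service: option -> (value, 'global' | 'service'), the last
    occurrence winning, with global defaults overridden by the service."""
    defaults = {k: v for k, v in global_opts.items() if k not in GLOBAL_ONLY}
    result = {}
    for name, opts in services.items():
        merged = {k: (v[-1], "global") for k, v in defaults.items()}
        merged.update({k: (v[-1], "service") for k, v in opts.items()})
        result[name] = merged
    return result


def mode(service_opts):
    """stunnel defaults to client = no, i.e. server (TLS-terminating) mode."""
    value, _source = service_opts.get("client", ("no", "default"))
    return "client" if value.lower() == "yes" else "server"


def report(text):
    """One human-readable line per service, flagging where client came from
    and whether peer certificates are verified at all (verify unset means
    stunnel does not check the peer certificate)."""
    eff = effective(*parse(text))
    lines = []
    for name, opts in eff.items():
        _value, source = opts.get("client", ("no", "default"))
        verify = opts.get("verify", ("unset: peer certificate not checked", "default"))[0]
        lines.append("[%s] %s mode (client set at %s level); verify = %s"
                     % (name, mode(opts), source, verify))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

Run against Dan's config, report() shows [https] in client mode with client coming from the global level, which is what Craig points at; it also shows that verify is unset, so the tunnel to 192.168.0.5:443 is encrypted but the server's certificate is never checked.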
From: Dan Vespa [mailto:dan@sideshow.sytes.net] Sent: 19 November 2007 05:07 PM To: Craig Retief Subject: RE: [stunnel-users] Stunnel and Outlook Web Access Problems
Craig,
Here it is....
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
;cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = crls
; It's often easier to use CAfile
;CAfile = certnew.pem
; Don't forget to c_rehash CRLpath
CRLpath = crls
; Alternatively you can use CRLfile
CRLfile = certnew.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

[https]
accept = 443
connect = 192.168.0.5:443
TIMEOUTclose = 0

; vim:ft=dosini
_____
From: Craig Retief Sent: Mon 19/11/2007 9:54 AM To: 'Dan Vespa' Cc: stunnel-users@mirt.net Subject: RE: [stunnel-users] Stunnel and Outlook Web Access Problems
Please Post your stunnel configs.
Makes life easier.
Cheers
Craig
From: Dan Vespa [mailto:dan@sideshow.sytes.net] Sent: 19 November 2007 03:35 PM To: Craig Subject: RE: [stunnel-users] Stunnel and Outlook Web Access Problems
Craig,
I set the debug level higher and this is what my log outputs....
2007.11.19 08:25:54 LOG7[1596:2656]: RAND_status claims sufficient entropy for the PRNG
2007.11.19 08:25:54 LOG7[1596:2656]: PRNG seeded successfully
2007.11.19 08:25:54 LOG7[1596:2656]: SSL context initialized for service https
2007.11.19 08:25:54 LOG5[1596:2656]: stunnel 4.21 on x86-pc-mingw32-gnu with OpenSSL 0.9.8g 19 Oct 2007
2007.11.19 08:25:54 LOG5[1596:2656]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.11.19 08:25:54 LOG5[1596:3012]: No limit detected for the number of clients
2007.11.19 08:25:54 LOG7[1596:3012]: FD 188 in non-blocking mode
2007.11.19 08:25:54 LOG7[1596:3012]: SO_REUSEADDR option set on accept socket
2007.11.19 08:25:54 LOG7[1596:3012]: https bound to 0.0.0.0:443
2007.11.19 08:26:32 LOG7[1596:3012]: https accepted FD=236 from 127.0.0.1:1409
2007.11.19 08:26:32 LOG7[1596:3012]: Creating a new thread
2007.11.19 08:26:32 LOG7[1596:3012]: New thread created
2007.11.19 08:26:32 LOG7[1596:2576]: https started
2007.11.19 08:26:32 LOG7[1596:2576]: FD 236 in non-blocking mode
2007.11.19 08:26:32 LOG7[1596:2576]: TCP_NODELAY option set on local socket
2007.11.19 08:26:32 LOG5[1596:2576]: https accepted connection from 127.0.0.1:1409
2007.11.19 08:26:32 LOG7[1596:2576]: FD 260 in non-blocking mode
2007.11.19 08:26:32 LOG7[1596:2576]: https connecting 192.168.0.5:443
2007.11.19 08:26:32 LOG7[1596:2576]: connect_wait: waiting 10 seconds
2007.11.19 08:26:32 LOG7[1596:2576]: connect_wait: connected
2007.11.19 08:26:32 LOG5[1596:2576]: https connected remote server from 192.168.0.24:1410
2007.11.19 08:26:32 LOG7[1596:2576]: Remote FD=260 initialized
2007.11.19 08:26:32 LOG7[1596:2576]: TCP_NODELAY option set on remote socket
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): before/connect initialization
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 write client hello A
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 read server hello A
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 read server certificate A
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 read server done A
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 write client key exchange A
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 write change cipher spec A
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 write finished A
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 flush data
2007.11.19 08:26:32 LOG7[1596:2576]: SSL state (connect): SSLv3 read finished A
2007.11.19 08:26:32 LOG7[1596:2576]: 1 items in the session cache
2007.11.19 08:26:32 LOG7[1596:2576]: 1 client connects (SSL_connect())
2007.11.19 08:26:32 LOG7[1596:2576]: 1 client connects that finished
2007.11.19 08:26:32 LOG7[1596:2576]: 0 client renegotiations requested
2007.11.19 08:26:32 LOG7[1596:2576]: 0 server connects (SSL_accept())
2007.11.19 08:26:32 LOG7[1596:2576]: 0 server connects that finished
2007.11.19 08:26:32 LOG7[1596:2576]: 0 server renegotiations requested
2007.11.19 08:26:32 LOG7[1596:2576]: 0 session cache hits
2007.11.19 08:26:32 LOG7[1596:2576]: 0 session cache misses
2007.11.19 08:26:32 LOG7[1596:2576]: 0 session cache timeouts
2007.11.19 08:26:32 LOG6[1596:2576]: SSL connected: new session negotiated
2007.11.19 08:26:32 LOG6[1596:2576]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.11.19 08:26:53 LOG7[1596:3012]: https accepted FD=288 from 127.0.0.1:1411
2007.11.19 08:26:53 LOG7[1596:3012]: Creating a new thread
2007.11.19 08:26:53 LOG7[1596:3012]: New thread created
2007.11.19 08:26:53 LOG7[1596:1060]: https started
2007.11.19 08:26:53 LOG7[1596:1060]: FD 288 in non-blocking mode
2007.11.19 08:26:53 LOG7[1596:1060]: TCP_NODELAY option set on local socket
2007.11.19 08:26:53 LOG5[1596:1060]: https accepted connection from 127.0.0.1:1411
2007.11.19 08:26:53 LOG7[1596:1060]: FD 312 in non-blocking mode
2007.11.19 08:26:53 LOG7[1596:1060]: https connecting 192.168.0.5:443
2007.11.19 08:26:53 LOG7[1596:1060]: connect_wait: waiting 10 seconds
2007.11.19 08:26:53 LOG7[1596:1060]: connect_wait: connected
2007.11.19 08:26:53 LOG5[1596:1060]: https connected remote server from 192.168.0.24:1412
2007.11.19 08:26:53 LOG7[1596:1060]: Remote FD=312 initialized
2007.11.19 08:26:53 LOG7[1596:1060]: TCP_NODELAY option set on remote socket
2007.11.19 08:26:53 LOG7[1596:1060]: SSL state (connect): before/connect initialization
2007.11.19 08:26:53 LOG7[1596:1060]: SSL state (connect): SSLv3 write client hello A
2007.11.19 08:26:53 LOG7[1596:1060]: SSL state (connect): SSLv3 read server hello A
2007.11.19 08:26:53 LOG7[1596:1060]: SSL state (connect): SSLv3 read finished A
2007.11.19 08:26:53 LOG7[1596:1060]: SSL state (connect): SSLv3 write change cipher spec A
2007.11.19 08:26:53 LOG7[1596:1060]: SSL state (connect): SSLv3 write finished A
2007.11.19 08:26:53 LOG7[1596:1060]: SSL state (connect): SSLv3 flush data
2007.11.19 08:26:53 LOG7[1596:1060]: 1 items in the session cache
2007.11.19 08:26:53 LOG7[1596:1060]: 2 client connects (SSL_connect())
2007.11.19 08:26:53 LOG7[1596:1060]: 2 client connects that finished
2007.11.19 08:26:53 LOG7[1596:1060]: 0 client renegotiations requested
2007.11.19 08:26:53 LOG7[1596:1060]: 0 server connects (SSL_accept())
2007.11.19 08:26:53 LOG7[1596:1060]: 0 server connects that finished
2007.11.19 08:26:53 LOG7[1596:1060]: 0 server renegotiations requested
2007.11.19 08:26:53 LOG7[1596:1060]: 1 session cache hits
2007.11.19 08:26:53 LOG7[1596:1060]: 0 session cache misses
2007.11.19 08:26:53 LOG7[1596:1060]: 0 session cache timeouts
2007.11.19 08:26:53 LOG6[1596:1060]: SSL connected: previous session reused
2007.11.19 08:26:53 LOG7[1596:1060]: SSL socket closed on SSL_read
2007.11.19 08:26:53 LOG7[1596:1060]: Socket write shutdown
2007.11.19 08:26:53 LOG5[1596:1060]: Connection closed: 70 bytes sent to SSL, 164 bytes sent to socket
2007.11.19 08:26:53 LOG7[1596:1060]: https finished (1 left)
2007.11.19 08:27:53 LOG3[1596:2576]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2007.11.19 08:27:53 LOG5[1596:2576]: Connection reset: 1102 bytes sent to SSL, 1241 bytes sent to socket
2007.11.19 08:27:53 LOG7[1596:2576]: https finished (0 left)
Does this make any sense to you????
Dan
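Added example (not from the thread and not stunnel's own code) for reading a debug-level stunnel log like the one above. Every line is tagged LOG<level>[pid:thread], and each tunnelled connection is handled by one thread, so grouping by thread id rebuilds the life of each connection: where it was accepted from, where it connected to, whether the TLS session was new or resumed, which cipher suite and protocol were negotiated, how long it lived, and whether it ended with a clean close or a reset. SAMPLE_LOG is a constructed excerpt of the log posted above; the message patterns are those of the stunnel 4.x lines shown in the thread, and the weak-cipher rule is this example's own.

```python
"""Per-connection triage of an stunnel debug log.

Illustration written for this thread, not stunnel's own code.  Groups the
LOG<level>[pid:thread] lines by thread id, which stunnel 4.x uses one-per-
connection, and summarises each connection.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed excerpt of the log posted in the thread (two connections).
SAMPLE_LOG = """\
2007.11.19 08:26:32 LOG5[1596:2576]: https accepted connection from 127.0.0.1:1409
2007.11.19 08:26:32 LOG7[1596:2576]: https connecting 192.168.0.5:443
2007.11.19 08:26:32 LOG6[1596:2576]: SSL connected: new session negotiated
2007.11.19 08:26:32 LOG6[1596:2576]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.11.19 08:26:53 LOG7[1596:3012]: https accepted FD=288 from 127.0.0.1:1411
2007.11.19 08:26:53 LOG5[1596:1060]: https accepted connection from 127.0.0.1:1411
2007.11.19 08:26:53 LOG7[1596:1060]: https connecting 192.168.0.5:443
2007.11.19 08:26:53 LOG6[1596:1060]: SSL connected: previous session reused
2007.11.19 08:26:53 LOG5[1596:1060]: Connection closed: 70 bytes sent to SSL, 164 bytes sent to socket
2007.11.19 08:27:53 LOG3[1596:2576]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2007.11.19 08:27:53 LOG5[1596:2576]: Connection reset: 1102 bytes sent to SSL, 1241 bytes sent to socket
"""

LINE = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^(\S+) accepted connection from (\S+)$")
CONNECT = re.compile(r"^(\S+) connecting (\S+)$")
CIPHER = re.compile(r"^Negotiated ciphers: (\S+) (\S+)")
CLOSE = re.compile(r"^Connection (closed|reset): (\d+) bytes sent to SSL, (\d+) bytes sent to socket$")

# This example's own rule for what counts as weak: broken ciphers/MACs or
# a pre-TLS protocol version.
WEAK_CIPHER = re.compile(r"RC4|MD5|DES|NULL|EXP")
WEAK_PROTO = {"SSLv2", "SSLv3"}


@dataclass
class Conn:
    thread: str
    service: str = ""
    peer: str = ""            # who connected to stunnel's accept port
    remote: str = ""          # where stunnel connected onward
    session: str = ""         # "new" or "reused"
    cipher: str = ""          # only logged when a session is newly negotiated
    protocol: str = ""
    outcome: str = "open"     # "closed", "reset", or "open" if never ended
    to_ssl: int = 0
    to_socket: int = 0
    errors: List[str] = field(default_factory=list)   # LOG3 and below
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def seconds(self):
        if self.start is None or self.end is None:
            return None
        return (self.end - self.start).total_seconds()

    def weak(self):
        # A resumed session logs no cipher line; it inherits the cipher of
        # the session it resumed, so judge that earlier connection instead.
        return bool(WEAK_CIPHER.search(self.cipher)) or self.protocol in WEAK_PROTO


def summarize(text):
    """Map thread id -> Conn for every connection the log shows."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # not an stunnel log line
        ts, level, _pid, tid, msg = m.groups()
        when = datetime.strptime(ts, "%Y.%m.%d %H:%M:%S")
        a = ACCEPT.match(msg)
        if a:
            conns[tid] = Conn(thread=tid, service=a.group(1), peer=a.group(2), start=when)
            continue
        c = conns.get(tid)
        if c is None:
            continue                       # listener thread or pre-accept noise
        if (a := CONNECT.match(msg)):
            c.remote = a.group(2)
        elif msg == "SSL connected: new session negotiated":
            c.session = "new"
        elif msg == "SSL connected: previous session reused":
            c.session = "reused"
        elif (a := CIPHER.match(msg)):
            c.cipher, c.protocol = a.group(1), a.group(2)
        elif (a := CLOSE.match(msg)):
            c.outcome, c.to_ssl, c.to_socket = a.group(1), int(a.group(2)), int(a.group(3))
            c.end = when
        elif int(level) <= 3:
            c.errors.append(msg)
    return conns


if __name__ == "__main__":
    for c in summarize(SAMPLE_LOG).values():
        print("thread %s: %s -> %s, session %s, %s %s, %s after %ss, %d/%d bytes, weak=%s"
              % (c.thread, c.peer, c.remote, c.session, c.cipher or "-", c.protocol or "-",
                 c.outcome, c.seconds(), c.to_ssl, c.to_socket, c.weak()))
```

On the posted log this separates the two connections cleanly: thread 2576 negotiated a fresh SSLv3 RC4-MD5 session and was reset by 192.168.0.5 after 81 seconds with 1102 bytes sent towards the server; thread 1060 resumed that session and closed cleanly within the same second after a 70-byte request and a 164-byte reply. Read together with a browser's view, that tells you whether the stall Dan describes happens on the TLS side (nothing after the handshake) or on the plaintext side (data flowed, then the server hung up).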
_____
From: Craig Sent: Mon 19/11/2007 1:34 AM To: stunnel-users@mirt.net Subject: Re: [stunnel-users] Stunnel and Outlook Web Access Problems
OWA rewrites the URL when you log in and I have found that it causes problems when doing that with a Stunnel connection.
What I think might be happening is that your initial connection says http://server.tld/ then when you log in OWA rewrites the URL to https://server.tld/
What I think is happening is that your stunnel is listening on port 80 and when you log in, OWA changes the listening port in the browser to port 443.
Try running the listening server (stunnel server) to listen on port 443 instead of port 80 and see if that fixes the problem.
Cheers
Craig
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Dan Vespa Sent: 17 November 2007 07:21 PM To: stunnel-users@mirt.net Subject: [stunnel-users] Stunnel and Outlook Web Access Problems
I am trying to use the latest version of stunnel to connect to OWA. I set stunnel to listen on port 80 (localhost) and then connect to myserverip on port 443. I get the login screen but can go no further after I enter my credentials and click OK. Checking the stunnel log screen, it shows that a connect has been made? I don't understand why it won't connect any further?? OWA is on Exchange Server 2003 and I am using Windows XP SP2. I have also updated to the latest version of OpenSSL.
Thanks in Advance.
Dan