Hello, I am new to STunnel and I am running into a problem. Here is my setup.
I use an ASUS router with Merlin firmware. I have STunnel installed via Entware on this router.
Running "stunnel -version" gives me:
stunnel 5.41 on mipsel-openwrt-linux-gnu platform
Compiled/running with OpenSSL 1.0.2k 26 Jan 2017
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
RNDbytes               = 64
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:!DH:!aNULL:!SSLv2 (with "fips = no")
curve                  = prime256v1
debug                  = daemon.notice
logId                  = sequential
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none
-------------------------------------------------------------------------------------------
I use my own server certificate signed by my own CA. This cert has the proper SANs with correct DNS/IP entries. I use this server certificate both for my router's HTTPS web gui and for the "cert" and "key" files listed in the config file below. Also, the "CAfile" in the config is pointing to my Root CA's certificate. My Root CA is also imported in my Windows box's certificate store.
I can directly access my router's web gui from LAN side via these ports: 80 (HTTP), 2000 (HTTPS). Router's LAN subnet is 10.49.49.0/24 and the router's WAN IP is 10.76.5.3 (it is double NAT for testing, this router is for testing) Also, STunnel is running as a server accepting connections on port 443 (all interfaces) on the router.
-------------------------------------------------------------------------------------------
I want to use Chrome directly as an STunnel client on my Windows box. So, I don't run STunnel on my Windows box in the client mode.
SITUATION 1: WORKS FINE!!
-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443". This should forward to the router's port 80 (HTTP protocol used).
My STunnel config file on the router has:
setuid = nobody
setgid = nobody
foreground = yes
syslog = yes
debug = 7

[Test-Service]
accept = 443
connect = 10.49.49.1:80
requireCert = yes
verifyChain = yes
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
cert = /mnt/Merlin/entware/etc/stunnel/server.crt
key = /mnt/Merlin/entware/etc/stunnel/server.key
SITUATION 2: DOES NOT WORK!!
-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443". This should forward to the router's port 2000 (HTTPS protocol used).
There is only one change from the Situation 1 config file. The line for "connect" changed to "connect = 10.49.49.1:2000".
This does not work. Note that I can directly access my router's web gui over https with "https://LAN_IP:2000" via Chrome, with no warnings.
-------------------------------------------------------------------------------
My thoughts:
So, my current path is Chrome (acting as STunnel client) --> STunnel server (on the router) --> Router's web GUI. The "Chrome --> STunnel server" connection is fine. Chrome prompts for the private key and the STunnel server correctly shows this incoming Chrome connection.
The problem is the "STunnel Server --> Router" relay that uses HTTPS protocol.
1. STunnel does not like HTTPS to HTTPS relay. HTTP to HTTPS works, but not HTTPS to HTTPS.
2. The STunnel server on my router is a client to my router's web GUI. Is STunnel verifying the certificate of my router's HTTPS certificate?
3. If the above answer is yes, my guess is that STunnel sees a self-signed certificate for this router and kills the connection?
4. How do I tell the STunnel server to ignore certificate warnings for a remote connection, like when connecting to this router?
5. Or how do I explicitly tell STunnel to trust my Root CA while making this connection to my router? I couldn't find any options in STunnel for this.
Regards,
Dipen Doshi
Hi,
Chrome is not able to know that behind the SSL connection there will be another SSL connection and not plain HTTP, that's your problem.
In order to achieve your goal for point 2 (btw I don't think that this kind of configuration has any sense honestly) you need to run an instance of stunnel in client mode on your computer that connects to the 443 endpoint of the stunnel server. Then it will listen on a port that you decide (i.e. 8443). At this point you have to point Chrome to https://localhost:8443 and all will work *but* with some problems about certificates. This time Chrome will get a handshake with the webserver and not with the stunnel server.
I hope that you understand that this is not a normal configuration and there is no need to double encrypt the HTTP connection.
Kind regards.
-- Manuele
Yes, SSL over SSL was more of an academic exercise, rather than a practical concern. But, thanks for the explanation. Chrome encrypts the connection, sends it to the STunnel server, which then decrypts. This means that any traffic flowing out of STunnel server past this point is non-SSL. The STunnel server then makes a connection to my router's HTTPS port 443. This fails because the HTTPS server expects SSL traffic over 443, but the actual traffic it gets is not SSL and hence, rejects the connection. I think I am understanding it correctly.
I followed your suggestion to run an STunnel client on my computer and Chrome going via it and it works. Alternatively, inserting an instance of STunnel client between the STunnel server and HTTPS server (all 3 running on the router) also works.
On a related note, while reading the documentation, I came across the "protocol" configuration parameter. One of the values it can take is "connect". I haven't had the chance to test it, but it is intriguing. I am wondering if putting "protocol = connect" in my STunnel server's service options will force STunnel to make an HTTPS connection to the HTTPS server... Any idea?
Thanks,
Dipen Doshi
From: Manuele Trimarchi info@trimarchimanuele.it
Sent: Monday, October 2, 2017 12:32 AM
To: Dipen Doshi; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Using Chrome directly as an STunnel Client to connect to an STunnel Server
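As an added example (not a config posted by anyone in this thread), here is the second alternative Dipen reports working, written out as a single stunnel.conf on the router: the server-side service terminates Chrome's TLS and hands plaintext to a local client-mode service, which re-encrypts it towards the web GUI on port 2000. The loopback port 8081 and the assumption that 10.49.49.1 is among the IP SANs of the server certificate are mine; the file paths, ports and addresses are the ones given in the thread.

```ini
; Router-side stunnel.conf (Entware). Global options as in the original post.
setuid = nobody
setgid = nobody
foreground = yes
syslog = yes
debug = 7

[Test-Service]
; Server-mode service: Chrome connects to https://WAN_IP:443 with its
; client certificate. TLS is terminated here, so whatever leaves this
; service towards "connect" is plaintext. That is why pointing "connect"
; straight at the HTTPS port 2000 failed: the GUI expected a TLS
; ClientHello and received plain HTTP instead.
accept = 443
connect = 127.0.0.1:8081
requireCert = yes
verifyChain = yes
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
cert = /mnt/Merlin/entware/etc/stunnel/server.crt
key = /mnt/Merlin/entware/etc/stunnel/server.key

[Relay-To-WebGUI]
; Client-mode service: takes the plaintext on the loopback port and wraps
; it in a fresh TLS session towards the router's HTTPS GUI. Only a
; client-mode service verifies the remote server, so the CA pinning and
; the SAN check live here, not in [Test-Service].
client = yes
accept = 127.0.0.1:8081
connect = 10.49.49.1:2000
; Trust only the private root CA that signed the GUI's certificate
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
verifyChain = yes
; Assumed: the GUI certificate carries 10.49.49.1 as an IP SAN; if it does
; not, stunnel will refuse the connection here and log it at debug = 7
checkIP = 10.49.49.1
```

The first service never sees a certificate from port 2000, so it cannot "ignore" or "trust" one; the verification options only have an effect on the client-mode leg.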
Hi,
As you can see in the documentation (https://www.stunnel.org/static/stunnel.html), the "connect" value for the "protocol" parameter is only possible when you are configuring your stunnel service *only* in *client* mode. So no, that's not the case.
Kind regards