Hi, Mike!
I have analyzed your fix and found a mistake :( We will switch to the target SNI section only after init_ssl(c), thereby init_remote(c) will connect to the wrong destination.
    if(!c->opt->option.client && c->opt->protocol<0
#ifndef OPENSSL_NO_TLSEXT
            && !c->opt->servername_list_head
#endif
            ) { /* server mode and no protocol negotiation needed */
        init_ssl(c);
        init_remote(c);
    } else { /* client mode or protocol negotiation enabled */
        protocol(c, PROTOCOL_PRE_CONNECT);
        init_remote(c);        <<<<<<<<<< Incorrect destination
        protocol(c, PROTOCOL_PRE_SSL);
        init_ssl(c);           <<<<<<<<<<< switch to target SNI config section only there
        protocol(c, PROTOCOL_POST_SSL);
    }
/Alexey V. Drozdov e-mail: anyquist@yandex.ru
Hi Alexey,
For protocols that require interaction with unencrypted SSL this would boil down to a classic chicken-and-egg problem. Fortunately, the PROXY protocol is not one of them. The following patch should fix your problem:
--- protocol.c.orig 2014-04-10 18:20:17.000000000 +0200 +++ protocol.c 2014-04-10 18:20:52.000000000 +0200 @@ -75,7 +75,7 @@ FUNCTION func; } handlers[2]; } protocols[]={ - {"proxy", {{PROTOCOL_PRE_SSL, proxy_server}, {PROTOCOL_PRE_SSL, NULL}}}, + {"proxy", {{PROTOCOL_POST_SSL, proxy_server}, {PROTOCOL_PRE_SSL, NULL}}}, {"cifs", {{PROTOCOL_PRE_CONNECT, cifs_server}, {PROTOCOL_PRE_SSL, cifs_client}}}, {"pgsql", {{PROTOCOL_PRE_CONNECT, pgsql_server}, {PROTOCOL_PRE_SSL, pgsql_client}}}, {"smtp", {{PROTOCOL_PRE_SSL, smtp_server}, {PROTOCOL_PRE_SSL, smtp_client}}},
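Review bot: moving proxy_server from PROTOCOL_PRE_SSL to PROTOCOL_POST_SSL changes when the PROXY header is written to the backend, but by itself it does not change the ordering Alexey quoted, where any configured protocol takes the else branch and calls init_remote(c) before init_ssl(c), so the backend is still chosen before the SNI section switch. Please confirm that the dispatch in client.c routes a server-side protocol whose only server-stage handler is PROTOCOL_POST_SSL through the init_ssl-first branch (for example by treating such a protocol like `c->opt->protocol<0` in that condition); otherwise the patch moves the header but not the connection. The unchanged client-side entry `{PROTOCOL_PRE_SSL, NULL}` is fine, since there is no proxy client handler.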
Mike
On 2014-04-09 00:48, Alexey V. Drozdov wrote: