We have an STunnel configuration running to take encrypted TLS traffic from customers and pass it to our application unencrypted. We have purchased a CA signed certificate, but we are receiving an error when negotiating. We have tried many searches/configurations with no progress.
STunnel General Config
; ************************************************************************** ; * Global options * ; **************************************************************************
; Debugging stuff (may be useful for troubleshooting) debug = debug output = stunnel.log
; Enable FIPS 140-2 mode if needed for compliance ;fips = yes
; Microsoft CryptoAPI engine allows for authentication with private keys ; stored in the Windows certificate store ; Each section using this feature also needs the "engineId = capi" option ;engine = capi ; You also need to disable TLS 1.2 or later, because the CryptoAPI engine ; currently does not support PSS
;sslVersionMin = TLSv1.2 sslVersionMax = TLSv1.2
; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later ;securityLevel = 0
ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-;RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-;SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-;AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256
curves = X25519:P-256:X448:P-521:P-384
; The pkcs11 engine allows for authentication with cryptographic ; keys isolated in a hardware or software token ; MODULE_PATH specifies the path to the pkcs11 module shared library, ; such as softhsm2-x64.dll or opensc-pkcs11.dll ; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules ; Each section using this feature also needs the "engineId = pkcs11" option ;engine = pkcs11 ;engineCtrl = MODULE_PATH:softhsm2-x64.dll ;engineCtrl = PIN:1234
; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; **************************************************************************
; Enable support for the insecure SSLv3 protocol options = -NO_SSLv3
; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE
; ************************************************************************** ; * Include all configuration file fragments from the specified folder * ; **************************************************************************
;include = conf.d
STunnel Service Specific Config ; TLS front-end to a web server [https] accept = 27015 connect = 172.31.4.10:9000 cert = mycert.pem key = mycert.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks TIMEOUTclose = 0
STunnel Debug 2022.10.15 11:16:08 LOG6[769]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2022.10.15 11:16:08 LOG3[769]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2022.10.15 11:16:08 LOG7[769]: Compression: null, expansion: null 2022.10.15 11:16:08 LOG7[769]: Deallocating application specific data for session connect address 2022.10.15 11:16:08 LOG6[769]: s_connect: connecting x.x.x.x:9000 2022.10.15 11:16:08 LOG7[769]: s_connect: s_poll_wait x.x.x.x:9000: waiting 10 seconds 2022.10.15 11:16:08 LOG7[769]: FD=792 ifds=--- ofds=r-- 2022.10.15 11:16:08 LOG7[769]: FD=888 ifds=rwx ofds=--- 2022.10.15 11:16:08 LOG5[769]: s_connect: connected x.x.x.x:9000 2022.10.15 11:16:08 LOG6[769]: persistence: x.x.x.x:9000 cached 2022.10.15 11:16:08 LOG5[769]: Service [https] connected remote server from x.x.x.x:52720 2022.10.15 11:16:08 LOG7[769]: Setting remote socket options (FD=888) 2022.10.15 11:16:08 LOG7[769]: Option TCP_NODELAY set on remote socket 2022.10.15 11:16:08 LOG7[769]: Remote descriptor (FD=888) initialized 2022.10.15 11:16:09 LOG6[769]: SSL_read: Socket is closed 2022.10.15 11:16:09 LOG6[769]: TLS socket closed (SSL_read) 2022.10.15 11:16:09 LOG7[769]: Sent socket write shutdown
Any assistance would be GREATLY appreciated!
Thank you. _________________________________ Gary Jackson | Senior Systems Engineer Direct: 502.777.1940
IT GUY NETWORKS LLC | Certified Systems Consultants 14607 Lake Bluff Place Louisville, KY 40245
The information contained in this email, and in any accompanying documents, constitutes confidential information, which belongs to IT Guy Networks. This information is intended for the use of the individual(s) or entity named above. You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on this information, is strictly prohibited.
2nd and third lines of the log suggest that the client end could not negotiate a compatible encryption method, and your stunnel config appears to only have GCM ciphers enabled. Do you have a very old client that can only do CBC mode encryption?
-- Mike Spooner
Thank you very much for your help. Doesn't the TLS negotiation below at the line "TLS accepted: New Session Negotiated"?
2022.10.15 15:04:28 LOG7[main]: New thread created 2022.10.15 15:04:28 LOG7[149]: Service [https] started 2022.10.15 15:04:28 LOG7[149]: Setting local socket options (FD=728) 2022.10.15 15:04:28 LOG7[149]: Option TCP_NODELAY set on local socket 2022.10.15 15:04:28 LOG5[149]: Service [https] accepted connection from x.x.x.x:64014 2022.10.15 15:04:28 LOG6[149]: Peer certificate not required 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): before SSL initialization 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): before SSL initialization 2022.10.15 15:04:28 LOG7[149]: Decrypt session ticket callback 2022.10.15 15:04:28 LOG7[149]: Initializing application specific data for session authenticated 2022.10.15 15:04:28 LOG7[149]: SNI: no virtual services defined 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read client hello 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server hello 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write certificate 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write key exchange 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server done 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server done 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read client key exchange 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read change cipher spec 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read finished 2022.10.15 15:04:28 LOG7[149]: Generate session ticket callback 2022.10.15 15:04:28 LOG7[149]: Initializing application specific data for session authenticated 2022.10.15 15:04:28 LOG7[149]: Deallocating application specific data for session connect address 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write session ticket 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write change cipher spec 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write finished 2022.10.15 15:04:28 LOG7[149]: 10 server accept(s) requested 2022.10.15 15:04:28 LOG7[149]: 10 server accept(s) succeeded 2022.10.15 15:04:28 LOG7[149]: 0 server renegotiation(s) requested 2022.10.15 15:04:28 LOG7[149]: 0 session reuse(s) 2022.10.15 15:04:28 LOG7[149]: 6 internal session cache item(s) 2022.10.15 15:04:28 LOG7[149]: 0 internal session cache fill-up(s) 2022.10.15 15:04:28 LOG7[149]: 0 internal session cache miss(es) 2022.10.15 15:04:28 LOG7[149]: 0 external session cache hit(s) 2022.10.15 15:04:28 LOG7[149]: 0 expired session(s) retrieved 2022.10.15 15:04:28 LOG6[149]: TLS accepted: new session negotiated 2022.10.15 15:04:28 LOG6[149]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2022.10.15 15:04:28 LOG3[149]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2022.10.15 15:04:28 LOG7[149]: Compression: null, expansion: null 2022.10.15 15:04:28 LOG7[149]: Deallocating application specific data for session connect address 2022.10.15 15:04:28 LOG6[149]: s_connect: connecting x.x.x.x:9000 2022.10.15 15:04:28 LOG7[149]: s_connect: s_poll_wait x.x.x.x:9000: waiting 10 seconds 2022.10.15 15:04:28 LOG7[149]: FD=648 ifds=rwx ofds=--- 2022.10.15 15:04:28 LOG5[149]: s_connect: connected x.x.x.x:9000 2022.10.15 15:04:28 LOG6[149]: persistence: x.x.x.x:9000 cached 2022.10.15 15:04:28 LOG5[149]: Service [https] connected remote server from x.x.x.x:62317 2022.10.15 15:04:28 LOG7[149]: Setting remote socket options (FD=648) 2022.10.15 15:04:28 LOG7[149]: Option TCP_NODELAY set on remote socket 2022.10.15 15:04:28 LOG7[149]: Remote descriptor (FD=648) initialized 2022.10.15 15:04:28 LOG6[149]: SSL_read: Socket is closed 2022.10.15 15:04:28 LOG6[149]: TLS socket closed (SSL_read) 2022.10.15 15:04:28 LOG7[149]: Sent socket write shutdown 2022.10.15 15:04:28 LOG5[149]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2022.10.15 15:04:28 LOG7[149]: Remote descriptor (FD=648) closed 2022.10.15 15:04:28 LOG7[149]: Local descriptor (FD=728) closed 2022.10.15 15:04:28 LOG7[149]: Service [https] finished (1 left) _________________________________ Gary Jackson | Senior Systems Engineer Direct: 502.777.1940
IT GUY NETWORKS LLC | Certified Systems Consultants 14607 Lake Bluff Place Louisville, KY 40245
The information contained in this email, and in any accompanying documents, constitutes confidential information, which belongs to IT Guy Networks. This information is intended for the use of the individual(s) or entity named above. You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on this information, is strictly prohibited.
-----Original Message----- From: mikes@aalin.co.uk mikes@aalin.co.uk Sent: Saturday, October 15, 2022 2:08 PM To: stunnel-users@stunnel.org Subject: [stunnel-users] [SPAM] SSL Termination Issue
2nd and third lines of the log suggest that the client end could not negotiate a compatible encryption method, and your stunnel config appears to only have GCM ciphers enabled. Do you have a very old client that can only do CBC mode encryption?
-- Mike Spooner
_______________________________________________ stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org
I also wanted to be clear on what we are trying to accomplish
Client sends us data over TLS1.2----->We accept the traffic at STunnel (Port 27015) and Decrypt the Traffic------> We send traffic to another internal server unencrypted.
We have tried to limit to only the following cipher:
ECDHE-RSA-AES256-SHA384
However when we try and reload the config it will not load.
Thanks again for your help. _________________________________ Gary Jackson | Senior Systems Engineer Direct: 502.777.1940
IT GUY NETWORKS LLC | Certified Systems Consultants 14607 Lake Bluff Place Louisville, KY 40245
The information contained in this email, and in any accompanying documents, constitutes confidential information, which belongs to IT Guy Networks. This information is intended for the use of the individual(s) or entity named above. You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on this information, is strictly prohibited.
-----Original Message----- From: Gary Jackson Sent: Saturday, October 15, 2022 3:09 PM To: 'mikes@aalin.co.uk' mikes@aalin.co.uk; stunnel-users@stunnel.org Subject: RE: [stunnel-users] [SPAM] SSL Termination Issue
Thank you very much for your help. Doesn't the TLS negotiation below at the line "TLS accepted: New Session Negotiated"?
2022.10.15 15:04:28 LOG7[main]: New thread created 2022.10.15 15:04:28 LOG7[149]: Service [https] started 2022.10.15 15:04:28 LOG7[149]: Setting local socket options (FD=728) 2022.10.15 15:04:28 LOG7[149]: Option TCP_NODELAY set on local socket 2022.10.15 15:04:28 LOG5[149]: Service [https] accepted connection from x.x.x.x:64014 2022.10.15 15:04:28 LOG6[149]: Peer certificate not required 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): before SSL initialization 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): before SSL initialization 2022.10.15 15:04:28 LOG7[149]: Decrypt session ticket callback 2022.10.15 15:04:28 LOG7[149]: Initializing application specific data for session authenticated 2022.10.15 15:04:28 LOG7[149]: SNI: no virtual services defined 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read client hello 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server hello 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write certificate 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write key exchange 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server done 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server done 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read client key exchange 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read change cipher spec 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read finished 2022.10.15 15:04:28 LOG7[149]: Generate session ticket callback 2022.10.15 15:04:28 LOG7[149]: Initializing application specific data for session authenticated 2022.10.15 15:04:28 LOG7[149]: Deallocating application specific data for session connect address 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write session ticket 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write change cipher spec 2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write finished 2022.10.15 15:04:28 LOG7[149]: 10 server accept(s) requested 2022.10.15 15:04:28 LOG7[149]: 10 server accept(s) succeeded 2022.10.15 15:04:28 LOG7[149]: 0 server renegotiation(s) requested 2022.10.15 15:04:28 LOG7[149]: 0 session reuse(s) 2022.10.15 15:04:28 LOG7[149]: 6 internal session cache item(s) 2022.10.15 15:04:28 LOG7[149]: 0 internal session cache fill-up(s) 2022.10.15 15:04:28 LOG7[149]: 0 internal session cache miss(es) 2022.10.15 15:04:28 LOG7[149]: 0 external session cache hit(s) 2022.10.15 15:04:28 LOG7[149]: 0 expired session(s) retrieved 2022.10.15 15:04:28 LOG6[149]: TLS accepted: new session negotiated 2022.10.15 15:04:28 LOG6[149]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2022.10.15 15:04:28 LOG3[149]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2022.10.15 15:04:28 LOG7[149]: Compression: null, expansion: null 2022.10.15 15:04:28 LOG7[149]: Deallocating application specific data for session connect address 2022.10.15 15:04:28 LOG6[149]: s_connect: connecting x.x.x.x:9000 2022.10.15 15:04:28 LOG7[149]: s_connect: s_poll_wait x.x.x.x:9000: waiting 10 seconds 2022.10.15 15:04:28 LOG7[149]: FD=648 ifds=rwx ofds=--- 2022.10.15 15:04:28 LOG5[149]: s_connect: connected x.x.x.x:9000 2022.10.15 15:04:28 LOG6[149]: persistence: x.x.x.x:9000 cached 2022.10.15 15:04:28 LOG5[149]: Service [https] connected remote server from x.x.x.x:62317 2022.10.15 15:04:28 LOG7[149]: Setting remote socket options (FD=648) 2022.10.15 15:04:28 LOG7[149]: Option TCP_NODELAY set on remote socket 2022.10.15 15:04:28 LOG7[149]: Remote descriptor (FD=648) initialized 2022.10.15 15:04:28 LOG6[149]: SSL_read: Socket is closed 2022.10.15 15:04:28 LOG6[149]: TLS socket closed (SSL_read) 2022.10.15 15:04:28 LOG7[149]: Sent socket write shutdown 2022.10.15 15:04:28 LOG5[149]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2022.10.15 15:04:28 LOG7[149]: Remote descriptor (FD=648) closed 2022.10.15 15:04:28 LOG7[149]: Local descriptor (FD=728) closed 2022.10.15 15:04:28 LOG7[149]: Service [https] finished (1 left) _________________________________ Gary Jackson | Senior Systems Engineer Direct: 502.777.1940
IT GUY NETWORKS LLC | Certified Systems Consultants 14607 Lake Bluff Place Louisville, KY 40245
The information contained in this email, and in any accompanying documents, constitutes confidential information, which belongs to IT Guy Networks. This information is intended for the use of the individual(s) or entity named above. You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on this information, is strictly prohibited.
-----Original Message----- From: mikes@aalin.co.uk mikes@aalin.co.uk Sent: Saturday, October 15, 2022 2:08 PM To: stunnel-users@stunnel.org Subject: [stunnel-users] [SPAM] SSL Termination Issue
2nd and third lines of the log suggest that the client end could not negotiate a compatible encryption method, and your stunnel config appears to only have GCM ciphers enabled. Do you have a very old client that can only do CBC mode encryption?
-- Mike Spooner
_______________________________________________ stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org
-
Gary Jackson -
Mike Spooner