Hi,
I am trying to use stunnel to exchange data with a service hosted on Akamai Servers. There is a need to implement SNI.
In posts dated from 2016 which I found online, Stunnel did not support Host Headers. Is there a workaround, or has Stunnel implemented this functionality?
I will be testing using postman. A sample config to get me going would really be appreciated.
The URL is related to plivo. It is ak-api.plivo.com.
Thank you in anticipation.
Hi,
The docs on https://www.stunnel.org/static/stunnel.html for the most recent stunnel version suggest that SNI is supported:
*sni* = SERVER_NAME (client mode)
Use the parameter as the value of TLS Server Name Indication (RFC 3546) extension.
Empty SERVER_NAME disables sending the SNI extension.
The *sni* option is only available when compiled with *OpenSSL 1.0.0* and later.
On 12.09.2021 06:30, Alan C. Bonnici wrote:
Hi,
I am trying to use stunnel to exchange data with a service hosted on Akamai Servers. There is a need to implement SNI.
In posts dated from 2016 which I found online, Stunnel did not support Host Headers. Is there a workaround, or has Stunnel implemented this functionality?
I will be testing using postman. A sample config to get me going would really be appreciated.
The URL is related to plivo. It is ak-api.plivo.com.
Thank you in anticipation.
stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org
Hello,
I am encountering a problem using SNI with host headers.
This doesn't seem to work.
Thanks
On Sun, 12 Sep 2021, 13:41 Norbert Hanke, norbert.hanke@gmx.ch wrote:
Hi,
The docs on https://www.stunnel.org/static/stunnel.html for the most recent stunnel version suggest that SNI is supported:
*sni* = SERVER_NAME (client mode)
Use the parameter as the value of TLS Server Name Indication (RFC 3546) extension.
Empty SERVER_NAME disables sending the SNI extension.
The *sni* option is only available when compiled with *OpenSSL 1.0.0* and later.
On 12.09.2021 06:30, Alan C. Bonnici wrote:
Hi,
I am trying to use stunnel to exchange data with a service hosted on Akamai Servers. There is a need to implement SNI.
In posts dated from 2016 which I found online, Stunnel did not support Host Headers. Is there a workaround, or has Stunnel implemented this functionality?
I will be testing using postman. A sample config to get me going would really be appreciated.
The URL is related to plivo. It is ak-api.plivo.com.
Thank you in anticipation.
Hi,
We need to implement SNI functionality to connect to a web service hosted on Akamai. Can anyone share a process and config on how they manage it?
My stunnel config is the following:
[plivo-sni]
client = yes
accept = :23443
connect = api-ak.plivo.com:443
sni = *.plivo.com
I have a hosts file entry that redirects api-ak.plivo.com to 127.0.0.1.
Below is the stunnel log file:
2021.10.06 16:17:12 LOG6[main]: Initializing inetd mode configuration
2021.10.06 16:17:12 LOG7[main]: Running on Windows 6.2
2021.10.06 16:17:12 LOG7[main]: No limit detected for the number of clients
2021.10.06 16:17:12 LOG5[main]: stunnel 5.60 on x64-pc-mingw32-gnu platform
2021.10.06 16:17:12 LOG5[main]: Compiled/running with OpenSSL 1.1.1k 25 Mar 2021
2021.10.06 16:17:12 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2021.10.06 16:17:12 LOG7[main]: errno: (*_errno())
2021.10.06 16:17:12 LOG7[service]: GUI message loop initialized
2021.10.06 16:17:12 LOG6[main]: Initializing inetd mode configuration
2021.10.06 16:17:12 LOG7[main]: Running on Windows 6.2
2021.10.06 16:17:12 LOG5[main]: Reading configuration from file stunnel.conf
2021.10.06 16:17:12 LOG5[main]: UTF-8 byte order mark detected
2021.10.06 16:17:12 LOG5[main]: FIPS mode disabled
2021.10.06 16:17:12 LOG6[main]: Compression enabled: 0 methods
2021.10.06 16:17:12 LOG7[main]: No PRNG seeding was required
2021.10.06 16:17:12 LOG6[main]: Initializing service [plivo]
2021.10.06 16:17:13 LOG6[main]: stunnel default security level set: 2
2021.10.06 16:17:13 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2021.10.06 16:17:13 LOG7[main]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2021.10.06 16:17:13 LOG7[main]: TLS options: 0x02100004 (+0x00000000, -0x00000000)
2021.10.06 16:17:13 LOG6[main]: Session resumption enabled
2021.10.06 16:17:13 LOG6[main]: Loading certificate from file: stunnel.pem
2021.10.06 16:17:13 LOG6[main]: Certificate loaded from file: stunnel.pem
2021.10.06 16:17:13 LOG6[main]: Loading private key from file: stunnel.pem
2021.10.06 16:17:13 LOG6[main]: Private key loaded from file: stunnel.pem
2021.10.06 16:17:13 LOG7[main]: Private key check succeeded
2021.10.06 16:17:13 LOG6[main]: DH initialization skipped: client section
2021.10.06 16:17:13 LOG7[main]: ECDH initialization
2021.10.06 16:17:13 LOG7[main]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2021.10.06 16:17:13 LOG6[main]: Initializing service [plivo-sni]
2021.10.06 16:17:13 LOG6[main]: stunnel default security level set: 2
2021.10.06 16:17:13 LOG7[main]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2021.10.06 16:17:13 LOG7[main]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2021.10.06 16:17:13 LOG7[main]: TLS options: 0x02100004 (+0x00000000, -0x00000000)
2021.10.06 16:17:13 LOG6[main]: Session resumption enabled
2021.10.06 16:17:13 LOG7[main]: No certificate or private key specified
2021.10.06 16:17:13 LOG4[main]: Service [plivo-sni] needs authentication to prevent MITM attacks
2021.10.06 16:17:13 LOG6[main]: DH initialization skipped: client section
2021.10.06 16:17:13 LOG7[main]: ECDH initialization
2021.10.06 16:17:13 LOG7[main]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2021.10.06 16:17:13 LOG5[main]: Configuration successful
2021.10.06 16:17:13 LOG7[main]: Deallocating deployed section defaults
2021.10.06 16:17:13 LOG7[main]: Binding service [plivo]
2021.10.06 16:17:13 LOG7[main]: Listening file descriptor created (FD=668)
2021.10.06 16:17:13 LOG7[main]: Setting accept socket options (FD=668)
2021.10.06 16:17:13 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2021.10.06 16:17:13 LOG6[main]: Service [plivo] (FD=668) bound to 127.0.0.1:32443
2021.10.06 16:17:13 LOG7[main]: Binding service [plivo-sni]
2021.10.06 16:17:13 LOG7[main]: Listening file descriptor created (FD=672)
2021.10.06 16:17:13 LOG7[main]: Setting accept socket options (FD=672)
2021.10.06 16:17:13 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2021.10.06 16:17:13 LOG6[main]: Service [plivo-sni] (FD=672) bound to 127.0.0.1:23443
2021.10.06 16:17:18 LOG7[cron]: Cron thread initialized
2021.10.06 16:17:18 LOG6[cron]: Executing cron jobs
2021.10.06 16:17:18 LOG6[cron]: Cron jobs completed in 0 seconds
2021.10.06 16:17:18 LOG7[cron]: Waiting 86400 seconds
2021.10.06 16:23:40 LOG7[main]: Found 1 ready file descriptor(s)
2021.10.06 16:23:40 LOG7[main]: FD=580 ifds=r-x ofds=---
2021.10.06 16:23:40 LOG7[main]: FD=668 ifds=r-x ofds=---
2021.10.06 16:23:40 LOG7[main]: FD=672 ifds=r-x ofds=r--
2021.10.06 16:23:40 LOG7[main]: Service [plivo-sni] accepted (FD=656) from 127.0.0.1:64364
2021.10.06 16:23:40 LOG7[main]: Creating a new thread
2021.10.06 16:23:40 LOG7[main]: New thread created
2021.10.06 16:23:40 LOG7[0]: Service [plivo-sni] started
2021.10.06 16:23:40 LOG7[0]: Setting local socket options (FD=656)
2021.10.06 16:23:40 LOG7[0]: Option TCP_NODELAY set on local socket
2021.10.06 16:23:40 LOG5[0]: Service [plivo-sni] accepted connection from 127.0.0.1:64364
2021.10.06 16:23:40 LOG6[0]: s_connect: connecting 127.0.0.1:443
2021.10.06 16:23:40 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:443: waiting 10 seconds
2021.10.06 16:23:40 LOG7[0]: FD=700 ifds=rwx ofds=---
2021.10.06 16:23:42 LOG3[0]: s_connect: connect 127.0.0.1:443: Connection refused (WSAECONNREFUSED) (10061)
2021.10.06 16:23:42 LOG3[0]: No more addresses to connect
2021.10.06 16:23:42 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2021.10.06 16:23:42 LOG7[0]: Local descriptor (FD=656) closed
2021.10.06 16:23:42 LOG7[0]: Service [plivo-sni] finished (0 left)
Thanks in anticipation.
Regards, AC
Hi,
If I have the following in my stunnel config:
[plivo-sni]
client = yes
accept = :23443
connect = api-ak.plivo.com:443
sni = *.plivo.com
And the following in my Windows hosts file:
127.0.0.1 api-ak.plivo.com
Would that create a circular reference in STunnel?
Thanks
On Wed, Oct 06, 2021 at 05:04:24PM +0200, Alan C. Bonnici wrote:
Hi,
If I have the following in my stunnel config:
[plivo-sni]
client = yes
accept = :23443
connect = api-ak.plivo.com:443
sni = *.plivo.com
And the following in my Windows hosts file:
127.0.0.1 api-ak.plivo.com
Would that create a circular reference in STunnel?
Yes, that's why the log that you posted contains lines like:
2021.10.06 16:23:40 LOG6[0]: s_connect: connecting 127.0.0.1:443
...and then "connection refused", since your local machine does not have anything listening on port 443.
So... yeah. I'm not sure what would be the best way to handle this. If this were not Windows, I'd suggest running stunnel in a chroot environment that does *not* have api-ak.plivo.com in its hosts file, but unfortunately I have no idea how to achieve something like that under Windows.
G'luck, Peter
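A small configuration check for the loop Peter describes (the connect host overridden to 127.0.0.1 in the hosts file), together with two other things visible in the posted config and log: a wildcard sni value, and the missing peer verification behind the LOG4 "needs authentication to prevent MITM attacks" line. This is an added example, not code from the thread or from stunnel; the parsers and function names are mine, and the sample config and hosts entry are constructed from the section Alan posted.

```python
import ipaddress
import re
# Constructed sample input: the client section and hosts entry posted in the thread.
STUNNEL_CONF = """\
[plivo-sni]
client = yes
accept = :23443
connect = api-ak.plivo.com:443
sni = *.plivo.com
"""
HOSTS_FILE = "127.0.0.1 api-ak.plivo.com\n"

def parse_stunnel_conf(text):
    # Minimal INI reader: {section: {option (lowercased): value}}; global options live under "".
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()
        if header := re.fullmatch(r"\[(.+)\]", line):
            current = header.group(1).strip()
            sections[current] = {}
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def parse_hosts(text):
    # hosts file -> {hostname: ip}; the first mapping for a name wins, as the resolver does.
    hosts = {}
    for raw in text.splitlines():
        fields = raw.split("#")[0].split()
        for name in fields[1:]:
            hosts.setdefault(name.lower(), fields[0])
    return hosts

def lint_client_section(name, opts, hosts):
    # Three checks for a client-mode section: self-connect loop, wildcard SNI, missing verification.
    if opts.get("client", "no").lower() != "yes":
        return []
    findings = []
    host = opts.get("connect", "").rsplit(":", 1)[0]  # assumes host:port, not a bare IPv6 literal
    if (ip := hosts.get(host.lower())) and ipaddress.ip_address(ip).is_loopback:
        findings.append(f"{name}: connect host {host} maps to {ip} in the hosts file, so stunnel connects back to this machine")
    if "*" in opts.get("sni", ""):
        findings.append(f"{name}: sni is a wildcard; the SNI extension carries one fully qualified hostname")
    if not any(o in opts for o in ("verify", "verifychain", "verifypeer", "cafile", "capath", "checkhost")):
        findings.append(f"{name}: no verification option, so the server certificate is not checked ('needs authentication to prevent MITM attacks')")
    return findings
def lint(conf_text, hosts_text):
    hosts = parse_hosts(hosts_text)
    return [f for name, opts in parse_stunnel_conf(conf_text).items() if name for f in lint_client_section(name, opts, hosts)]
```

Run against the posted section and hosts entry it reports all three findings; a client section whose connect host is not overridden locally, whose sni is a concrete name and which sets verifyChain plus CAfile reports none.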
Thank you Peter.
This would be a blocking point for Web Farms that rely on host headers.
On Wed, 6 Oct 2021 at 17:44, Peter Pentchev roam@ringlet.net wrote:
On Wed, Oct 06, 2021 at 05:04:24PM +0200, Alan C. Bonnici wrote:
Hi,
If I have the following in my stunnel config:
[plivo-sni]
client = yes
accept = :23443
connect = api-ak.plivo.com:443
sni = *.plivo.com
And the following in my Windows hosts file:
127.0.0.1 api-ak.plivo.com
Would that create a circular reference in STunnel?
Yes, that's why the log that you posted contains lines like:
2021.10.06 16:23:40 LOG6[0]: s_connect: connecting 127.0.0.1:443
...and then "connection refused", since your local machine does not have anything listening on port 443.
So... yeah. I'm not sure what would be the best way to handle this. If this were not Windows, I'd suggest running stunnel in a chroot environment that does *not* have api-ak.plivo.com in its hosts file, but unfortunately I have no idea how to achieve something like that under Windows.
G'luck, Peter
--
Peter Pentchev roam@ringlet.net roam@debian.org pp@storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13