Hello,
I have 2 servers in different locations across the country. I am using them as a paired tunnel in which both act as server and client.
Server A has this configuration (cert definitions left out on purpose, but they exist and are valid):
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
TIMEOUTclose = 0

; 128-bit or higher only
ciphers = HIGH:MEDIUM

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2

; Some debugging stuff useful for troubleshooting
debug = local7.info
;warning

[Tunnel from Server B]
accept = 1.2.3.4:443
connect = 127.0.0.1:8082

[Tunnel to Server B]
accept = 5.6.7.8:3132
connect = 9.10.11.12:4000
client = yes
Server B has this configuration (cert definitions left out on purpose, but they exist and are valid):
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
TIMEOUTclose = 0

; 128-bit or higher only
ciphers = HIGH:MEDIUM

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2

; Some debugging stuff useful for troubleshooting
debug = local7.debug
;warning

[Tunnel to Server A]
accept = 10.1.2.3:9443
connect = 1.2.3.4:443
client = yes

[Tunnel from Server A]
accept = 9.10.11.12:4000
connect = 10.4.5.6:3132
Communication through Server A (client) to Server B (server) works as expected.
Communication through Server B (client) back to Server A (server) receives this error:
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (this is as far as it gets: the client says hello and the server responds with this)
If I skip the local stunnel config and pass the traffic publicly through to Server A (running in client mode) from Server B, I get the expected HTTP response I set up to test the tunnel.
I'm just assuming that if I am passing from stunnel on one system to stunnel on another, one of them should be client and the other should be server. This works well on our old configurations, and as far as I can see from a stunnel and network-route perspective all rules are identical.
Why would it work from Server B to Server A on the response if I go directly to Server A, but fail locally? The configuration looks correct; what else could I check?
Michael Curran wrote:
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (this is as far as it gets: the client says hello and the server responds with this)
> [cut]
> The configuration looks correct; what else could I check?
Your curl reports an SSL error, so you're using its native SSL support instead of the stunnel client.
Remove all non-essential configuration file options. If you don't understand an option, just leave it at its default instead of using a random value.
Collect stunnel debug logs on both ends. Hopefully this will help you find the solution by yourself, without asking 536 subscribers of this mailing list for help.
Mike
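The check behind Mike's observation is worth making mechanical before collecting stunnel debug logs: OpenSSL's "SSL23_GET_SERVER_HELLO:unknown protocol" is raised when the client has sent a TLS ClientHello and the first bytes that come back are not a TLS record at all. The probe below, an added example that is not part of the mailing-list thread and not stunnel's own tooling, sends a minimal ClientHello to a host:port and classifies what comes back: a TLS ServerHello or alert means a TLS endpoint is listening there; an "HTTP/..." status line means a plaintext HTTP server received the handshake as garbage, which is what a TLS-speaking curl pointed at a stunnel client's plaintext accept port would see. The local plaintext listener in the block is a constructed stand-in so the example runs offline; the ClientHello is a bare TLS 1.0 hello with one cipher suite and no extensions, which is an assumption that is adequate for classification but not a full handshake.

```python
import socket
import struct
import threading


def build_client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello: one cipher suite, no extensions (assumption:
    enough to provoke a ServerHello or alert from any TLS server)."""
    client_random = b"\x00" * 32
    session_id = b"\x00"                       # empty session id
    cipher_suites = b"\x00\x02" + b"\x00\x2f"  # TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                  # one method: null
    body = b"\x03\x01" + client_random + session_id + cipher_suites + compression
    # Handshake header: type 1 (client_hello) + 3-byte length.
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version 3.1, 2-byte length.
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def classify_reply(data: bytes) -> str:
    """Map the first bytes a server sends back to the protocol it is speaking."""
    if not data:
        return "no-reply"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"      # ServerHello: a TLS server is listening here
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"          # TLS server answered but refused (e.g. no shared cipher)
    if data.startswith(b"HTTP/"):
        return "plaintext-http"     # an HTTP server treated our ClientHello as a bad request
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(16)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)


def start_plaintext_http_server() -> int:
    """Constructed stand-in for a plaintext backend (like the HTTP service behind
    127.0.0.1:8082 in the thread): answers any bytes with a 400, the way a web
    server answers a TLS ClientHello it cannot parse. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_http_server()
    # Against the local stand-in this reports "plaintext-http": the port you
    # are speaking TLS to is not a TLS endpoint.
    print(f"127.0.0.1:{port} -> {probe('127.0.0.1', port)}")
```

Run it against the port curl is given (in the thread, the stunnel client's accept address on Server B) and against the stunnel server's accept address on Server A. A stunnel server accept port should come back as tls-handshake or tls-alert; a stunnel client accept port should come back as plaintext-http, because stunnel in client mode expects plaintext from the local application and does the TLS itself, so a TLS-speaking curl on that port is doing the encryption twice and gets the backend's plaintext error as its "ServerHello".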