Your mileage may vary.
###############################################################################
# From internal application to external host
###############################################################################
# [Int_Init] -> [Int_Term] -> [Ext_Init] -> [Ext_Term]
###############################################################################
# [internal_initiator] ---ssl---> [Internal terminator]
# [Internal terminator] ---http---> [external Initiator]
# [external Initiator] ---tls---> [external terminator]
###############################################################################
# https://www.stunnel.org/static/stunnel.html
###############################################################################
[Internal_Terminator]
# protocol selection is the sslVersion directive in stunnel (options takes OpenSSL SSL_OP_* flags)
sslVersion = SSLv3
client = no
accept = host_ip:443
connect = localhost:54321
CAfile = int_init_wallet.pem
cert = int_term_pub.pem
key = int_term_priv.pem

[External_Initiator]
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
# level 3 = verify the peer against a locally installed certificate; the reply left this level marked with a "?"
verify = 3
client = yes
sslVersion = TLSv1.2
accept = localhost:54321
connect = externalhostname:443
verifyChain = yes
renegotiation = no
CAfile = ext_term_wallet.pem
cert = ext_init_pub.pem
key = ext_init_priv.pem
----------------------------------------------------------------------
Date: Mon, 19 Aug 2019 18:21:18 +0000
From: Daniel Trickett daniel.trickett@milliporesigma.com
To: "stunnel-users@stunnel.org" stunnel-users@stunnel.org
Subject: [stunnel-users] https to https proxy
Hi,
Our punchout vendor switched their site to only accept TLS 1.2 over the weekend. Unfortunately our application will only support SSL.
We are using stunnel with other vendors but can control the inbound host name. This recent one is one we can't manage as it is the software provider.
I found a solution for doing https to https. I'm unclear how I get the first https traffic to route to stunnel, as the initial call from the application will be to the external host. Any thoughts on whether this would work for my situation? Appreciate any thoughts.
[Tunnel_in]
client = yes
accept = host_ip:443
connect = localhost:54321

[Tunnel_out]
client = no
accept = localhost:54321
connect = externalhostname:443
Best regards,
Dan
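An added check for the two-hop layout discussed in both messages (the draft [Tunnel_in]/[Tunnel_out] pair above and the [Internal_Terminator]/[External_Initiator] pair in the reply): it parses stunnel's INI-style config and verifies that the hop facing the application is the server side, the hop facing the vendor is the client side, the plaintext handoff between them stays on loopback, and the outward hop pins TLS 1.2 and verifies the vendor's certificate. This is example code written for this page, not part of stunnel and not code from either poster; it assumes the directive spellings sslVersion, verifyChain, renegotiation and options as documented in the stunnel manual, and the host and file names are the thread's own placeholders, used here as constructed sample input.

```python
"""Sanity-check a two-hop stunnel layout: an internal terminator that accepts
the application's legacy SSL and an external initiator that re-encrypts with
TLS 1.2 towards the vendor.  Added example, not stunnel project code."""
from collections import defaultdict

# Constructed sample in the shape of the reply's config.  Directive spellings
# (sslVersion, verifyChain, renegotiation, options) follow the stunnel manual;
# host and file names are the placeholders used in the thread.
REPLY_CONF = """
[Internal_Terminator]
client = no
accept = host_ip:443
connect = localhost:54321
cert = int_term_pub.pem
key = int_term_priv.pem

[External_Initiator]
client = yes
accept = localhost:54321
connect = externalhostname:443
sslVersion = TLSv1.2
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
verifyChain = yes
CAfile = ext_term_wallet.pem
renegotiation = no
cert = ext_init_pub.pem
key = ext_init_priv.pem
"""

# Constructed copy of the original poster's draft, client flags as posted.
DRAFT_CONF = """
[Tunnel_in]
client = yes
accept = host_ip:443
connect = localhost:54321

[Tunnel_out]
client = no
accept = localhost:54321
connect = externalhostname:443
"""


def parse_stunnel_conf(text):
    """Return {section: {key: [values]}}.  Keys may repeat (several
    'options =' lines), so every value is kept in order.  Only whole-line
    comments starting with ';' or '#' are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, defaultdict(list))
            continue
        if "=" not in line or current is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key].append(value)
    return sections


def check_two_hop(conf, inner, outer):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    a, b = conf[inner], conf[outer]

    def get(sec, key):
        return sec.get(key, [None])[-1]  # last occurrence wins

    # Hop 1 terminates the application's SSL, so it must be the server side.
    if get(a, "client") != "no":
        findings.append(f"{inner}: client must be 'no' (it accepts the application's SSL)")
    # Hop 2 initiates TLS to the vendor, so it must be the client side.
    if get(b, "client") != "yes":
        findings.append(f"{outer}: client must be 'yes' (it connects to the external host)")
    # Plaintext handoff: hop 1 connects where hop 2 accepts, and only on loopback.
    handoff = get(a, "connect")
    if handoff != get(b, "accept"):
        findings.append(f"{inner} connect ({handoff}) != {outer} accept ({get(b, 'accept')})")
    host = (handoff or "").rsplit(":", 1)[0]
    if host not in ("localhost", "127.0.0.1", "::1"):
        findings.append(f"plaintext handoff {handoff} is not bound to loopback")
    # The outward hop must speak TLS 1.2 and actually verify the vendor's certificate.
    if get(b, "sslVersion") != "TLSv1.2":
        findings.append(f"{outer}: sslVersion should be TLSv1.2 for the vendor")
    if get(b, "verifyChain") != "yes" and get(b, "verify") not in ("2", "3", "4"):
        findings.append(f"{outer}: no certificate verification (verifyChain = yes or verify >= 2)")
    if get(b, "CAfile") is None:
        findings.append(f"{outer}: CAfile missing, nothing to verify the vendor against")
    if get(b, "renegotiation") == "yes":
        findings.append(f"{outer}: renegotiation should be disabled")
    return findings


if __name__ == "__main__":
    for name, text, inner, outer in (
        ("reply", REPLY_CONF, "Internal_Terminator", "External_Initiator"),
        ("draft", DRAFT_CONF, "Tunnel_in", "Tunnel_out"),
    ):
        for finding in check_two_hop(parse_stunnel_conf(text), inner, outer) or ["ok"]:
            print(f"{name}: {finding}")
```

Run against the draft it reports the swapped client flags plus the missing sslVersion, verification and CAfile on the outward hop; run against the reply's layout it reports nothing. It does not answer the routing question in the original post (how the application's connection to externalhostname reaches host_ip:443), which stunnel alone cannot solve.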