It looks like the server name for client-side SNI is defined as the name to connect to in the connect option. According to the RFC, this name must be an FQDN. It is the only place where it is defined, and the server name for SNI cannot be defined outside the connect option. Is that right?
Server-side SNI has some good examples. Searching for "client side SNI" did not yield anything useful.
I am trying to run multiple independent services over the same port; there is no DNS infrastructure in place, so those server names would be random strings not referring to anything. Both ends would be stunnel. If it is as it seems, it will not work, because the defined server name (at the client) must be a working DNS name (FQDN).
yyy wrote:
It looks like the server name for client-side SNI is defined as the name to connect to in the connect option. According to the RFC, this name must be an FQDN. It is the only place where it is defined, and the server name for SNI cannot be defined outside the connect option. Is that right?
Well... Not really. There is an undocumented method to do it. Use "protocolHost" option.
What I'm going to do is to modify "sni" option, to specify client-side SNI name in a client-mode section ("client = yes").
I am trying to run multiple independent services over the same port; there is no DNS infrastructure in place, so those server names would be random strings not referring to anything.
You don't really need DNS for this. You could also specify your names in /etc/hosts on your client.
Mike
Well... Not really. There is an undocumented method to do it. Use "protocolHost" option.
How to use it? I tried simply adding protocolHost=servername into the client configuration section, but it did not work, because the server returned the default cert. "servername" in this case is not a recognized DNS name; it exists only in stunnel configuration files. The server was able to return the proper cert and connect to the proper service; I tested it with openssl s_client. (The default server is http, the additional server (used with SNI) is vnc; they have different certs.) Here is the client configuration (not working):

[sni-client]
cert = clcert.crt
key = clkey.key
verify = 2
CAfile = ca.crt
client = yes
accept=5992
protocolHost=servername:443
connect=yyy.id.lv:443
TIMEOUTclose=0
What I'm going to do is to modify "sni" option, to specify client-side SNI name in a client-mode section ("client = yes").
I am trying to run multiple independent services over the same port; there is no DNS infrastructure in place, so those server names would be random strings not referring to anything.
You don't really need DNS for this. You could also specify your names in /etc/hosts on your client.
Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
yyy wrote:
I tried simply adding protocolHost=servername into the client configuration section, but it did not work, because the server returned the default cert.
I was told I tend to behave like an oracle, but I'm not.
I can hardly diagnose your configuration without the output of "stunnel -version" and debug logs.
Mike
Hello Michal,
Friday, January 13, 2012, 11:38:06 PM, you wrote:
yyy wrote:
I tried simply adding protocolHost=servername into the client configuration section, but it did not work, because the server returned the default cert.
I was told I tend to behave like an oracle, but I'm not.
I can hardly diagnose your configuration without the output of "stunnel -version" and debug logs.
Sorry, here is the output of "stunnel -version" (although fips=no is specified in stunnel.conf):

stunnel 4.52 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6

Global options:
debug = notice
RNDbytes = 64
RNDoverwrite = yes
taskbar = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
curve = prime256v1
session = 300 seconds
sslVersion = TLSv1 (with "fips = yes")
sslVersion = TLSv1 for client, all for server (with "fips = no")
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Server is down
And here is the log (debug=7):
2012.01.13 21:57:48 LOG7[2132:7704]: Service sni-client accepted FD=504 from 127.0.0.1:2541
2012.01.13 21:57:48 LOG7[2132:7704]: Creating a new thread
2012.01.13 21:57:48 LOG7[2132:7704]: New thread created
2012.01.13 21:57:48 LOG7[2132:7932]: Service sni-client started
2012.01.13 21:57:48 LOG5[2132:7932]: Service sni-client accepted connection from 127.0.0.1:2541
2012.01.13 21:57:48 LOG6[2132:7932]: connect_blocking: connecting 213.175.91.220:443
2012.01.13 21:57:48 LOG7[2132:7932]: connect_blocking: s_poll_wait 213.175.91.220:443: waiting 10 seconds
2012.01.13 21:57:48 LOG5[2132:7932]: connect_blocking: connected 213.175.91.220:443
2012.01.13 21:57:48 LOG5[2132:7932]: Service sni-client connected remote server from 10.0.0.151:2542
2012.01.13 21:57:48 LOG7[2132:7932]: Remote FD=448 initialized
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): before/connect initialization
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client hello A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server hello A
2012.01.13 21:57:48 LOG7[2132:7932]: Starting certificate verification: depth=1, /C=lv/L=Salaspils/CN=yyyCA/emailAddress=yyy@yyy.id.lv
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=1, /C=lv/L=Salaspils/CN=yyyCA/emailAddress=yyy@yyy.id.lv
2012.01.13 21:57:48 LOG7[2132:7932]: Starting certificate verification: depth=0, /C=lv/CN=afm.yyy.id.lv/description=\x00s\x00e\x00r\x00v\x00e\x00r\x00a\x00 \x00s\x00e\x00r\x00t\x00i\x00f\x00i\x00k\x01\x01\x00t\x00s\x00 \x00l\x00i\x00e\x00t\x00o\x01a\x00a\x00n\x00a\x00i\x00 \x00s\x00e\x00r\x00v\x00e\x00r\x00i\x00e\x00m\x00,\x00 \x00k\x00a\x00m\x00 \x00j\x01\x01\x00s\x00l\x01\x13\x00d\x00z\x00a\x00s\x00 \x00k\x00l\x01\x01\x00t\x00 \x00a\x00r\x00 \x00e\x005\x002
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=0, /C=lv/CN=afm.yyy.id.lv/description=\x00s\x00e\x00r\x00v\x00e\x00r\x00a\x00 \x00s\x00e\x00r\x00t\x00i\x00f\x00i\x00k\x01\x01\x00t\x00s\x00 \x00l\x00i\x00e\x00t\x00o\x01a\x00a\x00n\x00a\x00i\x00 \x00s\x00e\x00r\x00v\x00e\x00r\x00i\x00e\x00m\x00,\x00 \x00k\x00a\x00m\x00 \x00j\x01\x01\x00s\x00l\x01\x13\x00d\x00z\x00a\x00s\x00 \x00k\x00l\x01\x01\x00t\x00 \x00a\x00r\x00 \x00e\x005\x002
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server certificate A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server key exchange A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server certificate request A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server done A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client certificate A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client key exchange A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write certificate verify A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write change cipher spec A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write finished A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 flush data
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 read server session ticket A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 read finished A
2012.01.13 21:57:49 LOG7[2132:7932]: 1 items in the session cache
2012.01.13 21:57:49 LOG7[2132:7932]: 1 client connects (SSL_connect())
2012.01.13 21:57:49 LOG7[2132:7932]: 1 client connects that finished
2012.01.13 21:57:49 LOG7[2132:7932]: 0 client renegotiations requested
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server connects (SSL_accept())
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server connects that finished
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server renegotiations requested
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache hits
2012.01.13 21:57:49 LOG7[2132:7932]: 0 external session cache hits
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache misses
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache timeouts
2012.01.13 21:57:49 LOG7[2132:7932]: Peer certificate was cached (3611 bytes)
2012.01.13 21:57:49 LOG6[2132:7932]: SSL connected: new session negotiated
2012.01.13 21:57:49 LOG6[2132:7932]: Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.13 21:57:49 LOG6[2132:7932]: Compression: null, expansion: null
2012.01.13 21:58:09 LOG3[2132:7932]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2012.01.13 21:58:09 LOG5[2132:7932]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.01.13 21:58:09 LOG7[2132:7932]: Service sni-client finished (0 left)
It connects just fine, just to the default service.
s_client connects to the proper service (using this command):

C:\openssl s_client -connect 213.175.91.220:443 -cert cert.crt -key key.key -servername servername

Client authentication succeeds in either case (as expected).
yyy wrote:
stunnel 4.52 on x86-pc-mingw32-gnu platform Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
OpenSSL supports SNI since version 1.0.0.
A FIPS module compatible with OpenSSL 1.x.x is scheduled for release in February 2012: http://www.openssl.org/docs/fips/fipsvalidation.html I will update the stunnel binary distribution for Windows as soon as FIPS 2.0 is available.
Mike
Hello Michal,
Saturday, January 14, 2012, 9:37:28 AM, you wrote:
yyy wrote:
stunnel 4.52 on x86-pc-mingw32-gnu platform Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
OpenSSL supports SNI since version 1.0.0.
A FIPS module compatible with OpenSSL 1.x.x is scheduled for release in February 2012: http://www.openssl.org/docs/fips/fipsvalidation.html I will update the stunnel binary distribution for Windows as soon as FIPS 2.0 is available.
Mike
Yeah, it appears that the fips=no option has no effect (at least on the "stunnel -version" output).