[stunnel-users] Clearer and Detailed version of the mail Stunnel for HTTP encription

Carter Browne cbrowne at cbcs-usa.com
Thu Jul 20 17:16:10 CEST 2006


I would suggest changing the accept on the server to read
accept = 123

As I understand the logic, the server is only listening on the loopback 
TCP address, not the public one.

Carter
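One way to check that point mechanically. The script below is an added example, not stunnel code and not from either poster: it parses the service sections of the two stunnel.conf fragments quoted further down and reports, for each `accept`, whether a client at a given address can reach the listener. It assumes stunnel's documented `accept = [host:]port` form, where a bare port binds every interface; the sample configs and the peer addresses (192.168.0.1 for PC1, the local browser for the client) are taken from the thread.

```python
import ipaddress

# Constructed sample input: the two service sections quoted in the thread.
SERVER_CONF = """
[inet]
accept = 127.0.0.1:123
connect = 127.0.0.1:80
"""
CLIENT_CONF = """
[inet]
accept = 127.0.0.1:500
connect = 192.168.0.2:123
"""

def parse_services(text):
    """Return {section: {option: value}}; ';' comments and global options
    (those before the first [section]) are skipped."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            services[current][key] = value
    return services

def split_endpoint(spec):
    """'host:port' -> (host, port); a bare 'port' -> (None, port), i.e. all interfaces."""
    host, _, port = spec.rpartition(":")
    return (host or None), int(port)

def reachable_from(accept_spec, client_ip):
    """True if client_ip can connect to this listener; only a loopback bind shuts out remote peers."""
    host, _ = split_endpoint(accept_spec)
    if host is None:
        return True                            # bare port: every interface
    try:
        loopback_bind = ipaddress.ip_address(host).is_loopback
    except ValueError:                         # a hostname, not an address
        loopback_bind = host.lower() == "localhost"
    return not loopback_bind or ipaddress.ip_address(client_ip).is_loopback

def audit(conf_text, client_ip):
    """(service, accept, connect, reachable) for each service that has an accept."""
    return [(name, o["accept"], o.get("connect"), reachable_from(o["accept"], client_ip))
            for name, o in parse_services(conf_text).items() if "accept" in o]
```

`audit(SERVER_CONF, "192.168.0.1")` returns `[("inet", "127.0.0.1:123", "127.0.0.1:80", False)]`, i.e. PC1 cannot reach the server's listener as configured, while `audit(CLIENT_CONF, "127.0.0.1")` reports the client's loopback bind as reachable from the browser on the same PC.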

LoopBack Inc wrote:
> Hello.
> I rewrote some parts of the question, and illustrated it by a small 
> ASCII picture to clarify the whole situation.
> I don't know why I haven't got a single answer, because over 350 people 
> are subscribed to the list, so
> I hope that I'll get some help now.
> I would be grateful.
> 
> I use SocksCap to forward the iexplore connections to another port, a 
> port on which stunnel listens.
> 
> On PC1, the client, stunnel is listening on port 500. So when I start 
> iexplore.exe with SocksCap every connection goes to 127.0.0.1:500.
> PC1 connects to PC2, with
> connect = 192.168.0.2:123
> 
> On PC2, the server, stunnel listens on port 500. Then it connects to the 
> internet with
> connect = 127.0.0.1:80.
> 
> 
> Here is the problem: stunnel doesn't connect to the internet over 
> 127.0.0.1:80.
> I don't know why, but it doesn't.
> 
> 
> ---Stunnel.conf SERVER---
> ..
> [inet]
> accept = 127.0.0.1:123
> connect = 127.0.0.1:80
> 
> ---Stunnel.conf CLIENT---
> ..
> [inet]
> accept = 127.0.0.1:500
> connect = 192.168.0.2:123
> 
> 
> 
> LOGs from the SERVER:
> 
> 2006.07.18 16:56:07 LOG7[2332:2720]: inet accepted FD=208 from 
> 192.168.0.1:2156
> 2006.07.18 16:56:07 LOG7[2332:2720]: Creating a new thread
> 2006.07.18 16:56:07 LOG7[2332:2720]: New thread created
> 2006.07.18 16:56:07 LOG7[2332:1880]: inet started
> 2006.07.18 16:56:07 LOG7[2332:1880]: FD 208 in non-blocking mode
> 2006.07.18 16:56:07 LOG5[2332:1880]: inet connected from 192.168.0.1:2156
> 2006.07.18 16:56:07 LOG7[2332:1880]: SSL state (accept): before/accept 
> initialization
> 2006.07.18 16:56:07 LOG7[2332:1880]: SSL state (accept): SSLv3 read 
> client hello A
> 2006.07.18 16:56:07 LOG7[2332:1880]: SSL state (accept): SSLv3 write 
> server hello A
> 2006.07.18 16:56:07 LOG7[2332:1880]: SSL state (accept): SSLv3 write 
> change cipher spec A
> 2006.07.18 16:56:07 LOG7[2332:1880]: SSL state (accept): SSLv3 write 
> finished A
> 2006.07.18 16:56:07 LOG7[2332:1880]: SSL state (accept): SSLv3 flush data
> 2006.07.18 16:56:07 LOG7[2332:1880]: SSL state (accept): SSLv3 read 
> finished A
> 2006.07.18 16:56:07 LOG7[2332:1880]:    1 items in the session cache
> 2006.07.18 16:56:07 LOG7[2332:1880]:    0 client connects (SSL_connect())
> 2006.07.18 16:56:07 LOG7[2332:1880]:    0 client connects that finished
> 2006.07.18 16:56:07 LOG7[2332:1880]:    0 client renegotiations requested
> 2006.07.18 16:56:07 LOG7[2332:1880]:    7 server connects (SSL_accept())
> 2006.07.18 16:56:07 LOG7[2332:1880]:    7 server connects that finished
> 2006.07.18 16:56:07 LOG7[2332:1880]:    0 server renegotiations requested
> 2006.07.18 16:56:07 LOG7[2332:1880]:    5 session cache hits
> 2006.07.18 16:56:07 LOG7[2332:1880]:    1 session cache misses
> 2006.07.18 16:56:07 LOG7[2332:1880]:    1 session cache timeouts
> 2006.07.18 16:56:07 LOG6[2332:1880]: SSL accepted: previous session reused
> 2006.07.18 16:56:07 LOG7[2332:1880]: FD 244 in non-blocking mode
> 2006.07.18 16:56:07 LOG7[2332:1880]: inet connecting 127.0.0.1:80
> 2006.07.18 16:56:07 LOG7[2332:1880]: connect_wait: waiting 10 seconds
> 2006.07.18 16:56:07 LOG7[2332:1880]: connect_wait: connected
> 2006.07.18 16:56:07 LOG7[2332:1880]: Remote FD=244 initialized
> 
> After nothing happened for 52 seconds, I aborted opening the page in 
> iexplore.exe.
> 
> 2006.07.18 16:56:59 LOG7[2332:1880]: SSL alert (read): warning: close 
> notify
> 2006.07.18 16:56:59 LOG7[2332:1880]: SSL closed on SSL_read
> 2006.07.18 16:56:59 LOG7[2332:1880]: Socket write shutdown
> 2006.07.18 16:56:59 LOG7[2332:1880]: SSL write shutdown
> 2006.07.18 16:56:59 LOG7[2332:1880]: SSL alert (write): warning: close 
> notify
> 2006.07.18 16:56:59 LOG6[2332:1880]: SSL_shutdown successfully sent 
> close_notify
> 2006.07.18 16:56:59 LOG5[2332:1880]: Connection closed: 0 bytes sent to 
> SSL, 3 bytes sent to socket
> 2006.07.18 16:56:59 LOG7[2332:1880]: inet finished (0 left)
> 
> 
> 
> 
> LOGs from the CLIENT:
> 
> 2006.07.18 17:10:11 LOG7[1756:4756]: inet accepted FD=444 from 
> 127.0.0.1:2284
> 2006.07.18 17:10:11 LOG7[1756:4756]: Creating a new thread
> 2006.07.18 17:10:11 LOG7[1756:4756]: New thread created
> 2006.07.18 17:10:11 LOG7[1756:2840]: inet started
> 2006.07.18 17:10:11 LOG7[1756:2840]: FD 444 in non-blocking mode
> 2006.07.18 17:10:11 LOG7[1756:2840]: TCP_NODELAY option set on local socket
> 2006.07.18 17:10:11 LOG5[1756:2840]: inet connected from 127.0.0.1:2284
> 2006.07.18 17:10:11 LOG7[1756:2840]: FD 348 in non-blocking mode
> 2006.07.18 17:10:11 LOG7[1756:2840]: inet connecting 192.168.0.2:123
> 2006.07.18 17:10:11 LOG7[1756:2840]: connect_wait: waiting 10 seconds
> 2006.07.18 17:10:11 LOG7[1756:2840]: connect_wait: connected
> 2006.07.18 17:10:11 LOG7[1756:2840]: Remote FD=348 initialized
> 2006.07.18 17:10:11 LOG7[1756:2840]: TCP_NODELAY option set on remote 
> socket
> 2006.07.18 17:10:11 LOG7[1756:2840]: SSL state (connect): before/connect 
> initialization
> 2006.07.18 17:10:11 LOG7[1756:2840]: SSL state (connect): SSLv3 write 
> client hello A
> 2006.07.18 17:10:11 LOG7[1756:2840]: SSL state (connect): SSLv3 read 
> server hello A
> 2006.07.18 17:10:11 LOG7[1756:2840]: SSL state (connect): SSLv3 read 
> finished A
> 2006.07.18 17:10:11 LOG7[1756:2840]: SSL state (connect): SSLv3 write 
> change cipher spec A
> 2006.07.18 17:10:11 LOG7[1756:2840]: SSL state (connect): SSLv3 write 
> finished A
> 2006.07.18 17:10:11 LOG7[1756:2840]: SSL state (connect): SSLv3 flush data
> 2006.07.18 17:10:11 LOG7[1756:2840]:   17 items in the session cache
> 2006.07.18 17:10:11 LOG7[1756:2840]:   65 client connects (SSL_connect())
> 2006.07.18 17:10:11 LOG7[1756:2840]:   65 client connects that finished
> 2006.07.18 17:10:11 LOG7[1756:2840]:    0 client renegotiations requested
> 2006.07.18 17:10:11 LOG7[1756:2840]:    0 server connects (SSL_accept())
> 2006.07.18 17:10:11 LOG7[1756:2840]:    0 server connects that finished
> 2006.07.18 17:10:11 LOG7[1756:2840]:    0 server renegotiations requested
> 2006.07.18 17:10:11 LOG7[1756:2840]:   48 session cache hits
> 2006.07.18 17:10:11 LOG7[1756:2840]:    0 session cache misses
> 2006.07.18 17:10:11 LOG7[1756:2840]:    0 session cache timeouts
> 2006.07.18 17:10:11 LOG6[1756:2840]: SSL connected: previous session reused
> 
> Nothing happened, I aborted iexplore.exe
> 
> 2006.07.18 17:10:25 LOG7[1756:2840]: Socket closed on read
> 2006.07.18 17:10:25 LOG7[1756:2840]: SSL write shutdown
> 2006.07.18 17:10:25 LOG7[1756:2840]: SSL alert (write): warning: close 
> notify
> 2006.07.18 17:10:25 LOG7[1756:2840]: SSL_shutdown retrying
> 2006.07.18 17:10:25 LOG7[1756:2840]: SSL doesn't need to read or write
> 2006.07.18 17:10:25 LOG7[1756:2840]: SSL alert (read): warning: close 
> notify
> 2006.07.18 17:10:26 LOG7[1756:2840]: SSL closed on SSL_read
> 2006.07.18 17:10:26 LOG7[1756:2840]: Socket write shutdown
> 2006.07.18 17:10:26 LOG5[1756:2840]: Connection closed: 3 bytes sent to 
> SSL, 0 bytes sent to socket
> 2006.07.18 17:10:26 LOG7[1756:2840]: inet finished (0 left)
> 
> 
> 
> So the problem is that stunnel doesn't connect to the internet on PC2.
> I think I have to use something different than connect = 127.0.0.1:80 on 
> PC2, but I'm not sure.
> 
> The version of stunnel is 4.15.
> I'm using Windows.
> 
> ------------------------------------------------------------------------------------------------------------------------ 
> 
> 
>     PC1                                        PC2
>     192.168.0.1                                192.168.0.2
>     Stunnel Client                             Stunnel Server
> 
>                    -------------------------
> 
> 
> -------------------------------------
> - Sockscap opens Iexplore.exe       -
> - I enter the address of a webpage  -
> - Iexplore.exe --> 127.0.0.1:500    -
> -------------------------------------
> 
>       :      ********************************************************
>       :      *  Sockscap is only to redirect the connections        *
>       :      *  of the web browser to Stunnel, normally the         *
>       :      *  web browser would directly connect to the Internet  *
>       :      *  on port 80 and then going to the destination site.  *
>       :      *  In this case the web browser connects to stunnel on  *
>       :      *  port 500 where stunnel is listening.                *
>       :      ********************************************************
>       :
>       :
>       :
>       :
>       :
>       :
> 
> 
> --------------------------------------------------------------------------------------------------
> -     Stunnel Client                                        Stunnel Server                       -
> -     --------------                                        --------------                       -
> -  Listening on port 500                 Encrypted          Listening on port 123                -
> -  The Browser sends to port 500         ---------->>       Gets Browser data, encrypted         -
> -  Encryption                                               Decryption                           -
> -  Connecting to 192.168.0.2:123         Encrypted          Connects to 127.0.0.1:80             -
> -                                                             .                                  -
> -                                                             .                                  -
> -                                                             .                                  -
> -                                                             .                                  -
> -                                                           +.+++++++++++++++++++++++++++++++++  -
> -                                                           +..---> Should connect to Internet+  -
> -                                                           +++++++++++++++++++++++++++++++++++  -
> -                                                                                                -
> --------------------------------------------------------------------------------------------------
> 
> ------------------------------------------------------------------------------------------------------------------------ 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users