[stunnel-users] https problems over TLSv1

Al Gonzalez Al_Gonzalez at raytheon.com
Tue Oct 20 02:02:08 CEST 2009 

Thank you in advance for any assistance you can provide...

 

I am trying to talk to a UHF radio (from a PC) over a secure channel, but 
having some difficulties.  Please let me provide just a little background 
so you know why I’m doing what I’m doing.  In the existing system, 
Internet Explorer (IE) is the client that talks to this radio.  When the 
radio boots up, it sends a webpage over Ethernet to IE and (after the user 
login), a secure link is established, and the radio can be controlled from 
IE – the various webpages change as the user maneuvers through the various 
dropdowns, etc.  We’ve been asked to automate this interface now for a 
production environment.  The client is going to be replaced with a PC 
connected to a great deal of test equipment, and the server will now send 
XML instead of html to the client.  The client is being developed in 
LabVIEW (from National Instruments) – this has made this task even more 
challenging.

As all of this secure stuff is new to me, I spent many hours just trying 
to understand the problem(s) and the lingo.  As LabVIEW has some 
limitations in this area, I found that Stunnel was my best option.  Using 
TCP/IP and sending http to the radio (shown below), I’ve been able (in a 
non-secure mode, without Stunnel) to communicate and get the opening 
screen (html) to be returned to me (the XML server output is currently 
being developed) and displayed in a LabVIEW window.

GET / HTTP/1.1
Host: 10.4.32.1
Connection: Keep-Alive
Authorization: Basic YWRtaW46UgEkJHdvtmQx
Credentials: admin:Password

I downloaded the binary version of Stunnel.exe (version 4.27 with OpenSSL 
0.9.8k dated Mar 2009), then modified the LabVIEW code to call (using a 
command line approach) Stunnel.  In this way, I can’t provide any (dash) 
options, so it’s completely dependent on the stunnel.conf file.  After a 
number of attempts, I was able to get the client to bind to the server (I 
think), but I see nothing being returned to me (no html).  I must use 
TLSv1, and ciphers = DES-CBC3-SHA.

I’ve seen examples on stunnel.org that show a great deal more handshaking 
information than I’m seeing, so I’m wondering if I’m missing some detail 
in my conf file.  For example, my log file ends like this

2009.10.16 13:18:49 LOG7[4812:4776]: FD 208 in non-blocking mode
2009.10.16 13:18:49 LOG7[4812:4776]: SO_REUSEADDR option set on accept 
socket
2009.10.16 13:18:49 LOG7[4812:4776]: https bound to 10.4.1.8:443

But the example I mentioned goes on after the “https bound” and adds 
things like …

2009.08.04 12:15:55 LOG7[16648:22996]: proxy accepted FD=320 from 
127.0.0.1:48086
2009.08.04 12:15:55 LOG7[16648:22996]: Creating a new thread
2009.08.04 12:15:55 LOG7[16648:22996]: New thread created
2009.08.04 12:15:55 LOG7[16648:8540]: proxy started
2009.08.04 12:15:55 LOG7[16648:8540]: FD 320 in non-blocking mode
2009.08.04 12:15:55 LOG7[16648:8540]: TCP_NODELAY option set on local 
socket
2009.08.04 12:15:55 LOG5[16648:8540]: proxy accepted connection from 
127.0.0.1:48086
2009.08.04 12:15:55 LOG7[16648:8540]: FD 340 in non-blocking mode
2009.08.04 12:15:55 LOG7[16648:8540]: proxy connecting 89.149.253.125:8080
2009.08.04 12:15:55 LOG7[16648:8540]: connect_wait: waiting 10 seconds
2009.08.04 12:15:56 LOG7[16648:8540]: connect_wait: connected
2009.08.04 12:15:56 LOG5[16648:8540]: proxy connected remote server from 
192.168.2.3:48088
2009.08.04 12:15:56 LOG7[16648:8540]: Remote FD=340 initialized
2009.08.04 12:15:56 LOG7[16648:8540]: TCP_NODELAY option set on remote 
socket
2009.08.04 12:15:56 LOG7[16648:8540]: SSL state (connect): before/connect 
initialization
2009.08.04 12:15:56 LOG7[16648:8540]: SSL state (connect): SSLv3 write 
client hello A
2009.08.04 12:15:56 LOG7[16648:8540]: SSL state (connect): SSLv3 read 
server hello A
.
.
.
2009.08.04 12:15:57 LOG6[16648:8540]: SSL connected: new session 
negotiated
2009.08.04 12:15:57 LOG6[16648:8540]: Negotiated ciphers: AES256-SHA SSLv3 
Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

That make’s me think that I’m not quite there yet.  I’ve attached my 
stunnel.conf, my log file, and the http request I’m making (above).  I’m 
hoping you can find some flaws in my conf file that will get me closer. 
Other than receiving html, I’m not sure how to know that I truly have a 
secure connection.  I’m thinking I should see a little more in my log 
file, but I’m not sure. 

The other thing I’m not sure about (as I’ve heard differing thoughts) is 
whether I have to Encrypt my http commands, or does stunnel take care of 
that somehow?  If I have to encypt, how would I go about doing this? Also, 
(and I’m getting ahead of myself) do I have to open and close a session 
every time I want to talk, or do I somehow leave the channel open?   I’ve 
read about Session Resumption, but I’m not sure if that is something I 
need to setup in the conf file, or if that can even be controlled by 
Stunnel.

 
Al Gonzalez
Principal Software Engineer
Compass Call Programs
Offensive Information Warfare
Raytheon Company

260.429.4354
260.429.5829 fax
Al_Gonzalez at raytheon.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20091019/7051e76f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log_101609_124pm.log
Type: application/octet-stream
Size: 1448 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20091019/7051e76f/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel.conf
Type: application/octet-stream
Size: 1328 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20091019/7051e76f/attachment-0001.obj>

More information about the stunnel-users mailing list