[stunnel-users] newb: setting up and debugging a windows stunnel
Jay Sprenkle
jsprenkle at gmail.com
Mon Apr 19 20:49:15 CEST 2010
Good afternoon,
I'm trying to use stunnel to secure a legacy application's communications. I
can't seem to get it set up and working. Can anyone provide any hints where
I'm going wrong?
Here's what I'm trying to accomplish:
A Windows service on a client machine connects to a server on port 7000
using TCP. I'd like to encrypt the communication between client and server.
Here's what I've tried:
Created a new server that accepts SSL connections on port 7443. Got a
certificate for the server and installed it.
Installed stunnel on my Windows machine (version 7.43 from the distribution
archive file).
Installed libssl32.dll and libeay32.dll in the same directory as stunnel.exe
( from the openssl-0.9.8h-1 binary distribution).
Installed it as a service using "stunnel -install"
Configured stunnel as follows:
debug=7
output=C:\p4\internal\Utility\Proxy\proxy.log
service=Proxy
taskbar=no
[exchange]
accept=7000
client=yes
connect=proxy.blah.com:7443
I changed my hosts file to trick the old application:
server.blah.com 127.0.0.1
proxy.blah.com IP-address-of-server.blah.com
"server.blah.com" now resolves to the machine it's running on (i.e.
stunnel).
"proxy.blah.com" goes to the real server. stunnel should connect to the
server.
I start the stunnel service and try to connect. It looks like it's working
but the stunnel service just shuts down with no message.
2010.04.19 13:16:21 LOG5[4924:3716]: stunnel 4.33 on x86-pc-mingw32-gnu with OpenSSL 0.9.8h 28 May 2008
2010.04.19 13:16:21 LOG5[4924:3716]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.04.19 13:16:49 LOG5[4924:3748]: Service exchange accepted connection from 127.0.0.1:4134
2010.04.19 13:16:49 LOG6[4924:3748]: connect_blocking: connecting x.80.60.32:7443
2010.04.19 13:16:49 LOG5[4924:3748]: connect_blocking: connected x.80.60.32:7443
2010.04.19 13:16:49 LOG5[4924:3748]: Service exchange connected remote server from x.253.120.19:4135
2010.04.19 13:20:24 LOG5[3668:3856]: Reading configuration from file stunnel.conf
2010.04.19 13:20:24 LOG7[3668:3856]: Snagged 64 random bytes from C:/.rnd
2010.04.19 13:20:24 LOG7[3668:3856]: Wrote 1024 new random bytes to C:/.rnd
2010.04.19 13:20:24 LOG7[3668:3856]: RAND_status claims sufficient entropy for the PRNG
2010.04.19 13:20:24 LOG7[3668:3856]: PRNG seeded successfully
2010.04.19 13:20:24 LOG7[3668:3856]: SSL context initialized for service exchange
2010.04.19 13:20:24 LOG5[3668:3856]: Configuration successful
2010.04.19 13:20:24 LOG5[3668:3856]: No limit detected for the number of clients
2010.04.19 13:20:24 LOG7[3668:3856]: FD=312 in non-blocking mode
2010.04.19 13:20:24 LOG7[3668:3856]: Option SO_REUSEADDR set on accept socket
2010.04.19 13:20:24 LOG7[3668:3856]: Service exchange bound to 0.0.0.0:7000
2010.04.19 13:20:24 LOG7[3668:3856]: Service exchange opened FD=312
2010.04.19 13:20:24 LOG5[3668:3856]: stunnel 4.33 on x86-pc-mingw32-gnu with OpenSSL 0.9.8h 28 May 2008
2010.04.19 13:20:24 LOG5[3668:3856]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.04.19 13:21:02 LOG7[3668:4556]: Service exchange accepted FD=372 from 127.0.0.1:4156
2010.04.19 13:21:02 LOG7[3668:4556]: Creating a new thread
2010.04.19 13:21:02 LOG7[3668:4556]: New thread created
2010.04.19 13:21:02 LOG7[3668:3756]: Service exchange started
2010.04.19 13:21:02 LOG7[3668:3756]: FD=372 in non-blocking mode
2010.04.19 13:21:02 LOG5[3668:3756]: Service exchange accepted connection from 127.0.0.1:4156
2010.04.19 13:21:02 LOG7[3668:3756]: FD=396 in non-blocking mode
2010.04.19 13:21:02 LOG6[3668:3756]: connect_blocking: connecting x.80.60.32:7443
2010.04.19 13:21:02 LOG7[3668:3756]: connect_blocking: s_poll_wait x.80.60.32:7443: waiting 10 seconds
2010.04.19 13:21:02 LOG5[3668:3756]: connect_blocking: connected x.80.60.32:7443
2010.04.19 13:21:02 LOG5[3668:3756]: Service exchange connected remote server from x.253.120.19:4157
2010.04.19 13:21:02 LOG7[3668:3756]: Remote FD=396 initialized
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): before/connect initialization
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write client hello A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server hello A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server certificate A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server done A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write client key exchange A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write change cipher spec A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write finished A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 flush data
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read finished A
The client thinks the connection is closed:
No connection could be made because the target machine actively refused it 127.0.0.1:7000
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
at Service.ConnUtility.Connect()
Any suggestions?
Thanks
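Two things in the posted configuration are worth checking before the service-shutdown problem is chased: accept=7000 with no host makes stunnel bind every interface (the log confirms "Service exchange bound to 0.0.0.0:7000"), so any host that can reach the client machine can use the plaintext side of the tunnel; and client=yes with no verify level means stunnel 4.x performs no peer certificate verification and will happily tunnel to whatever presents a certificate at proxy.blah.com:7443. The following is an added example, not code from the original post or from the stunnel project: a small Python linter for stunnel's INI-style configuration that parses the posted config (reproduced as a constructed sample) and a hardened variant, and flags those weaknesses plus a verify level with no CAfile/CApath to verify against. The ca.pem path in the hardened variant is an assumption. It does not diagnose why the service exits.

```python
"""Lint an stunnel client configuration for common weaknesses.

Added example (not code from the original post or from the stunnel project).
stunnel's config is INI-like: global options come before the first [section],
and each [section] defines one service. Checks performed:
  - accept=PORT with no host binds every interface (the posted log shows
    "bound to 0.0.0.0:7000"), so any host on the LAN can use the tunnel.
  - client=yes without verify>=2 forwards to whatever presents a certificate;
    stunnel 4.x does no peer verification by default.
  - verify>=2 without CAfile/CApath gives stunnel nothing to verify against.
"""
import re
from typing import Dict, List, Tuple

Options = Dict[str, str]

# Constructed sample: the configuration from the post, verbatim.
WEAK_CONF = """\
debug=7
output=C:\\p4\\internal\\Utility\\Proxy\\proxy.log
service=Proxy
taskbar=no
[exchange]
accept=7000
client=yes
connect=proxy.blah.com:7443
"""

# Constructed hardened variant: loopback-only accept, server certificate
# verified against a CA bundle. The ca.pem path is an assumption.
HARDENED_CONF = """\
debug=5
output=C:\\p4\\internal\\Utility\\Proxy\\proxy.log
service=Proxy
taskbar=no
[exchange]
accept=127.0.0.1:7000
client=yes
connect=proxy.blah.com:7443
verify=2
CAfile=C:\\p4\\internal\\Utility\\Proxy\\ca.pem
"""


def parse_stunnel_conf(text: str) -> Tuple[Options, Dict[str, Options]]:
    """Return (global options, {service name: options}); keys lower-cased."""
    global_opts: Options = {}
    services: Dict[str, Options] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            services[current] = {}
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def accept_host(value: str) -> str:
    """Host part of an accept/connect value; '' when only a port is given."""
    host, sep, _port = value.rpartition(":")
    return host if sep else ""


def lint(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing flagged."""
    findings: List[str] = []
    global_opts, services = parse_stunnel_conf(text)
    for name, opts in services.items():
        # Service-level options override the global defaults.
        merged = {**global_opts, **opts}
        accept = merged.get("accept")
        if accept is not None and accept_host(accept) in ("", "0.0.0.0", "::"):
            findings.append(
                f"[{name}] accept={accept} binds all interfaces; "
                f"use 127.0.0.1:{accept.rpartition(':')[2]}"
            )
        if merged.get("client", "no").lower() == "yes":
            verify = int(merged.get("verify", "0"))
            if verify < 2:
                findings.append(
                    f"[{name}] client=yes with verify={verify}: "
                    "server certificate is not verified"
                )
            elif not (merged.get("cafile") or merged.get("capath")):
                findings.append(
                    f"[{name}] verify={verify} but no CAfile/CApath: "
                    "nothing to verify against"
                )
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

Run it as-is to see the posted config produce two findings and the hardened one none. verify=2 checks the server certificate chain against CAfile; with a self-signed or private-CA certificate on the server, CAfile must contain that issuer, or every connection will fail at the handshake stage shown in the log.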