[stunnel-users] Windows 7 connection to HTTPS server
Daniel Pierce
dpierce at xpertassist.com
Sat Jul 9 05:16:24 CEST 2011
stunnel user group,
Thanks Yucong Sun for your help. I have changed the configuration file
values to the values that you recommended. I didn't read the documentation
carefully enough.
[https]
accept = 3600
connect = partnerlogin.advancedmd.com:443
(stopped and started the windows service to get the new configuration)
HOWEVER
I'm still not getting stunnel to provide the interface to the https web
server.
I have a http client software which I have tried both GET and POST calls to
https://localhost:3600/practicemanager/xmlrpc/processrequest.asp
Every time the interface comes back with the error "The Connection to the
Server was Reset while the Page was Loading"
So I decided to try the page using a standard web browser (Firefox and IE)
thinking that my client software may have a problem.
I opened the browser and entered the address
https://localhost:3600/practicemanager/xmlrpc/processrequest.asp
Got the same results.
So I changed the configuration to go to the same web site as gmail with the
following configuration.
[https]
accept = 3600
connect = mail.google.com:443
When I try to open the page with the browser to address
https://localhost:3600/mail/?hl=en&shva=1#inbox, I
get the same error message.
NEXT
I started WIRESHARK on the network and filtered for packets coming from/to
my host computer.
When I enter https://localhost:3600/mail/?hl=en&shva=1#inbox on
the browser. The following details were captured by WIRESHARK.
Source          Destination     Protocol  Length  Info
74.125.225.53   192.168.1.70    TLSV1     107     Application Data Protocol: http
192.168.1.70    74.125.255.53   TCP       54      https [ACK] Seq=1 Ack=54 win=16181 Len=0
74.125.225.53   192.168.1.70    TLSV1     112     Application Data Protocol: http
192.168.1.70    74.125.255.53   TLSV1     81      Encrypted Alert
192.168.1.70    74.125.255.53   TCP       54      60089 > https [FIN, ACK] Seq=28 Ack=112 win=16167 Len=0
192.168.1.70    74.125.255.54   TCP       1484    [TCP segment of a reassembled PDU]
192.168.1.70    74.125.255.53   TLSv1     316     Application Data
74.125.225.53   192.168.1.70    TCP       60      https > 60089 [FIN, ACK] Seq=112 Ack=29 win=196 len=0
192.168.1.70    74.125.255.53   TCP       54      60089 > https [ACK] Seq=29 Ack=113 win=16167 Len=0
74.125.225.54   192.168.1.70    TCP       60      https > 60113 [ACK] Seq=1 Ack=1693 win=285 len=0
74.125.225.54   192.168.1.70    TLSV1     457     Application Data Protocol: http
192.168.1.70    74.125.255.54   TCP       54      60113 > https [ACK] Seq=1693 Ack=404 win=16445 Len=0
SO the packets are being sent and returned, but the protocol is erroring
out for GOOGLE MAIL.
NEXT
When I configure the service for the other https web server.
https://localhost:3600/practicemanager/xmlrpc/processrequest.asp
I get a similar exchange, but more reference to change cipher Spec. and http
RST for different ip address
Source          Destination     Protocol  Length  Info
192.168.1.70    74.125.255.54   TCP       66      60840 > https [SYN]
74.125.225.54   192.168.1.70    TCP       66      https > 60840 [SYN, ACK]
192.168.1.70    74.125.255.54   TCP       54      60840 > https [ACK]
192.168.1.70    74.125.255.54   TLSv1     451     client Hello
74.125.225.54   192.168.1.70    TCP       60      https > 60840 [ACK]
74.125.225.54   192.168.1.70    TLSv1     97      change cipher Spec, Encrypted Handshake Message
192.168.1.70    74.125.255.54   TLSv1     162     Application Data
74.125.225.54   192.168.1.70    TCP       60      https > 60840 [ACK]
192.168.1.70    98.137.80.34    TCP       54      60819 > http [RST, ACK]
STUNNEL LOG for partnerlogin.advancedmd.com:443 NO OBVIOUS ERRORS
2011.07.08 21:31:21 LOG7[4960:4568]: No limit detected for the number of clients
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#1: FD=144 allocated (blocking mode)
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#2: FD=148 allocated (blocking mode)
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_accept: FD=152 allocated (non-blocking mode)
2011.07.08 21:31:21 LOG5[4960:4568]: stunnel 4.39 on x86-pc-mingw32-gnu platform
2011.07.08 21:31:21 LOG5[4960:4568]: Compiled/running with OpenSSL 1.0.0d 8 Feb 2011
2011.07.08 21:31:21 LOG5[4960:4568]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT,IPv6
2011.07.08 21:31:21 LOG5[4960:4568]: Reading configuration from file stunnel.conf
2011.07.08 21:31:21 LOG7[4960:4568]: Snagged 64 random bytes from C:/.rnd
2011.07.08 21:31:22 LOG7[4960:4568]: Wrote 1024 new random bytes to C:/.rnd
2011.07.08 21:31:22 LOG7[4960:4568]: PRNG seeded successfully
2011.07.08 21:31:22 LOG7[4960:4568]: Configuration SSL options: 0x01000000
2011.07.08 21:31:22 LOG7[4960:4568]: SSL options set: 0x01000004
2011.07.08 21:31:22 LOG7[4960:4568]: Certificate: stunnel.pem
2011.07.08 21:31:22 LOG7[4960:4568]: Certificate loaded
2011.07.08 21:31:22 LOG7[4960:4568]: Key file: stunnel.pem
2011.07.08 21:31:22 LOG7[4960:4568]: Private key loaded
2011.07.08 21:31:22 LOG7[4960:4568]: SSL context initialized for service http
2011.07.08 21:31:22 LOG5[4960:4568]: Configuration successful
2011.07.08 21:31:22 LOG7[4960:4568]: accept socket: FD=144 allocated (non-blocking mode)
2011.07.08 21:31:22 LOG7[4960:4568]: Option SO_REUSEADDR set on accept socket
2011.07.08 21:31:22 LOG7[4960:4568]: Service http bound to 0.0.0.0:3600
2011.07.08 21:31:22 LOG7[4960:4568]: Service http opened FD=144
Do I need to have the Public Key Certificate for the remote server installed
in stunnel for it to access the page?
I'm trying to find a simple configuration to prove out that the basic
stunnel application is working. Any suggestions?
Is there something basic that I'm missing?
If I send a GET request, I should get a response from the https server that
CONNECT is configured for.
Is there a compatibility issue between OpenSSL and https web server?
Thanks in advance for the help.
Dan