[stunnel-users] Windows 7 connection to HTTPS server

Daniel Pierce dpierce at xpertassist.com
Sat Jul 9 05:16:24 CEST 2011 

stunnel user group,
 
Thanks Yucong Sun or your help.  I have changed the configuration file
values to the values that you recommended.  I didn't read the documentation
careful enough.
 
[https]
accept = 3600
connect = partnerlogin.advancedmd.com
<https://partnerlogin.advancedmd.com/practicemanager/xmlrpc/processrequest.a
sp> :443
(stopped and started the windows service to get the new configuration)
 
HOWEVER
I'm still not getting stunnel to provide the interface to the https web
server.  
I have a http client software which I have tried both GET and POST calls to
https://localhost:3600/practicemanager/xmlrpc/processrequest.asp
<blocked::https://localhost:3600/practicemanager/xmlrpc/processrequest.asp> 
 
Every time the interface comes back with the error "The Connection to the
Server was Reset while the Page was Loading"
 
So I decided to try the page using a standard web browser (Firefox and IE)
thinking that my client software may have a problem.  
I opened the browser and entered the address
https://localhost:3600/practicemanager/xmlrpc/processrequest.asp
<blocked::https://localhost:3600/practicemanager/xmlrpc/processrequest.asp>
Got the same results.
 
So I changed the configuration to go to the same web site as gmail with the
following configuration.
 
[https]
accept = 3600
connect = mail.google.com:443
 
When I try to open the page with the browser to address
https://localhost:3600/mail/?hl=en
<blocked::https://localhost:3600/mail/?hl=en&shva=1#inbox> &shva=1#inbox,  I
get the same error message.
 
NEXT
I started WIRESHARK on the network and filtered for packets coming from/to
my host computer.
When I enter https://localhost:3600/mail/?hl=en
<blocked::https://localhost:3600/mail/?hl=en&shva=1#inbox> &shva=1#inbox on
the browser.  The following details were captured by WIRESHARK.
Source        Destination              Protocol        Lenth        Info
74.125.225.53    192.168.1.70      TLSV1         107            Application
Data Protocol: http
192.168.1.70      74.125.255.53    TCP              54            https
[ACK] Seq=1 Ack=54 win=16181 Len=0
74.125.225.53    192.168.1.70      TLSV1         112            Application
Data Protocol: http
192.168.1.70      74.125.255.53    TLSV1          81            Encrypted
Alert
192.168.1.70      74.125.255.53    TCP             54            60089 >
https [FIN, ACK] Seq=28 Ack=112 win=16167 Len=0
192.168.1.70      74.125.255.54    TCP           1484           [TCP segment
of a reassembled PDU]
192.168.1.70      74.125.255.53    TLSv1          316            Application
Data
74.125.225.53    192.168.1.70      TCP             60            https >
60089 [FIN, ACK] Seq=112 Ack=29 win=196 len=0
192.168.1.70      74.125.255.53    TCP              54            60089 >
https [ACK] Seq=29 Ack=113 win=16167 Len=0
74.125.225.54    192.168.1.70      TCP             60            https >
60113 [ACK] Seq=1 Ack=1693 win=285 len=0
74.125.225.54    192.168.1.70      TLSV1         457            Application
Data Protocol: http
192.168.1.70      74.125.255.54    TCP             54           60113 >
https [ACK] Seq=1693 Ack=404 win=16445 Len=0
SO the packets are  being sent and returned, but the protocol is erroring
out for GOOGLE MAIL.
 
NEXT
When I configure the service for the other https web server.
https://localhost:3600/practicemanager/xmlrpc/processrequest.asp
<blocked::https://localhost:3600/practicemanager/xmlrpc/processrequest.asp> 
I get a simular exchange, but more reference to change cipher Spec. and http
RST for different ip address
Source        Destination              Protocol        Lenth        Info
192.168.1.70      74.125.255.54    TCP              66            60840 >
https [SYN]
74.125.225.54    192.168.1.70      TCP              66            https >
60840 [SYN, ACK]
192.168.1.70      74.125.255.54    TCP              54            60840 >
https [ACK]
192.168.1.70      74.125.255.54   TLSv1            451           client
Hello
74.125.225.54    192.168.1.70      TCP              60            https >
60840 [ACK]
74.125.225.54    192.168.1.70     TLSv1            97            change
cipher Spec, Encrypted Handshake Message
192.168.1.70      74.125.255.54   TLSv1            162          Application
Data
74.125.225.54    192.168.1.70      TCP              60            https >
60840 [ACK]
192.168.1.70      98.137.80.34      TCP              54            60819 >
http [RST, ACK]
 
 
STUNNEL LOG for partnerlogin.advancedmd.com:443  NO OBVIOUS ERRORS
2011.07.08 21:31:21 LOG7[4960:4568]: No limit detected for the number of
clients
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#1: FD=144
allocated (blocking mode)
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_socket#2: FD=148
allocated (blocking mode)
2011.07.08 21:31:21 LOG7[4960:4568]: make_sockets: s_accept: FD=152
allocated (non-blocking mode)
2011.07.08 21:31:21 LOG5[4960:4568]: stunnel 4.39 on x86-pc-mingw32-gnu
platform
2011.07.08 21:31:21 LOG5[4960:4568]: Compiled/running with OpenSSL 1.0.0d 8
Feb 2011
2011.07.08 21:31:21 LOG5[4960:4568]: Threading:WIN32 SSL:ENGINE Auth:none
Sockets:SELECT,IPv6
2011.07.08 21:31:21 LOG5[4960:4568]: Reading configuration from file
stunnel.conf
2011.07.08 21:31:21 LOG7[4960:4568]: Snagged 64 random bytes from C:/.rnd
2011.07.08 21:31:22 LOG7[4960:4568]: Wrote 1024 new random bytes to C:/.rnd
2011.07.08 21:31:22 LOG7[4960:4568]: PRNG seeded successfully
2011.07.08 21:31:22 LOG7[4960:4568]: Configuration SSL options: 0x01000000
2011.07.08 21:31:22 LOG7[4960:4568]: SSL options set: 0x01000004
2011.07.08 21:31:22 LOG7[4960:4568]: Certificate: stunnel.pem
2011.07.08 21:31:22 LOG7[4960:4568]: Certificate loaded
2011.07.08 21:31:22 LOG7[4960:4568]: Key file: stunnel.pem
2011.07.08 21:31:22 LOG7[4960:4568]: Private key loaded
2011.07.08 21:31:22 LOG7[4960:4568]: SSL context initialized for service
http
2011.07.08 21:31:22 LOG5[4960:4568]: Configuration successful
2011.07.08 21:31:22 LOG7[4960:4568]: accept socket: FD=144 allocated
(non-blocking mode)
2011.07.08 21:31:22 LOG7[4960:4568]: Option SO_REUSEADDR set on accept
socket
2011.07.08 21:31:22 LOG7[4960:4568]: Service http bound to 0.0.0.0:3600
2011.07.08 21:31:22 LOG7[4960:4568]: Service http opened FD=144
 
Do I need to have the Public Key Certificate for the remote serve installed
in stunnel for it to access the page?
 
I'm trying to find a simple configuration to prove out that the basic
stunnel application is working. Any suggestions?
 
Is there something basic that I'm missing?
If I send a GET request, I should get a response from the https server that
CONNECT is configurred for.
Is there a compatibility issue between OpenSSL and https web server?
 
Thanks in advance for the help.
Dan
 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110708/858d7912/attachment.html>

More information about the stunnel-users mailing list