[stunnel-users] client side SNI
yyy
yyy at yyy.id.lv
Sat Jan 14 06:07:51 CET 2012
Hello Michal,
Friday, January 13, 2012, 11:38:06 PM, you wrote:
> yyy wrote:
>> Tried simply adding protocolHost=servername into client
>> configuration section, but it did not work, because server returned
>> default cert.
> I was told I tend to behave like an oracle, but I'm not.
> I can hardly diagnose your configuration without the output of
> "stunnel -version" and debug logs.
Sorry, here is the output of "stunnel -version"
(although stunnel.conf specifies fips=no):
stunnel 4.52 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6
Global options:
debug = notice
RNDbytes = 64
RNDoverwrite = yes
taskbar = yes
Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
curve = prime256v1
session = 300 seconds
sslVersion = TLSv1 (with "fips = yes")
sslVersion = TLSv1 for client, all for server (with "fips = no")
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Server is down
And here is log (debug=7):
2012.01.13 21:57:48 LOG7[2132:7704]: Service sni-client accepted FD=504 from 127.0.0.1:2541
2012.01.13 21:57:48 LOG7[2132:7704]: Creating a new thread
2012.01.13 21:57:48 LOG7[2132:7704]: New thread created
2012.01.13 21:57:48 LOG7[2132:7932]: Service sni-client started
2012.01.13 21:57:48 LOG5[2132:7932]: Service sni-client accepted connection from 127.0.0.1:2541
2012.01.13 21:57:48 LOG6[2132:7932]: connect_blocking: connecting 213.175.91.220:443
2012.01.13 21:57:48 LOG7[2132:7932]: connect_blocking: s_poll_wait 213.175.91.220:443: waiting 10 seconds
2012.01.13 21:57:48 LOG5[2132:7932]: connect_blocking: connected 213.175.91.220:443
2012.01.13 21:57:48 LOG5[2132:7932]: Service sni-client connected remote server from 10.0.0.151:2542
2012.01.13 21:57:48 LOG7[2132:7932]: Remote FD=448 initialized
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): before/connect initialization
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client hello A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server hello A
2012.01.13 21:57:48 LOG7[2132:7932]: Starting certificate verification: depth=1, /C=lv/L=Salaspils/CN=yyyCA/emailAddress=yyy at yyy.id.lv
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=1, /C=lv/L=Salaspils/CN=yyyCA/emailAddress=yyy at yyy.id.lv
2012.01.13 21:57:48 LOG7[2132:7932]: Starting certificate verification: depth=0, /C=lv/CN=afm.yyy.id.lv/description=\x00s\x00e\x00r\x00v\x00e\x00r\x00a\x00 \x00s\x00e\x00r\x00t\x00i\x00f\x00i\x00k\x01\x01\x00t\x00s\x00 \x00l\x00i\x00e\x00t\x00o\x01a\x00a\x00n\x00a\x00i\x00 \x00s\x00e\x00r\x00v\x00e\x00r\x00i\x00e\x00m\x00,\x00 \x00k\x00a\x00m\x00 \x00j\x01\x01\x00s\x00l\x01\x13\x00d\x00z\x00a\x00s\x00 \x00k\x00l\x01\x01\x00t\x00 \x00a\x00r\x00 \x00e\x005\x002
2012.01.13 21:57:48 LOG5[2132:7932]: Certificate accepted: depth=0, /C=lv/CN=afm.yyy.id.lv/description=\x00s\x00e\x00r\x00v\x00e\x00r\x00a\x00 \x00s\x00e\x00r\x00t\x00i\x00f\x00i\x00k\x01\x01\x00t\x00s\x00 \x00l\x00i\x00e\x00t\x00o\x01a\x00a\x00n\x00a\x00i\x00 \x00s\x00e\x00r\x00v\x00e\x00r\x00i\x00e\x00m\x00,\x00 \x00k\x00a\x00m\x00 \x00j\x01\x01\x00s\x00l\x01\x13\x00d\x00z\x00a\x00s\x00 \x00k\x00l\x01\x01\x00t\x00 \x00a\x00r\x00 \x00e\x005\x002
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server certificate A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server key exchange A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server certificate request A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 read server done A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client certificate A
2012.01.13 21:57:48 LOG7[2132:7932]: SSL state (connect): SSLv3 write client key exchange A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write certificate verify A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write change cipher spec A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 write finished A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 flush data
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 read server session ticket A
2012.01.13 21:57:49 LOG7[2132:7932]: SSL state (connect): SSLv3 read finished A
2012.01.13 21:57:49 LOG7[2132:7932]: 1 items in the session cache
2012.01.13 21:57:49 LOG7[2132:7932]: 1 client connects (SSL_connect())
2012.01.13 21:57:49 LOG7[2132:7932]: 1 client connects that finished
2012.01.13 21:57:49 LOG7[2132:7932]: 0 client renegotiations requested
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server connects (SSL_accept())
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server connects that finished
2012.01.13 21:57:49 LOG7[2132:7932]: 0 server renegotiations requested
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache hits
2012.01.13 21:57:49 LOG7[2132:7932]: 0 external session cache hits
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache misses
2012.01.13 21:57:49 LOG7[2132:7932]: 0 session cache timeouts
2012.01.13 21:57:49 LOG7[2132:7932]: Peer certificate was cached (3611 bytes)
2012.01.13 21:57:49 LOG6[2132:7932]: SSL connected: new session negotiated
2012.01.13 21:57:49 LOG6[2132:7932]: Negotiated ciphers: ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.13 21:57:49 LOG6[2132:7932]: Compression: null, expansion: null
2012.01.13 21:58:09 LOG3[2132:7932]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2012.01.13 21:58:09 LOG5[2132:7932]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.01.13 21:58:09 LOG7[2132:7932]: Service sni-client finished (0 left)
It connects just fine, but only to the default service.
s_client connects to the proper service (using this command):
C:\openssl s_client -connect 213.175.91.220:443
-cert cert.crt -key key.key -servername servername
Client authentication succeeds in either case (as expected).
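Added example (not from the stunnel project or the original post): capture a ClientHello in memory with Python's ssl module and check whether it carries a server_name extension, which is the quickest way to confirm whether a client actually sends SNI before suspecting the server's certificate selection. The hostname afm.yyy.id.lv is taken from the log above; a ClientHello captured from any client (for instance via tcpdump) can be fed to sni_hostname() the same way.

```python
import ssl
import struct

SNI_EXT = 0  # TLS extension type "server_name" (RFC 6066)


def client_hello_bytes(hostname):
    """Run only the client's first handshake flight in memory and return the
    ClientHello record it would have sent on the wire (no network needed)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # allow hostname=None for the no-SNI case
    ctx.verify_mode = ssl.CERT_NONE   # there is no peer; the handshake never completes
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # ClientHello written; now waiting for ServerHello
    return outgoing.read()


def sni_hostname(record):
    """Parse a TLS ClientHello record and return the host_name from its
    server_name extension, or None when the client sent no SNI at all."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:]                 # skip 5-byte record header
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    pos += 1 + body[pos]              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]              # compression_methods
    if pos >= len(body):
        return None                   # no extensions block at all (old-style hello)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == SNI_EXT:
            # ServerNameList: u16 list length, then (u8 name_type, u16 len, name)
            name_type, name_len = data[2], struct.unpack("!H", data[3:5])[0]
            if name_type == 0:        # 0 = host_name
                return data[5:5 + name_len].decode("ascii")
        pos += 4 + elen
    return None


if __name__ == "__main__":
    for host in ("afm.yyy.id.lv", None):
        print(host, "->", sni_hostname(client_hello_bytes(host)))
```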