[stunnel-users] SNI with protocol=proxy ?
Marek Majkowski
majek04 at gmail.com
Thu Mar 29 17:07:01 CEST 2012
On Tue, Mar 27, 2012 at 21:35, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
> yyy wrote:
>>
>> What does the server log say? Is it accepting the connection at https_one?
>> (I had a similar problem, server worked as expected (at least when
>> connecting from openssl s_client), but client did not appear to
>> support sni).
>
> Great reply. Some debug logs might indeed be useful.
Right. I assumed this was a known issue.
> Also "proxy" protocol is implemented before SSL protocol negotiation.
> The option should be supplied in the master (accepting) service.
Good to know. Even better if that was documented somewhere :)
Extract from my config:
[https_default]
accept = 443
protocol = proxy
connect = 10443
TIMEOUTclose = 0
session = 86400
cert = xxx.crt
key = xxx.key
[https_yyy]
sni = https_default:yyy.xxx.org
connect = 10442
TIMEOUTclose = 0
session = 86400
cert = yyy.crt
key = yyy.key
HAProxy listens on 10443, nobody listens on 10442.
Connecting to yyy.xxx.org, I would expect it to be
closed/refused/dropped as nobody is listening on 10442, but instead:
2012.03.29 15:04:24 LOG5[22022:3076066080]: stunnel 4.52 on i686-pc-linux-gnu platform
2012.03.29 15:04:24 LOG5[22022:3076066080]: Compiled/running with OpenSSL 1.0.1 14 Mar 2012
[...]
2012.03.29 15:00:54 LOG7[21966:3076729632]: Service https_default accepted FD=17 from aaa:56413
2012.03.29 15:00:54 LOG7[21966:3076373360]: Service https_default started
2012.03.29 15:00:54 LOG5[21966:3076373360]: Service https_default accepted connection from aaa:56413
2012.03.29 15:00:54 LOG6[21966:3076373360]: connect_blocking: connecting 127.0.0.1:10443
2012.03.29 15:00:54 LOG7[21966:3076373360]: connect_blocking: s_poll_wait 127.0.0.1:10443: waiting 10 seconds
2012.03.29 15:00:54 LOG5[21966:3076373360]: connect_blocking: connected 127.0.0.1:10443
2012.03.29 15:00:54 LOG5[21966:3076373360]: Service https_default connected remote server from 127.0.0.1:53832
2012.03.29 15:00:54 LOG7[21966:3076373360]: Remote FD=18 initialized
2012.03.29 15:00:54 LOG6[21966:3076373360]: Server-mode proxy protocol negotiations started
2012.03.29 15:00:54 LOG7[21966:3076373360]: -> PROXY TCP4 aaa bbb 56413 443
2012.03.29 15:00:54 LOG6[21966:3076373360]: Server-mode proxy protocol negotiations succeeded
2012.03.29 15:00:54 LOG5[21966:3076373360]: SNI: switched to section https_yyy
So, the 'connect' option in the slave service seems to be ignored, and
stunnel happily connects to 10443.
Also, the slave / SNI seems to be working otherwise, as the browser doesn't
complain about a bad certificate for yyy.xxx.org.
Marek
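The `-> PROXY TCP4 aaa bbb 56413 443` line in the log above is the PROXY protocol v1 header stunnel sends to the backend before any TLS bytes. As an added example that is not part of this thread or of stunnel or HAProxy, here is a parser with the validation a receiving backend should apply before trusting the client address in it; the sample header and its RFC 5737 addresses are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the header line stunnel logged ("-> PROXY TCP4 aaa bbb
# 56413 443"), with the anonymised addresses replaced by RFC 5737 ones.
SAMPLE_HEADER = b"PROXY TCP4 192.0.2.10 198.51.100.7 56413 443\r\n"

MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included (HAProxy spec)


@dataclass(frozen=True)
class ProxyV1:
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


def _port(field: str) -> int:
    # Decimal, no leading zeros, 0..65535, as the spec requires.
    if not field.isdigit() or field != str(int(field)) or int(field) > 65535:
        raise ValueError(f"bad port {field!r}")
    return int(field)


def parse_proxy_v1(data: bytes) -> tuple[ProxyV1 | None, bytes]:
    """Split a PROXY v1 header off the front of a stream.

    Returns (header, remaining_bytes); header is None for 'PROXY UNKNOWN'.
    Raises ValueError for anything malformed, since a backend that accepts
    a bad header would attribute the connection to the wrong client.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)  # CRLF must lie within 107 bytes
    if end < 0:
        raise ValueError("no CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None, data[end + 2:]  # sender has no client info; treat as direct
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad protocol or field count")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6")
    header = ProxyV1(str(src), str(dst), _port(fields[4]), _port(fields[5]))
    return header, data[end + 2:]
```

Everything after the CRLF is returned untouched, so in the setup above the TLS ClientHello (and with it the SNI) follows the header on the same connection.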