[stunnel-users] (no subject)

Adrián Mihálko adriankoooo at gmail.com
Fri Oct 9 12:44:01 CEST 2015


Some good news: I removed client = yes as you suggested:

2015.10.09 12:39:29 LOG5[main]: Configuration successful
2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672
2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[61]: No peer certificate received
2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599

openssl_client log:

http://pastebin.com/7bg3sf7J

The problem is now that the site loads forever, nothing happens.

(This certificate (:1988) is different from the original (:41952). Is this not
a problem?)

curl test:

$ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
*   Trying 192.168.1.17...
* Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
> GET /DYMO/DLS/Printing/Check HTTP/1.1
> Host: 192.168.1.17:1988
> User-Agent: curl/7.43.0
> Accept: */*
>

waiting forever.

2015-10-09 12:34 GMT+02:00 Adrián Mihálko <adriankoooo at gmail.com>:

> In the first mail I wrote the ports wrongly; of course in the log I am using
> the right ones.
>
> [myservice]
> cert = stunnel.pem
> client = yes
> accept = 0.0.0.0:1988
> connect = localhost:41952
>
>
> 2015-10-09 12:32 GMT+02:00 Adrián Mihálko <adriankoooo at gmail.com>:
>
>> Sorry, curl was only for testing.
>>
>> Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
>> CONNECTED(00000003)
>> 1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
>>
>> 2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
>> 2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
>> 2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
>> 2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
>> 2015.10.09 12:23:21 LOG5[main]: Configuration successful
>> 2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
>> 2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
>> 2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
>> 2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
>> 2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>> 2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
>> 2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
>>
>> If I am connecting to the :41952:
>>
>> openssl s_client -connect 192.168.1.17:41952
>> ...
>>
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1724 bytes and written 712 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 4096 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>> ...
>>
>>
>> 2015-10-09 10:55 GMT+02:00 test rig <testrig at z1p.biz>:
>>
>>>
>>> Ouch #2 missing...
>>>
>>> Hi Adrian, looks good to me so far - mostly. Try to replace the
>>> client=yes with a client=no on the server.
>>>
>>> You are connecting to :9999 with curl(?)
>>> Try to verify it via the "openssl s_client -connect yourserverip:1988" command.
>>>
>>> Best Regards
>>> Michael
>>>
>>> --- Original Message ---
>>> *From:* "test rig" <testrig at z1p.biz>
>>> *Date:* 09.10.2015 09:48:02
>>> *To:* "stunnel-users at stunnel.org." <stunnel-users at stunnel.org>
>>> *Subject:* Re: [stunnel-users] (no subject)
>>>
>>> Hi Adrian, looks good to me so far - mostly. Try to replace the
>>> client=yes with a client=no on the server.
>>>
>>> --- Original Message ---
>>> *From:* Adrián Mihálko
>>> *Date:* 09.10.2015 08:15:19
>>> *To:* stunnel-users at stunnel.org
>>> *Subject:* [stunnel-users] (no subject)
>>>
>>> Dear stunnel users,
>>>
>>> I have a little service which listens only on https://localhost:4952 and
>>> checks the source hostname. I want to connect on "listen:1988" and redirect
>>> requests with stunnel to "localhost:4952".
>>>
>>> https://192.168.1.10:1988 -> redirect https://localhost:4952
>>>
>>>
>>> I am trying to configure stunnel like this:
>>>
>>> [myservice]
>>> cert = stunnel.pem
>>> client = yes
>>> accept = 0.0.0.0:1988
>>> connect = localhost:4952
>>>
>>> remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
>>> *   Trying 192.168.1.25...
>>> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
>>> * WARNING: using IP address, SNI is being disabled by the OS.
>>> * Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>> * Closing connection 0
>>> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>>
>>> stunnel.log:
>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
>>> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
>>> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
>>> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
>>> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>> 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
>>> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>>> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
>>> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
>>>
>>> I tried verify = 1 to 4; neither works. :(
>>>
>>> Best Regards,
>>> Adrian
>>>
>>>
>>>
>>> ______________________________________________________
>>> powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure
>>> internet.
>>>
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
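The thread's two symptoms (curl's "unknown protocol" error when stunnel ran with client = yes, and the request that "loads forever" once it was removed) can be told apart without curl or openssl by sending one ClientHello to the listening port and looking at what comes back. The probe below is an added example, not from the list thread or the stunnel project; the host and port are taken from the command line, and the diagnosis labels ("tls", "plaintext", "silent", ...) are this example's own naming.

```python
# Added example, not from the stunnel thread or project: send a real TLS
# ClientHello to host:port and classify the reply, separating a TLS server
# (stunnel in server mode), a cleartext service answering the raw hello
# (the "unknown protocol" symptom) and a peer that never answers (the
# "waiting forever" symptom).
import socket
import ssl
import sys

def build_client_hello(server_name="localhost"):
    """Let OpenSSL produce a ClientHello through memory BIOs; no socket needed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # probing only, no trust decision here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()              # cannot complete: nobody has answered
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()                 # the bytes a TLS client sends first

def classify_reply(data):
    """Map the first bytes received after a ClientHello to a diagnosis."""
    if data is None:
        return "silent"        # socket stayed open, nothing came back before timeout
    if data == b"":
        return "closed"        # peer hung up without sending a TLS alert
    if data[:2] == b"\x16\x03":
        return "tls"           # TLS handshake record (ServerHello): a TLS server
    if data[:2] == b"\x15\x03":
        return "tls-alert"     # TLS alert record: a TLS server that refused the hello
    if data.startswith(b"HTTP/") or 0x20 <= data[0] < 0x7f:
        return "plaintext"     # readable text: a cleartext service got our hello
    return "unknown"

def probe(host, port, timeout=3.0):
    """Connect, send the ClientHello, wait up to `timeout` for a reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = None
    return classify_reply(data)

if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(target_host, target_port, "->", probe(target_host, target_port))
```

Run it against the stunnel port (for example `python probe.py 192.168.1.17 1988`) and against the backend port; a "plaintext" result is what curl reports as an unknown SSL protocol error, and "silent" is the hang seen in the last message.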