[stunnel-users] Help in setting stunnel in server mode to over come TLSV2 compatibility

Carter Browne cbcs at comcast.net
Wed Nov 23 16:59:41 CET 2016


There are other tools for performing port forwarding with less overhead 
(I believe tappipe is one), although I make use of stunnel to do this 
extensively.

Forwarding a secure connection from one port to another is a two-step 
process with stunnel:

A sample configuration segment would be:

[SFDC reverse in]
client = no
accept = 8008
connect = localhost:48008

[SFDC reverse out]
client = yes
accept = localhost:48008
connect = localhost:8009

On 11/23/2016 10:18 AM, Rodney Lott wrote:
> Hi, there.
>
> I'm no stunnel expert, but here's my $0.05 (we have no pennies in 
> Canada anymore ;-) ):
> - I would try including the key as well as the cert in your stunnel config
> - I would enable debug on the openssl s_client call to see if it will 
> indicate why it is resetting. Same with your SFDC client to get more info.
> - Question: is the "WARNING: can't open config file" message below 
> indicative of a permissions or path problem?
> - Question: Is the stunnel cert and key compatible with the TIBCO 
> server's certificate? They need to be using certs generated from the 
> same key source, don't they?
> - You might want to fix the SSL version in the stunnel config file 
> (i.e. sslVersion = TLSv1.2)
>
> Good luck with your debugging.
>
> Rodney
>
> On 2016-11-22 07:43 PM, jothish.chokkalingam at accenture.com wrote:
>>
>> HI all,
>>
>> There is a problem we have currently connecting tibco client to SFDC 
>> server via TLS v1.2 and that’s solved by using stunnel in client mode. 
>> And the communication from SFDC client to tibco server applications 
>> w.r.t TLS V1.2 I am unable to solve using stunnel. Below is the 
>> configuration in stunnel at the server end to divert the traffic from 
>> 8008 to 8009; can you help here, with the logs, whether the stunnel 
>> configuration is correct or there is anything missed/needing to be altered.
>>
>> [SFDC reverse proxy test]
>> debug=7
>> ;client = yes
>> accept = 8008            -> port used by sfdc client to connect to TIBCO server
>> connect = localhost:8009 -> Tibco server that’s running
>> cert = stunnel.pem
>>
>> 2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] started
>> 2016.11.23 08:31:56 LOG7[118]: Option TCP_NODELAY set on local socket
>> 2016.11.23 08:31:56 LOG5[118]: Service [SFDC reverse proxy test] accepted connection from 101.167.198.14:54477
>> 2016.11.23 08:31:56 LOG6[118]: Peer certificate not required
>> 2016.11.23 08:31:56 LOG7[118]: SSL state (accept): before/accept initialization
>> 2016.11.23 08:31:56 LOG3[118]: SSL_accept: Peer suddenly disconnected
>> 2016.11.23 08:31:56 LOG5[118]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>> 2016.11.23 08:31:56 LOG7[118]: Local descriptor (FD=696) closed
>> 2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] finished (0 left)
>>
>> PFB the openssl snapshot, which looks odd:
>>
>> C:\Program Files (x86)\stunnel\bin>openssl s_client -connect localhost:8008 -prexit -showcerts
>>
>> WARNING: can't open config file: /devel/win32/openssl/openssl.cnf
>>
>> CONNECTED(0000016C)
>>
>> Thanks and Regards,
>>
>> Jothish
>> TIBCO TSD
>> Ph. : +91 44 39263958
>> Mobile : +91 9884040171
>> Support : +91 9962007110
>> OC : jothish.chokkalingam
>> Group mail:- Telstra.psm.tsd.tibco at accenture.com
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
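The two-stanza decrypt-then-re-encrypt layout in Carter Browne's reply above, checked mechanically. This is an added example, not code from the thread or from the stunnel project: a small Python validator that parses stunnel's INI-style config (assumed form: `[section]` headers, `key = value` lines, `;`/`#` comments) and reports, for each server-mode stanza, whether its decrypted traffic is handed to a client-mode stanza for re-encryption, whether that cleartext hop is bound to loopback only, and whether the client-mode stanza verifies the backend certificate (stunnel verifies nothing in client mode unless `verify`, `verifyChain` or `verifyPeer` is set). The stanza names and ports in `SAMPLE_CONF` are taken from the reply; the finding codes and helper names are my own.

```python
"""Sanity-check a two-hop stunnel forwarding configuration.

Added example, not stunnel's own code. Assumes stunnel's INI-style
config syntax: [section] headers, key = value lines, ';' or '#' comments.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the two stanzas in the reply above.
SAMPLE_CONF = """
debug = 5

[SFDC reverse in]
client = no
accept = 8008
connect = localhost:48008
cert = stunnel.pem

[SFDC reverse out]
client = yes
accept = localhost:48008
connect = localhost:8009
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
Finding = Tuple[str, str]  # (finding code, service name); codes are my own


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {option: value}}; options before the first
    [section] are stored under the empty-string key as globals."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def split_hostport(value: str) -> Tuple[str, int]:
    """'localhost:48008' -> ('localhost', 48008); a bare '8008' -> ('', 8008).
    A bracketed IPv6 literal is returned without its brackets."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return "", int(value)
    return host.strip("[]"), int(port)


def _connect_target(value: str) -> Tuple[str, int]:
    # stunnel connects a bare port to the local host.
    host, port = split_hostport(value)
    return ("loopback" if host == "" or host in LOOPBACK else host, port)


def _accept_binding(value: str) -> Tuple[str, int]:
    # A bare port binds every interface, so it also answers on loopback.
    host, port = split_hostport(value)
    return ("any" if host == "" else "loopback" if host in LOOPBACK else host, port)


def check_forwarding_chain(conf: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Report how each stanza handles the traffic it decrypts or forwards."""
    findings: List[Finding] = []
    services = {name: opts for name, opts in conf.items() if name}
    is_client = {n: o.get("client", "no").lower() == "yes" for n, o in services.items()}

    # Index client-mode stanzas by the address they listen on.
    listeners: Dict[Tuple[str, int], str] = {}
    for name, opts in services.items():
        if is_client[name] and "accept" in opts:
            listeners[_accept_binding(opts["accept"])] = name

    for name, opts in services.items():
        if "accept" not in opts or "connect" not in opts:
            findings.append(("MISSING_ENDPOINT", name))
            continue
        if is_client[name]:
            # Without one of these options stunnel accepts any backend certificate.
            if not any(k in opts for k in ("verify", "verifyChain", "verifyPeer")):
                findings.append(("BACKEND_NOT_VERIFIED", name))
            continue
        if "cert" not in opts:
            findings.append(("NO_CERT", name))  # server mode cannot complete a handshake
        host, port = _connect_target(opts["connect"])
        hop = listeners.get((host, port)) or listeners.get(("any", port))
        if hop is None:
            # Decrypted bytes go straight to the backend; correct only if the
            # backend speaks plaintext on that port.
            findings.append(("PLAINTEXT_TO_BACKEND", name))
            continue
        findings.append(("CHAIN_OK", name))
        if _accept_binding(services[hop]["accept"])[0] == "any":
            # The cleartext hop listens on every interface, not just loopback.
            findings.append(("CLEARTEXT_HOP_EXPOSED", hop))
    return findings


if __name__ == "__main__":
    for code, service in check_forwarding_chain(parse_stunnel_conf(SAMPLE_CONF)):
        print(f"{code:24} [{service}]")
```

Run against the original poster's single stanza (server mode, `connect = localhost:8009`, no client-mode stanza) the checker reports PLAINTEXT_TO_BACKEND, which is the point of the reply: one stanza terminates TLS and delivers cleartext to 8009, and a second, client-mode stanza is needed if the backend expects TLS. Binding the intermediate `accept` to `localhost` keeps that cleartext hop off the network.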
