[stunnel-users] HTTP to HTTPS

Константин Кручинин kruchinin.c at gmail.com
Thu Dec 27 10:27:08 CET 2018


Hi Peter,
Thanks for the help, but I still need help with the certificates.

Stunnel is installed on windows and the firewall is disabled.
In the application settings, the address will be "stunserv: 5432", the
application is not located on the same host as stunnel.
At the moment, for easier testing, I use a browser. I am able to go to
tdl.externalhost.com:9443; do I understand correctly that when stunnel
is configured correctly, I should see the same result when going to
stunserv: 54321?

I have a server root certificate that is currently installed at trusted
root certification authorities (the chain looks like this: CA.cer ->
externalhost.cer)
The CApath directory contains the root certificate for the
tdl.externalhost.com server and revocation lists.
What certificates should I use? How do I correctly specify the certificates
in the config? Do I need to create any certificates?

Current config:

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no

[https]
client = yes
connect = tdl.externalhost.com:9443
accept = stunserv:54321
TIMEOUTclose = 0
TIMEOUTconnect = 200
TIMEOUTidle = 86400
sni = tdl.externalhost.com
checkHost = tdl.externalhost.com
verifyChain = yes
CApath = "C:\Program Files (x86)\stunnel\config\ssl"


Connections log:

2018.12.27 11:34:19 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2018.12.27 11:34:19 LOG5[main]: Compiled/running with OpenSSL 1.1.1a  20 Nov 2018
2018.12.27 11:34:19 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2018.12.27 11:34:19 LOG5[main]: Reading configuration from file stunnel.conf
2018.12.27 11:34:19 LOG5[main]: UTF-8 byte order mark detected
2018.12.27 11:34:19 LOG5[main]: Configuration successful
2018.12.27 11:34:31 LOG5[0]: Service [https] accepted connection from fe80::1cc0:e238:fbbc:7767%12:53218
2018.12.27 11:34:52 LOG3[0]: s_connect: connect tdl.externalhost.com:9443: Connection timed out (WSAETIMEDOUT) (10060)
2018.12.27 11:34:52 LOG3[0]: No more addresses to connect
2018.12.27 11:34:52 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Wed, Dec 26, 2018 at 23:00, Eric Eberhard <flash at vicsmba.com>:

> There once was an open source libcsoap to do SOAP.  It appeared abandoned
> 5-10 years ago but was available on line.
>
> I downloaded that ages ago and made a fully functional libcsoap -- this
> includes "nanohttp" which will POST via HTTP, HTTPS, 1.0, 1.1, etc.
>
> I only use this on AIX -- and my inability to do the craziness that the
> open source community does so well to make it work on all platforms and a
> lack of a real place to put it -- it never really got out.
>
> You are welcome to the code.  It is in C.  You can build nanohttp apart
> from libcsoap.  If it has a few gotchas because of your O/S they should be
> easy to fix (I did make a couple AIX changes).
>
> The code is small and easy to link into C (or anything else that links to
> a .a or .so) -- and it can be set up as a server (never tried it).
>
> It DOES require openssl be installed (for the HTTPS I think).
>
> If you want it, email me and I'll put it on my FTP site.
>
> Eric
>
> -----Original Message-----
> From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf
> Of Peter Pentchev
> Sent: Wednesday, December 26, 2018 8:40 AM
> To: Константин Кручинин <kruchinin.c at gmail.com>
> Cc: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] HTTP to HTTPS
>
> On Wed, Dec 26, 2018 at 04:54:34PM +0300, Константин Кручинин wrote:
> > Good day!
> > Is it possible to implement the following functionality by means of
> Stunnel?
> > There is an application that is not able to do SSL, and I need to send
> > data to the server over HTTPS.
>
> As I noted in a recent message, stunnel may be used as a client for an
> HTTPS service; the configuration is pretty much what you have shown below,
> but there are several more details to configure.  See
> https://www.stunnel.org/pipermail/stunnel-users/2018-December/006233.html
>
> First off, do you have control over the source code of your application -
> the one that sends the HTTP query that actually needs to reach an HTTPS
> server?  If you do, is it possible to modify the source so that it
> establishes a TCP connection to a specified IP address and port and
> *then* sends an HTTP request over that connection, with the actual
> server's hostname in the HTTP request?  Some HTTP client libraries do give
> you this opportunity, although it is rare.  If you can do that, then it may
> not be necessary to do the hosts file trickery and chase the server's IP
> address - specify the server by name in stunnel's configuration and let the
> client connect to the address stunnel listens to and send an HTTP request
> containing the real server's name.
>
> If you cannot do that, or if it would be too much hassle, then there is
> always the solution that I outlined in my message - specify a numeric IP
> address in stunnel's configuration and put the server's name in your
> system's hosts file (/etc/hosts on Unix, %WINDIR%\system32\drivers\etc\hosts
> on Windows) entry for the IP address that stunnel listens on.
>
> One more thing that I forgot to mention in my previous message: with HTTPS
> it might be good to specify the "sni" option so that stunnel asks the
> server for the correct virtual host to connect to.
>
> > How can this be implemented without installing an instance of Stunnel
> > on the server side?
>
> If there is an HTTPS server on the server side, you should be able to do
> this with stunnel as a client, with pretty much the configuration that you
> have shown.
>
> > Do I need to specify the certificate when implementing the above, if
> > so, what kind of certificates are needed?
>
> Stunnel will want - and for good reasons, it will really be a good idea -
> to verify the certificate of the server that it is connecting to, so that
> it (stunnel) does not mislead your application by saying "here, this is a
> connection to the server you requested" and handing it a connection to a
> man-in-the-middle server controlled by an attacker.  So you will need to
> obtain the certificate of the HTTPS server and either point stunnel to it
> directly or point stunnel to a directory containing the certificate of the
> entity that issued the server's certificate (e.g. Let's Encrypt or your
> organization's internal CA or something).
>
> > At the moment I have the following config.
> >
> > sslVersion = all
> > options = NO_SSLv2
> > options = NO_SSLv3
> > fips = no
> >
> > [https]
> > client = yes
> > connect = externalhost:9443
> > accept = localhost:54321
> > TIMEOUTclose = 0
> > TIMEOUTconnect = 200
> > TIMEOUTidle = 86400
>
> If there is already an HTTPS server listening on externalhost:9443, then
> this is very close to what you will need.  The modifications may need to
> include specifying an IP address instead of a hostname in the "connect"
> directive (see the discussion about the hosts file above), then adding an
> "sni = serverhostname" line so that stunnel asks for the correct virtual
> host to connect to, then adding a "checkHost = serverhostname"
> line (or a similar line; in some cases the server that responds may have a
> slightly different common name, but this should be rare), and then adding
> some "verify" and "CAfile" or "CApath" lines to point stunnel to the
> certificate of the server or the certificate of the CA that issued the
> server's certificate.
>
> If all of this is making your head spin, let me know and I may try to
> explain it step by step in more detail :)  We've all been there, just
> thrown into the deep by some "you have to learn how to do this *now*"
> task that comes out of nowhere...
>
> Hope at least some of this helps! :)
>
> G'luck,
> Peter
>
> --
> Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
> PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
>
>
>

-- 

With respect and best wishes,

*Константин Кручинин*
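Peter's advice above on verify, CApath and checkHost, as an added example that is not part of this thread: a POSIX shell script that builds a throwaway CA and server certificate with openssl and then reproduces what stunnel's verifyChain, CApath and checkHost do, using `openssl verify`. It also shows the detail the stunnel manual states for CApath: certificates in that directory must be stored under their subject-hash name (`<hash>.0`, as c_rehash produces), which a file simply named CA.cer does not satisfy. The host name tdl.externalhost.com is taken from the thread; every key and certificate is constructed locally and discarded.

```shell
#!/bin/sh
# Added example (not from the thread). Emulates stunnel's client-side checks
# (verifyChain + CApath + checkHost) with openssl on a constructed CA/cert pair.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/ssl"            # stands in for the CApath directory in stunnel.conf
mkdir -p "$CA_DIR"
HOST=tdl.externalhost.com     # server name from the thread; the certs are throwaway

# 1. Throwaway root CA (plays the role of CA.cer in the thread)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -days 2 -subj "/CN=Constructed Test CA" 2>/dev/null
# 2. Server certificate issued by that CA, with a SAN matching HOST
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
  -subj "/CN=$HOST" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/srv.pem" 2>/dev/null

# check_chain NAME: succeeds only if srv.pem chains to a CA found in CA_DIR by
# hash lookup (verifyChain + CApath) and NAME matches the certificate (checkHost).
check_chain() {
  openssl verify -CApath "$CA_DIR" -verify_hostname "$1" "$WORK/srv.pem" >/dev/null 2>&1
}

# The CA cert copied in under an arbitrary file name is invisible to CApath lookup.
cp "$WORK/ca.pem" "$CA_DIR/CA.cer"
if check_chain "$HOST"; then echo "unexpected: verified without hashed name"
else echo "CA.cer only: chain NOT verified (CApath needs <hash>.0 names)"; fi

# Store it as <subject_hash>.0, which is what c_rehash produces; now it verifies.
HASH=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
cp "$WORK/ca.pem" "$CA_DIR/$HASH.0"
if check_chain "$HOST"; then echo "$HASH.0 present: chain and hostname OK"; fi
if check_chain other.example; then echo "unexpected"
else echo "other.example: rejected by hostname check"; fi
```

Pointing stunnel's CApath at a directory populated the same way (hashed names) is the client-side equivalent of the last two checks; CRLs are handled by stunnel's separate CRLpath option, not by CApath.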