[stunnel-users] TR: using sTunnel with Chrome

Pierre DUPONT pierre.dupont at nedap.fr
Fri Sep 6 08:55:28 CEST 2019



De : Pierre DUPONT
Envoyé : jeudi 5 septembre 2019 16:55
À : 'stunnel-users at stunnel.org' <stunnel-users at stunnel.org>
Cc : _sav.bibli <sav.bibli at nedap.fr>; Philippe ANQUETIN <philippe.anquetin at nedap.fr>
Objet : using sTunnel with Chrome

Good day to all. So far, I can't succeed to use Chrome with sTunnel.
I use these versions
sTunnel : 5.55 (downloaded today...)
Chrome is 76.0.3809 132
[cid:image002.png at 01D5640A.99D102C0]

Here is my configuration for sTunnel :
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2019
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
;debug = info
;output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi
; You also need to disable TLS 1.2 or later, because the CryptoAPI engine
; currently does not support PSS
;sslVersionMax = TLSv1.1

; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2.dll
;engineCtrl = PIN:1234

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************

;include = conf.d

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; ***************************************** Example TLS client mode services

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CAfile = ca-certs.pem
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes

; Encrypted HTTP proxy authenticated with a client certificate
; located in the Windows certificate store
;[example-proxy]
;client = yes
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = capi

; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
;[example-pkcs11]
;client = yes
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = pkcs11
;cert = pkcs11:token=MyToken;object=MyCert
;key = pkcs11:token=MyToken;object=MyKey

; ***************************************** Example TLS server mode services

;[pop3s]
;accept  = 995
;connect = 110
;cert = stunnel.pem

;[imaps]
;accept  = 993
;connect = 143
;cert = stunnel.pem

; Either only expose this service to trusted networks, or require
; authentication when relaying emails originated from loopback.
; Otherwise the following configuration creates an open relay.
;[ssmtp]
;accept  = 465
;connect = 25
;cert = stunnel.pem

; TLS front-end to a web server
[https]
accept  = 443
connect = 81
cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

; Remote cmd.exe protected with PSK-authenticated TLS
; Create "secrets.txt" containing IDENTITY:KEY pairs
;[cmd]
;accept = 1337
;exec = c:\windows\system32\cmd.exe
;execArgs = cmd.exe
;PSKsecrets = secrets.txt

; vim:ft=dosini



The 81 connect port is used by our local webservice : http://localhost:81/nedaprfidwebservice.asmx which runs OK
[cid:image007.png at 01D5640A.99D102C0]


The problem is when I try to import the certificate. It looks OK giving these informations
[cid:image008.png at 01D5640A.99D102C0]
[cid:image016.png at 01D5640A.99D102C0]

However, I cannot connect on https
[cid:image017.png at 01D5640A.99D102C0]

I tried several things found browsing the list, like building a certificate with
openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.crt -keyout stunnel.crt

No result so the only solution I see now is to call you for some help...

With kind regards,


Cordiales salutations de
Pierre Dupont
Support S.A.V. & Développement Bibliothèques

Courriel S.A.V. : sav.bibli at nedap.fr<mailto:sav.bibli at nedap.fr>
Téléphone :  06 13 99 69 38 - 01.61.03.03 18
8/10 Chemin d'Andrésy
95610 Eragny sur Oise
[NEDAP LOGO - INLINE - RGB]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190906/dca7f8a8/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 39208 bytes
Desc: image002.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190906/dca7f8a8/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 65279 bytes
Desc: image007.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190906/dca7f8a8/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 56078 bytes
Desc: image008.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190906/dca7f8a8/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image016.png
Type: image/png
Size: 76208 bytes
Desc: image016.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190906/dca7f8a8/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image017.png
Type: image/png
Size: 34169 bytes
Desc: image017.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190906/dca7f8a8/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image018.jpg
Type: image/jpeg
Size: 2662 bytes
Desc: image018.jpg
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190906/dca7f8a8/attachment-0001.jpg>


More information about the stunnel-users mailing list