On Mon, 23 Jul 2007 23:03:18 +0200 Jean-Philippe THIERRY <[EMAIL PROTECTED]> wrote:
> Good evening,
>
> I'm struggling a bit with the stunnel4 configuration. I'd like to set up an https tunnel, since my web server does not implement it. Initially everything worked, but since an update I can no longer connect from outside. The error I get is the following:
>
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
> 2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
> 2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
> 2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
> 2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)
>
> My configuration is the following:
>
> ; Sample stunnel configuration file by Michal Trojnara 2002-2006
> ; Some options used here may not be adequate for your particular configuration
> ; Please make sure you understand them (especially the effect of chroot jail)
>
> ; Certificate/key is needed in server mode and optional in client mode
> cert = /etc/stunnel/stunnel.pem
> ;key = /etc/stunnel/mail.pem
> ; Protocol version (all, SSLv2, SSLv3, TLSv1)
> sslVersion = SSLv3
>
> ; Some security enhancements for UNIX systems - comment them out on Win32
> chroot = /var/lib/stunnel4/
> setuid = stunnel4
> setgid = stunnel4
> ; PID is created inside chroot jail
> pid = /stunnel4.pid
>
> ; Some performance tunings
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ;compression = rle
>
> ; Workaround for Eudora bug
> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>
> ; Authentication stuff
> ;verify = 2
> ; Don't forget to c_rehash CApath
> ; CApath is located inside chroot jail
> ;CApath = /certs
> ; It's often easier to use CAfile
> ;CAfile = /etc/stunnel/certs.pem
> ; Don't forget to c_rehash CRLpath
> ; CRLpath is located inside chroot jail
> ;CRLpath = /crls
> ; Alternatively you can use CRLfile
> ;CRLfile = /etc/stunnel/crls.pem
>
> ; Some debugging stuff useful for troubleshooting
> debug = 7
> output = /var/log/stunnel4/stunnel.log
>
> ; Use it for client mode
> ;client = yes
>
> ; Service-level configuration
>
> [https]
> accept = 443
> connect = 192.168.0.6:80
>
> I'm out of ideas, so if one of you has one...
>
> Jean-Philippe

After some further research, I slightly modified stunnel.conf:

client=no
sslVersion = all

Now I get the following error:

SSL state (accept): before/accept initialization
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)

Not much better :-(

Jean-Philippe

P.S.: for the record, I have no trouble at all connecting from the LAN.
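The two failures posted above differ in where the handshake breaks: the first dies before any ClientHello is parsed (SSL3_GET_RECORD, "wrong version number"), the second gets as far as sending the server certificate and is then rejected by the client with a fatal "certificate unknown" alert. The script below is an added example, not code from the thread or from stunnel: it parses stunnel's debug log format (`date time LOGn[pid:tid]: message`), groups lines by the `[pid:tid]` pair so that each client connection gets its own handshake trace, pulls the `error:CODE:library:function:reason` triple out of the `SSL_accept` line, and maps the reason string to a triage verdict. The rule table and its explanations are this example's own reading of the OpenSSL reason strings; the sample log lines are the ones from the two messages above.

```python
"""Triage stunnel SSL_accept failures from a debug=7 log (added example)."""
import re
from collections import OrderedDict

# stunnel log line: "2007.07.23 22:10:21 LOG3[9273:3083189168]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# OpenSSL error string: "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# reason string -> (verdict, what a defender checks first); this example's commentary
RULES = {
    "wrong version number": (
        "protocol-mismatch",
        "the first record from the peer was not the SSL/TLS version the server expected; "
        "usual causes are plain HTTP (or another protocol) arriving on the TLS port, or "
        "sslVersion pinned to a version the client does not offer",
    ),
    "sslv3 alert certificate unknown": (
        "cert-rejected-by-client",
        "the client received the server certificate and answered with a fatal alert; "
        "check that the certificate chains to a CA the client trusts and matches the "
        "name the client connected to",
    ),
}

STATE_PREFIX = "SSL state (accept): "
ALERT_PREFIX = "SSL alert (read): "


def parse_line(line):
    """Split one stunnel log line into its fields, or return None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return one finding per [pid:tid] connection whose SSL_accept failed."""
    conns = OrderedDict()  # (pid, tid) -> list of parsed records, in log order
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is not None:
            conns.setdefault((rec["pid"], rec["tid"]), []).append(rec)

    findings = []
    for key, recs in conns.items():
        peer, states, alerts, error = None, [], [], None
        for rec in recs:
            msg = rec["msg"]
            m = re.search(r"connected from (\S+)", msg)  # "https connected from ip:port"
            if m:
                peer = m.group(1)
            if msg.startswith(STATE_PREFIX):
                states.append(msg[len(STATE_PREFIX):])
            if msg.startswith(ALERT_PREFIX):
                alerts.append(msg[len(ALERT_PREFIX):])
            m = OSSL_RE.search(msg)
            if msg.startswith("SSL_accept:") and m:
                error = m.groupdict()
        if error is None:
            continue  # connection never failed in SSL_accept (e.g. the signal-pipe thread)
        verdict, hint = RULES.get(error["reason"].lower(),
                                  ("unclassified", "no rule for this reason string"))
        findings.append({
            "pid_tid": key, "peer": peer, "states": states, "alerts": alerts,
            "func": error["func"], "reason": error["reason"],
            "verdict": verdict, "hint": hint,
        })
    return findings


# Sample input: the log lines quoted in the two messages above, rejoined one per line.
SAMPLE_LOG = """\
2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['pid_tid']} peer={f['peer']} {f['func']}: {f['reason']}")
        print(f"  last state: {f['states'][-1] if f['states'] else '?'}  alerts: {f['alerts']}")
        print(f"  verdict: {f['verdict']}  ({f['hint']})")
```

Grouping by `[pid:tid]` matters because stunnel interleaves several threads in one file (the signal-pipe thread in the first excerpt never fails and is dropped); reading the last `SSL state (accept)` entry before the error tells you how far the handshake got, which is the quickest way to tell a protocol-level problem apart from a trust-validation one.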

