Hey Michael, what version of stunnel are you using? I'm using stunnel4 and I can't get it to work.
I keep getting this error:

  Section stunnel: SSL server needs a certificate

I'm just trying to use stunnel from the command line with that config:

  stunnel /etc/stunnel/gmail-imap.conf

  Clients allowed=500
  stunnel 4.53 on arm-unknown-linux-gnueabihf platform
  Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
  Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
  Reading configuration from descriptor 3
  Compression not enabled
  PRNG seeded successfully
  Initializing inetd mode configuration
  Section stunnel: SSL server needs a certificate
  str_stats: 2 block(s), 10 data byte(s), 84 control byte(s)

I've been googling to try to find examples of stunnel in client mode, but I'm only finding stuff with server mode.

I've also tried this configuration without avail:

  /etc/stunnel/tlsvpn.conf

  pid = /tmp/stunnel-tlsvpn.pid
  client = yes
  verify = 0
  fips = no

  [tlsvpn]
  accept = localhost:1194
  sni = pnet.example.com
  connect = pnet.example.com:443
  ; TODO
  ; CAfile = /etc/certs/whatever.root.pem

AJ ONeal
(317) 426-6525

On Mon, Aug 17, 2015 at 11:31 PM, Michael Torrie <[email protected]> wrote:
> On 08/17/2015 07:27 PM, AJ ONeal (Home) wrote:
> > My goal is to be able to access an arbitrary https website on
> > http://localhost:3000
> >
> > From the examples I'm finding online it seems simple enough:
> >
> >   socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443
> >
> > But then when I test I get
> >
> >   curl http://localhost:3000
> >   curl: (56) Recv failure: Connection reset by peer
> >
> > And back in the console for socat I see
> >
> >   2015/08/18 01:20:18 socat[15346.1995730944] E SSL_connect(): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > I've tried adding more options like
> >
> >   socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443,commonname=coolaj86.com,cafile=./coolaj86.com.root.pem
> >
> > (here's the chain https://gist.github.com/coolaj86/327cee3eee6fc119b389)
> >
> > But still no dice. Any ideas why it fails certificate validation?
>
> I'm not sure, but to get you going you can tell socat to not verify certificates:
>
>   socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443,verify=0
>
> Another way to do this is with xinetd and the stunnel program.
>
> For example, here's an xinetd file for doing a plaintext localhost imap that connects to gmail's secure imap:
>
>   service imap
>   {
>       disable         = no
>       socket_type     = stream
>       wait            = no
>       user            = root
>       server          = /usr/bin/stunnel
>       server_args     = /etc/stunnel/gmail-imap.conf
>       log_on_success  += USERID
>       log_on_failure  += USERID
>   }
>
> And the /etc/stunnel/gmail-imap.conf:
>
>   client = yes
>   connect = imap.gmail.com:993
>   verify=0
>   fips=no
>
> Apparently I had trouble with stunnel verifying certificates also...
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
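Editor's note, added to the thread and not written by either participant: both replies above reach for verify=0, which silently turns the TLS tunnel into something any on-path attacker can impersonate. "certificate verify failed" from socat almost always means the CA file handed to it does not contain the root that actually signed the server's chain (socat verifies by default, but only against what cafile/capath point at), and stunnel's "SSL server needs a certificate" is what it prints for a section that is running in server mode, i.e. one where client = yes is not in effect, with no cert = line. The script below is an added example: it builds a throwaway CA and leaf certificate with openssl, shows the verification check passing against the signing CA and failing against an unrelated one (the failure case in the thread), and prints the socat command and stunnel client section with verification left on. The hostname pnet.example.com, the CA names and all key material are constructed for the demo; it assumes only that the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and a server
# certificate with openssl, show that chain verification succeeds only
# against the CA that signed the leaf, and emit the socat command and
# stunnel client config with verification left ON. Assumes `openssl` is on
# PATH. Hostname, CA names and all key material below are constructed.
set -eu

# make_test_pki DIR: writes ca.pem/ca.key (signs the leaf), other-ca.pem
# (does not), and leaf.pem/leaf.key for the constructed name pnet.example.com.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Minimal req config: a root must carry CA:TRUE or verification will
    # reject it as an issuer no matter which file you pass as cafile.
    cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
            -subj "/CN=Test Root $ca" -keyout "$dir/$ca.key" -out "$dir/$ca.pem" \
            >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=pnet.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_chain CAFILE LEAF: exit 0 if LEAF chains to CAFILE, non-zero otherwise.
# This is the same path check socat's OPENSSL: address (verify=1, the default)
# and stunnel's verify = 2 apply to the peer certificate; a cafile that does
# not contain the real signing root is the usual "certificate verify failed".
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# leaf_cn LEAF: print the subject CN, which socat's commonname= option
# compares against the name you expect to be talking to.
leaf_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# socat_cmd LISTEN_PORT HOST CAFILE: the command from the thread with
# verification kept on, an explicit CA file and the peer name pinned.
socat_cmd() {
    printf 'socat TCP-LISTEN:%s,bind=localhost,reuseaddr OPENSSL:%s:443,verify=1,cafile=%s,commonname=%s\n' \
        "$1" "$2" "$3" "$2"
}

# stunnel_client_conf HOST CAFILE: client-mode section that verifies the peer
# chain (verify = 2) instead of verify = 0. Works on stunnel 4.x as well.
stunnel_client_conf() {
    cat <<EOF
client = yes
fips = no
verify = 2
CAfile = $2

[tlsvpn]
accept = localhost:1194
connect = $1:443
sni = $1
EOF
}

main() {
    d=$(mktemp -d)
    make_test_pki "$d"
    if verify_chain "$d/ca.pem" "$d/leaf.pem"; then
        echo "leaf verifies against ca.pem (CN=$(leaf_cn "$d/leaf.pem"))"
    fi
    if ! verify_chain "$d/other-ca.pem" "$d/leaf.pem"; then
        echo "leaf does NOT verify against other-ca.pem: this is the" \
             "'certificate verify failed' case; fix cafile, do not set verify=0"
    fi
    echo; socat_cmd 3000 pnet.example.com "$d/ca.pem"
    echo; stunnel_client_conf pnet.example.com "$d/ca.pem"
    rm -rf "$d"
}
main
```

For a real site, point cafile/CAfile at the distribution's bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-derived systems) or at the actual root of the chain, not at an intermediate. Note that verify = 2 in stunnel 4.x only checks that the chain is trusted; hostname checking for stunnel (checkHost) arrived in the 5.x series, so on 4.53 the commonname check in the socat variant is the tighter of the two.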
