Some good news, I removed client = yes as you suggested:

2015.10.09 12:39:29 LOG5[main]: Configuration successful
2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: No peer certificate received
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672
2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[61]: No peer certificate received
2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599
openssl s_client log: http://pastebin.com/7bg3sf7J

The problem is now that the site loads forever, nothing happens. (The certificate on :1988 is different from the original one on :41952. Is this not a problem?)

curl test:

$ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
* Trying 192.168.1.17...
* Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: localhost
> GET /DYMO/DLS/Printing/Check HTTP/1.1
> Host: 192.168.1.17:1988
> User-Agent: curl/7.43.0
> Accept: */*
>
waiting forever.

2015-10-09 12:34 GMT+02:00 Adrián Mihálko <[email protected]>:

> In the first mail I wrote the ports wrongly; of course in the log I am using the
> good ones.
>
> [myservice]
> cert = stunnel.pem
> client = yes
> accept = 0.0.0.0:1988
> connect = localhost:41952
>
>
> 2015-10-09 12:32 GMT+02:00 Adrián Mihálko <[email protected]>:
>
>> Sorry, curl was only for testing.
>>
>> Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
>> CONNECTED(00000003)
>> 1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
>>
>> 2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
>> 2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
>> 2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
>> 2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
>> 2015.10.09 12:23:21 LOG5[main]: Configuration successful
>> 2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
>> 2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
>> 2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
>> 2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
>> 2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>> 2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
>> 2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
>>
>> If I am connecting to :41952:
>>
>> openssl s_client -connect 192.168.1.17:41952
>> ...
>>
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1724 bytes and written 712 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 4096 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : AES128-SHA
>> ...
>>
>>
>> 2015-10-09 10:55 GMT+02:00 test rig <[email protected]>:
>>
>>>
>>> Ouch #2 missing...
>>>
>>> Hi Adrian, looks good to me so far - mostly. Try to replace the
>>> client=yes with a client=no on the server
>>>
>>> You are connecting to :9999 with curl(?)
>>> Try verifying it via the "openssl s_client -connect yourserverip:1988" command
>>>
>>> Best Regards
>>> Michael
>>>
>>> --- Original message ---
>>> *From:* "test rig" <[email protected]>
>>> *Date:* 09.10.2015 09:48:02
>>> *To:* "[email protected]." <[email protected]>
>>> *Subject:* Re: [stunnel-users] (no subject)
>>>
>>> Hi Adrian, looks good to me so far - mostly. Try to replace the
>>> client=yes with a client=no on the server
>>>
>>> --- Original message ---
>>> *From:* Adrián Mihálko
>>> *Date:* 09.10.2015 08:15:19
>>> *To:* [email protected]
>>> *Subject:* [stunnel-users] (no subject)
>>>
>>> Dear stunnel users,
>>>
>>> I have a little service which listens only on https://localhost:4952 and
>>> checks the source hostname. I want to connect on "listen:1988" and redirect
>>> requests with stunnel to "localhost:4952"
>>>
>>> https://192.168.1.10:1988 -> redirect https://localhost:4952
>>>
>>>
>>> I am trying to configure stunnel like this
>>>
>>> [myservice]
>>> cert = stunnel.pem
>>> client = yes
>>> accept = 0.0.0.0:1988
>>> connect = localhost:4952
>>>
>>> remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
>>> * Trying 192.168.1.25...
>>> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
>>> * WARNING: using IP address, SNI is being disabled by the OS.
>>> * Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>> * Closing connection 0
>>> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>>
>>> stunnel.log:
>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
>>> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
>>> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
>>> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
>>> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>> 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
>>> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>>> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
>>> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
>>>
>>> I tried verify = 1 to 4; neither works. :(
>>>
>>> Best Regards,
>>> Adrian
>>>
>>>
>>> ______________________________________________________
>>> powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure
>>> internet.
>>>
>>> _______________________________________________
>>> stunnel-users mailing list
>>> [email protected]
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>
>>>
>>
>
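The whole diagnosis in this thread comes from reading the stunnel log: "SSL accepted" means the service ran with client = no (TLS terminated from the peer, plaintext forwarded to the remote), "SSL connected" means client = yes, "Certificate verification disabled" means the remote's certificate was never checked (the MITM risk stunnel's own LOG4 warning refers to), and the byte counts on "Connection closed" show whether anything was relayed at all. The following script is an added example, not code from the thread or from the stunnel project: it parses such lines per connection and returns a verdict; the sample log is constructed from lines in the thread, and the field names and verdict wording are my own.

```python
import re

# Shape of an stunnel log line: "2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated"
LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} LOG\d\[(\w+)\]: (.*)$")
NEGOTIATED_RE = re.compile(r"^Negotiated (\S+) ciphersuite (\S+)")
CLOSED_RE = re.compile(r"^Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")

def parse_stunnel_log(text):
    """Group lines by connection id and record what each relayed connection actually did."""
    conns = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        cid, msg = m.group(1), m.group(2).strip()
        c = conns.setdefault(cid, dict.fromkeys(("mode", "remote", "protocol", "cipher", "to_ssl", "to_socket", "unverified")))
        neg, closed = NEGOTIATED_RE.match(msg), CLOSED_RE.match(msg)
        if msg.startswith("SSL accepted"):
            c["mode"] = "server"    # client = no: TLS from the peer ends here, the remote gets plaintext
        elif msg.startswith("SSL connected"):
            c["mode"] = "client"    # client = yes: plaintext accepted, TLS opened towards the remote
        elif msg.startswith("s_connect: connected "):
            c["remote"] = msg.split(" ", 2)[2]
        elif msg == "Certificate verification disabled":
            c["unverified"] = True  # the remote's certificate was never checked
        elif neg:
            c["protocol"], c["cipher"] = neg.groups()
        elif closed:
            c["to_ssl"], c["to_socket"] = int(closed.group(1)), int(closed.group(2))
    return conns

def diagnose(c):
    """'sent to SSL' counts bytes written into the TLS side, 'sent to socket' into the plaintext side."""
    if c["mode"] is None:
        return "no TLS session"
    tls = "%s/%s" % (c["protocol"], c["cipher"])
    if c["to_ssl"] == 0 and c["to_socket"] == 0:
        return "%s mode over %s: no application data relayed in either direction" % (c["mode"], tls)
    if c["mode"] == "client" and c["unverified"]:
        return "client mode over %s to %s without certificate verification (MITM risk)" % (tls, c["remote"])
    return "%s mode over %s: %s bytes to TLS side, %s bytes to plaintext side" % (c["mode"], tls, c["to_ssl"], c["to_socket"])

# Constructed sample: lines copied from the thread's two runs (client = yes at 12:23, client = no at 12:39).
SAMPLE_LOG = """\
2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""
```

Running `diagnose` over `parse_stunnel_log(SAMPLE_LOG)` flags connection 39 as an unverified client-mode tunnel and connection 60 as a server-mode tunnel that relayed nothing, which is the difference between the two runs in the thread.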
