Some clarifications

1. Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3, which is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.

2. You can do a direct test with curl against your service (local) or openssl s_client.
Regards
Jose

> On 9 Oct 2015, at 5:44, Adrián Mihálko <[email protected]> wrote:
>
> Some good news, I removed client = yes as you suggested:
>
> 2015.10.09 12:39:29 LOG5[main]: Configuration successful
> 2015.10.09 12:39:29 LOG5[main]: Logging to
> C:\Users\adrianmihalko\AppData\Local\stunnel.log
> 2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
> 2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445
> byte(s) sent to socket
> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from
> 192.168.1.25:49671
> 2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
> 2015.10.09 12:39:34 LOG6[60]: No peer certificate received
> 2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite
> ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
> 2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
> 2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
> 2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
> 2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server
> from ::1:50598
> 2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
> 2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0
> byte(s) sent to socket
> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from
> 192.168.1.25:49672
> 2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
> 2015.10.09 12:39:34 LOG6[61]: No peer certificate received
> 2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite
> ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
> 2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
> 2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
> 2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
> 2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server
> from 127.0.0.1:50599
>
> openssl_client log:
>
> http://pastebin.com/7bg3sf7J
>
> The problem is now that the site loads forever, nothing happens.
>
> (This certificate (:1988) is different from the original (:41952). Is this not
> a problem?)
>
> curl test:
>
> $ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
> * Trying 192.168.1.17...
> * Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate: localhost
> > GET /DYMO/DLS/Printing/Check HTTP/1.1
> > Host: 192.168.1.17:1988
> > User-Agent: curl/7.43.0
> > Accept: */*
> >
> waiting forever.
>
> 2015-10-09 12:34 GMT+02:00 Adrián Mihálko <[email protected]>:
>> In the first mail I wrote the ports wrong; of course in the log I am using the
>> good ones.
>>
>> [myservice]
>> cert = stunnel.pem
>> client = yes
>> accept = 0.0.0.0:1988
>> connect = localhost:41952
>>
>>
>> 2015-10-09 12:32 GMT+02:00 Adrián Mihálko <[email protected]>:
>>> Sorry, curl was only for testing.
>>>
>>> Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect
>>> 192.168.1.17:1988
>>> CONNECTED(00000003)
>>> 1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>>> protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
>>>
>>> 2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
>>> 2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
>>> 2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
>>> 2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
>>> 2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
>>> 2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to
>>> prevent MITM attacks
>>> 2015.10.09 12:23:21 LOG5[main]: Configuration successful
>>> 2015.10.09 12:23:21 LOG5[main]: Logging to
>>> C:\Users\adrianmihalko\AppData\Local\stunnel.log
>>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from
>>> 192.168.1.25:49454
>>> 2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
>>> 2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
>>> 2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
>>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server
>>> from ::1:50564
>>> 2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
>>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>>> 2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
>>> 2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA
>>> (128-bit encryption)
>>> 2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
>>> 2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL,
>>> 505 byte(s) sent to socket
>>>
>>> If I am connecting to the :41952:
>>>
>>> openssl s_client -connect 192.168.1.17:41952
>>> ...
>>>
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 1724 bytes and written 712 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>>> Server public key is 4096 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : AES128-SHA
>>> ...
>>>
>>>
>>> 2015-10-09 10:55 GMT+02:00 test rig <[email protected]>:
>>>>
>>>> Ouch #2 missing...
>>>>
>>>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes
>>>> with a client=no on the server
>>>>
>>>> You are connecting to :9999 with curl(?)
>>>> Try to verify it via the "openssl s_client -connect yourserverip:1988" command
>>>>
>>>> Best Regards
>>>> Michael
>>>>
>>>> --- Original Message ---
>>>> From: "test rig" <[email protected]>
>>>> Date: 09.10.2015 09:48:02
>>>> To: "[email protected]." <[email protected]>
>>>> Subject: Re: [stunnel-users] (no subject)
>>>>
>>>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes
>>>> with a client=no on the server
>>>> --- Original Message ---
>>>> From: Adrián Mihálko
>>>> Date: 09.10.2015 08:15:19
>>>> To: [email protected]
>>>> Subject: [stunnel-users] (no subject)
>>>>
>>>> Dear stunnel users,
>>>>
>>>> I have a little service which listens only on https://localhost:4952 and
>>>> checks the source hostname. I want to connect on "listen:1988" and redirect
>>>> requests with stunnel to "localhost:4952"
>>>>
>>>> https://192.168.1.10:1988 -> redirect https://localhost:4952
>>>>
>>>>
>>>> I am trying to configure stunnel like this
>>>>
>>>> [myservice]
>>>> cert = stunnel.pem
>>>> client = yes
>>>> accept = 0.0.0.0:1988
>>>> connect = localhost:4952
>>>>
>>>> remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
>>>> * Trying 192.168.1.25...
>>>> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
>>>> * WARNING: using IP address, SNI is being disabled by the OS.
>>>> * Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>>> * Closing connection 0
>>>> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>>>
>>>> stunnel.log:
>>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from
>>>> 192.168.1.24:60748
>>>> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
>>>> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
>>>> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
>>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server
>>>> from 127.0.0.1:50503
>>>> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
>>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>>> 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
>>>> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA
>>>> (128-bit encryption)
>>>> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
>>>> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL,
>>>> 505 byte(s) sent to socket
>>>>
>>>> I tried verify = 1 to 4, neither works. :(
>>>>
>>>> Best Regards,
>>>> Adrian
>>>>
>>>>
>>>> ______________________________________________________
>>>> powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure
>>>> internet.
>>>>
>>>> _______________________________________________
>>>> stunnel-users mailing list
>>>> [email protected]
>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
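As an added example (not from the thread and not stunnel's own tooling), a small Python parser for the stunnel log format quoted above: it groups lines by the connection id in brackets and flags the three things this thread turns on, a legacy protocol being negotiated, certificate verification switched off, and a connection where bytes flowed one way only, which is the symptom of the two ends disagreeing on the protocol as Jose describes. The sample lines are constructed from the ones quoted in the thread, and the regexes assume stunnel's default `date time LOGn[id]: message` layout.

```python
import re

# Constructed sample, modelled on the stunnel log lines quoted in this thread
# (id 39: the client = yes attempt; id 57: after client = yes was removed).
SAMPLE_LOG = [
    "2015.10.09 12:23:21 LOG5[main]: Configuration successful",
    "2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454",
    "2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled",
    "2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)",
    "2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket",
    "2015.10.09 12:39:34 LOG5[57]: Service [myservice] accepted connection from 192.168.1.25:49670",
    "2015.10.09 12:39:34 LOG6[57]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)",
    "2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket",
]

# Assumed line layout: "<date> <time> LOG<level>[<id>]: <message>" (stunnel's default).
LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[(\w+)\]: (.*)$")
NEGOT_RE = re.compile(r"Negotiated (\S+) ciphersuite (\S+)")
CLOSE_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_connections(lines):
    """Collect per-connection facts keyed by the [id]; [main] lines are skipped."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(1) == "main":
            continue
        cid, msg = m.groups()
        c = conns.setdefault(cid, {"protocol": None, "cipher": None, "verify_disabled": False,
                                   "to_ssl": None, "to_socket": None})
        if n := NEGOT_RE.search(msg):
            c["protocol"], c["cipher"] = n.groups()
        elif msg == "Certificate verification disabled":
            c["verify_disabled"] = True
        elif k := CLOSE_RE.search(msg):
            c["to_ssl"], c["to_socket"] = int(k.group(1)), int(k.group(2))
    return conns

def findings(c):
    """Heuristic warnings for one connection record (the three issues this thread turns on)."""
    out = []
    if c["protocol"] in LEGACY:
        out.append(f"legacy protocol negotiated: {c['protocol']}")
    if c["verify_disabled"]:
        out.append("peer certificate not verified (verify/CAfile unset)")
    # Bytes in one direction only: one end sent a request, the other never answered.
    if c["to_ssl"] is not None and (c["to_ssl"] == 0) != (c["to_socket"] == 0):
        out.append("data flowed one way only: the two ends likely disagree on the protocol")
    return out
```

Run it over a real stunnel.log by replacing SAMPLE_LOG with the file's lines; the per-connection byte counts in the "Connection closed" line are what separate a handshake problem from a slow backend.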
