Re: [stunnel-users] Help in setting stunnel in server mode to over come TLSV2 compatibility

[jothish.chokkalingam]

Jose,

For the issue as mentioned in below down mail I am following below two 
approaches,

1.       Move the TLSv1.2 enabled traffic to an intermediate port and then to 
target port which has TLS1 enabled, in that ssl handshake from intermediate to 
target port getting below error. While triaging with openssl command, it is 
observed that the DH parameters are not proper. So we are trying to add the dh 
parameters

C:\Users\robin.johnson\Documents\SSL\SSL>C:\openssl-0.9.8k_X64\bin\openssl 
dhparam -inform PEM -in ./training_client.pem -check -text

unable to load DH parameters

1800:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:.\crypto\pem\pem_lib.c:650:Expecting: DH PARAMETERS

stunnel.log-->2016.11.23 23:08:32 LOG3[131]: SSL_connect: 14082174: 
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
        2.   Using https service in stunnel traffic is received by TLS V1.1 
divert to non ssl enabled port.

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958
Mobile : +91 9884040171
Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- telstra.psm.tsd.ti...@accenture.com

From: Josealf.rm [mailto:jose...@rocketmail.com]
Sent: Thursday, November 24, 2016 4:36 PM
To: Chokkalingam, Jothish <jothish.chokkalin...@accenture.com>
Cc: cbro...@cbcs-usa.com; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Help in setting stunnel in server mode to over 
come TLSV2 compatibility


Can you please elaborate? If you want us to help, you need to provide enough 
information.
Regards
Jose


El 24/11/2016, a las 5:03 a.m., 
<jothish.chokkalin...@accenture.com<mailto:jothish.chokkalin...@accenture.com>> 
<jothish.chokkalin...@accenture.com<mailto:jothish.chokkalin...@accenture.com>> 
escribió:
Jose,
☺ you are right.i was trying but I thought it will work as a client and it 
worked as a workaround. But will check for the dh key small error while 
forwarding the traffic with SSL from intermediate port to another port.

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958
Mobile : +91 9884040171
Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- 
telstra.psm.tsd.ti...@accenture.com<mailto:telstra.psm.tsd.ti...@accenture.com>

From: Josealf.rm [mailto:jose...@rocketmail.com]
Sent: Thursday, November 24, 2016 2:48 PM
To: Chokkalingam, Jothish 
<jothish.chokkalin...@accenture.com<mailto:jothish.chokkalin...@accenture.com>>
Cc: cbro...@cbcs-usa.com<mailto:cbro...@cbcs-usa.com>; 
stunnel-users@stunnel.org<mailto:stunnel-users@stunnel.org>
Subject: Re: [stunnel-users] Help in setting stunnel in server mode to over 
come TLSV2 compatibility

Jothish,

Stunnel in server mode is what you need, with 99.9% confidence.

When you write:

[https]
Accept=443
Connect=local host:80
Client=no

Stunnnel will expect TLS connections on port 443 and will forward then to your 
normal web server running on loopback port 80.

Is that clear?

Regards,
Jose

El 24/11/2016, a las 2:29 a.m., 
<jothish.chokkalin...@accenture.com<mailto:jothish.chokkalin...@accenture.com>> 
<jothish.chokkalin...@accenture.com<mailto:jothish.chokkalin...@accenture.com>> 
escribió:

Is there a way to forward a Secure connection from one port to non secure port 
using stunnel. I am googling but unable to find. If you have can you let me know

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958
Mobile : +91 9884040171
Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- 
telstra.psm.tsd.ti...@accenture.com<mailto:telstra.psm.tsd.ti...@accenture.com>

From: stunnel-users [mailto:stunnel-users-boun...@stunnel.org] On Behalf Of 
Carter Browne
Sent: Wednesday, November 23, 2016 9:30 PM
To: stunnel-users@stunnel.org<mailto:stunnel-users@stunnel.org>
Subject: Re: [stunnel-users] Help in setting stunnel in server mode to over 
come TLSV2 compatibility


There are other tools for performing port forwarding with less overhead (I 
believe tappipe is one), although I make use stunnel to do this extensively.

In order forward a secure connection from one port to another is a two step 
process with stunnel:

A sample configuration segment would be:

[SFDC reverse in]

client = no

accept = 8008
connect = localhost:48008


[SFDC reverse out]
client = yes
accept = localhost:48008
connect = localhost:8009
On 11/23/2016 10:18 AM, Rodney Lott wrote:
Hi, there.

I'm no stunnel expert, but here's my $0.05 (we have no pennies in Canada 
anymore ;-) ):
- I would try including the key as well as the cert in your stunnel config
- I would enable debug on the openssl s_client call to see if it will indicate 
why it is reseting. Same with your SFDC client to get more info.
- Question: is the "WARNING: can't open config file" message below indicative 
of a permissions or path problem?
- Question: Is the stunnel cert and key compatible with the TIBCO server's 
certificate? They need to be using certs generated from the same key source, 
don't they?
- You might want to fix the SSL version in the stunnel config file (i.e. 
sslVersion = TLSv1.2)

Good luck with your debugging.

Rodney
On 2016-11-22 07:43 PM, 
jothish.chokkalin...@accenture.com<mailto:jothish.chokkalin...@accenture.com> 
wrote:
HI all,

There is a problem we have currently connecting tibco client to SFDC sever via 
TLS v1.2 and that’s solved by using stunnel in client mode. And the 
communication from SFDC client to tibco server applications w.r.t TLS V1.2 I am 
unable to solve using stunnel. Below is the configuration in stunnel in server 
end to divert the traffic from 8008 to 8009, can you help here with the logs is 
the stunnel configuration is correct or there any missed/need to alter.

[SFDC reverse proxy test]
debug=7
;client = yes
accept = 8008-->port used by sfdc client to connect to TIBCO server
connect = localhost:8009 -->Tibco server that’s running
cert = stunnel.pem
2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] started
2016.11.23 08:31:56 LOG7[118]: Option TCP_NODELAY set on local socket
2016.11.23 08:31:56 LOG5[118]: Service [SFDC reverse proxy test] accepted 
connection from 101.167.198.14:54477
2016.11.23 08:31:56 LOG6[118]: Peer certificate not required
2016.11.23 08:31:56 LOG7[118]: SSL state (accept): before/accept initialization
2016.11.23 08:31:56 LOG3[118]: SSL_accept: Peer suddenly disconnected
2016.11.23 08:31:56 LOG5[118]: Connection reset: 0 byte(s) sent to SSL, 0 
byte(s) sent to socket
2016.11.23 08:31:56 LOG7[118]: Local descriptor (FD=696) closed
2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] finished (0 
left)

PFB the openssl snap shot looks odd
C:\Program Files (x86)\stunnel\bin>openssl s_client -connect localhost:8008 
-prexit -showcerts
WARNING: can't open config file: /devel/win32/openssl/openssl.cnf
CONNECTED(0000016C)

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958
Mobile : +91 9884040171
Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- 
telstra.psm.tsd.ti...@accenture.com<mailto:telstra.psm.tsd.ti...@accenture.com>


________________________________

This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise confidential information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the e-mail by you is prohibited. Where allowed by local law, electronic 
communications with Accenture and its affiliates, including e-mail and instant 
messaging (including content), may be scanned by our systems for the purposes 
of information security and assessment of internal compliance with Accenture 
policy.
______________________________________________________________________________________

www.accenture.com<http://www.accenture.com>






_______________________________________________

stunnel-users mailing list

stunnel-users@stunnel.org<mailto:stunnel-users@stunnel.org>

https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stunnel.org_cgi-2Dbin_mailman_listinfo_stunnel-2Dusers&d=DgMDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=MqNUOU_xr_CQWlW-GqRdBeY3oxru560GTYsOPa0RQctKABtP4l_SCfWLL8Ex9w7w&m=4huWq-QNmeb8U731CD550mFem3fJi1V_h32_3NnDWgc&s=VpkrTsuWKtX284qEcR4zgE-0ZQcbC5mQrBA5w0wCSME&e=>







_______________________________________________

stunnel-users mailing list

stunnel-users@stunnel.org<mailto:stunnel-users@stunnel.org>

https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stunnel.org_cgi-2Dbin_mailman_listinfo_stunnel-2Dusers&d=DgMDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=MqNUOU_xr_CQWlW-GqRdBeY3oxru560GTYsOPa0RQctKABtP4l_SCfWLL8Ex9w7w&m=4huWq-QNmeb8U731CD550mFem3fJi1V_h32_3NnDWgc&s=VpkrTsuWKtX284qEcR4zgE-0ZQcbC5mQrBA5w0wCSME&e=>

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org<mailto:stunnel-users@stunnel.org>
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stunnel.org_cgi-2Dbin_mailman_listinfo_stunnel-2Dusers&d=DgMFaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=MqNUOU_xr_CQWlW-GqRdBeY3oxru560GTYsOPa0RQctKABtP4l_SCfWLL8Ex9w7w&m=KpBOyF3X4pqPRFpbMzToAN2UwmN88FLptOWAJPygwvQ&s=8kvXlMhEoeJRHu_UCqWbs7nMCzviuGbvo4jzH9pJDuc&e=>

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users