Jothish,

1. You are using a very outdated version of OpenSSL (openssl 0.9.8 is EOL). I
suggest you use a newer, supported version.

2. On a DOS Window, try this:

    openssl dhparam -rand randfile1;randfile2;randfile3 1024

where randfile1, randfile2, ... are existing files or directories to use as
entropy sources. If you're on Linux you can use:

    dd if=/dev/urandom count=2 | openssl dhparam -rand - 1024

This will print something like this:

    WARNING: can't open config file: c:\openssl-vc/ssl/openssl.cnf
    Loading 'screen' into random state - done
    0 semi-random bytes loaded
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ..+.. bla, bla....++*
    unable to write 'random state'
    -----BEGIN DH PARAMETERS-----
    MIGHAoGBAJJ+QAYkKQd0pG1lxZKDYVZaURkTINQho8CWCUYOMp2ZEwZeMrEv+kjd
    PVb4Ilnah1TmZQOxu1v8HtSWmKpclhlTDKjmDbhznUFkQhmRGjxXDCfrhnvNI4hV
    kOB/3lGcWo50ttf+ZqNaXd0lKf9YfnjkRUSUtrHiMRL9CdecxQXbAgEC
    -----END DH PARAMETERS-----

Now, cut from -----BEGIN... all the way to PARAMETERS----- and add it to your
cert PEM file.

3. Try again your check command:

    openssl dhparam -inform PEM -in ./training_client.pem -check -text

It should print something like:

        DH Parameters: (1024 bit)
            prime:
                00:92:7e:40:06:24:29:07:74:a4:6d:65:c5:92:83:
                ...
                31:12:fd:09:d7:9c:c5:05:db
            generator: 2 (0x2)
    DH parameters appear to be ok.
    -----BEGIN DH PARAMETERS-----
    MIGHAoGBAJJ+QAYkKQd0pG1lxZKDYVZaURkTINQho8CWCUYOMp2ZEwZeMrEv+kjd
    ....
    -----END DH PARAMETERS-----

4. Now, try connecting from SFDC to tibco and let us know.

Regards,
Jose
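A small checker for steps 2 and 3 above, added here as an example; it is not part of Jose's mail nor of stunnel or OpenSSL. It parses the DH PARAMETERS block with the standard library only (the block is DER `SEQUENCE { INTEGER p, INTEGER g }`), reports the prime size that `dhparam -check -text` prints, and appends the block to a certificate PEM file without stacking a second copy. The sample input is the 1024-bit block from the message above, embedded inline; the 2048-bit minimum in `dh_params_ok` is an assumed local policy rather than the threshold behind the `dh key too small` error, and the helper names are my own.

```python
"""Inspect and merge the 'DH PARAMETERS' block of a PEM file (standard library only)."""
import base64
import re

# Sample input: the 1024-bit parameter block printed in the message above,
# embedded here so the script runs offline.
SAMPLE_DH_PEM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBAJJ+QAYkKQd0pG1lxZKDYVZaURkTINQho8CWCUYOMp2ZEwZeMrEv+kjd
PVb4Ilnah1TmZQOxu1v8HtSWmKpclhlTDKjmDbhznUFkQhmRGjxXDCfrhnvNI4hV
kOB/3lGcWo50ttf+ZqNaXd0lKf9YfnjkRUSUtrHiMRL9CdecxQXbAgEC
-----END DH PARAMETERS-----
"""

# Matches one PEM block of type "DH PARAMETERS"; group 1 is the base64 body.
DH_BLOCK_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def _read_tlv(data, pos):
    """Decode one DER tag/length/value at data[pos:]; returns (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_dh_params(pem_text):
    """Return (p, g) from the DH PARAMETERS block: DER SEQUENCE { INTEGER p, INTEGER g }."""
    m = DH_BLOCK_RE.search(pem_text)
    if m is None:
        # Same situation as OpenSSL's "no start line ... Expecting: DH PARAMETERS".
        raise ValueError("no DH PARAMETERS block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters must be a DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem_text):
    """Bit length of the prime p, the number the '(1024 bit)' line reports."""
    p, _ = parse_dh_params(pem_text)
    return p.bit_length()


def dh_params_ok(pem_text, min_bits=2048):
    """Local policy check. min_bits=2048 is an assumed threshold, not an OpenSSL constant."""
    p, g = parse_dh_params(pem_text)
    return p.bit_length() >= min_bits and g in (2, 5)


def ensure_dh_block(cert_pem, dh_pem):
    """Append the DH block from dh_pem to cert_pem unless one is already present."""
    if DH_BLOCK_RE.search(cert_pem):
        return cert_pem  # idempotent: never stack a second block
    block = DH_BLOCK_RE.search(dh_pem)
    if block is None:
        raise ValueError("dh_pem contains no DH PARAMETERS block")
    sep = "" if cert_pem.endswith("\n") else "\n"
    return cert_pem + sep + block.group(0) + "\n"


if __name__ == "__main__":
    p, g = parse_dh_params(SAMPLE_DH_PEM)
    print(f"prime: {p.bit_length()} bits, generator: {g}")
    print("meets assumed 2048-bit policy:", dh_params_ok(SAMPLE_DH_PEM))
```

Run against the sample, the script reports a 1024-bit prime with generator 2 and fails the assumed 2048-bit policy, which is the useful signal before copying the block into `training_client.pem`: regenerate with a larger size rather than ship a group that a newer peer may reject.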

From: "jothish.chokkalin...@accenture.com" <jothish.chokkalin...@accenture.com>
To: jose...@rocketmail.com
Cc: cbro...@cbcs-usa.com; stunnel-users@stunnel.org
Sent: Thursday, November 24, 2016 6:45 AM
Subject: RE: [stunnel-users] Help in setting stunnel in server mode to overcome
TLSV2 compatibility

Jose,

For the issue as mentioned in below down mail I am following below two
approaches,

1. Move the TLSv1.2 enabled traffic to an intermediate port and then to target
port which has TLS1 enabled, in that ssl handshake from intermediate to target
port getting below error. While triaging with openssl command, it is observed
that the DH parameters are not proper. So we are trying to add the dh
parameters

C:\Users\robin.johnson\Documents\SSL\SSL>C:\openssl-0.9.8k_X64\bin\openssl dhparam -inform PEM -in ./training_client.pem -check -text
unable to load DH parameters
1800:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: DH PARAMETERS

stunnel.log -> 2016.11.23 23:08:32 LOG3[131]: SSL_connect: 14082174: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small

2. Using https service in stunnel traffic is received by TLS V1.1 divert to non
ssl enabled port.

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958 Mobile : +91 9884040171 Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- telstra.psm.tsd.ti...@accenture.com

From: Josealf.rm
[mailto:jose...@rocketmail.com]
Sent: Thursday, November 24, 2016 4:36 PM
To: Chokkalingam, Jothish <jothish.chokkalin...@accenture.com>
Cc: cbro...@cbcs-usa.com; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Help in setting stunnel in server mode to overcome
TLSV2 compatibility

Can you please elaborate? If you want us to help, you need to provide enough
information.

Regards
Jose

On 24/11/2016, at 5:03 a.m., <jothish.chokkalin...@accenture.com>
<jothish.chokkalin...@accenture.com> wrote:
Jose, :) you are right. I was trying but I thought it will work as a client and
it worked as a workaround. But will check for the dh key small error while
forwarding the traffic with SSL from intermediate port to another port.

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958 Mobile : +91 9884040171 Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- telstra.psm.tsd.ti...@accenture.com

From: Josealf.rm [mailto:jose...@rocketmail.com]
Sent: Thursday, November 24, 2016 2:48 PM
To: Chokkalingam, Jothish <jothish.chokkalin...@accenture.com>
Cc: cbro...@cbcs-usa.com; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Help in setting stunnel in server mode to overcome
TLSV2 compatibility

Jothish,

Stunnel in server mode is what you need, with 99.9% confidence. When you
write:

[https]
Accept=443
Connect=localhost:80
Client=no

Stunnel will expect TLS connections on port 443 and will forward them to your
normal web server running on loopback port 80. Is that clear?

Regards,
Jose

On 24/11/2016, at 2:29 a.m., <jothish.chokkalin...@accenture.com>
<jothish.chokkalin...@accenture.com> wrote:
Is there a way to forward a Secure connection from one port to non secure
port using stunnel. I am googling but unable to find. If you have can you let
me know

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958 Mobile : +91 9884040171 Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- telstra.psm.tsd.ti...@accenture.com

From: stunnel-users [mailto:stunnel-users-boun...@stunnel.org] On Behalf Of Carter Browne
Sent: Wednesday, November 23, 2016 9:30 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Help in setting stunnel in server mode to overcome
TLSV2 compatibility

There are other tools for performing port forwarding with less overhead (I
believe tappipe is one), although I make use of stunnel to do this extensively.
Forwarding a secure connection from one port to another is a two-step process
with stunnel. A sample configuration segment would be:

[SFDC reverse in]
client = no
accept = 8008
connect = localhost:48008


[SFDC reverse out]
client = yes
accept = localhost:48008
connect = localhost:8009

On 11/23/2016 10:18 AM, Rodney Lott wrote:
Hi, there.

I'm no stunnel expert, but here's my $0.05 (we have no pennies in Canada 
anymore ;-) ):
- I would try including the key as well as the cert in your stunnel config
- I would enable debug on the openssl s_client call to see if it will indicate
why it is resetting. Same with your SFDC client to get more info.
- Question: is the "WARNING: can't open config file" message below indicative 
of a permissions or path problem?
- Question: Is the stunnel cert and key compatible with the TIBCO server's 
certificate? They need to be using certs generated from the same key source, 
don't they?
- You might want to fix the SSL version in the stunnel config file (i.e. 
sslVersion = TLSv1.2)

Good luck with your debugging. 

Rodney

On 2016-11-22 07:43 PM, jothish.chokkalin...@accenture.com wrote:
Hi all,

There is a problem we have currently connecting tibco client to SFDC server via
TLS v1.2 and that's solved by using stunnel in client mode. And the
communication from SFDC client to tibco server applications w.r.t TLS V1.2 I am
unable to solve using stunnel. Below is the configuration in stunnel in server
end to divert the traffic from 8008 to 8009, can you help here with the logs is
the stunnel configuration is correct or there any missed/need to alter.

[SFDC reverse proxy test]
debug=7
;client = yes
accept = 8008              -> port used by sfdc client to connect to TIBCO server
connect = localhost:8009   -> Tibco server that's running
cert = stunnel.pem

2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] started
2016.11.23 08:31:56 LOG7[118]: Option TCP_NODELAY set on local socket
2016.11.23 08:31:56 LOG5[118]: Service [SFDC reverse proxy test] accepted connection from 101.167.198.14:54477
2016.11.23 08:31:56 LOG6[118]: Peer certificate not required
2016.11.23 08:31:56 LOG7[118]: SSL state (accept): before/accept initialization
2016.11.23 08:31:56 LOG3[118]: SSL_accept: Peer suddenly disconnected
2016.11.23 08:31:56 LOG5[118]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.11.23 08:31:56 LOG7[118]: Local descriptor (FD=696) closed
2016.11.23 08:31:56 LOG7[118]: Service [SFDC reverse proxy test] finished (0 left)

PFB the openssl snapshot looks odd:

C:\Program Files (x86)\stunnel\bin>openssl s_client -connect localhost:8008 -prexit -showcerts
WARNING: can't open config file: /devel/win32/openssl/openssl.cnf
CONNECTED(0000016C)

Thanks and Regards,
Jothish
TIBCO TSD
Ph. : +91 44 39263958 Mobile : +91 9884040171 Support : +91 9962007110
OC : jothish.chokkalingam
Group mail:- telstra.psm.tsd.ti...@accenture.com
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users