What do your debug logs say? What happens when you send a test message through? 
Are you sure you have the remote IP address/port correct? Is there IP filtering 
or a firewall in place between the two?

Liz Turi
Sr. Consultant
Massachusetts eHealth Collaborative
860 Winter Street, Waltham, MA 02451
(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589
www.maehc.org

From: Dheeraj Gautam [mailto:[email protected]]
Sent: Thursday, August 3, 2017 5:27 AM
To: Liz Turi <[email protected]>; [email protected]; [email protected]
Cc: Gurpreet Ahuja <[email protected]>; Sumit Sharma 
<[email protected]>; Ishu Singh <[email protected]>
Subject: RE: [stunnel-users] Stunnel Connectivity Issue

Hi Liz,

We are badly stuck trying to establish an stunnel connection with one of our 
partners. We have configured a client-mode configuration on our server to 
connect to the server to run the application.

Below is the config which we have done on my server:

; ***************************************** Example TLS Client mode services
; Certificate
cert = Talomoncert.pem
key = Talomonkey.pem
CAfile = TalomonCACerts.pem
;FIPS
fips=no
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1.2

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
client = yes
; Service-level configuration
[FIX]
accept = 127.0.0.1:9260
connect = 69.191.230.34:8228
;protocol=connect
;protocolHost= 69.191.230.34:8228
TIMEOUTconnect  = 5

Our partner says that they are not getting any TLS connection on their server, 
due to which the connection is not being established.

Could you please help us to get this sorted out, as we have no more ideas how 
we can troubleshoot this.

Thanks in advance.

Regards,

Dheeraj Gautam

From: Liz Turi [mailto:[email protected]]
Sent: Tuesday, June 13, 2017 11:40 PM
To: Dheeraj Gautam <[email protected]>; [email protected]; [email protected]
Subject: RE: [stunnel-users] Stunnel Connectivity Issue

Hi, Dheeraj,

Your logs say that you’re connecting successfully to the port that your 
application is listening on. Have you tried testing from the application, or 
calls to the application?

This line (along with the next couple of lines) suggests that telnet is 
connecting through to the remote host listening on 8228.

2017.06.13 16:38:38 LOG5[11]: s_connect: connected 69.191.198.34:8228

It closes the connection via telnet because telnet isn’t going to run your 
application for you.

We need more information about how you’re connecting to your application (or 
intending to).


Liz Turi

From: stunnel-users [mailto:[email protected]] On Behalf Of 
Dheeraj Gautam
Sent: Tuesday, June 13, 2017 1:21 PM
To: [email protected]; [email protected]
Subject: Re: [stunnel-users] Stunnel Connectivity Issue

Hi Browne,

I do not understand what config I have to do in the stunnel config file.

As per the application, it will trigger port 8228 of the remote server, but at 
the moment stunnel is working only when I am trying to telnet localhost on port 
9233.

Nothing is happening when running the application; I don’t know what I am 
missing, as I am new to stunnel.

Please help to fix this.

Regards,

Dheeraj Gautam



From: stunnel-users [mailto:[email protected]] On Behalf Of 
Carter Browne
Sent: Tuesday, June 13, 2017 10:41 PM
To: [email protected]
Subject: Re: [stunnel-users] Stunnel Connectivity Issue


Dheeraj,

stunnel will keep the connection open for as long as your application keeps it 
open.  When you exit telnet, it closes the connection.  I use stunnel mostly 
for RDP, VNC and telnet, and as long as the application is active, the port is 
open.  You need to have your application open the local port you want to route 
via stunnel (in your example 127.0.0.1:9233).  As long as your application 
keeps the connection open (ignoring such issues as communications failures), 
stunnel will maintain the application.  Telnet is a great tool for determining 
connectivity, but your application is going to have to handle the connection 
going forward.

Carter Browne

On 6/13/2017 12:01 PM, Dheeraj Gautam wrote:
Hi Liz,

Thanks for your reply.

Actually we need to run a service which will work only once the stunnel 
connection is established, and the service will work for as long as the 
connection is connected.

But at the moment I don’t have any idea how stunnel will remain connected.

Could you please suggest how to fix this so that the stunnel connection remains 
connected and I can run the application.

Waiting for your valuable response.

Regards,

Dheeraj Gautam

From: Liz Turi [mailto:[email protected]]
Sent: Tuesday, June 13, 2017 9:19 PM
To: Dheeraj Gautam <[email protected]>; Małgorzata Olszówka <[email protected]>
Cc: [email protected]
Subject: RE: [stunnel-users] Stunnel Connectivity Issue

Hi, Dheeraj,

Are you testing the connection with Telnet? Or are you testing with the 
application? What I noticed in testing the connection is that once the command 
is completed, the connection is closed.

However, when I test from my application, it’s only closed once all 
transactions in that session are completed, and will show how much data was 
passed on (following from my logs at the end of a non-telnet test session).

2017.06.13 10:16:08 LOG6[1]: Negotiated TLSv1.2 ciphersuite AES256-GCM-SHA384 (256-bit encryption)
2017.06.13 10:16:18 LOG6[1]: Read socket closed (readsocket)
2017.06.13 10:16:18 LOG6[1]: SSL_shutdown successfully sent close_notify alert
2017.06.13 10:16:18 LOG6[1]: TLS closed (SSL_read)
2017.06.13 10:16:18 LOG5[1]: Connection closed: 2791 byte(s) sent to TLS, 1641 byte(s) sent to socket

Liz Turi

From: stunnel-users [mailto:[email protected]] On Behalf Of 
Dheeraj Gautam
Sent: Tuesday, June 13, 2017 11:41 AM
To: Małgorzata Olszówka <[email protected]>
Cc: [email protected]
Subject: Re: [stunnel-users] Stunnel Connectivity Issue

Hi guys,

Below is the config which I have configured with TLSv1.2, but the connection is 
still established only for a while when I telnet 127.0.0.1 9233, and just after 
that the connection is closed.

[TCP]
client=yes
cert = BBG_cert.pem
key = BBG_key.pem
verifyChain = yes
CAfile = BBG_CACerts.pem
connect = 69.191.198.34:8228
accept  = 127.0.0.1:9233
sslVersion = TLSv1.2

Below are the logs:

2017.06.13 11:57:49 LOG5[main]: Reading configuration from file stunnel.conf
2017.06.13 11:57:49 LOG5[main]: UTF-8 byte order mark detected
2017.06.13 11:57:49 LOG5[main]: FIPS mode disabled
2017.06.13 11:57:49 LOG3[main]: Service [TCP]: Each service must define two endpoints
2017.06.13 11:57:49 LOG3[main]: Failed to reload the configuration file
2017.06.13 16:37:16 LOG5[main]: Reading configuration from file stunnel.conf
2017.06.13 16:37:16 LOG5[main]: UTF-8 byte order mark detected
2017.06.13 16:37:16 LOG5[main]: FIPS mode disabled
2017.06.13 16:37:16 LOG4[main]: Service [TCP] uses "verifyChain" without subject checks
2017.06.13 16:37:16 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
2017.06.13 16:37:16 LOG5[main]: Configuration successful
2017.06.13 16:38:38 LOG5[11]: Service [TCP] accepted connection from 127.0.0.1:62736
2017.06.13 16:38:38 LOG5[11]: s_connect: connected 69.191.198.34:8228
2017.06.13 16:38:38 LOG5[11]: Service [TCP] connected remote server from 172.16.1.23:62737
2017.06.13 16:38:39 LOG5[11]: Certificate accepted at depth=0: C=US, ST=NEW YORK, L=NEW YORK, O=Bloomberg LP, OU=FIXBETA, CN=fixbeta.bloomberg.com, [email protected]
2017.06.13 16:39:10 LOG5[11]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

I want the connection to remain connected all the time so that I can run the 
application.

The application can work only if the connection remains connected.

Please help me to sort this out.

Regards,

Dheeraj Gautam

On 25 May 2017 at 12:29, Małgorzata Olszówka <[email protected]> wrote:
Could you please let us know what parameters we are missing here due to which 
the connection is not being established with the remote server.

Although the stunnel logs indicate that the configuration is successful, 
nowhere in the logs is it mentioned whether the connection is connected or not.


Hello Dheeraj,

You should set the verifyChain option in order to verify the certificate stored 
in the file specified with CAfile:
verifyChain = yes

Then you can test your connection:
telnet 127.0.0.1 9233
The stunnel logs will show information about the connection attempt.

Regards,
Małgorzata
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
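
Added example, not part of any message in the thread: a small Python triage of stunnel debug output that separates startup warnings (such as the "verifyChain" without "checkHost"/"checkIP" warning) from per-connection outcomes, so a 0-byte session like the telnet test can be told apart from one that carried application data. The function names `triage` and `verdict` are this example's own; the sample lines are taken from the logs quoted in the thread.

```python
import re
from collections import defaultdict

# Lines taken from the logs quoted in the thread (wrapped lines rejoined, e-mail
# field of the subject dropped). Thread 11 = telnet test, thread 1 = application.
SAMPLE_LOG = """\
2017.06.13 16:37:16 LOG4[main]: Service [TCP] uses "verifyChain" without subject checks
2017.06.13 16:37:16 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
2017.06.13 16:37:16 LOG5[main]: Configuration successful
2017.06.13 16:38:38 LOG5[11]: s_connect: connected 69.191.198.34:8228
2017.06.13 16:38:39 LOG5[11]: Certificate accepted at depth=0: C=US, ST=NEW YORK, L=NEW YORK, O=Bloomberg LP, OU=FIXBETA, CN=fixbeta.bloomberg.com
2017.06.13 16:39:10 LOG5[11]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.06.13 10:16:08 LOG6[1]: Negotiated TLSv1.2 ciphersuite AES256-GCM-SHA384 (256-bit encryption)
2017.06.13 10:16:18 LOG5[1]: Connection closed: 2791 byte(s) sent to TLS, 1641 byte(s) sent to socket
"""

LINE = re.compile(r"^\S+ \S+ LOG(\d)\[(\w+)\]: (.*)$")
CLOSED = re.compile(r"Connection closed: (\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")

def triage(log_text):
    """Return (startup warnings/errors, per-connection summaries keyed by thread id)."""
    warnings = []
    sessions = defaultdict(lambda: {"remote": None, "tls": False, "bytes": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        level, tid, msg = int(m.group(1)), m.group(2), m.group(3)
        if tid == "main":
            if level <= 4:  # LOG3 = error, LOG4 = warning
                warnings.append(msg)
            continue
        s = sessions[tid]
        if msg.startswith("s_connect: connected "):
            s["remote"] = msg.split()[-1]
        elif msg.startswith(("Certificate accepted", "Negotiated TLS")):
            s["tls"] = True  # the peer answered the TLS handshake
        elif (c := CLOSED.search(msg)):
            s["bytes"] = (int(c.group(1)), int(c.group(2)))  # (to TLS, to socket)
    return warnings, dict(sessions)

def verdict(s):
    """One-line reading of a connection summary produced by triage()."""
    if s["bytes"] is None:
        return "no close record: still open, or the log is truncated"
    if s["bytes"] == (0, 0):
        return ("TLS reached the peer but no application data passed" if s["tls"]
                else "closed before any TLS handshake activity was logged")
    return "application data flowed in both directions" if all(s["bytes"]) else "one-way data only"
```

Running `triage(SAMPLE_LOG)` and passing each session to `verdict` reports the telnet session as a handshake with no payload and the application session as carrying data in both directions.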


