On Tue, Mar 06, 2018 at 11:20:20AM +0200, Peter Pentchev wrote: > On Mon, Mar 05, 2018 at 01:28:15PM +0100, Carlos Castro wrote: > > Hello > > > > Thanks @Peter > > > > > > Yes , my application not support TLS and I need the application connect > > using TLS , for this i using stunnel (i hope) > > > > When I make curl -v http://127.0.0.1:19021 : > > > > curl -v http://127.0.0.1:19201 > > * Rebuilt URL to: http://127.0.0.1:19201/ > > * Trying 127.0.0.1... > > * Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0) > > > GET / HTTP/1.1 > > > Host: 127.0.0.1:19201 > > > User-Agent: curl/7.47.0 > > > Accept: */* > > > > > * HTTP 1.0, assume close after body > > < HTTP/1.0 400 Bad Request > > < Server: AkamaiGHost > > < Mime-Version: 1.0 > > < Content-Type: text/html > > < Content-Length: 208 > > < Expires: Mon, 05 Mar 2018 12:25:53 GMT > > < Date: Mon, 05 Mar 2018 12:25:53 GMT > > < Connection: close > > > > The web ctm.omgeo.net only works in mode HTTPS , . > > TL;DR: can you actually try your application with this stunnel config?
See below; I believe I've found the reason for the "Bad request" response, and you need to do something more to get it to work. > Yes, that's why you have stunnel - it will accept a pure HTTP connection > from your application (or, in this case, from cURL), and then it will > open a TLS (HTTPS) connection to ctm.omgeo.net. > > Actually, the "HTTP/1.0 400 Bad Request" response that you get shows > that stunnel already works: the request to ctm.omgeo.net is sent via > HTTPS, not plain HTTP. If you try to send a plain HTTP request to > ctm.omgeo.net port 443, cURL will report a very different error: > > [roam@straylight ~]$ curl -v http://ctm.omgeo.net:443/ > * Trying 88.221.30.124... > * TCP_NODELAY set > * Connected to ctm.omgeo.net (88.221.30.124) port 443 (#0) > > GET / HTTP/1.1 > > Host: ctm.omgeo.net:443 > > User-Agent: curl/7.58.0 > > Accept: */* > > > * Recv failure: Connection reset by peer > * stopped the pause stream! > * Closing connection 0 > curl: (56) Recv failure: Connection reset by peer > [roam@straylight ~]$ > > This happens because ctm.omgeo.net expects a TLS Client Hello message on > an incoming connection, and cURL sends it a plaintext HTTP request, so > ctm.omgeo.net says "this is not TLS, you must speak TLS to me, go away". > > So I guess that the "400 Bad Request" response you get from > ctm.omgeo.net means that 1. you have successfully sent a request to it > and it considered it to be an HTTP request, and 2. it expected > the application to send it a specific request, not just a "GET /", so > it said "GET / is not a valid request for me, but thanks for speaking > HTTPS". So it's time to test your actual application now; configure it > to talk to 127.0.0.1:19201 and see what happens. > > If anything goes wrong, show us the stunnel log. OK, so there's another thing. If you tell cURL or your application to send an HTTP request to 127.0.0.1:19201, then it will send a request with a "Host: 127.0.0.1" header, and omgeo.net's Akamai front-end will not know which backend server to route it to. So both cURL and your application must be convinced to send a request that has a "Host: ctm.omgeo.net" header. The simplest way to do this is somewhat error-prone, not quite future-proof, but it may work for the present. Add "ctm.omgeo.net" to the 127.0.0.1 line in your hosts file (/etc/hosts on a Unix-like system, %WINDOWSDIR%\system32\etc\hosts on a Windows system, I believe), and configure stunnel to connect to 88.221.30.124:443, not ctm.omgeo.net:443. This last part - hardcoding the IP address of the server - is the part that is error-prone and not future-proof, since omgeo.net (or Akamai) may decide to change that address at any time and things will stop working. There is a hackish solution - write a little tool that performs a real DNS lookup and, if the IP address has changed, regenerates the stunnel config and restarts stunnel, then run this tool every minute or so... Still, it worked for me: [roam@straylight /etc/stunnel]$ fgrep -e ctm.omgeo.net /etc/hosts 127.0.0.1 localhost ctm.omgeo.net [roam@straylight /etc/stunnel]$ curl -v http://ctm.omgeo.net:19201 * Rebuilt URL to: http://ctm.omgeo.net:19201/ * Trying 127.0.0.1... * TCP_NODELAY set * Connected to ctm.omgeo.net (127.0.0.1) port 19201 (#0) > GET / HTTP/1.1 > Host: ctm.omgeo.net:19201 > User-Agent: curl/7.58.0 > Accept: */* > < HTTP/1.1 302 Moved Temporarily < Location: /cleartrust/ct_logon.jsp < Content-Length: 0 < Date: Tue, 06 Mar 2018 09:41:48 GMT < Connection: keep-alive < Set-Cookie: Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; domain=.omgeo.net; path=/ < * Connection #0 to host ctm.omgeo.net left intact [roam@straylight /etc/stunnel]$ ...so that's a start. G'luck, Peter -- Peter Pentchev [email protected] [email protected] [email protected] PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
signature.asc
Description: PGP signature
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
