@Peter ... I'm sure you are the Best! :)

Now it's works . I needed put ctm.omgeo.net in host file y ready :)

Now i put http://ctm.omgeo.net:19201 and I can connect with https://ctm.omgeo.net  (curl  , firefox , application works!)

Many thanks :)


On 06/03/18 11:10, Peter Pentchev wrote:
On Tue, Mar 06, 2018 at 11:20:20AM +0200, Peter Pentchev wrote:
On Mon, Mar 05, 2018 at 01:28:15PM +0100, Carlos Castro wrote:
Hello

Thanks @Peter


Yes , my application not support TLS and I need the application connect
using TLS , for this i using stunnel (i hope)

When I make curl -v http://127.0.0.1:19021  :

curl -v http://127.0.0.1:19201
* Rebuilt URL to: http://127.0.0.1:19201/
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0)
GET / HTTP/1.1
Host: 127.0.0.1:19201
User-Agent: curl/7.47.0
Accept: */*

* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad Request
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 208
< Expires: Mon, 05 Mar 2018 12:25:53 GMT
< Date: Mon, 05 Mar 2018 12:25:53 GMT
< Connection: close

The web ctm.omgeo.net only works in mode HTTPS , .
TL;DR: can you actually try your application with this stunnel config?
See below; I believe I've found the reason for the "Bad request"
response, and you need to do something more to get it to work.

Yes, that's why you have stunnel - it will accept a pure HTTP connection
from your application (or, in this case, from cURL), and then it will
open a TLS (HTTPS) connection to ctm.omgeo.net.

Actually, the "HTTP/1.0 400 Bad Request" response that you get shows
that stunnel already works: the request to ctm.omgeo.net is sent via
HTTPS, not plain HTTP.  If you try to send a plain HTTP request to
ctm.omgeo.net port 443, cURL will report a very different error:

[roam@straylight ~]$ curl -v http://ctm.omgeo.net:443/
*   Trying 88.221.30.124...
* TCP_NODELAY set
* Connected to ctm.omgeo.net (88.221.30.124) port 443 (#0)
GET / HTTP/1.1
Host: ctm.omgeo.net:443
User-Agent: curl/7.58.0
Accept: */*

* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
[roam@straylight ~]$

This happens because ctm.omgeo.net expects a TLS Client Hello message on
an incoming connection, and cURL sends it a plaintext HTTP request, so
ctm.omgeo.net says "this is not TLS, you must speak TLS to me, go away".

So I guess that the "400 Bad Request" response you get from
ctm.omgeo.net means that 1. you have successfully sent a request to it
and it considered it to be an HTTP request, and 2. it expected
the application to send it a specific request, not just a "GET /", so
it said "GET / is not a valid request for me, but thanks for speaking
HTTPS".  So it's time to test your actual application now; configure it
to talk to 127.0.0.1:19201 and see what happens.

If anything goes wrong, show us the stunnel log.
OK, so there's another thing.  If you tell cURL or your application to
send an HTTP request to 127.0.0.1:19201, then it will send a request
with a "Host: 127.0.0.1" header, and omgeo.net's Akamai front-end will
not know which backend server to route it to.  So both cURL and your
application must be convinced to send a request that has
a "Host: ctm.omgeo.net" header.

The simplest way to do this is somewhat error-prone, not quite
future-proof, but it may work for the present.  Add "ctm.omgeo.net" to
the 127.0.0.1 line in your hosts file (/etc/hosts on a Unix-like system,
%WINDOWSDIR%\system32\etc\hosts on a Windows system, I believe), and
configure stunnel to connect to 88.221.30.124:443, not ctm.omgeo.net:443.
This last part - hardcoding the IP address of the server - is the part
that is error-prone and not future-proof, since omgeo.net (or Akamai) may
decide to change that address at any time and things will stop working.
There is a hackish solution - write a little tool that performs a real DNS
lookup and, if the IP address has changed, regenerates the stunnel config
and restarts stunnel, then run this tool every minute or so...  Still,
it worked for me:

[roam@straylight /etc/stunnel]$ fgrep -e ctm.omgeo.net /etc/hosts
127.0.0.1       localhost       ctm.omgeo.net
[roam@straylight /etc/stunnel]$ curl -v http://ctm.omgeo.net:19201
* Rebuilt URL to: http://ctm.omgeo.net:19201/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to ctm.omgeo.net (127.0.0.1) port 19201 (#0)
GET / HTTP/1.1
Host: ctm.omgeo.net:19201
User-Agent: curl/7.58.0
Accept: */*

< HTTP/1.1 302 Moved Temporarily
< Location: /cleartrust/ct_logon.jsp
< Content-Length: 0
< Date: Tue, 06 Mar 2018 09:41:48 GMT
< Connection: keep-alive
< Set-Cookie: 
Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; 
domain=.omgeo.net; path=/
<
* Connection #0 to host ctm.omgeo.net left intact
[roam@straylight /etc/stunnel]$

...so that's a start.

G'luck,
Peter


_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

Reply via email to