@Peter ... I'm sure you are the Best! :)

Now it works. I needed to put ctm.omgeo.net in the hosts file and it was ready :)

Now I put http://ctm.omgeo.net:19201 and I can connect with https://ctm.omgeo.net (curl, Firefox, the application all work!)

Many thanks :)

On 06/03/18 11:10, Peter Pentchev wrote:
On Tue, Mar 06, 2018 at 11:20:20AM +0200, Peter Pentchev wrote:
On Mon, Mar 05, 2018 at 01:28:15PM +0100, Carlos Castro wrote:

Thanks @Peter

Yes, my application does not support TLS and I need the application to connect
using TLS; for this I am using stunnel (I hope).

When I run curl -v:

curl -v
* Rebuilt URL to:
*   Trying
* Connected to ( port 19201 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.47.0
> Accept: */*

* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad Request
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 208
< Expires: Mon, 05 Mar 2018 12:25:53 GMT
< Date: Mon, 05 Mar 2018 12:25:53 GMT
< Connection: close

The site ctm.omgeo.net only works in HTTPS mode.
TL;DR: can you actually try your application with this stunnel config?
See below; I believe I've found the reason for the "Bad request"
response, and you need to do something more to get it to work.

Yes, that's why you have stunnel - it will accept a pure HTTP connection
from your application (or, in this case, from cURL), and then it will
open a TLS (HTTPS) connection to ctm.omgeo.net.

Actually, the "HTTP/1.0 400 Bad Request" response that you get shows
that stunnel already works: the request to ctm.omgeo.net is sent via
HTTPS, not plain HTTP.  If you try to send a plain HTTP request to
ctm.omgeo.net port 443, cURL will report a very different error:

[roam@straylight ~]$ curl -v http://ctm.omgeo.net:443/
*   Trying
* Connected to ctm.omgeo.net ( port 443 (#0)
> GET / HTTP/1.1
> Host: ctm.omgeo.net:443
> User-Agent: curl/7.58.0
> Accept: */*

* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
[roam@straylight ~]$

This happens because ctm.omgeo.net expects a TLS Client Hello message on
an incoming connection, and cURL sends it a plaintext HTTP request, so
ctm.omgeo.net says "this is not TLS, you must speak TLS to me, go away".

So I guess that the "400 Bad Request" response you get from
ctm.omgeo.net means that 1. you have successfully sent a request to it
and it considered it to be an HTTP request, and 2. it expected
the application to send it a specific request, not just a "GET /", so
it said "GET / is not a valid request for me, but thanks for speaking
HTTPS".  So it's time to test your actual application now; configure it
to talk to and see what happens.

If anything goes wrong, show us the stunnel log.
OK, so there's another thing.  If you tell cURL or your application to
send an HTTP request to, then it will send a request
with a "Host:" header, and omgeo.net's Akamai front-end will
not know which backend server to route it to.  So both cURL and your
application must be convinced to send a request that has
a "Host: ctm.omgeo.net" header.

The simplest way to do this is somewhat error-prone, not quite
future-proof, but it may work for the present.  Add "ctm.omgeo.net" to
the line in your hosts file (/etc/hosts on a Unix-like system,
%WINDOWSDIR%\system32\etc\hosts on a Windows system, I believe), and
configure stunnel to connect to, not ctm.omgeo.net:443.
This last part - hardcoding the IP address of the server - is the part
that is error-prone and not future-proof, since omgeo.net (or Akamai) may
decide to change that address at any time and things will stop working.
There is a hackish solution - write a little tool that performs a real DNS
lookup and, if the IP address has changed, regenerates the stunnel config
and restarts stunnel, then run this tool every minute or so...  Still,
it worked for me:

[roam@straylight /etc/stunnel]$ fgrep -e ctm.omgeo.net /etc/hosts
       localhost       ctm.omgeo.net
[roam@straylight /etc/stunnel]$ curl -v http://ctm.omgeo.net:19201
* Rebuilt URL to: http://ctm.omgeo.net:19201/
*   Trying
* Connected to ctm.omgeo.net ( port 19201 (#0)
> GET / HTTP/1.1
> Host: ctm.omgeo.net:19201
> User-Agent: curl/7.58.0
> Accept: */*

< HTTP/1.1 302 Moved Temporarily
< Location: /cleartrust/ct_logon.jsp
< Content-Length: 0
< Date: Tue, 06 Mar 2018 09:41:48 GMT
< Connection: keep-alive
< Set-Cookie: Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; domain=.omgeo.net; path=/
* Connection #0 to host ctm.omgeo.net left intact
[roam@straylight /etc/stunnel]$

...so that's a start.

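The thread leaves two things as an exercise: the client-mode stunnel service that accepts plain HTTP on 127.0.0.1:19201 and opens the TLS connection to ctm.omgeo.net, and the "little tool that performs a real DNS lookup and regenerates the stunnel config" once ctm.omgeo.net has been pinned to 127.0.0.1 in the hosts file. The script below is an added example, not stunnel project code and not anything posted in the thread. The pitfall it handles is that, with the hosts-file trick in place, getaddrinfo() now returns 127.0.0.1 for ctm.omgeo.net, so the tool has to send a raw DNS A query to a resolver itself. The resolver address, config path, restart command and CA-bundle path are assumptions; the `sni`, `verifyChain` and `checkHost` lines (stunnel 5.x options) are my addition so that the real hostname stays in the TLS layer even though `connect` is a bare IP address, and the `sample_response` bytes are constructed for offline testing, not captured from Akamai.

```python
# Added example: regenerate stunnel's client config when ctm.omgeo.net moves.
# Not stunnel code. Resolver, paths and restart command below are assumptions.
import random
import re
import socket
import struct
import subprocess

HOSTNAME = "ctm.omgeo.net"
RESOLVER = ("9.9.9.9", 53)                           # assumption
CONF_PATH = "/etc/stunnel/ctm.conf"                  # assumption
RESTART_CMD = ["systemctl", "restart", "stunnel4"]   # assumption

# Client-mode service: plain HTTP in on 127.0.0.1:19201, TLS out to the IP.
# sni/checkHost keep the real hostname in TLS although connect is an address.
CONF_TEMPLATE = """\
[ctm]
client = yes
accept = 127.0.0.1:19201
connect = {ip}:443
sni = ctm.omgeo.net
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ctm.omgeo.net
"""

def build_query(name, txid):
    """Header (RD set) plus one IN A question, RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(data, pos):
    """Offset just past the (possibly compressed) name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:      # 2-byte compression pointer ends it
            return pos + 2
        pos += 1 + length

def parse_a_records(data, txid):
    """IPv4 addresses in the answer section; rejects mismatched/error replies."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000) or (flags & 0x000F):
        raise ValueError("bad DNS response")
    pos = 12
    for _ in range(qd):                  # skip the echoed question(s)
        pos = skip_name(data, pos) + 4
    addrs = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def sample_response(txid, ip="203.0.113.7"):
    """Constructed reply (not captured from omgeo/Akamai) for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_query(HOSTNAME, txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer

def resolve(name=HOSTNAME, resolver=RESOLVER):
    """Ask the resolver directly over UDP, bypassing /etc/hosts."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, txid), resolver)
        data, _ = s.recvfrom(512)
    addrs = parse_a_records(data, txid)
    if not addrs:
        raise RuntimeError("no A record for " + name)
    return addrs[0]

def current_ip(conf_text):
    """Address hardcoded in the config's `connect =` line, or None."""
    m = re.search(r"^connect\s*=\s*([\d.]+):443$", conf_text, re.M)
    return m.group(1) if m else None

def refresh(ip, conf_path=CONF_PATH):
    """Rewrite the config and restart stunnel only when the address moved."""
    try:
        old = open(conf_path).read()
    except FileNotFoundError:
        old = ""
    if current_ip(old) == ip:
        return False
    with open(conf_path, "w") as f:
        f.write(CONF_TEMPLATE.format(ip=ip))
    subprocess.run(RESTART_CMD, check=True)
    return True

if __name__ == "__main__":
    refresh(resolve())
```

Run it from cron every minute, as Peter suggests; stunnel is only restarted when the A record actually changes, so existing tunnelled connections are not dropped on every run. The DNS answer is an unauthenticated UDP reply and a spoofed one could point the tunnel elsewhere, which is exactly why the config keeps `verifyChain` and `checkHost`: whatever address the tool writes, the connection only proceeds if the peer presents a valid certificate for ctm.omgeo.net.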

stunnel-users mailing list