Hi Peter, Thanks for the help, but I still need help with the certificates.
Stunnel is installed on Windows and the firewall is disabled. In the application settings, the address will be "stunserv: 5432"; the application is not located on the same host as stunnel. At the moment, for easier testing, I use a browser. I have the opportunity to go to tdl.externalhost.com:9443. Do I truly understand that when stunnel is configured correctly, I should see the same result when going to stunserv: 54321?

I have a server root certificate that is currently installed at trusted root certification authorities (the chain looks like this: CA.cer -> externalhost.cer). The CApath directory contains the root certificate for the tdl.externalhost.com server and revocation lists. What certificates should I use? How do I correctly specify the certificates in the config? Do I need to create any certificates?

Current config:

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no

[https]
client = yes
connect = tdl.externalhost.com:9443
accept = stunserv:54321
TIMEOUTclose = 0
TIMEOUTconnect = 200
TIMEOUTidle = 86400
sni = tdl.externalhost.com
checkHost = tdl.externalhost.com
verifyChain = yes
CApath = "C:\Program Files (x86)\stunnel\config\ssl"

Connections log:

2018.12.27 11:34:19 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2018.12.27 11:34:19 LOG5[main]: Compiled/running with OpenSSL 1.1.1a 20 Nov 2018
2018.12.27 11:34:19 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2018.12.27 11:34:19 LOG5[main]: Reading configuration from file stunnel.conf
2018.12.27 11:34:19 LOG5[main]: UTF-8 byte order mark detected
2018.12.27 11:34:19 LOG5[main]: Configuration successful
2018.12.27 11:34:31 LOG5[0]: Service [https] accepted connection from fe80::1cc0:e238:fbbc:7767%12:53218
2018.12.27 11:34:52 LOG3[0]: s_connect: connect tdl.externalhost.com:9443: Connection timed out (WSAETIMEDOUT) (10060)
2018.12.27 11:34:52 LOG3[0]: No more addresses to connect
2018.12.27 11:34:52 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Wed, 26 Dec 2018 at 23:00, Eric Eberhard <[email protected]>:

> There once was an open source libcsoap to do SOAP. It appeared abandoned 5-10 years ago but was available on line.
>
> I downloaded that ages ago and made a fully functional libcsoap -- this includes "nanohttp" which will POST via HTTP, HTTPS, 1.0, 1.1, etc.
>
> I only use this on AIX -- and my inability to do the craziness that the open source community does so well to make it work on all platforms and a lack of a real place to put it -- it never really got out.
>
> You are welcome to the code. It is in C. You can build nanohttp apart from libcsoap. If it has a few gotchas because of your O/S, they should be easy to fix (I did make a couple AIX changes).
>
> The code is small and easy to link into C (or anything else that links to a .a or .so) -- and it can be set up as a server (never tried it).
>
> It DOES require openssl be installed (for the HTTPS I think).
>
> If you want it, email me and I'll put it on my FTP site.
>
> Eric
>
> -----Original Message-----
> From: stunnel-users [mailto:[email protected]] On Behalf Of Peter Pentchev
> Sent: Wednesday, December 26, 2018 8:40 AM
> To: Константин Кручинин <[email protected]>
> Cc: [email protected]
> Subject: Re: [stunnel-users] HTTP to HTTPS
>
> On Wed, Dec 26, 2018 at 04:54:34PM +0300, Константин Кручинин wrote:
> > Good day!
> > Is it possible to realize the following functionality by means of Stunnel?
> > There is an application that is not able to do SSL; I need to send data to the server over HTTPS.
>
> As I noted in a recent message, stunnel may be used as a client for an HTTPS service; the configuration is pretty much what you have shown below, but there are several more details to configure. See https://www.stunnel.org/pipermail/stunnel-users/2018-December/006233.html
>
> First off, do you have control over the source code of your application - the one that sends the HTTP query that actually needs to reach an HTTPS server? If you do, is it possible to modify the source so that it establishes a TCP connection to a specified IP address and port and *then* sends an HTTP request over that connection, with the actual server's hostname in the HTTP request? Some HTTP client libraries do give you this opportunity, although it is rare. If you can do that, then it may not be necessary to do the hosts file trickery and chase the server's IP address - specify the server by name in stunnel's configuration and let the client connect to the address stunnel listens to and send an HTTP request containing the real server's name.
>
> If you cannot do that, or if it would be too much hassle, then there is always the solution that I outlined in my message - specify a numeric IP address in stunnel's configuration and put the server's name in your system's hosts file (/etc/hosts on Unix, %WINDIR%\system32\drivers\etc\hosts on Windows) entry for the IP address that stunnel listens on.
>
> One more thing that I forgot to mention in my previous message: with HTTPS it might be good to specify the "sni" option so that stunnel asks the server for the correct virtual host to connect to.
>
> > How can this be implemented without installing an instance of Stunnel on the server side?
>
> If there is an HTTPS server on the server side, you should be able to do this with stunnel as a client, with pretty much the configuration that you have shown.
>
> > Do I need to specify the certificate when implementing the above, if so, what kind of certificates are needed?
>
> Stunnel will want - and for good reasons, it will really be a good idea - to verify the certificate of the server that it is connecting to, so that it (stunnel) does not mislead your application by saying "here, this is a connection to the server you requested" and handing it a connection to a man-in-the-middle server controlled by an attacker. So you will need to obtain the certificate of the HTTPS server and either point stunnel to it directly or point stunnel to a directory containing the certificate of the entity that issued the server's certificate (e.g. Let's Encrypt or your organization's internal CA or something).
>
> > At the moment I have the following config.
> >
> > sslVersion = all
> > options = NO_SSLv2
> > options = NO_SSLv3
> > fips = no
> >
> > [https]
> > client = yes
> > connect = externalhost:9443
> > accept = localhost:54321
> > TIMEOUTclose = 0
> > TIMEOUTconnect = 200
> > TIMEOUTidle = 86400
>
> If there is already an HTTPS server listening on externalhost:9443, then this is very close to what you will need. The modifications may need to include specifying an IP address instead of a hostname in the "connect" directive (see the discussion about the hosts file above), then adding an "sni = serverhostname" line so that stunnel asks for the correct virtual host to connect to, then adding a "checkHost = serverhostname" line (or a similar line; in some cases the server that responds may have a slightly different common name, but this should be rare), and then adding some "verify" and "CAfile" or "CApath" lines to point stunnel to the certificate of the server or the certificate of the CA that issued the server's certificate.
>
> If all of this is making your head spin, let me know and I may try to explain it step by step in more detail :) We've all been there, just thrown into the deep by some "you have to learn how to do this *now*" task that comes out of nowhere...
>
> Hope at least some of this helps! :)
>
> G'luck,
> Peter
>
> --
> Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} [email protected]
> PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

--
With best regards, Константин Кручинин
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
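The stunnel log quoted in the thread records an s_connect failure, which is the plain TCP connection to the backend and happens before any TLS handshake or certificate check; a certificate problem would instead surface as a CERT or SSL_connect line. The following is an added example, not code from the thread or from the stunnel project: a small Python parser for stunnel log lines of the form shown above that groups lines by connection id and reports at which stage each connection failed, so that reachability problems and CAfile/CApath problems are not confused. The first six sample lines are copied from the thread; the lines for connection 1 are constructed for illustration and are not from the poster's log.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample input: the first block is copied from the thread's log; the lines for
# connection 1 are CONSTRUCTED to illustrate what a chain-verification failure
# looks like and are not from the original post.
SAMPLE_LOG = """\
2018.12.27 11:34:19 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2018.12.27 11:34:19 LOG5[main]: Configuration successful
2018.12.27 11:34:31 LOG5[0]: Service [https] accepted connection from fe80::1cc0:e238:fbbc:7767%12:53218
2018.12.27 11:34:52 LOG3[0]: s_connect: connect tdl.externalhost.com:9443: Connection timed out (WSAETIMEDOUT) (10060)
2018.12.27 11:34:52 LOG3[0]: No more addresses to connect
2018.12.27 11:34:52 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.12.27 11:40:01 LOG5[1]: Service [https] accepted connection from 127.0.0.1:40000
2018.12.27 11:40:01 LOG4[1]: CERT: Verification error: unable to get local issuer certificate
2018.12.27 11:40:01 LOG3[1]: SSL_connect: certificate verify failed (constructed sample line)
2018.12.27 11:40:01 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# Line format used by stunnel: "<date> <time> LOG<level>[<conn id>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<conn>\w+)\]: (?P<msg>.*)$"
)

# What a defender should look at for each failure stage (hypothetical hints).
STAGE_HINTS = {
    "tcp_connect": "backend unreachable: check DNS, routing, firewall and the 'connect' target",
    "tls_verify": "chain verification failed: check CAfile/CApath contents and hash-named files",
    "tls_handshake": "handshake failed for another reason: check sni/checkHost and protocol options",
    "completed": "connection finished without a logged failure",
    "open": "no close line seen yet",
}


@dataclass
class Connection:
    conn_id: str
    peer: Optional[str] = None
    stage: str = "open"           # one of the STAGE_HINTS keys
    failure: Optional[str] = None  # first failure message seen
    bytes_to_tls: Optional[int] = None
    bytes_to_socket: Optional[int] = None


def parse_line(line: str) -> Optional[dict]:
    """Split one stunnel log line into timestamp, level, connection id and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def apply_message(conn: Connection, msg: str) -> None:
    """Update a connection's state from one log message."""
    if msg.startswith("Service [") and "accepted connection from " in msg:
        conn.peer = msg.rsplit("accepted connection from ", 1)[1]
    elif msg.startswith("s_connect:"):
        # TCP connect to the backend; failing here means no TLS handshake started,
        # so certificates were never consulted.
        conn.stage, conn.failure = "tcp_connect", msg
    elif msg.startswith("CERT: Verification error"):
        conn.stage, conn.failure = "tls_verify", msg
    elif msg.startswith("SSL_connect:") or msg.startswith("SSL_accept:"):
        if conn.stage == "open":  # keep the more specific CERT diagnosis if already set
            conn.stage, conn.failure = "tls_handshake", msg
    elif msg.startswith("Connection reset") or msg.startswith("Connection closed"):
        for count, direction in re.findall(r"(\d+) byte\(s\) sent to (TLS|socket)", msg):
            if direction == "TLS":
                conn.bytes_to_tls = int(count)
            else:
                conn.bytes_to_socket = int(count)
        if conn.stage == "open":
            conn.stage = "completed"


def summarize(log_text: str) -> Dict[str, Connection]:
    """Group log lines by connection id ('main' lines are skipped) and classify each."""
    conns: Dict[str, Connection] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["conn"] == "main":
            continue
        conn = conns.setdefault(rec["conn"], Connection(rec["conn"]))
        apply_message(conn, rec["msg"])
    return conns


if __name__ == "__main__":
    for cid, c in summarize(SAMPLE_LOG).items():
        print(f"[{cid}] from {c.peer}: stage={c.stage}; {STAGE_HINTS[c.stage]}")
        if c.failure:
            print(f"      {c.failure}")
```

Run it against a real stunnel log (for example by reading the file into summarize) to see, per connection, whether the failure happened before or after the TLS handshake began; a tcp_connect stage with 0 bytes in both directions, as in the thread's log, cannot be fixed by changing certificate options.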
