I also wanted to be clear on what we are trying to accomplish:

Client sends us data over TLS 1.2 -----> We accept the traffic at stunnel (port
27015) and decrypt the traffic ------> We send the traffic to another internal
server unencrypted.

We have tried to limit to only the following cipher:

ECDHE-RSA-AES256-SHA384

However, when we try to reload the config, it will not load.

Thanks again for your help.
_________________________________
Gary Jackson | Senior Systems Engineer
Direct: 502.777.1940

IT GUY NETWORKS LLC | Certified Systems Consultants
14607 Lake Bluff Place
Louisville, KY 40245

The information contained in this email, and in any accompanying documents, 
constitutes confidential information, which belongs to IT Guy Networks. This 
information is intended for the use of the individual(s) or entity named above. 
You are hereby notified that any disclosure, copying, distribution, or the 
taking of any action in reliance on this information, is strictly prohibited.
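
As an added check (not part of the thread and not stunnel's own code): stunnel passes the `ciphers =` value to OpenSSL, so the same string can be validated offline with Python's `ssl` module before a reload, and the suite that stunnel reports in its "ciphersuite:" log line can be compared against what that string actually selects. The cipher name and the log line are copied from this thread; everything else is constructed for the example.

```python
import re
import ssl

# Cipher name from the config and the "ciphersuite:" line from the stunnel log
# in this thread (constructed sample input for the check below).
CONFIGURED = "ECDHE-RSA-AES256-SHA384"
LOG_LINE = ("2022.10.15 15:04:28 LOG6[149]: TLSv1.2 ciphersuite: "
            "ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)")


def expand_ciphers(cipher_string):
    """Ask the local OpenSSL (through Python's ssl module) which TLS 1.2 suites
    a cipher string selects. Returns [] when OpenSSL rejects the string, which
    is the condition under which stunnel refuses to load a 'ciphers =' line."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists TLS 1.3 suites (TLS_AES_...), which the
    # 'ciphers' option does not control, so drop them.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def negotiated_suite(log_line):
    """Pull the negotiated suite name out of a stunnel 'ciphersuite:' line."""
    m = re.search(r"ciphersuite: (\S+)", log_line)
    return m.group(1) if m else None


def check_config_against_log(cipher_string, log_line):
    """Return (string_is_valid, selected_suites, negotiated, negotiated_allowed).

    negotiated_allowed is False when the suite seen in the log is not one the
    configured string selects, e.g. the GCM suite vs. the CBC SHA384 suite."""
    suites = expand_ciphers(cipher_string)
    neg = negotiated_suite(log_line)
    return bool(suites), suites, neg, neg in suites


if __name__ == "__main__":
    valid, suites, neg, allowed = check_config_against_log(CONFIGURED, LOG_LINE)
    print("cipher string accepted by OpenSSL:", valid)
    print("suites selected:", suites)
    print("suite in log:", neg, "| covered by config:", allowed)
```

Run it on the host where stunnel lives: the `ssl` module links the same OpenSSL that stunnel uses, so an empty expansion there matches a config that fails to reload.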

-----Original Message-----
From: Gary Jackson 
Sent: Saturday, October 15, 2022 3:09 PM
To: '[email protected]' <[email protected]>; [email protected]
Subject: RE: [stunnel-users] [SPAM] SSL Termination Issue

Thank you very much for your help.  Doesn't the TLS negotiation below at the 
line "TLS accepted: New Session Negotiated"?

2022.10.15 15:04:28 LOG7[main]: New thread created
2022.10.15 15:04:28 LOG7[149]: Service [https] started
2022.10.15 15:04:28 LOG7[149]: Setting local socket options (FD=728)
2022.10.15 15:04:28 LOG7[149]: Option TCP_NODELAY set on local socket
2022.10.15 15:04:28 LOG5[149]: Service [https] accepted connection from x.x.x.x:64014
2022.10.15 15:04:28 LOG6[149]: Peer certificate not required
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): before SSL initialization
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): before SSL initialization
2022.10.15 15:04:28 LOG7[149]: Decrypt session ticket callback
2022.10.15 15:04:28 LOG7[149]: Initializing application specific data for session authenticated
2022.10.15 15:04:28 LOG7[149]: SNI: no virtual services defined
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read client hello
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server hello
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write certificate
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write key exchange
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server done
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write server done
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read client key exchange
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read change cipher spec
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS read finished
2022.10.15 15:04:28 LOG7[149]: Generate session ticket callback
2022.10.15 15:04:28 LOG7[149]: Initializing application specific data for session authenticated
2022.10.15 15:04:28 LOG7[149]: Deallocating application specific data for session connect address
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write session ticket
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write change cipher spec
2022.10.15 15:04:28 LOG7[149]: TLS state (accept): SSLv3/TLS write finished
2022.10.15 15:04:28 LOG7[149]:     10 server accept(s) requested
2022.10.15 15:04:28 LOG7[149]:     10 server accept(s) succeeded
2022.10.15 15:04:28 LOG7[149]:      0 server renegotiation(s) requested
2022.10.15 15:04:28 LOG7[149]:      0 session reuse(s)
2022.10.15 15:04:28 LOG7[149]:      6 internal session cache item(s)
2022.10.15 15:04:28 LOG7[149]:      0 internal session cache fill-up(s)
2022.10.15 15:04:28 LOG7[149]:      0 internal session cache miss(es)
2022.10.15 15:04:28 LOG7[149]:      0 external session cache hit(s)
2022.10.15 15:04:28 LOG7[149]:      0 expired session(s) retrieved
2022.10.15 15:04:28 LOG6[149]: TLS accepted: new session negotiated
2022.10.15 15:04:28 LOG6[149]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2022.10.15 15:04:28 LOG3[149]: SSL_get_peer_tmp_key: Peer suddenly disconnected
2022.10.15 15:04:28 LOG7[149]: Compression: null, expansion: null
2022.10.15 15:04:28 LOG7[149]: Deallocating application specific data for session connect address
2022.10.15 15:04:28 LOG6[149]: s_connect: connecting x.x.x.x:9000
2022.10.15 15:04:28 LOG7[149]: s_connect: s_poll_wait x.x.x.x:9000: waiting 10 seconds
2022.10.15 15:04:28 LOG7[149]: FD=648 ifds=rwx ofds=---
2022.10.15 15:04:28 LOG5[149]: s_connect: connected x.x.x.x:9000
2022.10.15 15:04:28 LOG6[149]: persistence: x.x.x.x:9000 cached
2022.10.15 15:04:28 LOG5[149]: Service [https] connected remote server from x.x.x.x:62317
2022.10.15 15:04:28 LOG7[149]: Setting remote socket options (FD=648)
2022.10.15 15:04:28 LOG7[149]: Option TCP_NODELAY set on remote socket
2022.10.15 15:04:28 LOG7[149]: Remote descriptor (FD=648) initialized
2022.10.15 15:04:28 LOG6[149]: SSL_read: Socket is closed
2022.10.15 15:04:28 LOG6[149]: TLS socket closed (SSL_read)
2022.10.15 15:04:28 LOG7[149]: Sent socket write shutdown
2022.10.15 15:04:28 LOG5[149]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2022.10.15 15:04:28 LOG7[149]: Remote descriptor (FD=648) closed
2022.10.15 15:04:28 LOG7[149]: Local descriptor (FD=728) closed
2022.10.15 15:04:28 LOG7[149]: Service [https] finished (1 left)

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Saturday, October 15, 2022 2:08 PM
To: [email protected]
Subject: [stunnel-users] [SPAM] SSL Termination Issue

Second and third lines of the log suggest that the client end could not negotiate 
a compatible encryption method, and your stunnel config appears to only have 
GCM ciphers enabled. Do you have a very old client that can only do CBC mode 
encryption?

-- Mike Spooner


_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]