[stunnel-users] stunnel, haproxy and ssl cert

Maxim sevmax at gmail.com
Tue Aug 4 10:50:27 CEST 2009


Hello dear community.

I faced some trouble with the iPhone:
I moved a separate server from hardware to the AWS Cloud with an SSL certificate from
Register.com. The move went well, and the phone application continued to work with the new
server without any problems.
Then I installed a load balancer (HAProxy and stunnel) for it and moved the
certificate with its key from the Apache configs to the stunnel config. In a PC
browser it continues to work well, and shows me the blue field near the URL as
trusted. But the iPhone browser shows just "Untrusted server certificate".

Is there any difference between SSL certificates for stunnel and Apache?
I understand that this is a very specific question, but would you have any
ideas about it?

*Config of stunnel:*
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log

[https]
accept  = 443
connect = 80
xforwardedfor=yes
TIMEOUTclose = 0

*Patch for stunnel*
http://haproxy.1wt.eu/download/patches/stunnel-4.22-xforwarded-for.diff
needed to make "xforwardedfor=yes" work

*# stunnel -version*
stunnel 4.22 on i686-pc-linux-gnu with OpenSSL 0.9.8b 04 May 2006
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug           = 5
pid             = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /usr/local/etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key             = /usr/local/etc/stunnel/stunnel.pem
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none
*# uname -a*
Linux domU-12-31-38-00-35-07 2.6.18-xenU-ec2-v1.0 #2 SMP Tue Feb 19 10:51:53 EST 2008 i686 athlon i386 GNU/Linux
*# openssl version*
OpenSSL 0.9.8b 04 May 2006

*And logs from stunnel when the iPhone tried to connect*
2009.08.04 08:20:16 LOG7[31023:3081598672]: https accepted FD=15 from 24.5.77.143:58019
2009.08.04 08:20:16 LOG7[31023:3081550736]: https started
2009.08.04 08:20:16 LOG7[31023:3081550736]: FD 15 in non-blocking mode
2009.08.04 08:20:16 LOG7[31023:3081550736]: TCP_NODELAY option set on local socket
2009.08.04 08:20:16 LOG7[31023:3081550736]: Waiting for a libwrap process
2009.08.04 08:20:16 LOG7[31023:3081550736]: Acquired libwrap process #0
2009.08.04 08:20:16 LOG7[31023:3081550736]: Releasing libwrap process #0
2009.08.04 08:20:16 LOG7[31023:3081550736]: Released libwrap process #0
2009.08.04 08:20:16 LOG7[31023:3081550736]: https permitted by libwrap from 24.5.77.143:58019
2009.08.04 08:20:16 LOG5[31023:3081550736]: https accepted connection from 24.5.77.143:58019
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): before/accept initialization
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 read client hello A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 write server hello A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 write certificate A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 write server done A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 flush data
2009.08.04 08:20:16 LOG3[31023:3081550736]: SSL_accept: Peer suddenly disconnected
2009.08.04 08:20:16 LOG5[31023:3081550736]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2009.08.04 08:20:16 LOG7[31023:3081550736]: https finished (0 left)


Thank you in advance,
Max
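Editor's note, added here and not part of Max's mail or of the stunnel project: the log above shows the server writing its certificate and "server done", flushing, and then the client hanging up with 0 bytes in either direction, which is what a client-side certificate rejection looks like from the server. The question asks whether a certificate differs between Apache and stunnel; one difference that produces exactly this pattern is the intermediate chain. Apache 2.2 serves intermediates from a separate SSLCertificateChainFile, whereas stunnel reads the whole chain from its single `cert` file, so a stunnel.pem copied from Apache's SSLCertificateFile alone carries only the leaf. A desktop browser that already has the intermediate cached (or can fetch it) will still show the site as trusted; a phone that lacks it will not. The Python below is an added example with two offline checks: it triages a `debug = 7` stunnel log for handshakes abandoned right after the server's certificate, and it counts the PEM blocks in a stunnel.pem to see whether any intermediates are present. The log lines and PEM files are constructed (the first connection is modelled on the post's lines, the second and the PEM bodies are placeholders), and the function names are mine.

```python
import re

# Constructed stunnel debug log. Connection 3081550736 reproduces the post's
# lines (unwrapped); connection 3081550737 is a constructed healthy handshake.
SAMPLE_LOG = """\
2009.08.04 08:20:16 LOG5[31023:3081550736]: https accepted connection from 24.5.77.143:58019
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): before/accept initialization
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 read client hello A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 write server hello A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 write certificate A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 write server done A
2009.08.04 08:20:16 LOG7[31023:3081550736]: SSL state (accept): SSLv3 flush data
2009.08.04 08:20:16 LOG3[31023:3081550736]: SSL_accept: Peer suddenly disconnected
2009.08.04 08:20:16 LOG5[31023:3081550736]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2009.08.04 08:20:16 LOG7[31023:3081550736]: https finished (0 left)
2009.08.04 08:21:02 LOG5[31023:3081550737]: https accepted connection from 10.0.0.5:40001
2009.08.04 08:21:02 LOG7[31023:3081550737]: SSL state (accept): SSLv3 write server done A
2009.08.04 08:21:02 LOG7[31023:3081550737]: SSL state (accept): SSLv3 flush data
2009.08.04 08:21:02 LOG7[31023:3081550737]: SSL state (accept): SSLv3 read client key exchange A
2009.08.04 08:21:02 LOG7[31023:3081550737]: SSL state (accept): SSL negotiation finished successfully
2009.08.04 08:21:03 LOG5[31023:3081550737]: Connection closed: 1234 bytes sent to SSL, 567 bytes sent to socket
2009.08.04 08:21:03 LOG7[31023:3081550737]: https finished (0 left)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<lvl>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
STATE_RE = re.compile(r"SSL state \(accept\): (?P<state>.+)$")
PEER_RE = re.compile(r"accepted connection from (?P<peer>\S+)$")
BYTES_RE = re.compile(r"(?P<ssl>\d+) bytes sent to SSL, (?P<sock>\d+) bytes sent to socket")
FINISHED_RE = re.compile(r"^\S+ finished \(\d+ left\)$")

# Server-side states in which the certificate has been sent and the server is
# waiting for the client's next flight (its key exchange).
AFTER_CERT_STATES = {"SSLv3 write certificate A", "SSLv3 write server done A", "SSLv3 flush data"}


def _new_conn():
    return {"peer": None, "last_state": None, "peer_disconnected": False,
            "ssl_bytes": None, "sock_bytes": None}


def _verdict(c):
    if c["last_state"] and "finished successfully" in c["last_state"]:
        return "handshake_ok"
    if (c["peer_disconnected"] and c["last_state"] in AFTER_CERT_STATES
            and c["ssl_bytes"] == 0 and c["sock_bytes"] == 0):
        # Client saw the server's certificate and hung up without sending its
        # key exchange: consistent with the client rejecting the certificate.
        return "client_aborted_after_certificate"
    return "other"


def triage_stunnel_log(text):
    """Group stunnel log lines by [pid:thread] and classify each connection.

    Thread ids are reused once a connection finishes, so a record is closed
    (and a fresh one started for the same id) at the '... finished (N left)' line.
    """
    open_conns = {}
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. continuation of a mail-wrapped line; ignored
        key = (m["pid"], m["tid"])
        c = open_conns.setdefault(key, _new_conn())
        msg = m["msg"]
        pm, sm, bm = PEER_RE.search(msg), STATE_RE.search(msg), BYTES_RE.search(msg)
        if pm:
            c["peer"] = pm["peer"]
        if sm:
            c["last_state"] = sm["state"]
        if bm:
            c["ssl_bytes"], c["sock_bytes"] = int(bm["ssl"]), int(bm["sock"])
        if "Peer suddenly disconnected" in msg:
            c["peer_disconnected"] = True
        if FINISHED_RE.match(msg):
            c["verdict"] = _verdict(c)
            results.append(open_conns.pop(key))
    for c in open_conns.values():  # connections still in progress at end of log
        c["verdict"] = _verdict(c)
        results.append(c)
    return results


# Structural check of a stunnel 'cert' file: stunnel expects the private key,
# the leaf certificate and then the intermediate CA certificates in one PEM file.
PEM_RE = re.compile(r"-----BEGIN (?P<kind>[A-Z ]+)-----.*?-----END (?P=kind)-----", re.S)


def pem_chain_summary(pem_text):
    kinds = [m["kind"] for m in PEM_RE.finditer(pem_text)]
    certs = sum(1 for k in kinds if k.endswith("CERTIFICATE"))
    keys = sum(1 for k in kinds if k.endswith("PRIVATE KEY"))
    return {"keys": keys, "certificates": certs, "has_intermediates": certs >= 2}


# Constructed placeholder PEM files: the bodies are NOT real keys or
# certificates; only the block markers matter for the structural check.
LEAF_ONLY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
MIIplaceholderKeyBody==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIplaceholderLeafCert==
-----END CERTIFICATE-----
"""
WITH_CHAIN_PEM = LEAF_ONLY_PEM + """\
-----BEGIN CERTIFICATE-----
MIIplaceholderIntermediateCaCert==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for r in triage_stunnel_log(SAMPLE_LOG):
        print(r["peer"], r["verdict"], "last state:", r["last_state"])
    print("leaf only :", pem_chain_summary(LEAF_ONLY_PEM))
    print("with chain:", pem_chain_summary(WITH_CHAIN_PEM))
```

Run against a real log, the first verdict is a triage hint, not proof: a client that disconnects at this point may also be rejecting the hostname or the expiry rather than the chain. The PEM count is the quick corroborating check: a stunnel.pem with one key and one certificate is exactly what a copy of Apache's SSLCertificateFile (without its SSLCertificateChainFile) produces, and appending the intermediate certificate(s) after the leaf is the fix for that case.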