[stunnel-users] stunnel in DMZ : accept=22 / connect=other.server.net:22 - gets stuck! - need help!

Bernhard.Baeumle at mt.com Bernhard.Baeumle at mt.com
Thu Mar 17 15:48:27 CET 2011


Hi

I use stunnel on a DMZ server for tunnelling/forwarding/proxying...
(whatever term is correct).

The situation is as follows:
Hardware      : External PC             <==> DMZ server         <==> company-internal server
Operational   : https://xxx.yy.zz (443) <==> (443) stunnel (80) <==> (80) SVN Server listening on port 80
NEW/NEED HELP : plink (22)              <==> (22)  stunnel (22) <==> (22) sshd listening on port 22

stunnel.conf (on the DMZ server) looks like this:

cert = my_tunnel.pem
key = my_tunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = a:SO_REUSEADDR=0
debug = 7
output = C:\Program Files (x86)\stunnel\stunnel.log
;client = yes
[forward_443_to_80]
accept  = 443
connect = my.company-server.net:80
[forward_22]
accept  = 22
connect = my.company-server.net:22


NOTE: Forwarding 443 to my.company-server.net:80  => WORKS FINE!

NOW I try SSH with my PC connected to the company's network (without
hopping at the DMZ):
"plink -A -v -l username -i cert_file -P 22 dmz-server-name.net"  => THIS WORKS FINE!

NOW I try SSH with my PC from external network (which needs hopping at
the DMZ):
"plink -A -v -l username -i cert_file -P 22 dmz-server-name.net"

Firewalls and ports seem to be open. The stunnel.log looks like this:
<<starting stunnel service>>
2011.03.17 15:27:09 LOG5[4772:3852]: Reading configuration from file stunnel.conf
2011.03.17 15:27:09 LOG7[4772:3852]: Snagged 64 random bytes from C:/.rnd
2011.03.17 15:27:09 LOG7[4772:3852]: Wrote 1024 new random bytes to C:/.rnd
2011.03.17 15:27:09 LOG7[4772:3852]: PRNG seeded successfully
2011.03.17 15:27:09 LOG6[4772:3852]: Could not load DH parameters from my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: ECDH initialized
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate loaded
2011.03.17 15:27:09 LOG7[4772:3852]: Key file: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Private key loaded
2011.03.17 15:27:09 LOG7[4772:3852]: SSL context initialized for service forward_443_to_80
2011.03.17 15:27:09 LOG6[4772:3852]: Could not load DH parameters from my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: ECDH initialized
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Certificate loaded
2011.03.17 15:27:09 LOG7[4772:3852]: Key file: my_tunnel.pem
2011.03.17 15:27:09 LOG7[4772:3852]: Private key loaded
2011.03.17 15:27:09 LOG7[4772:3852]: SSL context initialized for service forward_22
2011.03.17 15:27:09 LOG5[4772:3852]: Configuration successful
2011.03.17 15:27:09 LOG5[4772:3852]: No limit detected for the number of clients
2011.03.17 15:27:09 LOG7[4772:3852]: accept socket: FD=168 allocated (non-blocking mode)
2011.03.17 15:27:09 LOG7[4772:3852]: Option SO_REUSEADDR set on accept socket
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_443_to_80 bound to 0.0.0.0:443
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_443_to_80 opened FD=168
2011.03.17 15:27:09 LOG7[4772:3852]: accept socket: FD=280 allocated (non-blocking mode)
2011.03.17 15:27:09 LOG7[4772:3852]: Option SO_REUSEADDR set on accept socket
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_22 bound to 0.0.0.0:22
2011.03.17 15:27:09 LOG7[4772:3852]: Service forward_22 opened FD=280
2011.03.17 15:27:09 LOG5[4772:3852]: stunnel 4.35 on x86-pc-mingw32-gnu with OpenSSL 1.0.0c 2 Dec 2010
2011.03.17 15:27:09 LOG5[4772:3852]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
<<calling plink...>>
2011.03.17 15:27:26 LOG7[4772:4208]: local socket: FD=320 allocated (non-blocking mode)
2011.03.17 15:27:26 LOG7[4772:4208]: Service forward_22 accepted FD=320 from 123.4.5.6:2950
2011.03.17 15:27:26 LOG7[4772:4208]: Creating a new thread
2011.03.17 15:27:26 LOG7[4772:4208]: New thread created
2011.03.17 15:27:26 LOG7[4772:4756]: Service forward_22 started
2011.03.17 15:27:26 LOG7[4772:4756]: Option TCP_NODELAY set on local socket
2011.03.17 15:27:26 LOG5[4772:4756]: Service forward_22 accepted connection from 123.4.5.6:2950
2011.03.17 15:27:26 LOG7[4772:4756]: SSL state (accept): before/accept initialization
<<and here it gets stuck!!!!!!!>>

plink says:
Looking up host "dmz-server-name.net"
Connecting to 123.12.1.1 port 22
<<and here it gets stuck!!!!!!!>>

PLEASE HELP!!!
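Editor's note on the symptom above (added here; not part of the original post or of the stunnel project). Both [forward_443_to_80] and [forward_22] are server-mode services: stunnel accepts a TLS connection on the accept port and forwards the decrypted stream to the connect target. The 443 -> 80 case works because a browser speaks HTTPS, i.e. TLS, to port 443. plink speaks raw SSH, not TLS, so "SSL state (accept): before/accept initialization" is stunnel sitting in the TLS accept waiting for a ClientHello that never arrives, while plink waits for an SSH identification string from what it thinks is sshd; the log shows nothing further because neither side sends its first bytes. The usual fix is a second stunnel on the external PC running in client mode (this is where the commented-out "client = yes" belongs, not on the DMZ server), for example a section like "[ssh_via_dmz] / client = yes / accept = 127.0.0.1:2222 / connect = dmz-server-name.net:22", with plink pointed at "-P 2222 localhost"; the port 2222 and the section name are assumptions for illustration. The script below is an added example using only the Python standard library: it builds a real TLS ClientHello offline (the only greeting the DMZ service will accept), classifies first bytes seen on a connection, and provides a probe you can aim at the DMZ host to confirm that port 22 there stays silent like a TLS server rather than greeting like sshd. The sample banners are constructed, not captured.

```python
"""
Why a raw SSH client hangs against a TLS-terminating stunnel service,
shown offline, plus a probe to tell the two kinds of listener apart.
Added example, not stunnel project code. Standard library only.
"""
import socket
import ssl

# Constructed sample greetings (not captured from the poster's hosts).
SSHD_BANNER = b"SSH-2.0-OpenSSH_5.8\r\n"            # sshd speaks first
PLINK_BANNER = b"SSH-2.0-PuTTY_Release_0.60\r\n"    # what plink would send


def tls_client_hello() -> bytes:
    """Produce a genuine TLS ClientHello without touching the network.

    stunnel in server mode will not say anything until it has read one of
    these; a browser sends it on port 443 automatically, plink never does.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # only building bytes, not authenticating
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for a ServerHello
    return outgoing.read()


def classify_greeting(data: bytes) -> str:
    """Classify the first bytes a peer sends on a fresh TCP connection.

    'ssh'   - RFC 4253 identification string ("SSH-2.0-...")
    'tls'   - TLS record type 0x16 (handshake) carrying a ClientHello (0x01)
    'none'  - nothing received: the peer waits for us to speak first
    'other' - anything else (HTTP, garbage, ...)
    """
    if not data:
        return "none"
    if data.startswith(b"SSH-"):
        return "ssh"
    # record header: type(1) version(2) length(2), then handshake type(1)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "other"


def stunnel_server_would_proceed(first_bytes_from_client: bytes) -> bool:
    """A server-mode stunnel service only moves past 'before/accept
    initialization' once the client has sent a TLS ClientHello."""
    return classify_greeting(first_bytes_from_client) == "tls"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and wait up to `timeout` seconds for the peer to speak first.

    Against sshd this returns 'ssh'. Against stunnel in server mode it returns
    'none': stunnel is silently waiting for a ClientHello. (Network access
    required; not exercised by the offline demo below.)
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            first = s.recv(64)
        except socket.timeout:
            first = b""
    return classify_greeting(first)


if __name__ == "__main__":
    hello = tls_client_hello()
    print("stunnel [forward_22] needs :", classify_greeting(hello), hello[:6].hex())
    print("plink would send           :", classify_greeting(PLINK_BANNER))
    print("sshd greets with           :", classify_greeting(SSHD_BANNER))
    print("stunnel greets with        :", classify_greeting(b""))
    print("proceeds on plink banner?  :", stunnel_server_would_proceed(PLINK_BANNER))
    print("proceeds on ClientHello?   :", stunnel_server_would_proceed(hello))
```

Two caveats for the client-side stunnel: without "verify" and a "CAfile" pointing at the DMZ server's certificate, the TLS hop does not authenticate the DMZ host, so it only hides the SSH traffic from the path in between; SSH's own host key check and key-based login still run end to end inside the tunnel and remain the real authentication. And the "Could not load DH parameters from my_tunnel.pem" lines are not the cause of the hang; they only mean the PEM carries no DH block and stunnel falls back to its defaults.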


