[stunnel-users] No SSL handshake between stunnel in client mode and SSL server

Jose Alf. josealf at rocketmail.com
Wed Feb 1 22:16:36 CET 2012


Denis,

As I understand it, stunnel is logging the fact that the client closed the connection (socket) while it was waiting for data (reading) from the client.


Looks like your client connects for a very short time, sends just 1 byte, then disconnects.


Mike can correct me if I am wrong.


Regards,
Jose



________________________________
 From: Denis Berezhnoy <denis.berezhnoy at gmail.com>
To: Jose Alf. <josealf at rocketmail.com> 
Cc: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org> 
Sent: Tuesday, January 31, 2012 1:11 PM
Subject: Re: [stunnel-users] No SSL handshake between stunnel in client mode and SSL server
 

Hi Jose,

Thank you for your help! Finally I got it working.

But there is one thing that is not quite clear to me. In the logs I can see "Socket closed on read". Here it is:

2012.01.31 12:57:12 LOG7[6748:6808]: Socket closed on read
2012.01.31 12:57:12 LOG7[6748:6808]: Sending close_notify alert

Can you please explain what it means? Why is the socket closed?

Here is the log:

2012.01.31 12:56:58 LOG7[6748:4740]: No limit detected for the number of clients
2012.01.31 12:56:58 LOG5[6748:4740]: stunnel 4.52 on x86-pc-mingw32-gnu platform
2012.01.31 12:56:58 LOG5[6748:4740]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
2012.01.31 12:56:58 LOG5[6748:4740]: Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6
2012.01.31 12:56:58 LOG5[6748:4740]: Reading configuration from file stunnel.conf
2012.01.31 12:56:58 LOG5[6748:4740]: FIPS mode is disabled
2012.01.31 12:56:58 LOG7[6748:4740]: Compression not enabled
2012.01.31 12:56:58 LOG7[6748:4740]: Snagged 64 random bytes from C:/.rnd
2012.01.31 12:56:58 LOG7[6748:4740]: Wrote 1024 new random bytes to C:/.rnd
2012.01.31 12:56:58 LOG7[6748:4740]: PRNG seeded successfully
2012.01.31 12:56:58 LOG6[6748:4740]: Initializing SSL context for service Router
2012.01.31 12:56:58 LOG7[6748:4740]: SSL options set: 0x05000004
2012.01.31 12:56:58 LOG6[6748:4740]: SSL context initialized
2012.01.31 12:56:58 LOG5[6748:4740]: Configuration successful
2012.01.31 12:56:58 LOG7[6748:4740]: Service Router bound FD=292 to 192.168.1.121:55555
2012.01.31 12:57:12 LOG7[6748:4740]: Service Router accepted FD=332 from 192.168.1.161:59076
2012.01.31 12:57:12 LOG7[6748:4740]: Creating a new thread
2012.01.31 12:57:12 LOG7[6748:4740]: New thread created
2012.01.31 12:57:12 LOG7[6748:6808]: Service Router started
2012.01.31 12:57:12 LOG5[6748:6808]: Service Router accepted connection from 192.168.1.161:59076
2012.01.31 12:57:12 LOG6[6748:6808]: connect_blocking: connecting 192.168.160.169:55443
2012.01.31 12:57:12 LOG7[6748:6808]: connect_blocking: s_poll_wait 192.168.160.169:55443: waiting 10 seconds
2012.01.31 12:57:12 LOG5[6748:6808]: connect_blocking: connected 192.168.160.169:55443
2012.01.31 12:57:12 LOG5[6748:6808]: Service Router connected remote server from 192.168.1.121:52050
2012.01.31 12:57:12 LOG7[6748:6808]: Remote FD=412 initialized
2012.01.31 12:57:12 LOG7[6748:6808]: Peer certificate was cached (1017 bytes)
2012.01.31 12:57:12 LOG6[6748:6808]: SSL connected: new session negotiated
2012.01.31 12:57:12 LOG6[6748:6808]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.31 12:57:12 LOG6[6748:6808]: Compression: null, expansion: null
2012.01.31 12:57:12 LOG7[6748:6808]: Socket closed on read
2012.01.31 12:57:12 LOG7[6748:6808]: Sending close_notify alert
2012.01.31 12:57:12 LOG6[6748:6808]: SSL_shutdown successfully sent close_notify alert
2012.01.31 12:57:22 LOG3[6748:6808]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
2012.01.31 12:57:22 LOG5[6748:6808]: Connection closed: 200 bytes sent to SSL, 1 bytes sent to socket
2012.01.31 12:57:22 LOG7[6748:6808]: Service Router finished (0 left)

Best regards,
Denis


2012/1/25 Jose Alf. <josealf at rocketmail.com>

Denis,
>
>
>Please review this:
>
>
>http://stunnel.mirt.net/pipermail/stunnel-users/2011-May/003080.html
>
>
>In particular, check that you have your signing CA certificates (hashed) in your CaPath.
>
>
>Do the tests with openssl connect and post sanitized results if you are in trouble.
>
>
>
>Regards,
>Jose
>
>
>
>________________________________
> From: Denis Berezhnoy <denis.berezhnoy at gmail.com>
>To: Jose Alf. <josealf at rocketmail.com> 
>Cc: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org> 
>Sent: Wednesday, January 25, 2012 9:55 AM
>Subject: Re: [stunnel-users] No SSL handshake between stunnel in client mode and SSL server
> 
>
>
>Hi Jose,
> 
>Thank you for your reply. I double-checked and actually there is an SSL handshake. Sorry, it was my mistake; I did not analyze the Wireshark capture carefully.
> 
>But the handshake failed and here is the stunnel log:
> 
>2012.01.25 09:39:58 LOG5[1944:6264]: stunnel 4.52 on x86-pc-mingw32-gnu platform
>2012.01.25 09:39:58 LOG5[1944:6264]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
>2012.01.25 09:39:58 LOG5[1944:6264]: Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6
>2012.01.25 09:39:58 LOG5[1944:6264]: Reading configuration from file stunnel.conf
>2012.01.25 09:39:58 LOG5[1944:6264]: FIPS mode is enabled
>2012.01.25 09:39:58 LOG5[1944:6264]: Configuration successful
>2012.01.25 09:40:13 LOG5[1944:4724]: Service Router accepted connection from 192.168.1.161:59519
>2012.01.25 09:40:13 LOG5[1944:4724]: connect_blocking: connected 192.168.160.168:55443
>2012.01.25 09:40:13 LOG5[1944:4724]: Service Router connected remote server from 192.168.1.121:52250
>2012.01.25 09:40:13 LOG3[1944:4724]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>2012.01.25 09:40:13 LOG5[1944:4724]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>
>Server is set up for SSL 3.0.
> 
>Best regards,
>Denis
>
>
>2012/1/24 Jose Alf. <josealf at rocketmail.com>
>
>Denis,
>>
>>
>>Looks like your configuration is incomplete. Check the sample stunnel.conf file in the stunnel distribution. Read the man page. Post your log file.
>>
>>
>>
>>Try adding lines like these before [Router]
>>
>>
>>sslVersion = SSLv3
>>
>>cert=stunnel.pem
>>key=stunnel.pem
>>
>># Authentication stuff, try 0 for test
>>verify = 0
>>
>>CApath = /your/CAcerts/path
>>
>>debug = 7
>>output = stunnel.log
>>
>>
>>
>>
>>
>>
>>________________________________
>> From: Denis Berezhnoy <denis.berezhnoy at gmail.com>
>>To: stunnel-users at stunnel.org 
>>Sent: Tuesday, January 24, 2012 6:10 PM
>>Subject: [stunnel-users] No SSL handshake between stunnel in client mode and SSL server
>> 
>>
>>
>>Hi guys, 
>>I have a quick question. I am trying to use stunnel in client mode to encrypt traffic going to my server.
>>Basically, I have a server which listens for SSL connections. And I have a client which cannot do SSL but needs to communicate with the server over SSL.
>>I set up stunnel in client mode to accept unencrypted traffic from the client and redirect it to the server over SSL. I checked the TCP traffic with Wireshark between stunnel and my server and I can see that there is no SSL handshake: stunnel makes a TCP connection with the server and sends some TCP packets, but I expect to see an SSL handshake.
>>My stunnel conf file is here:
>>[Router]
>>client=yes
>>accept = 192.168.1.121:55555
>>connect = 192.168.160.168:55443
>>Can you please comment on this?
>>Best regards,
>>Denis
>>_______________________________________________
>>stunnel-users mailing list
>>stunnel-users at stunnel.org
>>http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>>
>>
>>
>
>
>
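As an added illustration (not code from anyone in this thread), a small Python parser over stunnel debug=7 logs like the ones posted above: it groups lines by their [pid:tid] tag and turns the "Socket closed on read", "TIMEOUTclose exceeded", "SSL_connect" and "Connection closed" lines into a one-line verdict per connection. The sample log is constructed by trimming the two logs quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the two debug=7 logs quoted in this thread.
SAMPLE_LOG = """\
2012.01.31 12:57:12 LOG5[6748:6808]: Service Router accepted connection from 192.168.1.161:59076
2012.01.31 12:57:12 LOG6[6748:6808]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.01.31 12:57:12 LOG7[6748:6808]: Socket closed on read
2012.01.31 12:57:22 LOG3[6748:6808]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
2012.01.31 12:57:22 LOG5[6748:6808]: Connection closed: 200 bytes sent to SSL, 1 bytes sent to socket
2012.01.25 09:40:13 LOG5[1944:4724]: Service Router accepted connection from 192.168.1.161:59519
2012.01.25 09:40:13 LOG3[1944:4724]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2012.01.25 09:40:13 LOG5[1944:4724]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""
LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+:\d+)\]: (.*)$")
BYTES = re.compile(r"(\d+) bytes sent to (SSL|socket)")

def parse_stunnel_log(text):
    # One record per [pid:tid] tag, i.e. per forwarded connection.
    conns = defaultdict(lambda: {"cipher": None, "protocol": None, "error": None,
                                 "client_closed": False, "timeout_close": False, "bytes": {}})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _ts, _level, tag, msg = m.groups()
        c = conns[tag]
        if msg.startswith("Negotiated ciphers:"):
            c["cipher"], c["protocol"] = msg.split(":", 1)[1].split()[:2]
        elif msg == "Socket closed on read":
            c["client_closed"] = True          # the plaintext side shut its socket
        elif "TIMEOUTclose exceeded" in msg:
            c["timeout_close"] = True          # no close_notify came back in time
        elif msg.startswith("SSL_connect:"):
            c["error"] = msg.split(":", 1)[1].strip()
        elif msg.startswith(("Connection closed:", "Connection reset:")):
            c["bytes"] = {dst: int(n) for n, dst in BYTES.findall(msg)}
    return dict(conns)

def diagnose(c):
    # Turn one connection record into a short verdict for the person reading the log.
    if c["error"] and "wrong version number" in c["error"]:
        return "handshake failed: server did not speak the configured SSL/TLS version (check sslVersion)"
    notes = []
    if c["client_closed"]:
        notes.append("plaintext client closed first (%d bytes sent to SSL, %d to socket)"
                     % (c["bytes"].get("SSL", 0), c["bytes"].get("socket", 0)))
    if c["timeout_close"]:
        notes.append("server never answered close_notify (TIMEOUTclose hit)")
    if c["protocol"] == "SSLv3":
        notes.append("negotiated SSLv3, which is obsolete")
    return "; ".join(notes) or "clean close"
```

Run it as `for tag, c in parse_stunnel_log(SAMPLE_LOG).items(): print(tag, diagnose(c))` to get one verdict per connection.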