[stunnel-users] STunnel v5.11 Multi SNI

Scott McKeown scott at loadbalancer.org
Tue Mar 17 14:46:24 CET 2015


Hi Guys,

I've got a small issue where I'm trying to use multiple SNI rules in an
STunnel frontend:

STunnel Version is:
stunnel -version
stunnel 5.11 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
debug                  = daemon.notice
RNDbytes               = 64
RNDfile                = /dev/urandom
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve                  = prime256v1
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none


stunnel.conf is:
[https]
accept  = 443
connect = 80
[www_test]
        sni = https:test.com
        sni = https:www.test.com
        connect = 192.168.64.220:80

[testing]
        sni = https:testing.com
        sni = https:www.testing.com
        connect = 192.168.64.253:80


I've created local DNS rules for each of these hosts, but the problem is
that only the last entered sni rule gets matched, so for example www.test.com
works but test.com does not. It's the same for testing.com and
www.testing.com.


This is what the log file shows too:

2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: Service [https] started
2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: Service [https] started
2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)

I have seen a couple of patch files floating around but they are for older
versions and I can't get them to compile into the v5.11 version.

Any thoughts?


-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
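An added example, not from the post above and not part of the stunnel project: a small Python checker for the situation the post describes. It parses a stunnel.conf, flags slave sections that carry more than one sni line (the post observes that only the last one is matched, so the earlier patterns are shadowed), counts the "SNI: no pattern matched servername" events in the log, cross-references the two so that an unmatched name can be explained as either shadowed or absent from the config, and rewrites each multi-sni section into the documented one-slave-section-per-server-name layout. The config and log fragments are taken from the post (log lines unwrapped to one event per line); the `_1`, `_2` section-name suffixes the rewrite generates are a constructed convention, and `parse_conf` is a deliberately minimal reader of the key = value format, not stunnel's own parser.

```python
import re
from collections import defaultdict

# Constructed sample: the stunnel.conf from the post. [https] is the master
# service; each of the two slave sections carries two sni lines.
STUNNEL_CONF = """\
[https]
accept  = 443
connect = 80
[www_test]
        sni = https:test.com
        sni = https:www.test.com
        connect = 192.168.64.220:80

[testing]
        sni = https:testing.com
        sni = https:www.testing.com
        connect = 192.168.64.253:80
"""

# Constructed log excerpt, one event per line, in the format the post shows.
STUNNEL_LOG = """\
2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
NOMATCH_RE = re.compile(r"SNI: no pattern matched servername: (\S+)")

def parse_conf(text):
    """Parse stunnel.conf into {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections

def sni_patterns(sections):
    """{slave_section: [server name pattern, ...]} taken from every 'sni = master:pattern' line."""
    out = {}
    for name, items in sections.items():
        pats = [v.split(":", 1)[1] for k, v in items if k.lower() == "sni" and ":" in v]
        if pats:
            out[name] = pats
    return out

def shadowed_patterns(sections):
    """Sections with several sni lines -> (effective pattern, [shadowed patterns]).
    The post observes that only the last sni line in a section is matched."""
    return {name: (pats[-1], pats[:-1])
            for name, pats in sni_patterns(sections).items() if len(pats) > 1}

def unmatched_servernames(log_text):
    """Count 'no pattern matched' events per requested server name."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = NOMATCH_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def explain(conf_text, log_text):
    """Map each unmatched name to ('shadowed', section) when a shadowed sni line
    lists it, or to ('not_configured', None) when no section lists it at all."""
    shadows = shadowed_patterns(parse_conf(conf_text))
    findings = {}
    for servername in unmatched_servernames(log_text):
        findings[servername] = ("not_configured", None)
        for section, (_, shadowed) in shadows.items():
            if servername in shadowed:
                findings[servername] = ("shadowed", section)
    return findings

def split_multi_sni(conf_text):
    """Rewrite each multi-sni section into one slave section per server name (suffixes
    _1, _2, ... are a constructed convention); the other lines, e.g. connect, are copied."""
    lines = []
    for name, items in parse_conf(conf_text).items():
        sni = [(k, v) for k, v in items if k.lower() == "sni"]
        rest = [(k, v) for k, v in items if k.lower() != "sni"]
        if len(sni) <= 1:
            lines += [f"[{name}]"] + [f"{k} = {v}" for k, v in items]
        else:
            for i, (k, v) in enumerate(sni, 1):
                lines += [f"[{name}_{i}]", f"{k} = {v}"] + [f"{k2} = {v2}" for k2, v2 in rest]
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    for host, (why, section) in explain(STUNNEL_CONF, STUNNEL_LOG).items():
        print(host, why, section or "")
```

Run against the post's own config and log, `explain` reports `testing.com` as shadowed in `[testing]`, which is exactly the symptom in the thread: the name is present in the file, but not in the sni line that takes effect. `split_multi_sni` then emits `[testing_1]` and `[testing_2]`, each with one sni line and the same connect target, so no pattern is shadowed any more.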

