[stunnel-users] Using Chrome directly as an STunnel Client to connect to an STunnel Server

Dipen Doshi dbdoshi at outlook.com
Mon Oct 2 06:04:17 CEST 2017


Hello, I am new to STunnel and I am running into a problem. Here is my setup.

I use an ASUS router with Merlin firmware. I have STunnel installed via Entware on this router.

Running "stunnel -version" gives me:

stunnel 5.41 on mipsel-openwrt-linux-gnu platform
Compiled/running with OpenSSL 1.0.2k  26 Jan 2017
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
RNDbytes               = 64
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:!DH:!aNULL:!SSLv2 (with "fips = no")
curve                  = prime256v1
debug                  = daemon.notice
logId                  = sequential
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none

-------------------------------------------------------------------------------------------

I use my own server certificate signed by my own CA. This cert has the proper SANs with correct DNS/IP entries.
I use this server certificate both for my router's HTTPS web gui and for the "cert" and "key" files listed in the config file below.
Also, the "CAfile" in the config is pointing to my Root CA's certificate.
My Root CA is also imported in my Windows box's certificate store.

I can directly access my router's web gui from LAN side via these ports: 80 (HTTP), 2000 (HTTPS).
Router's LAN subnet is 10.49.49.0/24 and the router's WAN IP is 10.76.5.3 (it is double NAT for testing, this router is for testing)
Also, STunnel is running as a server accepting connections on port 443 (all interfaces) on the router.

-------------------------------------------------------------------------------------------

I want to use Chrome directly as an STunnel client on my Windows box.
So, I don't run STunnel on my Windows box in the client mode.


SITUATION 1: WORKS FINE!!

-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443"
            This should forward to the router's port 80 (HTTP protocol used).


My STunnel config file on the router has:

setuid = nobody
setgid = nobody
foreground = yes
syslog = yes
debug = 7

[Test-Service]
accept  = 443
connect = 10.49.49.1:80
requireCert = yes
verifyChain = yes
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
cert = /mnt/Merlin/entware/etc/stunnel/server.crt
key = /mnt/Merlin/entware/etc/stunnel/server.key



SITUATION 2: DOES NOT WORK!!

-- PURPOSE: Use Chrome to connect to "https://WAN_IP:443"
            This should forward to the router's port 2000 (HTTPS protocol used).

There is only one change from the Situation 1 config file. The line for "connect" changed to "connect = 10.49.49.1:2000".

This does not work.
Note that I can directly access my router's web gui over https with "https://LAN_IP:2000" via Chrome, with no warnings.


------------------------------------------------------------------------------
My thoughts:

So, my current path is Chrome (Acting as STunnel Client) --> STunnel Server (on the router) --> Router's Web GUI.
The "Chrome --> STunnel" Server connection is fine. Chrome prompts for private key and STunnel server correctly shows this incoming Chrome connection.

The problem is the "STunnel Server --> Router" relay that uses HTTPS protocol.

1. STunnel does not like HTTPS to HTTPS relay. HTTP to HTTPS works, but not HTTPS to HTTPS.
2. STunnel server on my router is a client to my router's web gui. Is STunnel verifying the certificate of my router's HTTPS certificate?
3. If the above answer is yes, my guess is that STunnel sees a self signed certificate for this router and kills the connection?
4. How do I tell STunnel server to ignore certificate warnings for a remote connection, like when connecting to this router?
5. Or how do I explicitly tell STunnel to trust my Root CA while making this connection to my router? I couldn't find any options in STunnel for this.



Regards,

Dipen Doshi
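As an added example (not part of the original post, and not stunnel project code): a server-mode stunnel service such as [Test-Service] always sends plaintext to its "connect" target, so in Situation 2 the router's HTTPS listener on 2000 receives unencrypted HTTP and rejects it. Re-encrypting toward an HTTPS backend needs a second, client-mode service chained through a local port; the relay port 8443 and the checkIP value are assumptions.

```ini
; Global options (same as the poster's config)
setuid = nobody
setgid = nobody
foreground = yes
syslog = yes
debug = 7

; Server mode (the default): terminates the TLS session from Chrome on 443,
; verifies the client certificate against the own CA, and forwards the
; decrypted HTTP to the local relay port instead of straight to the GUI.
[Test-Service]
accept  = 443
connect = 127.0.0.1:8443
requireCert = yes
verifyChain = yes
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
cert = /mnt/Merlin/entware/etc/stunnel/server.crt
key = /mnt/Merlin/entware/etc/stunnel/server.key

; Client mode: accepts the plaintext relay on loopback only and opens a new
; TLS session to the router's HTTPS GUI on 2000. This is the leg where the
; GUI certificate is actually verified, so the CA and name check belong here.
[Router-GUI]
client = yes
accept  = 127.0.0.1:8443
connect = 10.49.49.1:2000
verifyChain = yes
CAfile = /mnt/Merlin/entware/etc/stunnel/ca.crt
; Assumption: the GUI certificate's SANs include this LAN IP; use checkHost
; with the DNS SAN instead if the certificate only carries a hostname.
checkIP = 10.49.49.1
```

With "debug = 7" the log shows two connections per request, one into [Test-Service] and one from [Router-GUI] to 10.49.49.1:2000, so a verification failure on the second leg appears as a certificate error in that service's log lines rather than in Chrome.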