[stunnel-users] Connect using TLS with public Web Server

Peter Pentchev roam at ringlet.net
Tue Mar 6 10:20:20 CET 2018


On Mon, Mar 05, 2018 at 01:28:15PM +0100, Carlos Castro wrote:
> Hello
> 
> Thanks @Peter
> 
> 
> Yes , my application not support TLS and I need the application connect
> using TLS , for this i using stunnel (i hope)
> 
> When I make curl -v http://127.0.0.1:19021  :
> 
> curl -v http://127.0.0.1:19201
> * Rebuilt URL to: http://127.0.0.1:19201/
> *   Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0)
> > GET / HTTP/1.1
> > Host: 127.0.0.1:19201
> > User-Agent: curl/7.47.0
> > Accept: */*
> >
> * HTTP 1.0, assume close after body
> < HTTP/1.0 400 Bad Request
> < Server: AkamaiGHost
> < Mime-Version: 1.0
> < Content-Type: text/html
> < Content-Length: 208
> < Expires: Mon, 05 Mar 2018 12:25:53 GMT
> < Date: Mon, 05 Mar 2018 12:25:53 GMT
> < Connection: close
> 
> The web ctm.omgeo.net only works in mode HTTPS , .

TL;DR: can you actually try your application with this stunnel config?

Yes, that's why you have stunnel - it will accept a pure HTTP connection
from your application (or, in this case, from cURL), and then it will
open a TLS (HTTPS) connection to ctm.omgeo.net.

Actually, the "HTTP/1.0 400 Bad Request" response that you get shows
that stunnel already works: the request to ctm.omgeo.net is sent via
HTTPS, not plain HTTP.  If you try to send a plain HTTP request to
ctm.omgeo.net port 443, cURL will report a very different error:

[roam at straylight ~]$ curl -v http://ctm.omgeo.net:443/
*   Trying 88.221.30.124...
* TCP_NODELAY set
* Connected to ctm.omgeo.net (88.221.30.124) port 443 (#0)
> GET / HTTP/1.1
> Host: ctm.omgeo.net:443
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
[roam at straylight ~]$

This happens because ctm.omgeo.net expects a TLS Client Hello message on
an incoming connection, and cURL sends it a plaintext HTTP request, so
ctm.omgeo.net says "this is not TLS, you must speak TLS to me, go away".

So I guess that the "400 Bad Request" response you get from
ctm.omgeo.net means that 1. you have successfully sent a request to it
and it considered it to be an HTTP request, and 2. it expected
the application to send it a specific request, not just a "GET /", so
it said "GET / is not a valid request for me, but thanks for speaking
HTTPS".  So it's time to test your actual application now; configure it
to talk to 127.0.0.1:19201 and see what happens.

If anything goes wrong, show us the stunnel log.

Hope that helps!

G'luck,
Peter

-- 
Peter Pentchev  roam at ringlet.net roam at FreeBSD.org pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180306/4a1be2e9/attachment.sig>


More information about the stunnel-users mailing list