[stunnel-users] Connect using TLS with public Web Server

• Previous message (by thread): [stunnel-users] Connect using TLS with public Web Server
• Next message (by thread): [stunnel-users] Connect using TLS with public Web Server
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 06, 2018 at 11:20:20AM +0200, Peter Pentchev wrote:
> On Mon, Mar 05, 2018 at 01:28:15PM +0100, Carlos Castro wrote:
> > Hello
> > 
> > Thanks @Peter
> > 
> > 
> > Yes , my application not support TLS and I need the application connect
> > using TLS , for this i using stunnel (i hope)
> > 
> > When I make curl -v http://127.0.0.1:19021  :
> > 
> > curl -v http://127.0.0.1:19201
> > * Rebuilt URL to: http://127.0.0.1:19201/
> > *   Trying 127.0.0.1...
> > * Connected to 127.0.0.1 (127.0.0.1) port 19201 (#0)
> > > GET / HTTP/1.1
> > > Host: 127.0.0.1:19201
> > > User-Agent: curl/7.47.0
> > > Accept: */*
> > >
> > * HTTP 1.0, assume close after body
> > < HTTP/1.0 400 Bad Request
> > < Server: AkamaiGHost
> > < Mime-Version: 1.0
> > < Content-Type: text/html
> > < Content-Length: 208
> > < Expires: Mon, 05 Mar 2018 12:25:53 GMT
> > < Date: Mon, 05 Mar 2018 12:25:53 GMT
> > < Connection: close
> > 
> > The web ctm.omgeo.net only works in mode HTTPS , .
> 
> TL;DR: can you actually try your application with this stunnel config?

See below; I believe I've found the reason for the "Bad request"
response, and you need to do something more to get it to work.

> Yes, that's why you have stunnel - it will accept a pure HTTP connection
> from your application (or, in this case, from cURL), and then it will
> open a TLS (HTTPS) connection to ctm.omgeo.net.
> 
> Actually, the "HTTP/1.0 400 Bad Request" response that you get shows
> that stunnel already works: the request to ctm.omgeo.net is sent via
> HTTPS, not plain HTTP.  If you try to send a plain HTTP request to
> ctm.omgeo.net port 443, cURL will report a very different error:
> 
> [roam at straylight ~]$ curl -v http://ctm.omgeo.net:443/
> *   Trying 88.221.30.124...
> * TCP_NODELAY set
> * Connected to ctm.omgeo.net (88.221.30.124) port 443 (#0)
> > GET / HTTP/1.1
> > Host: ctm.omgeo.net:443
> > User-Agent: curl/7.58.0
> > Accept: */*
> > 
> * Recv failure: Connection reset by peer
> * stopped the pause stream!
> * Closing connection 0
> curl: (56) Recv failure: Connection reset by peer
> [roam at straylight ~]$
> 
> This happens because ctm.omgeo.net expects a TLS Client Hello message on
> an incoming connection, and cURL sends it a plaintext HTTP request, so
> ctm.omgeo.net says "this is not TLS, you must speak TLS to me, go away".
> 
> So I guess that the "400 Bad Request" response you get from
> ctm.omgeo.net means that 1. you have successfully sent a request to it
> and it considered it to be an HTTP request, and 2. it expected
> the application to send it a specific request, not just a "GET /", so
> it said "GET / is not a valid request for me, but thanks for speaking
> HTTPS".  So it's time to test your actual application now; configure it
> to talk to 127.0.0.1:19201 and see what happens.
> 
> If anything goes wrong, show us the stunnel log.

OK, so there's another thing.  If you tell cURL or your application to
send an HTTP request to 127.0.0.1:19201, then it will send a request
with a "Host: 127.0.0.1" header, and omgeo.net's Akamai front-end will
not know which backend server to route it to.  So both cURL and your
application must be convinced to send a request that has
a "Host: ctm.omgeo.net" header.

The simplest way to do this is somewhat error-prone, not quite
future-proof, but it may work for the present.  Add "ctm.omgeo.net" to
the 127.0.0.1 line in your hosts file (/etc/hosts on a Unix-like system,
%WINDOWSDIR%\system32\etc\hosts on a Windows system, I believe), and
configure stunnel to connect to 88.221.30.124:443, not ctm.omgeo.net:443. 
This last part - hardcoding the IP address of the server - is the part
that is error-prone and not future-proof, since omgeo.net (or Akamai) may
decide to change that address at any time and things will stop working.
There is a hackish solution - write a little tool that performs a real DNS
lookup and, if the IP address has changed, regenerates the stunnel config
and restarts stunnel, then run this tool every minute or so...  Still,
it worked for me:

[roam at straylight /etc/stunnel]$ fgrep -e ctm.omgeo.net /etc/hosts
127.0.0.1	localhost	ctm.omgeo.net
[roam at straylight /etc/stunnel]$ curl -v http://ctm.omgeo.net:19201         
* Rebuilt URL to: http://ctm.omgeo.net:19201/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to ctm.omgeo.net (127.0.0.1) port 19201 (#0)
> GET / HTTP/1.1
> Host: ctm.omgeo.net:19201
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Location: /cleartrust/ct_logon.jsp
< Content-Length: 0
< Date: Tue, 06 Mar 2018 09:41:48 GMT
< Connection: keep-alive
< Set-Cookie: Actrust-session-v001d=aHR0cHM6Ly9jdG0ub21nZW8ubmV0OjQ0My9pbmRleC5odG1s; secure; domain=.omgeo.net; path=/
< 
* Connection #0 to host ctm.omgeo.net left intact
[roam at straylight /etc/stunnel]$

...so that's a start.

G'luck,
Peter

-- 
Peter Pentchev  roam at ringlet.net roam at FreeBSD.org pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180306/4643a9cb/attachment.sig>

• Previous message (by thread): [stunnel-users] Connect using TLS with public Web Server
• Next message (by thread): [stunnel-users] Connect using TLS with public Web Server
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]