[stunnel-users] basic usage question

Mark Foley mfoley at novatec-inc.com
Wed Mar 14 16:01:24 CET 2018


Does anyone have any ideas on what might be my problem? I re-ran with
"sslVersion = TLSv1" and got basically the same log results except instead of 

2018.03.13 13:22:03 LOG3[0]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

when I ran with no "sslVersion" set, I got:

2018.03.13 13:36:02 LOG3[0]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

when I ran with "sslVersion = TLSv1".

So, I'm thinking that there is an issue with the sslVersion I'm using.

Also, the initial log messages have:

2018.03.13 13:35:32 LOG5[ui]: stunnel 5.35 on x86_64-slackware-linux-gnu platform
2018.03.13 13:35:32 LOG5[ui]: Compiled with OpenSSL 1.0.2h  3 May 2016
2018.03.13 13:35:32 LOG5[ui]: Running  with OpenSSL 1.0.2n  7 Dec 2017
2018.03.13 13:35:32 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel

I don't know if this is telling me to "Update OpenSSL" or what. The 'running'
OpenSSL version is already more recent than the stunnel compiled version. Both
packages are the most recent release on Slackware.

Thanks for any help on this.

--Mark
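
Both SSL_connect errors quoted above (SSL23_GET_SERVER_HELLO:unknown protocol with sslVersion unset, SSL3_GET_RECORD:wrong version number with TLSv1 forced) are what OpenSSL reports when the bytes that come back after the ClientHello are not a TLS record at all, so changing sslVersion on the client cannot fix them; the question is what the far side of the router forward actually speaks. The probe below is an added example and not code from the post or from stunnel: it does what the stunnel client does first (TCP connect, then TLS handshake) and, if the handshake fails, reconnects and shows the raw banner. The fake VNC server it talks to is constructed for the demo and mimics a VNC daemon reached directly, without stunnel in front of it, which answers with the plaintext RFB version string.

```python
"""Probe what a remote port actually speaks before tuning sslVersion.

Added example, not code from the original post or from stunnel.
"""
import socket
import ssl
import threading


def probe(host, port, timeout=3.0):
    """Return (kind, detail) describing what listens on host:port.

    kind is one of:
      "tls"       - TLS handshake completed (detail = negotiated version)
      "plaintext" - peer sent non-TLS bytes (detail = the first bytes)
      "closed"    - TCP accepted but nothing readable / peer closed
      "refused"   - TCP connection failed (detail = OS error text)
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: we test the handshake, not trust
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return ("refused", str(e))
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
        version = tls.version()
        tls.close()
        return ("tls", version)
    except OSError:
        # ssl.SSLError is an OSError. This is the branch stunnel logs as
        # "unknown protocol" / "wrong version number": the reply was not TLS.
        raw.close()
    # Reconnect and read whatever the peer volunteers in the clear.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(64)
    except OSError as e:
        return ("closed", str(e))
    if not data:
        return ("closed", "")
    return ("plaintext", data.decode("ascii", "replace"))


def start_fake_vnc_server():
    """Constructed stand-in for a VNC daemon exposed without stunnel: it sends
    the RFB version banner in the clear on every connection. Returns
    (port, stop_function)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except OSError:
                continue
            with conn:
                try:
                    conn.sendall(b"RFB 003.008\n")
                    conn.settimeout(1.0)
                    conn.recv(64)  # swallow the client's ClientHello or EOF
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def find_closed_port():
    """Constructed helper: take an ephemeral port and release it so that,
    barring a race, nothing is listening there."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_fake_vnc_server()
    print(probe("127.0.0.1", port))              # plaintext, banner "RFB 003.008"
    print(probe("127.0.0.1", find_closed_port()))  # refused
    stop()
```

Run it against the real endpoint with `probe("mail.ohprs.org", 1914)`: a "plaintext" result starting with "RFB" means the router forward lands on the VNC daemon rather than on the stunnel listener, a "tls" result means the tunnel endpoint is reachable and the problem lies elsewhere, and "refused" or "closed" points at the forward itself.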

-----Original Message-----
From: Mark Foley <mfoley at novatec-inc.com>
Date: Tue, 13 Mar 2018 13:35:05 -0400
Organization: Novatec Software Engineering, LLC
To: stunnel-users at stunnel.org

Thanks to help from Nitin, I've made a tiny bit of progress with stunnel. I've
created the certificates per Nitin's instructions at 
https://tunnelix.com/securing-mysql-traffic-with-stunnel-in-a-jail-environment-on-centos/
Certificates have permissions 0600.

I want to use a VNC client on Linux to connect to a VNC Server also on Linux. In
between these two computers I have a Linux router which routes all requests to
port 1914 to port 3389 on the VNC Server.

stunnel on the server is run at the command line by root: 'stunnel
/root/stunnel.conf'.  Here is my VNC Server computer's stunnel.conf:

foreground = yes
pid = /var/run/stunnel.pid
debug = 7
; output = /root/stunnel.log
output = /dev/stdout

[x11vnc]
accept = 3389
key = /root/privatekey.pem
cert = /root/certificate.pem
connect = 127.0.0.1:5900

stunnel on the client is run by a normal user: 'stunnel
$HOME/.stunnel/stunnel.conf'. Below is my client stunnel.conf:

foreground = yes
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[x11vnc]
accept = 5900
connect = mail.ohprs.org:1914

When I run stunnel on the client I get:

2018.03.13 13:21:17 LOG5[ui]: stunnel 5.35 on x86_64-slackware-linux-gnu platform
2018.03.13 13:21:17 LOG5[ui]: Compiled with OpenSSL 1.0.2h  3 May 2016
2018.03.13 13:21:17 LOG5[ui]: Running  with OpenSSL 1.0.2n  7 Dec 2017
2018.03.13 13:21:17 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2018.03.13 13:21:17 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.03.13 13:21:17 LOG5[ui]: Reading configuration from file /home/mfoley/.stunnel/stunnel.conf
2018.03.13 13:21:17 LOG5[ui]: UTF-8 byte order mark not detected
2018.03.13 13:21:17 LOG5[ui]: FIPS mode disabled
2018.03.13 13:21:17 LOG4[ui]: Service [x11vnc] uses "verify = 2" without subject checks
2018.03.13 13:21:17 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
2018.03.13 13:21:17 LOG5[ui]: Configuration successful

On the client, I then run tigerVNCViewer connecting to 127.0.0.1::5900.  I get
the following messages on the client:

2018.03.13 13:22:03 LOG5[0]: Service [x11vnc] accepted connection from 127.0.0.1:35034
2018.03.13 13:22:03 LOG5[0]: s_connect: connected 98.102.63.107:1914
2018.03.13 13:22:03 LOG5[0]: Service [x11vnc] connected remote server from 192.168.0.17:40512
2018.03.13 13:22:03 LOG3[0]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2018.03.13 13:22:03 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

Just guessing, but is it failing with the SSLVersion?

Help appreciated. Thanks, Mark

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
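
The LOG4 lines in the client log ("uses "verify = 2" without subject checks" / "Use checkHost or checkIP") deserve attention once the tunnel works: with verify = 2 the client accepts any certificate that chains to CAfile, but nothing binds the certificate to the host it expects, so the subject is never compared to mail.ohprs.org. Since CAfile here is the server's own self-signed certificate, the simplest fix is to pin it with verifyPeer = yes, which makes stunnel require that the presented certificate itself is in CAfile; checkHost = <name in the cert> is the alternative when a real CA chain is used. The checker below is an added example, not code from the post or from stunnel: it parses stunnel's INI-like configuration and reproduces that warning, plus a "no verification" finding, over two constructed configurations derived from the posted client config. The meaning of the verify levels (0 to 4) and of verifyChain/verifyPeer follows the stunnel 5.x manual.

```python
"""Audit client-side certificate verification in a stunnel.conf.

Added example, not code from the original post or from stunnel.
"""
import re

_SECTION = re.compile(r"^\[([^\]]+)\]$")

# Constructed: the client config as posted (verify = 2, no subject check).
CLIENT_CONF_AS_POSTED = """\
foreground = yes
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[x11vnc]
accept = 5900
connect = mail.ohprs.org:1914
"""

# Constructed: same service, but the server's self-signed certificate is pinned.
# verifyPeer = yes requires the presented certificate itself to be in CAfile,
# so no hostname check is needed to bind identity.
CLIENT_CONF_HARDENED = """\
foreground = yes
pid = /home/mfoley/.stunnel/stunnel.pid
; pin the peer certificate instead of trusting anything that chains to CAfile
verifyPeer = yes
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[x11vnc]
accept = 5900
connect = mail.ohprs.org:1914
"""


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}).

    ';' and '#' start comments, 'key = value' sets an option, options before the
    first [section] are global. Repeated keys keep the last value (enough for
    this audit; stunnel itself allows some options to repeat)."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, _, val = line.partition("=")
        (services[current] if current else global_opts)[key.strip()] = val.strip()
    return global_opts, services


def audit_client_verification(text):
    """Return [(service, finding)] for client services whose peer identity is
    not bound. Mirrors stunnel's own LOG4 warning for verify = 2."""
    g, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        def opt(key):  # service option, falling back to the global one
            return opts.get(key, g.get(key))
        if (opt("client") or "no").lower() != "yes":
            continue  # server-side services are out of scope for this check
        verify = opt("verify")
        verify_peer = (opt("verifyPeer") or "no").lower() == "yes"
        verify_chain = (opt("verifyChain") or "no").lower() == "yes"
        subject_checked = bool(opt("checkHost") or opt("checkIP"))
        if verify in ("3", "4") or verify_peer:
            continue  # leaf certificate pinned against CAfile: identity is bound
        if verify == "2" or verify_chain:
            if not subject_checked:
                findings.append((name, 'uses "verify = 2" without subject checks; '
                                       "add checkHost/checkIP or pin with verifyPeer = yes"))
        else:
            findings.append((name, "verification disabled or optional "
                                   "(verify absent, 0 or 1): server identity is not checked"))
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", CLIENT_CONF_AS_POSTED), ("hardened", CLIENT_CONF_HARDENED)):
        print(label, audit_client_verification(conf) or "OK")
```

The audit deliberately treats verify = 3/4 and verifyPeer = yes as sufficient on their own, because pinning the leaf certificate binds the identity without a name comparison; verify = 2 and verifyChain = yes only validate the chain and therefore need checkHost or checkIP.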