<div>Hello,</div>
<div> </div>
<div>I'm hoping that someone can give me a hint of where to look at this issue because I'm totally stuck and have been for a few days. When I attempt to use sTunnel in client mode with client certificates, the SSL seems to negotiate the certs and ciphers and then nothing else happens; the services hang. I'm hoping that someone has some insights about something that I haven't looked at, yet.</div>
<div> </div>
<div>My setup:</div>
<div> </div>
<div>Server:</div>
<div>Windows Server, IIS 7 running SOAP services set for SSL Required, Client Certificate required (transport level client certificate, not SOAP message level).</div>
<div> </div>
<div>client:</div>
<div>Windows machine, simple web application acting as a test client for the SOAP service.</div>
<div> </div>
<div>In between:</div>
<div>sTunnel v4.32</div>
<div> </div>
<div>Testing Scenario #1 --</div>
<div>Client configured to use client certificates directly against the IIS 7 service instance. This works as expected.</div>
<div> </div>
<div>Testing Scenario #2 --</div>
<div>Server configured to not require client certificates, but require SSL. sTunnel configured to listen on local port 8090 and forward to the IIS 7 server. This works as expected.</div>
<div> </div>
<div>Testing Scenario #3 --</div>
<div>Server configured to require client certificates. sTunnel configured to use client certificate as issued by a local CA in addition to the setup as before. This does not work, but hangs.</div>
<div> </div>
<div>sTunnel.conf:</div>
<div> </div>
<div>; Sample stunnel configuration file by Michal Trojnara 2002-2006<br>; Some options used here may not be adequate for your particular configuration</div>
<div>; Certificate/key is needed in server mode and optional in client mode<br>; The default certificate is provided only for testing and should not<br>; be used in a production environment<br>cert = C:\certs\client-cert-for-internal-environments.pem<br>
;key = c:\certs\test_cert.pem</div>
<div>; Some performance tunings<br>socket = l:TCP_NODELAY=1<br>socket = r:TCP_NODELAY=1</div>
<div>; Workaround for Eudora bug<br>;options = DONT_INSERT_EMPTY_FRAGMENTS</div>
<div>; Authentication stuff<br>;verify = 2<br>; Don't forget to c_rehash CApath<br>;CApath = certs<br>; It's often easier to use CAfile<br>;CAfile = certs.pem<br>; Don't forget to c_rehash CRLpath<br>;CRLpath = crls<br>
; Alternatively you can use CRLfile<br>;CRLfile = crls.pem</div>
<div>; Some debugging stuff useful for troubleshooting<br>debug = 7<br>output = c:\temp\stunnel.log</div>
<div>; Use it for client mode<br>client = yes</div>
<div>; Service-level configuration</div>
<div>;[pop3s]<br>;accept = 995<br>;connect = 110</div>
<div>;[imaps]<br>;accept = 993<br>;connect = 143</div>
<div>;[ssmtp]<br>;accept = 465<br>;connect = 25</div>
<div>[http]<br>accept = 8090<br>;connect = <a href="http://10.12.32.164:443">10.12.32.164:443</a><br>connect = <a href="http://10.12.32.68:1443">10.12.32.68:1443</a><br>TIMEOUTclose = 0</div>
<div>; vim:ft=dosini<br></div>
<div> </div>
<div>sTunnel log:</div>
<div> </div>
<div>2010.03.24 11:54:31 LOG5[5616:5992]: Reading configuration from file stunnel.conf<br>2010.03.24 11:54:31 LOG7[5616:5992]: RAND_status claims sufficient entropy for the PRNG<br>2010.03.24 11:54:31 LOG7[5616:5992]: PRNG seeded successfully<br>
2010.03.24 11:54:31 LOG7[5616:5992]: Certificate: C:\certs\client-cert-for-internal-environments.pem<br>2010.03.24 11:54:31 LOG7[5616:5992]: Certificate loaded<br>2010.03.24 11:54:31 LOG7[5616:5992]: Key file: C:\certs\client-cert-for-internal-environments.pem<br>
2010.03.24 11:54:38 LOG7[5616:5992]: Private key loaded<br>2010.03.24 11:54:38 LOG7[5616:5992]: SSL context initialized for service http<br>2010.03.24 11:54:38 LOG5[5616:5992]: Configuration successful<br>2010.03.24 11:54:38 LOG5[5616:5992]: No limit detected for the number of clients<br>
2010.03.24 11:54:38 LOG7[5616:5992]: FD=176 in non-blocking mode<br>2010.03.24 11:54:38 LOG7[5616:5992]: Option SO_REUSEADDR set on accept socket<br>2010.03.24 11:54:38 LOG7[5616:5992]: Service http bound to <a href="http://0.0.0.0:8090">0.0.0.0:8090</a><br>
2010.03.24 11:54:38 LOG7[5616:5992]: Service http opened FD=176<br>2010.03.24 11:54:38 LOG3[5616:5992]: c:\temp\stunnel.log: Input/output error (5)<br>2010.03.24 11:54:38 LOG3[5616:5992]: Unable to open output file: c:\temp\stunnel.log<br>
2010.03.24 11:54:38 LOG5[5616:5992]: stunnel 4.32 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009<br>2010.03.24 11:54:38 LOG5[5616:5992]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6<br>2010.03.24 11:54:54 LOG7[5616:6192]: Service http accepted FD=436 from <a href="http://127.0.0.1:56102">127.0.0.1:56102</a><br>
2010.03.24 11:54:54 LOG7[5616:6192]: Creating a new thread<br>2010.03.24 11:54:54 LOG7[5616:6192]: New thread created<br>2010.03.24 11:54:54 LOG7[5616:6696]: Service http started<br>2010.03.24 11:54:54 LOG7[5616:6696]: FD=436 in non-blocking mode<br>
2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on local socket<br>2010.03.24 11:54:54 LOG5[5616:6696]: Service http accepted connection from <a href="http://127.0.0.1:56102">127.0.0.1:56102</a><br>2010.03.24 11:54:54 LOG7[5616:6696]: FD=456 in non-blocking mode<br>
2010.03.24 11:54:54 LOG6[5616:6696]: connect_blocking: connecting <a href="http://10.12.32.68:1443">10.12.32.68:1443</a><br>2010.03.24 11:54:54 LOG7[5616:6696]: connect_blocking: s_poll_wait <a href="http://10.12.32.68:1443">10.12.32.68:1443</a>: waiting 10 seconds<br>
2010.03.24 11:54:54 LOG5[5616:6696]: connect_blocking: connected <a href="http://10.12.32.68:1443">10.12.32.68:1443</a><br>2010.03.24 11:54:54 LOG5[5616:6696]: Service http connected remote server from <a href="http://10.12.47.109:56103">10.12.47.109:56103</a><br>
2010.03.24 11:54:54 LOG7[5616:6696]: Remote FD=456 initialized<br>2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on remote socket<br>2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): before/connect initialization<br>
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client hello A<br>2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server hello A<br>2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server certificate A<br>
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server done A<br>2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client key exchange A<br>2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write change cipher spec A<br>
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write finished A<br>2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 flush data<br>2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read finished A<br>
2010.03.24 11:54:54 LOG7[5616:6696]: 1 items in the session cache<br>2010.03.24 11:54:54 LOG7[5616:6696]: 1 client connects (SSL_connect())<br>2010.03.24 11:54:54 LOG7[5616:6696]: 1 client connects that finished<br>
2010.03.24 11:54:54 LOG7[5616:6696]: 0 client renegotiations requested<br>2010.03.24 11:54:54 LOG7[5616:6696]: 0 server connects (SSL_accept())<br>2010.03.24 11:54:54 LOG7[5616:6696]: 0 server connects that finished<br>
2010.03.24 11:54:54 LOG7[5616:6696]: 0 server renegotiations requested<br>2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache hits<br>2010.03.24 11:54:54 LOG7[5616:6696]: 0 external session cache hits<br>2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache misses<br>
2010.03.24 11:54:54 LOG7[5616:6696]: 0 session cache timeouts<br>2010.03.24 11:54:54 LOG6[5616:6696]: SSL connected: new session negotiated<br>2010.03.24 11:54:54 LOG6[5616:6696]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1</div>
<div> </div>
<div>This is where things time out; nothing happens beyond this point.</div>
<div> </div>