<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:12pt"><div><span>Denis,</span></div><div><br><span></span></div><div><span>Please review this:</span></div><div><span><br></span></div><div><span> http://stunnel.mirt.net/pipermail/stunnel-users/2011-May/003080.html</span></div><div><br><span></span></div><div><span>In particular, check that you have your signing CA certificates (hashed) in your CaPath.</span></div><div><br><span></span></div><div><span>Do the tests with openssl connect and post sanitized results if you are in trouble.<br></span></div><div><br><span></span></div><div><span>Regards,</span></div><div><span>Jose</span></div><div><br></div> <div style="font-family: bookman old style,new york,times,serif; font-size: 12pt;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1">
<b><span style="font-weight: bold;">From:</span></b> Denis Berezhnoy <denis.berezhnoy@gmail.com><br> <b><span style="font-weight: bold;">To:</span></b> Jose Alf. <josealf@rocketmail.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "stunnel-users@stunnel.org" <stunnel-users@stunnel.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, January 25, 2012 9:55 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [stunnel-users] No SSL handshake between stunnel in client mode and SSL server<br> </font> </div> <br>
<div id="yiv841185191"><div>Hi Jose,</div><div> </div><div>Thank you for your reply. I double checked and actually there is SSL handshake. Sorry, it was my mistake I did not analyze WireShark capture carefully.</div><div> </div><div>But handshake failed and here is stunnel log:</div>
<div> </div><div>2012.01.25 09:39:58 LOG5[1944:6264]: stunnel 4.52 on x86-pc-mingw32-gnu platform<br>2012.01.25 09:39:58 LOG5[1944:6264]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012<br>2012.01.25 09:39:58 LOG5[1944:6264]: Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6<br>
2012.01.25 09:39:58 LOG5[1944:6264]: Reading configuration from file stunnel.conf<br>2012.01.25 09:39:58 LOG5[1944:6264]: FIPS mode is enabled<br>2012.01.25 09:39:58 LOG5[1944:6264]: Configuration successful<br>2012.01.25 09:40:13 LOG5[1944:4724]: Service Router accepted connection from <a rel="nofollow" target="_blank" href="http://192.168.1.161:59519">192.168.1.161:59519</a><br>
2012.01.25 09:40:13 LOG5[1944:4724]: connect_blocking: connected <a rel="nofollow" target="_blank" href="http://192.168.160.168:55443">192.168.160.168:55443</a><br>2012.01.25 09:40:13 LOG5[1944:4724]: Service Router connected remote server from <a rel="nofollow" target="_blank" href="http://192.168.1.121:52250">192.168.1.121:52250</a><br>
2012.01.25 09:40:13 LOG3[1944:4724]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number<br>2012.01.25 09:40:13 LOG5[1944:4724]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket<br>
</div><div><div>Server is setup for SSL3.0. </div><div> </div></div><div>Best regards,</div><div>Denis<br><br></div><div class="yiv841185191gmail_quote">2012/1/24 Jose Alf. <span dir="ltr"><<a rel="nofollow" ymailto="mailto:josealf@rocketmail.com" target="_blank" href="mailto:josealf@rocketmail.com">josealf@rocketmail.com</a>></span><br>
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left: 1px solid rgb(204, 204, 204);" class="yiv841185191gmail_quote"><div><div style="font-family: bookman old style,new york,times,serif; font-size: 12pt;">
<div><span>Denis,</span></div><div><span><br></span></div><div><span>Looks like your configuration is incomplete. Check the sample stunnel.conf file in the stunnel distribution. Read the man page. Post your log file.<br>
</span></div><div><br><span></span></div><div><span>Try adding lines like these before [Router]</span></div><div><br><span></span></div><div><span>sslVersion = SSLv3<br><br>cert=stunnel.pem<br>key=stunnel.pem<br><br># Authentication stuff, try 0 for test<br>
verify = 0<br><br>CApath = /your/CAcerts/path<br><br>debug = 7<br>output = stunnel.log<br><br><br></span></div><div><br></div> <div style="font-family: bookman old style,new york,times,serif; font-size: 12pt;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">
<div dir="ltr"> <font face="Arial"> <hr size="1">
<b><span style="font-weight: bold;">From:</span></b> Denis Berezhnoy <<a rel="nofollow" ymailto="mailto:denis.berezhnoy@gmail.com" target="_blank" href="mailto:denis.berezhnoy@gmail.com">denis.berezhnoy@gmail.com</a>><br> <b><span style="font-weight: bold;">To:</span></b> <a rel="nofollow" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a> <br>
<b><span style="font-weight: bold;">Sent:</span></b> Tuesday, January 24, 2012 6:10 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> [stunnel-users] No SSL handshake between stunnel in client mode and SSL server<br>
</font> </div><div><div class="yiv841185191h5"> <br>
<div><div>Hi guys, </div><div>I have a quick question. I am trying to use stunnel in client mode to encrypt traffic going to my server.</div><div>Basically, I have a server which listens for SSL connection. And I have a client which can not do SSL but it needs to communicate with server over SSL. </div>
<div>I setup stunnel in client mode to accept unecrypted traffic from client and redirect it to server over SSL. I checked TCP traffic with WireShark between stunnel and my server and I can see that there is no SSL handshake, stunnel makes TCP connection with server and sends some TCP packets but I expect to see SSL handshake.</div>
<div>My stunnel conf file is here:</div><div>[Router]<br>client=yes<br>accept = <a rel="nofollow" target="_blank" href="http://192.168.1.121:55555">192.168.1.121:55555</a><br>connect = <a rel="nofollow" target="_blank" href="http://192.168.160.168:55443">192.168.160.168:55443</a></div>
<div>Can you please comment on this?</div>
<div>Best regards,</div><div>Denis</div>
</div><br></div></div>_______________________________________________<br>stunnel-users mailing list<br><a rel="nofollow" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br>http://stunnel.mirt.net/mailman/listinfo/stunnel-users<br>
<br><br> </div> </div> </div></div></blockquote></div><br>
</div><br><br> </div> </div> </div></body></html>