<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Robert,</span></div><div><span><br></span></div><div><span>I would take a look at FIPS mode. You might want to disable that on stunnel for testing and see if that makes any difference.</span></div><div><br></div><div>This particular part of your error log gives some clues on the issue.</div><div>SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure <br></div><div><br></div><div>The restrictions that FIPS imposes on the ciphers used, might create a lack of common ciphers between the two hosts to</div><div>successfully carry the handshake. </div><div><br></div><div>Hope this helps</div><div><br></div><div>----------------- </div><div>Leandro Avila<br></div> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <div style="font-size: 12pt; font-family: 'times new roman',
'new york', times, serif; "> <div dir="ltr"> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> "Skinner, Robert" <rgs9@buffalo.edu><br> <b><span style="font-weight: bold;">To:</span></b> "stunnel-users@stunnel.org" <stunnel-users@stunnel.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, January 27, 2012 5:18 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> [stunnel-users] STunnel on Windows (2008R2 Server)<br> </font> </div> <br>
<meta http-equiv="x-dns-prefetch-control" content="off"><div id="yiv1023154608"><style><!--
#yiv1023154608
_filtered #yiv1023154608 {font-family:"Cambria Math";panose-1:2 4 5 3 5 4 6 3 2 4;}
_filtered #yiv1023154608 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}
#yiv1023154608
#yiv1023154608 p.yiv1023154608MsoNormal, #yiv1023154608 li.yiv1023154608MsoNormal, #yiv1023154608 div.yiv1023154608MsoNormal
{margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:"sans-serif";}
#yiv1023154608 a:link, #yiv1023154608 span.yiv1023154608MsoHyperlink
{color:blue;text-decoration:underline;}
#yiv1023154608 a:visited, #yiv1023154608 span.yiv1023154608MsoHyperlinkFollowed
{color:purple;text-decoration:underline;}
#yiv1023154608 span.yiv1023154608EmailStyle17
{font-family:"sans-serif";color:windowtext;}
#yiv1023154608 .yiv1023154608MsoChpDefault
{font-family:"sans-serif";}
_filtered #yiv1023154608 {margin:1.0in 1.0in 1.0in 1.0in;}
#yiv1023154608 div.yiv1023154608WordSection1
{}
--></style><div><div class="yiv1023154608WordSection1"><div class="yiv1023154608MsoNormal">I am attempting to use stunnel to encrypt traffic between our backup client (Window2008R2) and our NetApp filer, but I’m not having any luck</div><div class="yiv1023154608MsoNormal">We would like to use the stunnel to redirect the port 80 calls to the filer (<a target="_blank" href="http://ubfs2.buffalo.edu">ubfs2.buffalo.edu</a>) to port 443.</div><div class="yiv1023154608MsoNormal">Be design, the backup client (IBM Tivoli/TSM V6.2.4) makes a call to the Netapp over http.admin interface to tell it to create a snapshot.</div><div class="yiv1023154608MsoNormal">The filer listens on https.admin (not http.admin), and we don’t want to turn on http.admin for security reasons.</div><div class="yiv1023154608MsoNormal">I’ve included the stunnel.config file, hosts file, and the output below.</div><div class="yiv1023154608MsoNormal">If anyone could give us a hand
here it would be much appreciated.</div><div class="yiv1023154608MsoNormal">We tested this config on a Mac laptop and it works just fine, so I would assume that it has something to do with Windows2008R2</div><div class="yiv1023154608MsoNormal"> </div><div style="border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in;"><div class="yiv1023154608MsoNormal" style="border:none;padding:0in;">Stunnel.config</div></div><div class="yiv1023154608MsoNormal"> </div><div class="yiv1023154608MsoNormal">debug = 7</div><div class="yiv1023154608MsoNormal">client = yes</div><div class="yiv1023154608MsoNormal"> </div><div class="yiv1023154608MsoNormal">[snapdiff]</div><div class="yiv1023154608MsoNormal">accept = localhost:80</div><div class="yiv1023154608MsoNormal">connect = 128.205.5.55:443</div><div class="yiv1023154608MsoNormal">sslVersion = all</div><div class="yiv1023154608MsoNormal"> </div><div
style="border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in;"><div class="yiv1023154608MsoNormal" style="border:none;padding:0in;">hosts</div></div><div class="yiv1023154608MsoNormal"> </div><div class="yiv1023154608MsoNormal">127.0.0.1 localhost ubfs2.buffalo.edu</div><div class="yiv1023154608MsoNormal"> </div><div style="border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in;"><div class="yiv1023154608MsoNormal" style="border:none;padding:0in;">output</div></div><div class="yiv1023154608MsoNormal"> </div><div class="yiv1023154608MsoNormal">7[1596:4336]: No limit detected for the number of clients</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG5[1596:4336]: stunnel 4.52 on x86-pc-mingw32-gnu platform</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG5[1596:4336]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan
2012</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG5[1596:4336]: Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG5[1596:4336]: Reading configuration from file stunnel.conf</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG5[1596:4336]: FIPS mode is enabled</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG7[1596:4336]: Compression not enabled</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG7[1596:4336]: Snagged 64 random bytes from C:/.rnd</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG7[1596:4336]: Wrote 1024 new random bytes to C:/.rnd</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:30 LOG7[1596:4336]: PRNG seeded successfully</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:31 LOG6[1596:4336]: Initializing SSL context for service snapdiff</div><div
class="yiv1023154608MsoNormal">2012.01.27 15:16:31 LOG7[1596:4336]: SSL options set: 0x00000004</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:31 LOG6[1596:4336]: SSL context initialized</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:31 LOG5[1596:4336]: Configuration successful</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:31 LOG7[1596:4336]: Service snapdiff bound FD=396 to 127.0.0.1:80</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4336]: Service snapdiff accepted FD=452 from 127.0.0.1:51366</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4336]: Creating a new thread</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4336]: New thread created</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4336]: Service snapdiff accepted FD=460 from 127.0.0.1:51367</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4336]:
Creating a new thread</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4336]: New thread created</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:5080]: Service snapdiff started</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG5[1596:5080]: Service snapdiff accepted connection from 127.0.0.1:51366</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG6[1596:5080]: connect_blocking: connecting 128.205.5.55:443</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:5080]: connect_blocking: s_poll_wait 128.205.5.55:443: waiting 10 seconds</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4720]: Service snapdiff started</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG5[1596:4720]: Service snapdiff accepted connection from 127.0.0.1:51367</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG6[1596:4720]: connect_blocking:
connecting 128.205.5.55:443</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4720]: connect_blocking: s_poll_wait 128.205.5.55:443: waiting 10 seconds</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG5[1596:4720]: connect_blocking: connected 128.205.5.55:443</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG5[1596:4720]: Service snapdiff connected remote server from 128.205.4.234:51369</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4720]: Remote FD=508 initialized</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG3[1596:4720]: SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG5[1596:4720]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:40 LOG7[1596:4720]: Service snapdiff
finished (1 left)</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:43 LOG5[1596:5080]: connect_blocking: connected 128.205.5.55:443</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:43 LOG5[1596:5080]: Service snapdiff connected remote server from 128.205.4.234:51368</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:43 LOG7[1596:5080]: Remote FD=480 initialized</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:43 LOG3[1596:5080]: SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:43 LOG5[1596:5080]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</div><div class="yiv1023154608MsoNormal">2012.01.27 15:16:43 LOG7[1596:5080]: Service snapdiff finished (0 left)</div></div></div></div><meta http-equiv="x-dns-prefetch-control"
content="on"><br>_______________________________________________<br>stunnel-users mailing list<br><a ymailto="mailto:stunnel-users@stunnel.org" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br><a href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target="_blank">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a><br><br><br> </div> </div> </div></body></html>