 
Dear stunnel users,

I have a little service which listens only on https://localhost:4952 and checks the source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952":

https://192.168.1.10:1988 -> redirect https://localhost:4952

I am trying to configure stunnel like this:

[myservice]
cert = stunnel.pem
client = yes
accept = 0.0.0.0:1988
connect = localhost:4952

remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
* Trying 192.168.1.25...
* Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
* WARNING: using IP address, SNI is being disabled by the OS.
* Unknown SSL protocol error in connection to 192.168.1.25:-9847
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847

stunnel.log:
2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket

I tried verify = 1 to 4; neither works. :(

Best Regards,
Adrian
 
             
             
Sorry, curl was only for testing.

Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
CONNECTED(00000003)
1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:

2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
2015.10.09 12:23:21 LOG5[main]: Configuration successful
2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket

If I am connecting to the :41952:

openssl s_client -connect 192.168.1.17:41952
...
---
No client certificate CA names sent
---
SSL handshake has read 1724 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
...

2015-10-09 10:55 GMT+02:00 test rig <[email protected]>:
Ouch #2 missing...
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
You are connecting to :9999 with curl(?) Try to verify it via the "openssl s_client -connect yourserverip:1988" command
Best Regards Michael
--- Original message --- From: "test rig" <[email protected]> Date: 09.10.2015 09:48:02 To: "[email protected]." <[email protected]> Subject: Re: [stunnel-users] (no subject)
Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
--- Original message --- From: Adrián Mihálko Date: 09.10.2015 08:15:19 To: [email protected] Subject: [stunnel-users] (no subject)
______________________________________________________ powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure internet.
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
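The client = yes / client = no distinction Michael points to is the whole problem: with client = yes stunnel expects plaintext on the accept side and speaks TLS on the connect side, so an https:// client on :1988 gets "Unknown SSL protocol error" while the log's "230 byte(s) sent to SSL" is curl's TLS handshake being relayed to the backend as if it were plaintext. Below is an added example stunnel.conf, not Adrian's or the list's, showing the broken service beside a two-service chain that terminates TLS on :1988 and re-encrypts towards the HTTPS backend, which also clears the "needs authentication to prevent MITM attacks" warning. The service names, the loopback relay port 1989, the backend-ca.pem path and the assumption that the backend certificate is issued for "localhost" are mine, and the options assume stunnel 5.

```ini
; Added example config (not from the thread). Assumed: service names, relay
; port 1989, backend-ca.pem, and a backend certificate issued for "localhost".

; --- Broken (the original [myservice]): client = yes means stunnel accepts
; PLAINTEXT on :1988 and only the hop to :4952 is TLS. An https:// client on
; :1988 therefore sends a ClientHello that stunnel forwards as application
; data, the backend answers with an error and closes, and curl/s_client
; report "unknown protocol".
;[myservice]
;cert    = stunnel.pem
;client  = yes
;accept  = 0.0.0.0:1988
;connect = localhost:4952

; --- Working: terminate TLS on :1988, then re-encrypt towards the backend.
; Two services are chained through a relay port bound to loopback only, so
; the decrypted hop never leaves the host.
[myservice-in]
client  = no                    ; server mode: :1988 speaks TLS to clients
cert    = stunnel.pem           ; certificate presented on :1988
accept  = 0.0.0.0:1988
connect = 127.0.0.1:1989        ; plaintext hand-off to the second service

[myservice-out]
client  = yes                   ; client mode: TLS towards the HTTPS backend
accept  = 127.0.0.1:1989        ; loopback only; do not bind 0.0.0.0 here
connect = localhost:4952        ; backend sees the request arriving from localhost
; Without these three lines stunnel logs "Certificate verification disabled"
; and "needs authentication to prevent MITM attacks": it would accept any
; certificate on :4952. verify = 2 checks the chain against the CA file
; (assumed path) and checkHost pins the expected subject name.
verify    = 2
CAfile    = backend-ca.pem
checkHost = localhost
```

Check the result the way Michael suggests, with openssl s_client -connect yourserverip:1988: a working server-mode service prints a certificate and "SSL handshake has read ..." instead of the SSL23_GET_SERVER_HELLO:unknown protocol error.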
participants (2)
- Adrián Mihálko
- test rig