[stunnel-users] 404 File Not Found when accessing webservice using STunnel (works fine without STunnel)

Sundell Staffan Staffan.Sundell at afa.se
Mon Oct 10 17:42:27 CEST 2005


"stunnel 4.08 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.7e 25
Oct 2004"
 
Hi, this is my first try with both SSL & STunnel, so please excuse me
for any misunderstandings a.s.o.
 
I have problems running STunnel in client mode against an SSL
webservice.
Our application does not support client-side certificates, so I want to
use STunnel to handle the SSL connection.
 
For now, our webservice provider has disabled the need for
client certificates (to help us narrow our problem down),
but it still doesn't work.
 
As a first step, I access the webservice default page through
IE-Explorer:
https://<ip>:3001/<path> and I am presented with the default webpage.
 
As a second step, I start stunnel with the following .conf
 
verify = 2
CApath = <path where i have saved all certificates as .pem:s with
<hash>.0 filenames, from the direct-access example with explorer above>
debug = 7
client = yes
 
[https]
accept = 127.0.0.1:3000
connect = <ip>:3001
TIMEOUTclose = 0
 
and try to access http://127.0.0.1:3000/<path>
 
but I get: HTTP 404 File Not Found.
 
I have tried the same approach against a Microsoft webservice at:
https://test.uddi.microsoft.com/extension.asmx
without any problems.
 
1. I see no errors in the log, as I understand it (see below). Can anyone
else with a more skilled eye see any problem?
 
2. Our webservice provider has an invalid hostname in its certificate
(no public hostname, just IP during testing, but the server certificate
states www.fora.se).
Might that cause a problem? (I have tried locally with an invalid hostname
in the certificate without any problem, though.)
 
3. Is it possible to enable/disable verification of the hostname in STunnel?
(As I understand it, the "verify" option in the STunnel.conf concerns
the whole certificate validation process, and not just the hostname
validation?)
 
4. Could the problem be a config issue on the webservice provider's end?
I'm not sure, as it works with IE-Explorer, but not through STunnel?
 
5. Any clue on where to look would be greatly appreciated. I have been
working with this for a week, and I have been able to use STunnel both
as server & client, with & without client certs, against everything I
have tested locally and publicly (tried between different home-made
applications, on a local webserver, against the VeriSign website a.s.o.), and
everything works fine, except where I need it to work (against our
webservice provider).
 
Regards
/Staffan Sundell
 
STunnel log against our webservice provider (when it doesn't work):
2005.10.10 16:50:23 LOG5[2760:2800]: stunnel 4.08 on x86-pc-mingw32-gnu
WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004
2005.10.10 16:50:23 LOG7[2760:2332]: RAND_status claims sufficient
entropy for the PRNG
2005.10.10 16:50:23 LOG6[2760:2332]: PRNG seeded successfully
2005.10.10 16:50:23 LOG7[2760:2332]: Verify directory set to w:\ws\certs
2005.10.10 16:50:23 LOG5[2760:2332]: No limit detected for the number of
clients
2005.10.10 16:50:23 LOG7[2760:2332]: FD 1916 in non-blocking mode
2005.10.10 16:50:23 LOG7[2760:2332]: SO_REUSEADDR option set on accept
socket
2005.10.10 16:50:23 LOG7[2760:2332]: https bound to 127.0.0.1:3000
2005.10.10 16:50:28 LOG7[2760:2332]: https accepted FD=1904 from
127.0.0.1:2975
2005.10.10 16:50:28 LOG7[2760:2332]: FD 1904 in non-blocking mode
2005.10.10 16:50:28 LOG7[2760:2332]: Creating a new thread
2005.10.10 16:50:28 LOG7[2760:2332]: New thread created
2005.10.10 16:50:28 LOG7[2760:3748]: https started
2005.10.10 16:50:28 LOG5[2760:3748]: https connected from 127.0.0.1:2975
2005.10.10 16:50:28 LOG7[2760:3748]: FD 1876 in non-blocking mode
2005.10.10 16:50:28 LOG7[2760:3748]: https connecting
<webserviceprovider ip>:3001
2005.10.10 16:50:28 LOG7[2760:3748]: connect_wait: waiting 10 seconds
2005.10.10 16:50:28 LOG7[2760:3748]: connect_wait: connected
2005.10.10 16:50:28 LOG7[2760:3748]: Remote FD=1876 initialized
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): before/connect
initialization
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write
client hello A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read
server hello A
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=2,
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=1, /O=VeriSign
Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA -
Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign
2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=0,
/C=SE/L=STOCKHOLM/O=Fora AB/OU=Member, VeriSign Trust Network/OU=Terms
of use at www.verisign.se/rpa <http://www.verisign.se/rpa>
(c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust
Network/CN=www.fora.se
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read
server certificate A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read
server done A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write
client key exchange A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write
change cipher spec A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 write
finished A
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 flush
data
2005.10.10 16:50:28 LOG7[2760:3748]: SSL state (connect): SSLv3 read
finished A
2005.10.10 16:50:28 LOG7[2760:3748]:    1 items in the session cache
2005.10.10 16:50:28 LOG7[2760:3748]:    1 client connects
(SSL_connect())
2005.10.10 16:50:28 LOG7[2760:3748]:    1 client connects that finished
2005.10.10 16:50:28 LOG7[2760:3748]:    0 client renegotiatations
requested
2005.10.10 16:50:28 LOG7[2760:3748]:    0 server connects (SSL_accept())
2005.10.10 16:50:28 LOG7[2760:3748]:    0 server connects that finished
2005.10.10 16:50:28 LOG7[2760:3748]:    0 server renegotiatiations
requested
2005.10.10 16:50:28 LOG7[2760:3748]:    0 session cache hits
2005.10.10 16:50:28 LOG7[2760:3748]:    0 session cache misses
2005.10.10 16:50:28 LOG7[2760:3748]:    0 session cache timeouts
2005.10.10 16:50:28 LOG6[2760:3748]: SSL connected: new session
negotiated
2005.10.10 16:50:28 LOG6[2760:3748]: Negotiated ciphers: AES256-SHA
SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
2005.10.10 16:50:45 LOG7[2760:3748]: SSL socket closed on SSL_read
2005.10.10 16:50:45 LOG7[2760:3748]: Socket write shutdown
2005.10.10 16:50:45 LOG5[2760:3748]: Connection closed: 407 bytes sent
to SSL, 507 bytes sent to socket
2005.10.10 16:50:45 LOG7[2760:3748]: https finished (0 left)
 
STunnel log against microsoft (where it works)
2005.10.10 16:50:22 LOG5[2940:2556]: stunnel 4.08 on x86-pc-mingw32-gnu
WIN32+IPv6 with OpenSSL 0.9.7e 25 Oct 2004
2005.10.10 16:50:22 LOG7[2940:1112]: RAND_status claims sufficient
entropy for the PRNG
2005.10.10 16:50:22 LOG6[2940:1112]: PRNG seeded successfully
2005.10.10 16:50:22 LOG7[2940:1112]: Verify directory set to c:\ws\certs
2005.10.10 16:50:22 LOG5[2940:1112]: No limit detected for the number of
clients
2005.10.10 16:50:22 LOG7[2940:1112]: FD 136 in non-blocking mode
2005.10.10 16:50:22 LOG7[2940:1112]: SO_REUSEADDR option set on accept
socket
2005.10.10 16:50:22 LOG7[2940:1112]: https bound to 127.0.0.1:80
2005.10.10 16:50:32 LOG7[2940:1112]: https accepted FD=148 from
127.0.0.1:2977
2005.10.10 16:50:32 LOG7[2940:1112]: FD 148 in non-blocking mode
2005.10.10 16:50:32 LOG7[2940:1112]: Creating a new thread
2005.10.10 16:50:32 LOG7[2940:1112]: New thread created
2005.10.10 16:50:32 LOG7[2940:3904]: https started
2005.10.10 16:50:32 LOG5[2940:3904]: https connected from 127.0.0.1:2977
2005.10.10 16:50:32 LOG7[2940:3904]: FD 176 in non-blocking mode
2005.10.10 16:50:32 LOG7[2940:3904]: https connecting 207.46.197.39:443
2005.10.10 16:50:32 LOG7[2940:3904]: connect_wait: waiting 10 seconds
2005.10.10 16:50:33 LOG7[2940:3904]: connect_wait: connected
2005.10.10 16:50:33 LOG7[2940:3904]: Remote FD=176 initialized
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): before/connect
initialization
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write
client hello A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read
server hello A
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=3, /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=2, /CN=Microsoft
Internet Authority
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=1,
/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server
Authority
2005.10.10 16:50:33 LOG5[2940:3904]: VERIFY OK: depth=0,
/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=UDDI Test production
site/CN=test.uddi.microsoft.com
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read
server certificate A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read
server done A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write
client key exchange A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write
change cipher spec A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 write
finished A
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 flush
data
2005.10.10 16:50:33 LOG7[2940:3904]: SSL state (connect): SSLv3 read
finished A
2005.10.10 16:50:33 LOG7[2940:3904]:    1 items in the session cache
2005.10.10 16:50:33 LOG7[2940:3904]:    1 client connects
(SSL_connect())
2005.10.10 16:50:33 LOG7[2940:3904]:    1 client connects that finished
2005.10.10 16:50:33 LOG7[2940:3904]:    0 client renegotiatations
requested
2005.10.10 16:50:33 LOG7[2940:3904]:    0 server connects (SSL_accept())
2005.10.10 16:50:33 LOG7[2940:3904]:    0 server connects that finished
2005.10.10 16:50:33 LOG7[2940:3904]:    0 server renegotiatiations
requested
2005.10.10 16:50:33 LOG7[2940:3904]:    0 session cache hits
2005.10.10 16:50:33 LOG7[2940:3904]:    0 session cache misses
2005.10.10 16:50:33 LOG7[2940:3904]:    0 session cache timeouts
2005.10.10 16:50:33 LOG6[2940:3904]: SSL connected: new session
negotiated
2005.10.10 16:50:33 LOG6[2940:3904]: Negotiated ciphers: RC4-MD5
SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
2005.10.10 16:51:38 LOG3[2940:3904]: readsocket: Connection reset by
peer (WSAECONNRESET) (10054)
2005.10.10 16:51:38 LOG5[2940:3904]: Connection reset: 203 bytes sent to
SSL, 3214 bytes sent to socket
2005.10.10 16:51:38 LOG7[2940:3904]: https finished (0 left)
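The two logs above show a completed handshake and a short reply on both sides, so the 404 is an HTTP-level answer from the backend, not a TLS failure. The following is an added example, not code from the post or from the stunnel project, that reproduces the two points a reader would want to check. First, stunnel copies the HTTP bytes through unchanged, so a server that selects a site by the Host header receives `Host: 127.0.0.1:3000` rather than the name it serves; a constructed stand-in server below answers 404 for any other Host exactly as such a virtual host would. Second, the `VERIFY OK: depth=0, ... CN=www.fora.se` line was logged while stunnel was connecting to a bare IP, which shows that `verify` validates the chain against CApath without comparing the leaf CN to the connect target; a small parser over that log line performs the comparison the tunnel did not. The vhost name `www.fora.se` is taken from the log's CN, the stand-in server and the sample log lines are constructed for this example, and that the provider's server is name-based is an assumption, not something the thread establishes.

```python
"""Added example (not from the original post): why a request that works in a
browser can come back 404 through a plain stunnel client tunnel, and the
hostname check that stunnel's "verify" option does not perform.

Assumptions (not facts from the thread): the provider's server is a
name-based virtual host, and the vhost name equals the certificate CN.
"""
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVED_NAME = "www.fora.se"  # hypothetical vhost name, taken from the log's CN


class VhostHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a name-based virtual host: 200 only when the
    Host header names the site this vhost serves, 404 for anything else."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == SERVED_NAME:
            self.send_response(200)
            body = b"default page"
        else:
            self.send_response(404)
            body = b"File Not Found"
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_vhost_server():
    """Start the constructed server on an ephemeral loopback port.
    Returns (server, port); call server.shutdown() when done."""
    srv = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def raw_get(port, path, host_header):
    """Send one GET the way an application sends it to stunnel's accept side
    (stunnel would forward these bytes verbatim); return the status code."""
    req = (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
           f"Connection: close\r\n\r\n").encode()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(req)
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return int(data.split(b" ", 2)[1])


VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+), (.*)")


def leaf_cn(log_lines):
    """Return the CN of the depth=0 subject from stunnel 'VERIFY OK' lines,
    or None if no leaf line with a CN is present."""
    for line in log_lines:
        m = VERIFY_RE.search(line)
        if m and m.group(1) == "0":
            cn = re.search(r"/CN=([^/]+)", m.group(2))
            return cn.group(1) if cn else None
    return None


def hostname_matches(log_lines, connect_target):
    """The comparison stunnel's verify option did not make in the log above:
    does the leaf certificate's CN equal the host actually connected to?"""
    cn = leaf_cn(log_lines)
    return cn is not None and cn.lower() == connect_target.split(":")[0].lower()


# Constructed sample: the provider log's VERIFY lines, re-joined onto one line
# each (the mail client wrapped them); the DN values are the ones posted.
SAMPLE_LOG = [
    "2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=2, "
    "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority",
    "2005.10.10 16:50:28 LOG5[2760:3748]: VERIFY OK: depth=0, "
    "/C=SE/L=STOCKHOLM/O=Fora AB/OU=Member, VeriSign Trust Network/CN=www.fora.se",
]

if __name__ == "__main__":
    srv, port = start_vhost_server()
    print("Host: 127.0.0.1:%d ->" % port, raw_get(port, "/", "127.0.0.1:%d" % port))
    print("Host: %s ->" % SERVED_NAME, raw_get(port, "/", SERVED_NAME))
    srv.shutdown()
    print("leaf CN:", leaf_cn(SAMPLE_LOG))
    print("CN matches <ip>:3001?", hostname_matches(SAMPLE_LOG, "192.0.2.10:3001"))
```

Running it prints 404 for the loopback Host header and 200 for the served name, and reports that the CN `www.fora.se` does not match a connect target given as an IP. The same Host-header difference is what separates a browser hitting `https://<ip>:3001/<path>` from an application hitting `http://127.0.0.1:3000/<path>` through the tunnel, so it is the first thing to compare in the backend's access log; the CN comparison is the part of verification that has to be done by the client, since chain validation against CApath alone accepted the certificate here.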
 