[stunnel-users] stunnel 4.26 MS SQL connection - works on Vista, not on XP

zervakos gzervakos at gladstonellc.com
Mon Mar 23 13:50:25 CET 2009


Greetings,

I was wondering if anyone's come across anything like this.  I want to
encrypt connections for MS SQL Server 2008 Express from a Windows XP client
to a Windows 2003 Server.  Following these instructions:

http://www.securityfocus.com/infocus/1677

I was able to configure encrypted connections by pointing SQL Server
Management Studio to 127.0.0.1 on _either_ XP or Vista and then that gets
tunneled over to the Windows 2003 Server running SQL Server 2008 Express.  I
can browse the database tables, etc.

Now the problem.  I have users that make use of a thin client that connects
directly to the SQL Server.  It has one config file that I've pointed to
127.0.0.1.  When I run this thin client on Vista, it works great.  When I run
it on XP, however, stunnel tries to connect, but then gives up after
several attempts.

Here's what I see in the server log before connecting:

2009.03.23 12:26:59 LOG7[284564:274684]: RAND_status claims sufficient
entropy for the PRNG
2009.03.23 12:26:59 LOG7[284564:274684]: PRNG seeded successfully
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from
CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup
file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation
lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service
vnc
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from
CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup
file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation
lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service
mssql
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from
CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup
file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation
lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service
rdp
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Certificate loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Key file: server.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Private key loaded
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded verify certificates from
CAcert.pem
2009.03.23 12:26:59 LOG7[284564:274684]: Loaded CAcert.pem revocation lookup
file
2009.03.23 12:26:59 LOG7[284564:274684]: Verify directory set to
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: Added certificates revocation
lookup directory
2009.03.23 12:26:59 LOG5[284564:274684]: Peer certificate location
certificates
2009.03.23 12:26:59 LOG7[284564:274684]: SSL context initialized for service
http
2009.03.23 12:26:59 LOG5[284564:274684]: stunnel 4.26 on x86-pc-mingw32-gnu
with OpenSSL 0.9.8i 15 Sep 2008
2009.03.23 12:26:59 LOG5[284564:274684]: Threading:WIN32 SSL:ENGINE
Sockets:SELECT,IPv6
2009.03.23 12:26:59 LOG5[284564:289192]: No limit detected for the number of
clients
2009.03.23 12:27:00 LOG7[284564:289192]: FD 268 in non-blocking mode
2009.03.23 12:27:00 LOG7[284564:289192]: SO_REUSEADDR option set on accept
socket
2009.03.23 12:27:00 LOG7[284564:289192]: mssql bound to
WINDOWS_SQL_SERVER:14333
2009.03.23 12:27:00 LOG7[284564:289192]: FD 292 in non-blocking mode
2009.03.23 12:27:00 LOG7[284564:289192]: SO_REUSEADDR option set on accept
socket

And here's what I see after trying to connect from XP (this appears 16 more
times in stunnel.log until stunnel gives up):

2009.03.23 12:29:48 LOG7[284564:289192]: mssql accepted FD=308 from
Windows_XP_Client:1252
2009.03.23 12:29:48 LOG7[284564:289192]: Creating a new thread
2009.03.23 12:29:48 LOG7[284564:289192]: New thread created
2009.03.23 12:29:48 LOG7[284564:348604]: mssql started
2009.03.23 12:29:48 LOG7[284564:348604]: FD 308 in non-blocking mode
2009.03.23 12:29:48 LOG5[284564:348604]: mssql accepted connection from
Windows_XP_Client:1252
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): before/accept
initialization
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read
client hello A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write
server hello A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write
certificate A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write
certificate request A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 flush
data
2009.03.23 12:29:48 LOG5[284564:348604]: CRL: verification passed
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=1,
/C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure
Labs/CN=CA/emailAddress=user at abc.com
2009.03.23 12:29:48 LOG5[284564:348604]: CRL: verification passed
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=0,
/C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=VNC
Client/emailAddress=user at abc.com
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read
client certificate A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read
client key exchange A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read
certificate verify A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 read
finished A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write
change cipher spec A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 write
finished A
2009.03.23 12:29:48 LOG7[284564:348604]: SSL state (accept): SSLv3 flush
data
2009.03.23 12:29:48 LOG7[284564:348604]:    1 items in the session cache
2009.03.23 12:29:48 LOG7[284564:348604]:    0 client connects
(SSL_connect())
2009.03.23 12:29:48 LOG7[284564:348604]:    0 client connects that finished
2009.03.23 12:29:48 LOG7[284564:348604]:    0 client renegotiations
requested
2009.03.23 12:29:48 LOG7[284564:348604]:    1 server connects (SSL_accept())
2009.03.23 12:29:48 LOG7[284564:348604]:    1 server connects that finished
2009.03.23 12:29:48 LOG7[284564:348604]:    0 server renegotiations
requested
2009.03.23 12:29:48 LOG7[284564:348604]:    0 session cache hits
2009.03.23 12:29:48 LOG7[284564:348604]:    0 session cache misses
2009.03.23 12:29:48 LOG7[284564:348604]:    0 session cache timeouts
2009.03.23 12:29:48 LOG6[284564:348604]: SSL accepted: new session
negotiated
2009.03.23 12:29:48 LOG6[284564:348604]: Negotiated ciphers: AES256-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2009.03.23 12:29:48 LOG7[284564:348604]: FD 332 in non-blocking mode
2009.03.23 12:29:48 LOG7[284564:348604]: mssql connecting 127.0.0.1:1433
2009.03.23 12:29:48 LOG7[284564:348604]: connect_wait: waiting 10 seconds
2009.03.23 12:29:48 LOG7[284564:348604]: connect_wait: connected
2009.03.23 12:29:48 LOG5[284564:348604]: mssql connected remote server from
127.0.0.1:2001
2009.03.23 12:29:48 LOG7[284564:348604]: Remote FD=332 initialized
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (read): warning: close
notify
2009.03.23 12:29:48 LOG7[284564:348604]: SSL closed on SSL_read
2009.03.23 12:29:48 LOG7[284564:348604]: Socket write shutdown
2009.03.23 12:29:48 LOG7[284564:348604]: SSL write shutdown
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (write): warning: close
notify
2009.03.23 12:29:48 LOG6[284564:348604]: SSL_shutdown successfully sent
close_notify
2009.03.23 12:29:48 LOG5[284564:348604]: Connection closed: 37 bytes sent to
SSL, 52 bytes sent to socket
2009.03.23 12:29:48 LOG7[284564:348604]: mssql finished (0 left)


The server's stunnel.conf:

CAfile = CAcert.pem
CApath = certificates
cert = server.pem
client = no
verify = 3
debug = 7
output = stunnel.log

[mssql]
accept = WINDOWS_SQL_SERVER:14333
connect = 127.0.0.1:1433


The client's stunnel.conf:

CAfile = CAcert.pem
CApath = certificates
cert = client.pem
client = yes
verify = 3
debug = 7
output = stunnel.log

[mssql]
accept = 127.0.0.1:1433
connect = WINDOWS_SQL_SERVER:14333

Things I've tried:

- changed the compatibility settings of the thin client to work under earlier
versions of Windows, this didn't help

- regenerated certificates, no good

- tried connecting without certificates, still no good


I still haven't tried earlier versions of stunnel, but I figured I'd just
check and see if maybe anyone's run across something like this before.  From
what I can tell, the combination of XP, the thin client and stunnel does not
work.  The thin client does work on XP when I do not use stunnel, but I need
to have the connection encrypted.

Any help greatly appreciated,
thanks

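To narrow down a failure like the one above from the server-side trace alone, here is an added example (not from the post and not part of stunnel itself) that groups stunnel 4.26 debug lines by worker thread id and records, per connection, whether the TLS handshake completed, which client certificate and cipher were negotiated, whether the backend connect succeeded, and whether the TLS peer sent close_notify. It assumes the log line format shown in the post; the sample lines are copied from the trace above and the field names are my own.

```python
import re
# Constructed sample: a trimmed copy of the server-side stunnel 4.26 debug
# trace quoted in the post above (worker thread 348604), one line per event.
SAMPLE_LOG = """\
2009.03.23 12:29:48 LOG5[284564:348604]: mssql accepted connection from Windows_XP_Client:1252
2009.03.23 12:29:48 LOG5[284564:348604]: VERIFY OK: depth=0, /C=PL/ST=Warsaw/L=Warsaw/O=Secure/OU=Secure Labs/CN=VNC Client/emailAddress=user at abc.com
2009.03.23 12:29:48 LOG6[284564:348604]: SSL accepted: new session negotiated
2009.03.23 12:29:48 LOG6[284564:348604]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2009.03.23 12:29:48 LOG5[284564:348604]: mssql connected remote server from 127.0.0.1:2001
2009.03.23 12:29:48 LOG7[284564:348604]: SSL alert (read): warning: close notify
2009.03.23 12:29:48 LOG5[284564:348604]: Connection closed: 37 bytes sent to SSL, 52 bytes sent to socket
"""
# stunnel 4.x line shape: "<date> <time> LOG<level>[<pid>:<tid>]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ LOG(\d)\[(\d+):(\d+)\]: (.*)$")

def parse_stunnel_log(text):
    """Group stunnel debug lines by worker thread id and summarise each connection."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation of a mailer-wrapped line, or not an stunnel line
        c = conns.setdefault(m.group(3), {"peer": None, "client_dn": None, "handshake": False,
                                          "cipher": None, "backend": None, "peer_close_notify": False,
                                          "bytes_to_ssl": None, "bytes_to_socket": None})
        msg = m.group(4)
        if (e := re.match(r"^\S+ accepted connection from (\S+)$", msg)):
            c["peer"] = e.group(1)
        elif (e := re.match(r"^VERIFY OK: depth=0, (.*)$", msg)):
            c["client_dn"] = e.group(1)            # leaf certificate presented by the TLS peer
        elif msg == "SSL accepted: new session negotiated":
            c["handshake"] = True
        elif (e := re.match(r"^Negotiated ciphers: (\S+)", msg)):
            c["cipher"] = e.group(1)
        elif (e := re.match(r"^\S+ connected remote server from (\S+)$", msg)):
            c["backend"] = e.group(1)              # local endpoint of the plaintext hop
        elif msg == "SSL alert (read): warning: close notify":
            c["peer_close_notify"] = True          # an alert that was *read* came from the peer
        elif (e := re.match(r"^Connection closed: (\d+) bytes sent to SSL, (\d+) bytes sent to socket$", msg)):
            c["bytes_to_ssl"], c["bytes_to_socket"] = int(e.group(1)), int(e.group(2))
    return conns

def diagnose(c):
    """Locate the failing stage of one connection from the server-side trace alone."""
    if not c["handshake"]:
        return "tls-handshake-failed"
    if c["backend"] is None:
        return "backend-connect-failed"
    return "closed-by-tls-peer-after-handshake" if c["peer_close_notify"] else "ok"
```

On the trace above it reports that both the handshake (with the client certificate verified) and the connect to 127.0.0.1:1433 succeeded, and that the TLS peer closed the session after 52 bytes had been forwarded to the plaintext side, which separates a certificate or tunnel fault from whatever happens in the application traffic itself.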