[stunnel-users] STunnel on Windows (2008R2 Server)

Leandro Avila leandro.avila at ymail.com
Sat Jan 28 06:19:52 CET 2012


Robert,

I would take a look at FIPS mode. You might want to disable that on stunnel for testing and see if that makes any difference.

This particular part of your error log gives some clues on the issue.
SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure 


The restrictions that FIPS imposes on the ciphers used might leave the two hosts without a common cipher with which to
successfully carry out the handshake.

Hope this helps

----------------- 
Leandro Avila


________________________________
 From: "Skinner, Robert" <rgs9 at buffalo.edu>
To: "stunnel-users at stunnel.org" <stunnel-users at stunnel.org> 
Sent: Friday, January 27, 2012 5:18 PM
Subject: [stunnel-users] STunnel on Windows (2008R2 Server)
 

I am attempting to use stunnel to encrypt traffic between our backup client (Windows 2008R2) and our NetApp filer, but I’m not having any luck.
We would like to use stunnel to redirect the port 80 calls to the filer (ubfs2.buffalo.edu) to port 443.
By design, the backup client (IBM Tivoli/TSM V6.2.4) makes a call to the NetApp over the http.admin interface to tell it to create a snapshot.
The filer listens on https.admin (not http.admin), and we don’t want to turn on http.admin for security reasons.
I’ve included the stunnel.config file, hosts file, and the output below.
If anyone could give us a hand here it would be much appreciated.
We tested this config on a Mac laptop and it works just fine, so I would assume that it has something to do with Windows 2008R2.
 
Stunnel.config
 
debug = 7
client = yes
 
[snapdiff]
accept = localhost:80
connect = 128.205.5.55:443
sslVersion = all
 
hosts
 
127.0.0.1       localhost ubfs2.buffalo.edu
 
output
 
7[1596:4336]: No limit detected for the number of clients
2012.01.27 15:16:30 LOG5[1596:4336]: stunnel 4.52 on x86-pc-mingw32-gnu platform
2012.01.27 15:16:30 LOG5[1596:4336]: Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
2012.01.27 15:16:30 LOG5[1596:4336]: Threading:WIN32 SSL:ENGINE,FIPS Auth:none Sockets:SELECT,IPv6
2012.01.27 15:16:30 LOG5[1596:4336]: Reading configuration from file stunnel.conf
2012.01.27 15:16:30 LOG5[1596:4336]: FIPS mode is enabled
2012.01.27 15:16:30 LOG7[1596:4336]: Compression not enabled
2012.01.27 15:16:30 LOG7[1596:4336]: Snagged 64 random bytes from C:/.rnd
2012.01.27 15:16:30 LOG7[1596:4336]: Wrote 1024 new random bytes to C:/.rnd
2012.01.27 15:16:30 LOG7[1596:4336]: PRNG seeded successfully
2012.01.27 15:16:31 LOG6[1596:4336]: Initializing SSL context for service snapdiff
2012.01.27 15:16:31 LOG7[1596:4336]: SSL options set: 0x00000004
2012.01.27 15:16:31 LOG6[1596:4336]: SSL context initialized
2012.01.27 15:16:31 LOG5[1596:4336]: Configuration successful
2012.01.27 15:16:31 LOG7[1596:4336]: Service snapdiff bound FD=396 to 127.0.0.1:80
2012.01.27 15:16:40 LOG7[1596:4336]: Service snapdiff accepted FD=452 from 127.0.0.1:51366
2012.01.27 15:16:40 LOG7[1596:4336]: Creating a new thread
2012.01.27 15:16:40 LOG7[1596:4336]: New thread created
2012.01.27 15:16:40 LOG7[1596:4336]: Service snapdiff accepted FD=460 from 127.0.0.1:51367
2012.01.27 15:16:40 LOG7[1596:4336]: Creating a new thread
2012.01.27 15:16:40 LOG7[1596:4336]: New thread created
2012.01.27 15:16:40 LOG7[1596:5080]: Service snapdiff started
2012.01.27 15:16:40 LOG5[1596:5080]: Service snapdiff accepted connection from 127.0.0.1:51366
2012.01.27 15:16:40 LOG6[1596:5080]: connect_blocking: connecting 128.205.5.55:443
2012.01.27 15:16:40 LOG7[1596:5080]: connect_blocking: s_poll_wait 128.205.5.55:443: waiting 10 seconds
2012.01.27 15:16:40 LOG7[1596:4720]: Service snapdiff started
2012.01.27 15:16:40 LOG5[1596:4720]: Service snapdiff accepted connection from 127.0.0.1:51367
2012.01.27 15:16:40 LOG6[1596:4720]: connect_blocking: connecting 128.205.5.55:443
2012.01.27 15:16:40 LOG7[1596:4720]: connect_blocking: s_poll_wait 128.205.5.55:443: waiting 10 seconds
2012.01.27 15:16:40 LOG5[1596:4720]: connect_blocking: connected 128.205.5.55:443
2012.01.27 15:16:40 LOG5[1596:4720]: Service snapdiff connected remote server from 128.205.4.234:51369
2012.01.27 15:16:40 LOG7[1596:4720]: Remote FD=508 initialized
2012.01.27 15:16:40 LOG3[1596:4720]: SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2012.01.27 15:16:40 LOG5[1596:4720]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.01.27 15:16:40 LOG7[1596:4720]: Service snapdiff finished (1 left)
2012.01.27 15:16:43 LOG5[1596:5080]: connect_blocking: connected 128.205.5.55:443
2012.01.27 15:16:43 LOG5[1596:5080]: Service snapdiff connected remote server from 128.205.4.234:51368
2012.01.27 15:16:43 LOG7[1596:5080]: Remote FD=480 initialized
2012.01.27 15:16:43 LOG3[1596:5080]: SSL_connect: 14077410: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2012.01.27 15:16:43 LOG5[1596:5080]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.01.27 15:16:43 LOG7[1596:5080]: Service snapdiff finished (0 left)
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
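As an added example (not code from this thread or from the stunnel project), the diagnosis suggested above can be scripted: write a copy of the posted stunnel.conf with the global option `fips = no` added (stunnel 4.x accepts `fips = yes | no`), then hit the filer with `openssl s_client` twice, once restricted to the `FIPS` cipher string and TLS 1.0 as FIPS mode would be, once with the `DEFAULT` list. If only the FIPS-restricted probe reports the same `sslv3 alert handshake failure`, the missing common cipher is confirmed. The filer address comes from the post; the `--probe` flag, the output file name and the `classify_s_client_output` helper are this example's own choices, and the sample s_client transcripts in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the stunnel FIPS question
# with a non-FIPS test config and two openssl s_client probes.
# Assumes the openssl CLI is on PATH when --probe is used.
set -e

FILER="${FILER:-128.205.5.55:443}"   # filer IP and port from Robert's config

# Write a test copy of the posted stunnel.conf with FIPS mode turned off.
# Prints the path it wrote so callers can inspect the file.
write_test_conf() {
    out="$1"
    cat > "$out" <<EOF
; test copy of the posted stunnel.conf, FIPS disabled for diagnosis only
debug = 7
client = yes
fips = no

[snapdiff]
accept = localhost:80
connect = ${FILER}
sslVersion = all
EOF
    printf '%s\n' "$out"
}

# Reduce an s_client transcript to one line: the handshake-failure alert seen
# in the stunnel log, the negotiated cipher, or "no cipher negotiated".
# Kept free of network I/O so it can be checked against saved transcripts.
classify_s_client_output() {
    if printf '%s\n' "$1" | grep -q 'alert handshake failure'; then
        echo "handshake failure"
    else
        printf '%s\n' "$1" | sed -n 's/.*Cipher is //p' | head -n 1 \
            | grep -v '^(NONE)$' || echo "no cipher negotiated"
    fi
}

# probe CIPHERS [extra s_client options]
# Try a handshake with the given OpenSSL cipher string and classify the result.
probe() {
    ciphers="$1"
    shift
    out=$(printf 'QUIT\n' | openssl s_client -connect "$FILER" \
            -cipher "$ciphers" ${1+"$@"} 2>&1 || true)
    classify_s_client_output "$out"
}

# Usage: FILER=host:443 sh fips-probe.sh --probe
if [ "${1:-}" = "--probe" ]; then
    echo "wrote $(write_test_conf ./stunnel-nofips.conf)"
    echo "FIPS ciphers, TLS1 only : $(probe FIPS -tls1)"
    echo "DEFAULT cipher list     : $(probe DEFAULT)"
fi
```

Run with `--probe` on the Windows host (or any box that can reach the filer) and compare the two lines; a `handshake failure` for the FIPS probe next to a named cipher for the DEFAULT probe matches the `SSL23_GET_SERVER_HELLO` error from the log and means `fips = no` (or a FIPS-compatible cipher on the filer side) is the fix. Since `fips = no` gives up the FIPS 140-2 validation, treat it as a test setting and decide separately which side's cipher configuration should change for production.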