[stunnel-users] Stunnel in Client / Server configuration

Michael Curran mike_curran at hotmail.com
Sat Mar 3 16:07:29 CET 2012


Hello,

   I have 2 servers in different locations across the country. I am using them as a paired tunnel in which both act as server and client.

Server A has this configuration (cert definitions left out on purpose, but exist and are valid)


; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
TIMEOUTclose=0

; 128-bit or higher only
ciphers = HIGH:MEDIUM

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2

; Some debugging stuff useful for troubleshooting
debug = local7.info
;warning


[Tunnel from Server B]
accept = 1.2.3.4:443
connect = 127.0.0.1:8082

[Tunnel to Server B]
accept = 5.6.7.8:3132
connect = 9.10.11.12:4000
client = yes


Server B has this configuration (cert definitions left out on purpose, but exist and are valid)

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
TIMEOUTclose=0

; 128-bit or higher only
ciphers = HIGH:MEDIUM

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2

; Some debugging stuff useful for troubleshooting
debug = local7.debug
;warning

[Tunnel to Server A]
accept = 10.1.2.3:9443
connect = 1.2.3.4:443
client = yes

[Tunnel from Server A]
accept = 9.10.11.12:4000
connect = 10.4.5.6:3132


Communication through Server A (client) to Server B (server)  works as expected

Communication through Server B (client) back to Server A (server) receives this error

        curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (this is as far as it gets; the client says hello and the server responds with this)


If I skip the local stunnel config and pass the traffic publicly through to Server A (running in client mode), from Server B, I get the expected http response I set up to test the tunnel.

I'm just assuming that if I am passing from stunnel on one system to stunnel on another, one of them should be client and the other should be server. This works well on our old configurations, and as far as I can see from a stunnel and network route perspective all rules are identical.

Why would it work from Server B to Server A on the response if I go directly to Server A, but fail locally? The configuration looks correct, what else could I check?
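Two checks a practitioner would run against a pairing like the one above, as an added example that is not code from the original post or from the stunnel project. The first parses the two service sections quoted in the post (embedded here as constructed copies, with the global options and certificate lines omitted) and verifies that every `client = yes` section on one host points at a server-mode `accept` address on the other host, which is the pairing the post assumes; it also reports what a program connecting to each `accept` port has to speak, since a client-mode accept port takes plaintext and a server-mode accept port takes TLS. The second classifies the first bytes a peer sends back, which is what OpenSSL's SSL23_GET_SERVER_HELLO step inspects before it raises "unknown protocol": a reply that does not begin with an SSL/TLS record header produces exactly that error. The `probe_first_bytes` helper is an assumed diagnostic that sends the start of a TLS record to a live port and returns whatever comes back; it is not exercised offline.

```python
"""Cross-check a pair of stunnel configurations and classify peer replies.

Added example, not code from the original post or from the stunnel project.
SERVER_A and SERVER_B are constructed copies of the service sections quoted
in the post; the global options and cert lines are left out on purpose.
"""
import socket

SERVER_A = """
[Tunnel from Server B]
accept = 1.2.3.4:443
connect = 127.0.0.1:8082

[Tunnel to Server B]
accept = 5.6.7.8:3132
connect = 9.10.11.12:4000
client = yes
"""

SERVER_B = """
[Tunnel to Server A]
accept = 10.1.2.3:9443
connect = 1.2.3.4:443
client = yes

[Tunnel from Server A]
accept = 9.10.11.12:4000
connect = 10.4.5.6:3132
"""


def parse_services(text):
    """Return {section: {option: value}} for the [service] sections.

    Lines before the first [section] are global options and are skipped;
    ';' starts a comment, as in stunnel.conf.
    """
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            services[current][key.strip().lower()] = value.strip()
    return services


def is_client(opts):
    return opts.get("client", "no").lower() == "yes"


def expected_input(opts):
    """What a program connecting to this section's accept port must speak."""
    return "plaintext" if is_client(opts) else "tls"


def pair_tunnels(local, remote):
    """For each client = yes section in `local`, find the server-mode section
    in `remote` whose accept address equals the local connect address.
    Returns [(local_section, remote_section_or_None), ...]."""
    pairs = []
    for name, opts in local.items():
        if not is_client(opts):
            continue
        target = opts.get("connect")
        match = next((r for r, ropts in remote.items()
                      if not is_client(ropts) and ropts.get("accept") == target), None)
        pairs.append((name, match))
    return pairs


def classify_reply(first_bytes):
    """Classify the first bytes a peer sent back to a TLS ClientHello.

    SSLv3/TLS records start with a content type (0x16 handshake, 0x15 alert)
    followed by a 0x03 major version byte.  Anything else is what makes
    OpenSSL report SSL23_GET_SERVER_HELLO:unknown protocol.
    """
    if not first_bytes:
        return "empty"
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-handshake"
        if first_bytes[0] == 0x15:
            return "tls-alert"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe_first_bytes(host, port, timeout=5.0):
    """Assumed diagnostic: send the header of a TLS handshake record and return
    the first bytes of the reply so classify_reply() can label the peer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x16\x03\x01\x00\x00")
        try:
            return s.recv(16)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    a, b = parse_services(SERVER_A), parse_services(SERVER_B)
    for side, local, remote in (("A->B", a, b), ("B->A", b, a)):
        for local_name, remote_name in pair_tunnels(local, remote):
            print(f"{side}: [{local_name}] -> [{remote_name}]")
    for host, conf in (("A", a), ("B", b)):
        for name, opts in conf.items():
            print(f"{host} [{name}] accept {opts['accept']} expects {expected_input(opts)}")
```

Run as a script it shows that both directions pair a client section with a server-mode accept on the far side, so the client/server split itself is consistent; it also lists that 10.1.2.3:9443 on Server B expects plaintext while 1.2.3.4:443 on Server A expects TLS, which is worth comparing against the URL scheme curl is given on each hop. Note that `classify_reply` does not recognise the old SSLv2-format ServerHello; on the stunnel versions of that era `options = NO_SSLv2` is set anyway.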




 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20120303/4ce89d5e/attachment.html>


More information about the stunnel-users mailing list