[stunnel-users] STunnel v5.11 Multi SNI

Michal Trojnara Michal.Trojnara at mirt.net
Tue Mar 17 15:12:38 CET 2015



Hi Scott,

Your configuration should be either:

[https]
accept  = 443
connect = 80

[test_com]
sni = https:test.com
connect = 192.168.64.220:80

[www_test_com]
sni = https:www.test.com
connect = 192.168.64.220:80

[testing_com]
sni = https:testing.com
connect = 192.168.64.253:80

[www_testing_com]
sni = https:www.testing.com
connect = 192.168.64.253:80

or

[https]
accept  = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80

Mike

On 17.03.2015 14:46, Scott McKeown wrote:
> Hi Guys,
> 
> I've got a small issue where I'm trying to use multiple SNI rules
> in an STunnel frontend:
> 
> STunnel Version is:
> 
> stunnel -version
> stunnel 5.11 on x86_64-unknown-linux-gnu platform
> Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
> Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
> 
> Global options:
> debug                  = daemon.notice
> RNDbytes               = 64
> RNDfile                = /dev/urandom
> RNDoverwrite           = yes
> 
> Service-level options:
> ciphers                = FIPS (with "fips = yes")
> ciphers                = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
> curve                  = prime256v1
> options                = NO_SSLv2
> options                = NO_SSLv3
> sessionCacheSize       = 1000
> sessionCacheTimeout    = 300 seconds
> stack                  = 65536 bytes
> TIMEOUTbusy            = 300 seconds
> TIMEOUTclose           = 60 seconds
> TIMEOUTconnect         = 10 seconds
> TIMEOUTidle            = 43200 seconds
> verify                 = none
> 
> 
> stunnel.conf is:
> 
> [https]
> accept  = 443
> connect = 80
> 
> [www_test]
> sni = https:test.com
> sni = https:www.test.com
> connect = 192.168.64.220:80
> 
> [testing]
> sni = https:testing.com
> sni = https:www.testing.com
> connect = 192.168.64.253:80
> 
> 
> I've created local DNS rules for each of these hosts, but the
> problem is that only the last entered sni rule gets matched, so for
> example www.test.com works but test.com does not. It's the same for
> testing.com and www.testing.com.
> 
> 
> This is what the log file shows too:
> 
> 2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
> 2015.03.03 20:01:19 LOG7[12808]: Service [https] started
> 2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
> 2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
> 2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
> 2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
> 2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
> 2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
> 2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
> 2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
> 2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
> 2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
> 2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
> 2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
> 2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
> 2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
> 2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
> 2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
> 2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
> 2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
> 2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
> 2015.03.03 20:01:49 LOG7[12809]: Service [https] started
> 2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
> 2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
> 2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
> 2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
> 2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
> 2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
> 2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
> 2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)
> 
> I have seen a couple of patch files floating around but they are
> for older versions and I can't get them to compile into the v5.11
> version.
> 
> Any thoughts?
> 
> 
> -- 
> With Kind Regards.
> 
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
> 
> 
> 
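A small checker for the two points in this thread, added here and not part of the original message or of stunnel itself: it flags sections that set `sni` more than once (only the last line survives, which is why test.com never matched) and works out which service a given servername would reach under the corrected layout. The wildcard semantics are an assumption: a leading `*` is treated as a case-insensitive suffix match, which is how the reply's `*test.com` covers both test.com and www.test.com.

```python
# Constructed configs (listener section [https] omitted): BROKEN_CONF repeats the original
# post's two "sni" lines in one section; FIXED_CONF uses one section per pattern.
BROKEN_CONF = """
[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80
"""
FIXED_CONF = """
[test]
sni = https:*test.com
connect = 192.168.64.220:80
[testing]
sni = https:*testing.com
connect = 192.168.64.253:80
"""

def parse_conf(text):
    """stunnel.conf -> [(section, [(key, value), ...])], keeping duplicate keys."""
    sections = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in ";#":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), []))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1].append((key, value))
    return sections

def duplicate_sni_sections(text):
    """Sections that set 'sni' more than once; stunnel keeps only the last value."""
    return [name for name, opts in parse_conf(text)
            if sum(k == "sni" for k, _ in opts) > 1]

def sni_matches(servername, pattern):
    """Assumed stunnel rule: a leading '*' is a case-insensitive suffix wildcard, else exact."""
    if pattern.startswith("*"):
        return servername.lower().endswith(pattern[1:].lower())
    return servername.lower() == pattern.lower()

def route(text, listener, servername):
    """First SNI service under `listener` matching `servername`; None = 'unrecognized name'."""
    for name, opts in parse_conf(text):
        opts = dict(opts)  # a repeated key overwrites the earlier one, as in stunnel's parser
        svc, _, pattern = opts.get("sni", "").partition(":")
        if pattern and svc == listener and sni_matches(servername, pattern):
            return name, opts.get("connect")
    return None
```

Under the assumed suffix rule `*test.com` also routes a name such as nottest.com to the 192.168.64.220 backend, so exact entries are the safer choice wherever that distinction matters.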

