[stunnel-users] (no subject)

Adrián Mihálko adriankoooo at gmail.com
Sat Oct 10 19:28:36 CEST 2015


Thank you for this idea.

The connection is now successful:

http://pastebin.com/idLxrzRA <http://pastebin.com/idLxrzRA>

But the application on :41952 is blocking the request.

Let me clarify:

The only URL what is working is:
https://localhost:41952/DYMO/DLS/Printing/Check <https://localhost:41952/DYMO/DLS/Printing/Check>
https://www.dropbox.com/s/syw5clruyjildyf/Screenshot%202015-10-10%2019.18.23.png?dl=0 <https://www.dropbox.com/s/syw5clruyjildyf/Screenshot%202015-10-10%2019.18.23.png?dl=0>
 
Non working URL's:

https://127.0.0.1:41952/DYMO/DLS/Printing/Check
https://www.dropbox.com/s/8fc2v1e3gr0ap2q/Screenshot%202015-10-10%2019.19.27.png?dl=0 <https://www.dropbox.com/s/8fc2v1e3gr0ap2q/Screenshot%202015-10-10%2019.19.27.png?dl=0>

https://192.168.2.123:41952/DYMO/DLS/Printing/Check <https://192.168.2.123:41952/DYMO/DLS/Printing/Check>
https://www.dropbox.com/s/yfkwx1s5acfek38/Screenshot%202015-10-10%2019.20.46.png?dl=0 <https://www.dropbox.com/s/yfkwx1s5acfek38/Screenshot%202015-10-10%2019.20.46.png?dl=0>

From remote machine (trough stunnel) I get same error:
https://www.dropbox.com/s/cm6l358k948hxhu/Screenshot%202015-10-10%2019.21.23.png?dl=0 <https://www.dropbox.com/s/cm6l358k948hxhu/Screenshot%202015-10-10%2019.21.23.png?dl=0>

Interesting that 127.0.0.1, 192.168.2.123 are also pointing to the localhost and it's not working.
I think the web service on :41952 checks the request header? Is there any way to fake this?

Regards,
Adrian

> On 10. 10. 2015, at 19:06, Jose Alf. <josealf at rocketmail.com> wrote:
> 
> Adrian,
> 
> Sorry, I didn't read your original mail carefully. You want to write  https://192.168.1.10:1988 <https://192.168.1.10:1988/>   <https://192.168.1.10:1988/>
>  and reach your SSL or TLS service that listens on port 4952 of loopback interface on host with IP 192.168.1.10.
> 
> You need to 2 stunnel stanzas to achive what you want. Something like:
> 
> 
> [myservice]
> cert = stunnel.pem
> client = no
> accept = 0.0.0.0:1988 <http://0.0.0.0:1988/>
> connect = localhost:1987
> 
> 
> [myserviceaux]
> cert = stunnel.pem
> client = yes
> accept = localhost:1987 <http://0.0.0.0:1988/>
> connect = localhost:4952
> 
> 
> If you find this too convoluted, you could try with other reverse proxy software like apache or squid.
> 
> With your original config, you should be able to connect using http instead of https, as stunnel is expecting clearr text traffic.
> 
> 
> Please try and let us know how it goes.
> 
> On Saturday, October 10, 2015 9:58 AM, Josealf.rm <josealf at rocketmail.com> wrote:
> 
> 
> Some clarifications
> 
> 1. Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3 that is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.
> 2. You can do a direct test with curl against you service (local) or openssl s_client.
> 
> Regards
> Jose
> 
> El 9 oct 2015, a las 5:44, Adrián Mihálko <adriankoooo at gmail.com <mailto:adriankoooo at gmail.com>> escribió:
> 
>> Some good news, I remove client = yes as you suggested:
>> 
>> 2015.10.09 12:39:29 LOG5[main]: Configuration successful
>> 2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>> 2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
>> 2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
>> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671 <http://192.168.1.25:49671/>
>> 2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
>> 2015.10.09 12:39:34 LOG6[60]: No peer certificate received
>> 2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
>> 2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
>> 2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
>> 2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
>> 2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
>> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
>> 2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
>> 2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672 <http://192.168.1.25:49672/>
>> 2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
>> 2015.10.09 12:39:34 LOG6[61]: No peer certificate received
>> 2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
>> 2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
>> 2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952 <http://127.0.0.1:41952/>
>> 2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952 <http://127.0.0.1:41952/>
>> 2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 <http://127.0.0.1:41952/> cached
>> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599 <http://127.0.0.1:50599/>
>> 
>> openssl_client log:
>> 
>> http://pastebin.com/7bg3sf7J <http://pastebin.com/7bg3sf7J>
>> 
>> The problem is now that the site loads forever, nothing happens. 
>> 
>> (this certificate (:1988) is other than the original (:41952). This is not problem?
>> 
>> curl test:
>> 
>> $ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check <https://192.168.1.17:1988/DYMO/DLS/Printing/Check> -vk
>> *   Trying 192.168.1.17...
>> * Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> * Server certificate: localhost
>> > GET /DYMO/DLS/Printing/Check HTTP/1.1
>> > Host: 192.168.1.17:1988 <http://192.168.1.17:1988/>
>> > User-Agent: curl/7.43.0
>> > Accept: */*
>> > 
>> waiting forever.
>> 
>> 2015-10-09 12:34 GMT+02:00 Adrián Mihálko <adriankoooo at gmail.com <mailto:adriankoooo at gmail.com>>:
>> In the first mail I wrote ports bad, of course in the log I am using the good ones.
>> 
>> [myservice]
>> cert = stunnel.pem
>> client = yes
>> accept = 0.0.0.0:1988 <http://0.0.0.0:1988/>
>> connect = localhost:41952
>> 
>> 
>> 2015-10-09 12:32 GMT+02:00 Adrián Mihálko <adriankoooo at gmail.com <mailto:adriankoooo at gmail.com>>:
>> Sorry, curl was only for testing.
>> 
>> Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988 <http://192.168.1.17:1988/>
>> CONNECTED(00000003)
>> 1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
>> 
>> 2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
>> 2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
>> 2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
>> 2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
>> 2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
>> 2015.10.09 12:23:21 LOG5[main]: Configuration successful
>> 2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454 <http://192.168.1.25:49454/>
>> 2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
>> 2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
>> 2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>> 2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
>> 2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>> 2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
>> 2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
>> 
>> If I am connecting to the :41952:
>> 
>> openssl s_client -connect 192.168.1.17:41952 <http://192.168.1.17:41952/>...
>> 
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1724 bytes and written 712 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 4096 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>> ...
>> 
>> 
>> 2015-10-09 10:55 GMT+02:00 test rig <testrig at z1p.biz <mailto:testrig at z1p.biz>>:
>> 
>> Ouch #2 missing...
>> 
>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
>> 
>> You are connection to :9999 with curl(?)
>> Try verify it via "openssl s_client -connect yourserverip:1988" command
>> 
>> Best Regards
>> Michael
>> 
>> --- Ursprüngliche Nachricht ---
>> Von: "test rig" <testrig at z1p.biz <mailto:testrig at z1p.biz>>
>> Datum: 09.10.2015 09:48:02
>> An: "stunnel-users at stunnel.org <mailto:stunnel-users at stunnel.org>." <stunnel-users at stunnel.org <mailto:stunnel-users at stunnel.org>>
>> Betreff: Re: [stunnel-users] (no subject)
>> 
>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
>> --- Ursprüngliche Nachricht ---
>> Von: Adrián Mihálko 
>> Datum: 09.10.2015 08:15:19
>> An: stunnel-users at stunnel.org <mailto:stunnel-users at stunnel.org>
>> Betreff: [stunnel-users] (no subject)
>> 
>> Dear stunnel users,
>> 
>> I have a little service which listen only on https://localhost:4952 <https://localhost:4952/> and checks source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952"
>> 
>> https://192.168.1.10:1988 <https://192.168.1.10:1988/> -> redirect https://localhost:4952 <https://localhost:4952/>
>> 
>> 
>>  I am trying to configure stunnel like this
>> 
>> [myservice]
>> cert = stunnel.pem
>> client = yes
>> accept = 0.0.0.0:1988 <http://0.0.0.0:1988/>
>> connect = localhost:4952
>> 
>> remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check <https://192.168.1.25:9999/DYMO/DLS/Printing/Check> -v
>> *   Trying 192.168.1.25...
>> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
>> * WARNING: using IP address, SNI is being disabled by the OS.
>> * Unknown SSL protocol error in connection to 192.168.1.25:-9847
>> * Closing connection 0
>> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
>> 
>> stunnel.log:
>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748 <http://192.168.1.24:60748/>
>> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
>> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952 <http://127.0.0.1:41952/>
>> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952 <http://127.0.0.1:41952/>
>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503 <http://127.0.0.1:50503/>
>> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>> 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
>> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
>> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
>> 
>> I am tried verify = 1 to 4, either works. :(
>> 
>> Best Regards,
>> Adrian
>> 
>> 
>> ______________________________________________________
>> powered by Perfect-Privacy.com <http://perfect-privacy.com/> / Secure-Mail.biz <http://secure-mail.biz/> - anonymous and secure internet.
>> 
>> 
>> ______________________________________________________
>> powered by Perfect-Privacy.com <http://perfect-privacy.com/> / Secure-Mail.biz <http://secure-mail.biz/> - anonymous and secure internet.
>> 
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org <mailto:stunnel-users at stunnel.org>
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users <https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users>
>> 
>> 
>> 
>> 
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org <mailto:stunnel-users at stunnel.org>
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users <https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users>
> 
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org <mailto:stunnel-users at stunnel.org>
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users <https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users>
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20151010/f113245b/attachment.html>


More information about the stunnel-users mailing list