[stunnel-users] (no subject)
Adrián Mihálko
adriankoooo at gmail.com
Sat Oct 10 21:07:14 CEST 2015
Yeah, curl works fine (THANK YOU!):
curl https://192.168.2.123:41951/DYMO/DLS/Printing/Check -vk -H "Host: localhost"
<html><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><body style="text-align:center;color:DarkGreen;font-size:2em;"><b>Congratulations! DLS Web Service is up and running. <br/>You can now print from supported web sites.
The biggest problem now is that I connect to this service from a JavaScript framework, and from there it is still not working.
In the meantime I found in stunnel's TODO:
• Add user-defined headers to CONNECT proxy requests in order to impersonate other software (e.g. web browsers).
Maybe this is what I need now?
Regards,
Adrian
> On 10. 10. 2015, at 21:02, Josealf.rm <josealf at rocketmail.com> wrote:
>
> You can set the host header in the request using curl. Try adding -H "HOST: localhost" to your command.
>
> Not sure about regular browsers...
>
> Regards
> Jose
>
>
> On 10 Oct 2015, at 12:28, Adrián Mihálko <adriankoooo at gmail.com> wrote:
>
>> Thank you for this idea.
>>
>> The connection is now successful:
>>
>> http://pastebin.com/idLxrzRA
>>
>> But the application on :41952 is blocking the request.
>>
>> Let me clarify:
>>
>> The only URL that is working is:
>> https://localhost:41952/DYMO/DLS/Printing/Check
>> https://www.dropbox.com/s/syw5clruyjildyf/Screenshot%202015-10-10%2019.18.23.png?dl=0
>>
>> Non-working URLs:
>>
>> https://127.0.0.1:41952/DYMO/DLS/Printing/Check
>> https://www.dropbox.com/s/8fc2v1e3gr0ap2q/Screenshot%202015-10-10%2019.19.27.png?dl=0
>>
>> https://192.168.2.123:41952/DYMO/DLS/Printing/Check
>> https://www.dropbox.com/s/yfkwx1s5acfek38/Screenshot%202015-10-10%2019.20.46.png?dl=0
>>
>> From the remote machine (through stunnel) I get the same error:
>> https://www.dropbox.com/s/cm6l358k948hxhu/Screenshot%202015-10-10%2019.21.23.png?dl=0
>>
>> Interesting that 127.0.0.1 and 192.168.2.123 also point to the localhost, and it's not working.
>> I think the web service on :41952 checks the request header? Is there any way to fake this?
>>
>> Regards,
>> Adrian
>>
>>> On 10. 10. 2015, at 19:06, Jose Alf. <josealf at rocketmail.com> wrote:
>>>
>>> Adrian,
>>>
>>> Sorry, I didn't read your original mail carefully. You want to write https://192.168.1.10:1988
>>> and reach your SSL or TLS service that listens on port 4952 of the loopback interface on the host with IP 192.168.1.10.
>>>
>>> You need two stunnel stanzas to achieve what you want. Something like:
>>>
>>>
>>> [myservice]
>>> cert = stunnel.pem
>>> client = no
>>> accept = 0.0.0.0:1988
>>> connect = localhost:1987
>>>
>>>
>>> [myserviceaux]
>>> cert = stunnel.pem
>>> client = yes
>>> accept = localhost:1987
>>> connect = localhost:4952
>>>
>>>
>>> If you find this too convoluted, you could try with other reverse proxy software like apache or squid.
>>>
>>> With your original config, you should be able to connect using http instead of https, as stunnel is expecting clear text traffic.
>>>
>>>
>>> Please try and let us know how it goes.
>>>
>>> On Saturday, October 10, 2015 9:58 AM, Josealf.rm <josealf at rocketmail.com> wrote:
>>>
>>>
>>> Some clarifications
>>>
>>> 1. Most likely stunnel and your service can't negotiate a protocol. Thus the connection fails. The service could be using SSL3 that is now obsolete. You may need to downgrade from TLS to SSL3 in stunnel.
>>> 2. You can do a direct test with curl against your service (local) or openssl s_client.
>>>
>>> Regards
>>> Jose
>>>
>>> On 9 Oct 2015, at 5:44, Adrián Mihálko <adriankoooo at gmail.com> wrote:
>>>
>>>> Some good news, I removed client = yes as you suggested:
>>>>
>>>> 2015.10.09 12:39:29 LOG5[main]: Configuration successful
>>>> 2015.10.09 12:39:29 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>>>> 2015.10.09 12:39:34 LOG6[57]: SSL socket closed (SSL_read)
>>>> 2015.10.09 12:39:34 LOG5[57]: Connection closed: 0 byte(s) sent to SSL, 445 byte(s) sent to socket
>>>> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] accepted connection from 192.168.1.25:49671
>>>> 2015.10.09 12:39:34 LOG6[60]: SSL accepted: new session negotiated
>>>> 2015.10.09 12:39:34 LOG6[60]: No peer certificate received
>>>> 2015.10.09 12:39:34 LOG6[60]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
>>>> 2015.10.09 12:39:34 LOG6[60]: failover: round-robin, starting at entry #0
>>>> 2015.10.09 12:39:34 LOG6[60]: s_connect: connecting ::1:41952
>>>> 2015.10.09 12:39:34 LOG5[60]: s_connect: connected ::1:41952
>>>> 2015.10.09 12:39:34 LOG6[60]: persistence: ::1:41952 cached
>>>> 2015.10.09 12:39:34 LOG5[60]: Service [myservice] connected remote server from ::1:50598
>>>> 2015.10.09 12:39:34 LOG6[60]: SSL socket closed (SSL_read)
>>>> 2015.10.09 12:39:34 LOG5[60]: Connection closed: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>>>> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] accepted connection from 192.168.1.25:49672
>>>> 2015.10.09 12:39:34 LOG6[61]: SSL accepted: new session negotiated
>>>> 2015.10.09 12:39:34 LOG6[61]: No peer certificate received
>>>> 2015.10.09 12:39:34 LOG6[61]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
>>>> 2015.10.09 12:39:34 LOG6[61]: failover: round-robin, starting at entry #1
>>>> 2015.10.09 12:39:34 LOG6[61]: s_connect: connecting 127.0.0.1:41952
>>>> 2015.10.09 12:39:34 LOG5[61]: s_connect: connected 127.0.0.1:41952
>>>> 2015.10.09 12:39:34 LOG6[61]: persistence: 127.0.0.1:41952 cached
>>>> 2015.10.09 12:39:34 LOG5[61]: Service [myservice] connected remote server from 127.0.0.1:50599
>>>>
>>>> openssl_client log:
>>>>
>>>> http://pastebin.com/7bg3sf7J
>>>>
>>>> The problem is now that the site loads forever, nothing happens.
>>>>
>>>> (This certificate (:1988) is different from the original one (:41952). Is this not a problem?)
>>>>
>>>> curl test:
>>>>
>>>> $ curl https://192.168.1.17:1988/DYMO/DLS/Printing/Check -vk
>>>> * Trying 192.168.1.17...
>>>> * Connected to 192.168.1.17 (192.168.1.17) port 1988 (#0)
>>>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>> * Server certificate: localhost
>>>> > GET /DYMO/DLS/Printing/Check HTTP/1.1
>>>> > Host: 192.168.1.17:1988
>>>> > User-Agent: curl/7.43.0
>>>> > Accept: */*
>>>> >
>>>> waiting forever.
>>>>
>>>> 2015-10-09 12:34 GMT+02:00 Adrián Mihálko <adriankoooo at gmail.com>:
>>>> In the first mail I wrote the ports wrong; of course in the log I am using the right ones.
>>>>
>>>> [myservice]
>>>> cert = stunnel.pem
>>>> client = yes
>>>> accept = 0.0.0.0:1988
>>>> connect = localhost:41952
>>>>
>>>>
>>>> 2015-10-09 12:32 GMT+02:00 Adrián Mihálko <adriankoooo at gmail.com>:
>>>> Sorry, curl was only for testing.
>>>>
>>>> Adrians-MacBook-Pro:~ adrianmihalko$ openssl s_client -connect 192.168.1.17:1988
>>>> CONNECTED(00000003)
>>>> 1130:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
>>>>
>>>> 2015.10.09 12:23:21 LOG5[main]: Reading configuration from file stunnel.conf
>>>> 2015.10.09 12:23:21 LOG5[main]: UTF-8 byte order mark detected
>>>> 2015.10.09 12:23:21 LOG5[main]: FIPS mode disabled
>>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-pop3]
>>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-imap]
>>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [gmail-smtp]
>>>> 2015.10.09 12:23:21 LOG6[main]: Initializing service [myservice]
>>>> 2015.10.09 12:23:21 LOG6[main]: Loading certificate from file: stunnel.pem
>>>> 2015.10.09 12:23:21 LOG6[main]: Loading key from file: stunnel.pem
>>>> 2015.10.09 12:23:21 LOG4[main]: Service [myservice] needs authentication to prevent MITM attacks
>>>> 2015.10.09 12:23:21 LOG5[main]: Configuration successful
>>>> 2015.10.09 12:23:21 LOG5[main]: Logging to C:\Users\adrianmihalko\AppData\Local\stunnel.log
>>>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] accepted connection from 192.168.1.25:49454
>>>> 2015.10.09 12:23:42 LOG6[39]: failover: round-robin, starting at entry #0
>>>> 2015.10.09 12:23:42 LOG6[39]: s_connect: connecting ::1:41952
>>>> 2015.10.09 12:23:42 LOG5[39]: s_connect: connected ::1:41952
>>>> 2015.10.09 12:23:42 LOG5[39]: Service [myservice] connected remote server from ::1:50564
>>>> 2015.10.09 12:23:42 LOG6[39]: SNI: sending servername: localhost
>>>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>>>> 2015.10.09 12:23:42 LOG6[39]: Certificate verification disabled
>>>> 2015.10.09 12:23:42 LOG6[39]: SSL connected: new session negotiated
>>>> 2015.10.09 12:23:42 LOG6[39]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>>>> 2015.10.09 12:23:42 LOG6[39]: SSL socket closed (SSL_read)
>>>> 2015.10.09 12:23:42 LOG5[39]: Connection closed: 130 byte(s) sent to SSL, 505 byte(s) sent to socket
>>>>
>>>> If I connect to :41952:
>>>>
>>>> openssl s_client -connect 192.168.1.17:41952
>>>> ...
>>>>
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 1724 bytes and written 712 bytes
>>>> ---
>>>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>>>> Server public key is 4096 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>> Protocol : TLSv1
>>>> Cipher : AES128-SHA
>>>> ...
>>>>
>>>>
>>>> 2015-10-09 10:55 GMT+02:00 test rig <testrig at z1p.biz>:
>>>>
>>>> Ouch #2 missing...
>>>>
>>>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
>>>>
>>>> You are connecting to :9999 with curl(?)
>>>> Try to verify it via the "openssl s_client -connect yourserverip:1988" command
>>>>
>>>> Best Regards
>>>> Michael
>>>>
>>>> --- Original Message ---
>>>> From: "test rig" <testrig at z1p.biz>
>>>> Date: 09.10.2015 09:48:02
>>>> To: "stunnel-users at stunnel.org." <stunnel-users at stunnel.org>
>>>> Subject: Re: [stunnel-users] (no subject)
>>>>
>>>> Hi Adrian, looks good to me so far - mostly. Try to replace the client=yes with a client=no on the server
>>>> --- Original Message ---
>>>> From: Adrián Mihálko
>>>> Date: 09.10.2015 08:15:19
>>>> To: stunnel-users at stunnel.org
>>>> Subject: [stunnel-users] (no subject)
>>>>
>>>> Dear stunnel users,
>>>>
>>>> I have a little service which listens only on https://localhost:4952 and checks the source hostname. I want to connect on "listen:1988" and redirect requests with stunnel to "localhost:4952"
>>>>
>>>> https://192.168.1.10:1988 -> redirect https://localhost:4952
>>>>
>>>>
>>>> I am trying to configure stunnel like this
>>>>
>>>> [myservice]
>>>> cert = stunnel.pem
>>>> client = yes
>>>> accept = 0.0.0.0:1988
>>>> connect = localhost:4952
>>>>
>>>> remote machine$ curl https://192.168.1.25:9999/DYMO/DLS/Printing/Check -v
>>>> * Trying 192.168.1.25...
>>>> * Connected to 192.168.1.25 (192.168.1.25) port 9999 (#0)
>>>> * WARNING: using IP address, SNI is being disabled by the OS.
>>>> * Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>>> * Closing connection 0
>>>> curl: (35) Unknown SSL protocol error in connection to 192.168.1.25:-9847
>>>>
>>>> stunnel.log:
>>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] accepted connection from 192.168.1.24:60748
>>>> 2015.10.09 09:05:42 LOG6[38]: failover: round-robin, starting at entry #1
>>>> 2015.10.09 09:05:42 LOG6[38]: s_connect: connecting 127.0.0.1:41952
>>>> 2015.10.09 09:05:42 LOG5[38]: s_connect: connected 127.0.0.1:41952
>>>> 2015.10.09 09:05:42 LOG5[38]: Service [myservice] connected remote server from 127.0.0.1:50503
>>>> 2015.10.09 09:05:42 LOG6[38]: SNI: sending servername: localhost
>>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>>> 2015.10.09 09:05:42 LOG6[38]: Certificate verification disabled
>>>> 2015.10.09 09:05:42 LOG6[38]: SSL connected: new session negotiated
>>>> 2015.10.09 09:05:42 LOG6[38]: Negotiated TLSv1 ciphersuite AES128-SHA (128-bit encryption)
>>>> 2015.10.09 09:05:42 LOG6[38]: SSL socket closed (SSL_read)
>>>> 2015.10.09 09:05:42 LOG5[38]: Connection closed: 230 byte(s) sent to SSL, 505 byte(s) sent to socket
>>>>
>>>> I tried verify = 1 to 4; none of them works. :(
>>>>
>>>> Best Regards,
>>>> Adrian
>>>>
>>>>
>>>> ______________________________________________________
>>>> powered by Perfect-Privacy.com / Secure-Mail.biz - anonymous and secure internet.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> stunnel-users mailing list
>>>> stunnel-users at stunnel.org
>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
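The behaviour observed in this thread (only the https://localhost URL is accepted; 127.0.0.1, the LAN address and the stunnel-forwarded request are all refused) is what a loopback-only web service that allowlists the Host header looks like, and stunnel passes the client's HTTP bytes through unchanged, so the browser's original Host header is what the service sees. The check below is an added illustration of such a guard, not the DLS service's code or anything posted in the thread; the allowlist and the sample requests are constructed.

```python
# Added example: a Host header allowlist as a loopback-only HTTP service might
# apply it. The real DLS rule is unknown; "localhost" only is an assumption
# chosen to match the thread's observations (127.0.0.1 was refused too).
from typing import Dict, Iterable, Tuple

DEFAULT_ALLOWED = frozenset({"localhost"})


def parse_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into the request line and a
    lower-cased header dict (first occurrence wins, duplicates overwrite)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_without_port(host: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals like [::1]:41952."""
    host = host.strip().lower()
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host


def check_host_header(raw_request: bytes,
                      allowed: Iterable[str] = DEFAULT_ALLOWED) -> Tuple[bool, str]:
    """Return (accepted, reason). Missing or non-allowlisted Host is refused,
    which is the guard a browser cannot get past via DNS rebinding or a LAN IP."""
    _, headers = parse_headers(raw_request)
    host = headers.get("host")
    if host is None:
        return False, "missing Host header"
    name = host_without_port(host)
    if name in {h.lower() for h in allowed}:
        return True, f"Host {name!r} is allowlisted"
    return False, f"Host {name!r} not allowlisted"


if __name__ == "__main__":
    # Constructed requests modelled on the curl output quoted in the thread.
    samples = {
        "browser on LAN via stunnel": b"GET /DYMO/DLS/Printing/Check HTTP/1.1\r\nHost: 192.168.1.17:1988\r\n\r\n",
        "curl -H 'Host: localhost'": b"GET /DYMO/DLS/Printing/Check HTTP/1.1\r\nHost: localhost\r\n\r\n",
    }
    for label, req in samples.items():
        print(f"{label:28} -> {check_host_header(req)}")
```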