[stunnel-users] HTTPS proxy tunnel. ssl handshake failure

Kirill Franko frankokirill at yandex.ru
Fri Jul 22 04:14:27 CEST 2016


I tried this config:


sslVersion = all
options = NO_SSLv2
[myproxy]
client = yes
accept = 127.0.0.1:8080
connect = 192.168.10.111:443

And got this:


2016.07.22 02:10:01 LOG5[main]: Configuration successful
2016.07.22 02:10:01 LOG7[main]: Listening file descriptor created (FD=932)
2016.07.22 02:10:01 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2016.07.22 02:10:01 LOG7[main]: Service [secproxy] (FD=932) bound to 127.0.0.1:8080
2016.07.22 02:10:01 LOG7[main]: Signal pipe is empty
2016.07.22 02:10:50 LOG7[main]: Found 1 ready file descriptor(s)
2016.07.22 02:10:50 LOG7[main]: FD=516 ifds=r-x ofds=---
2016.07.22 02:10:50 LOG7[main]: Service [secproxy] accepted (FD=972) from 127.0.0.1:22000
2016.07.22 02:10:50 LOG7[main]: Creating a new thread
2016.07.22 02:10:50 LOG7[main]: New thread created
2016.07.22 02:10:50 LOG7[7]: Service [secproxy] started
2016.07.22 02:10:50 LOG7[7]: Option TCP_NODELAY set on local socket
2016.07.22 02:10:50 LOG5[7]: Service [secproxy] accepted connection from 127.0.0.1:22000
2016.07.22 02:10:50 LOG6[7]: s_connect: connecting 192.168.10.111:443
2016.07.22 02:10:50 LOG7[7]: s_connect: s_poll_wait 192.168.10.111:443: waiting 10 seconds
2016.07.22 02:10:51 LOG5[7]: s_connect: connected 192.168.10.111:443
2016.07.22 02:10:51 LOG5[7]: Service [secproxy] connected remote server from 10.10.14.16:22001
2016.07.22 02:10:51 LOG7[7]: Option TCP_NODELAY set on remote socket
2016.07.22 02:10:51 LOG7[7]: Remote descriptor (FD=936) initialized
2016.07.22 02:10:51 LOG6[7]: SNI: sending servername: 192.168.10.111
2016.07.22 02:10:51 LOG6[7]: Peer certificate not required
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): before/connect initialization
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv2/v3 write client hello A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server hello A
2016.07.22 02:10:51 LOG6[7]: Certificate verification disabled
2016.07.22 02:10:51 LOG6[7]: Certificate verification disabled
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server certificate A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server key exchange A
2016.07.22 02:10:51 LOG6[7]: Client certificate not requested
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server done A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 write client key exchange A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 write change cipher spec A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 write finished A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 flush data
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read server session ticket A
2016.07.22 02:10:51 LOG7[7]: SSL state (connect): SSLv3 read finished A
2016.07.22 02:10:51 LOG7[7]:      1 client connect(s) requested
2016.07.22 02:10:51 LOG7[7]:      1 client connect(s) succeeded
2016.07.22 02:10:51 LOG7[7]:      0 client renegotiation(s) requested
2016.07.22 02:10:51 LOG7[7]:      0 session reuse(s)
2016.07.22 02:10:51 LOG6[7]: SSL connected: new session negotiated
2016.07.22 02:10:51 LOG7[7]: Peer certificate was cached (1895 bytes)
2016.07.22 02:10:51 LOG6[7]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2016.07.22 02:10:51 LOG7[7]: Compression: null, expansion: null
2016.07.22 02:10:51 LOG6[7]: SSL socket closed (SSL_read)
2016.07.22 02:10:51 LOG7[7]: Sent socket write shutdown
2016.07.22 02:10:51 LOG5[7]: Connection closed: 517 byte(s) sent to SSL, 2428 byte(s) sent to socket
2016.07.22 02:10:51 LOG7[7]: Remote descriptor (FD=936) closed
2016.07.22 02:10:51 LOG7[7]: Local descriptor (FD=972) closed
2016.07.22 02:10:51 LOG7[7]: Service [secproxy] finished (0 left)
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 58151 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 55033 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\a_object.c:346: 45704 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\a_object.c:315: 45704 allocations
2016.07.22 02:10:51 LOG4[7]: Possible memory leak at .\crypto\asn1\asn1_lib.c:372: 42431 allocations

22.07.2016, 04:53, "Kirill Franko" <frankokirill at yandex.ru>:
> Hi guys!
> I have an SSL-proxy server which sends me the error "ssl handshake failure" in the browser and other proxy tools.
> But when I use ncat or the openssl tool the proxy works fine.
>
> When I'm trying to use direct remoteSSLproxy.com as an HTTPS proxy (in Firefox for example) I'm getting an error:
>
> HTTP/1.0 500 handshakefailed
> Via: 1.0 192.168.10.111 (Web Gateway)
> Connection: Close
> Content-Type: text/html
> Cache-Control: no-cache
> Content-Length: 1944
>
> But when I'm connecting with openssl (openssl s_client -connect remoteSSLproxy.com:443  -tls1) or ncat (ncat --ssl remoteSSLproxy.com:443) the proxy works fine.
>
> Please help me to make a working tunnel.
> I think I need a tunnel like below:
> localhost->localhostSSLtls1:443->remoteSSLproxy.com:443
>
> Working examples:
> openssl s_client -connect remoteSSLproxy.com:443  -tls1
> openssl s_client -connect remoteSSLproxy.com:443  -cipher HIGH
> openssl s_client -connect remoteSSLproxy.com:443  -cipher MEDIUM
>
> Not working:
> $ openssl s_client -connect remoteSSLproxy.com:443  -cipher LOW
> CONNECTED(00000003)
> 17269:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s23_clnt.c:593:
>
> Not working:
> $ openssl s_client -connect remoteSSLproxy.com:443  -ssl2
> CONNECTED(00000003)
> 17261:error:140EC11B:SSL routines:SSL2_READ_INTERNAL:illegal padding:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s2_pkt.c:243:
>
> Not working:
> $ openssl s_client -connect remoteSSLproxy.com:443  -ssl3
> CONNECTED(00000003)
> 17262:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:1145:SSL alert number 40
> 17262:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:566:
>
> Thanks!
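As an added example (not from the list post or from stunnel itself), a small Python summariser for stunnel debug logs in the format shown above: per thread it picks out the negotiated protocol and ciphersuite and the byte counts, and flags what a reviewer would want to notice in the log quoted here: certificate verification being disabled, anything below TLS 1.2, and the remote side closing the TLS socket right after the handshake. The sample lines are a constructed subset copied from the log format in the post.

```python
import re

# Constructed sample in the stunnel debug-log format quoted above (a subset, not the full log).
SAMPLE_LOG = """\
2016.07.22 02:10:51 LOG6[7]: SNI: sending servername: 192.168.10.111
2016.07.22 02:10:51 LOG6[7]: Certificate verification disabled
2016.07.22 02:10:51 LOG6[7]: Certificate verification disabled
2016.07.22 02:10:51 LOG6[7]: SSL connected: new session negotiated
2016.07.22 02:10:51 LOG6[7]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2016.07.22 02:10:51 LOG6[7]: SSL socket closed (SSL_read)
2016.07.22 02:10:51 LOG5[7]: Connection closed: 517 byte(s) sent to SSL, 2428 byte(s) sent to socket
"""

LINE_RE = re.compile(r"^\S+ \S+ LOG(\d)\[(\w+)\]: (.*)$")
CIPHER_RE = re.compile(r"Negotiated (\S+) ciphersuite (\S+)")
CLOSED_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def add_finding(t, name):
    """Record a finding once per thread (stunnel repeats some lines, as in the log above)."""
    if name not in t["findings"]:
        t["findings"].append(name)


def summarize(log_text):
    """Group stunnel log lines by thread id and extract handshake facts plus findings.

    Findings: 'no-verify'     - the peer certificate was not checked (verify disabled)
              'weak-protocol' - a protocol below TLS 1.2 was negotiated
              'peer-closed'   - the remote side closed the TLS socket (SSL_read hit EOF)
    """
    threads = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _level, tid, msg = m.groups()
        t = threads.setdefault(tid, {"protocol": None, "cipher": None,
                                     "to_ssl": None, "to_socket": None, "findings": []})
        if "Certificate verification disabled" in msg:
            add_finding(t, "no-verify")
        elif msg.startswith("SSL socket closed (SSL_read)"):
            add_finding(t, "peer-closed")
        elif (c := CIPHER_RE.search(msg)):
            t["protocol"], t["cipher"] = c.group(1), c.group(2)
            if t["protocol"] not in STRONG_PROTOCOLS:
                add_finding(t, "weak-protocol")
        elif (z := CLOSED_RE.search(msg)):
            t["to_ssl"], t["to_socket"] = int(z.group(1)), int(z.group(2))
    return threads


if __name__ == "__main__":
    for tid, info in summarize(SAMPLE_LOG).items():
        print(f"thread {tid}: {info}")
```

Run it over a full `debug = 7` log to get one line per connection thread; a thread that shows `peer-closed` with only a few hundred bytes sent to SSL and a larger reply to the socket is the pattern of the remote end returning an error page and hanging up, which is what the quoted log shows.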