[stunnel-users] Stunnel Connectivity Issue

Dheeraj Gautam dheeraj.gautam at arborfs.com
Thu Aug 3 14:37:36 CEST 2017


Hi Liz,



Find attached stunnel log herewith, yes the configured remote server IP
address and port details are correct.

At remote end they have allowed our source address and they are getting an
error during TLS handshake, the issue appears to be with the TLS
certificate and are sending them back resulting in the handshake error.

Also, please let us know if we can have a call with you and remote session
to get this fix.

I will be thankful to you.

Regards,

Dheeraj Gautam



*From:* Liz Turi [mailto:lturi at maehc.org]
*Sent:* Thursday, August 3, 2017 5:58 PM
*To:* Dheeraj Gautam <dheeraj.gautam at arborfs.com>; cbrowne at cbcs-usa.com;
stunnel-users at stunnel.org
*Cc:* Gurpreet Ahuja <gurpreet.ahuja at arborfs.com>; Sumit Sharma <
sumit.sharma at arborfs.com>; Ishu Singh <ishu.singh at arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue



What do your debug logs say? What happens when you send a test message
through? Are you sure you have the remote IP address/port correct? Is there
IP filtering or a firewall in place between the two?



*Liz Turi*

Sr. Consultant

Massachusetts eHealth Collaborative

860 Winter Street, Waltham, MA 02451

(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589

www.maehc.org

[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>



*From:* Dheeraj Gautam [mailto:dheeraj.gautam at arborfs.com
<dheeraj.gautam at arborfs.com>]
*Sent:* Thursday, August 3, 2017 5:27 AM
*To:* Liz Turi <lturi at maehc.org>; cbrowne at cbcs-usa.com;
stunnel-users at stunnel.org
*Cc:* Gurpreet Ahuja <gurpreet.ahuja at arborfs.com>; Sumit Sharma <
sumit.sharma at arborfs.com>; Ishu Singh <ishu.singh at arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue



Hi Liz,



We have stuck badly to establish stunnel connection with one of our
partner, We have configured Client mode configuration on our server to
connect server to run the application.



Below is the config which We have done on my server:



; ***************************************** Example TLS Client mode services

; Certificate

cert = Talomoncert.pem

key = Talomonkey.pem

CAfile = TalomonCACerts.pem

;FIPS

fips=no

; Protocol version (all, SSLv2, SSLv3, TLSv1)

sslVersion = TLSv1.2



; Some performance tunings

socket = l:TCP_NODELAY=1

socket = r:TCP_NODELAY=1



; Some debugging stuff useful for troubleshooting

debug = 7

output = stunnel.log



; Use it for client mode

client = yes

; Service-level configuration

[FIX]

accept = 127.0.0.1:9260

connect = 69.191.230.34:8228

;protocol=connect

;protocolHost= 69.191.230.34:8228

TIMEOUTconnect  = 5



Our partner saying that they are not getting any TLS connection on their
server due to which connection is not establishing.



Could you please help us to get this sort out as we have no more idea how
we can troubleshoot this.



Thanks in advance.



Regards,



Dheeraj Gautam



*From:* Liz Turi [mailto:lturi at maehc.org]
*Sent:* Tuesday, June 13, 2017 11:40 PM
*To:* Dheeraj Gautam <dheeraj.gautam at arborfs.com>; cbrowne at cbcs-usa.com;
stunnel-users at stunnel.org
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue



Hi, Dheeraj,



Your logs say that you’re connecting successfully to the port that your
application is listening on. Have you tried testing from the application,
or calls to the application?



This line (along with the next couple of lines) suggest that telnet is
connecting through to the remote host listening on 8228.



2017.06.13 16:38:38 LOG5[11]: s_connect: connected 69.191.198.34:8228



It closes the connection via telnet because telnet isn’t going to run your
application for you.



We need more information about how you’re connecting to your application?
(or intending to)





*Liz Turi*

Sr. Consultant

Massachusetts eHealth Collaborative

860 Winter Street, Waltham, MA 02451

(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589

www.maehc.org

[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>



*From:* stunnel-users [mailto:stunnel-users-bounces at stunnel.org
<stunnel-users-bounces at stunnel.org>] *On Behalf Of *Dheeraj Gautam
*Sent:* Tuesday, June 13, 2017 1:21 PM
*To:* cbrowne at cbcs-usa.com; stunnel-users at stunnel.org
*Subject:* Re: [stunnel-users] Stunnel Connectivity Issue



Hi Browne,



I am not understand like what config I have to do in stunnel config file.



As per application it will trigger 8228 port of remote server, but at the
momen stunnel is working only when I am trying to telnet localhost on 9233
port.



Nothing is happening when running the application, don’t know what I am
missing as I am the new for stunnel.



Please help to fix this out.



Regards,



Dheeraj Gautam







*From:* stunnel-users [mailto:stunnel-users-bounces at stunnel.org
<stunnel-users-bounces at stunnel.org>] *On Behalf Of *Carter Browne
*Sent:* Tuesday, June 13, 2017 10:41 PM
*To:* stunnel-users at stunnel.org
*Subject:* Re: [stunnel-users] Stunnel Connectivity Issue



Dheeraj,

stunnel will keep the connection open for as long as your applications
keeps it open.  When you exit telnet, it closes the connection.  I use
stunnel mostly for RDP, VNC and telnet and as long the application is
active, the port is open.  You need to have your application open the local
port you want to route via stunnel (in your example 127.0.0.1:9233).  As
long as your application keeps the connection open (ignoring such issues as
communications failures), stunnel will maintain the application.  Telnet is
a great tool for determining connectivity, but your application is going to
have to handle the connection going forward.

Carter Browne



On 6/13/2017 12:01 PM, Dheeraj Gautam wrote:

Hi Liz,



Thanks for your reply.



Actually we need to run a service which will work only once stunnel
connection establish and the service will work till the time connection
connected.



But at the moment I don’t have idea like how the stunnel will remain
connected.



Could you please suggest me to fix this so that stunnel connection remain
connected and I can run the application.



Waiting for your valuable response.



Regards,



Dheeraj Gautam



*From:* Liz Turi [mailto:lturi at maehc.org <lturi at maehc.org>]
*Sent:* Tuesday, June 13, 2017 9:19 PM
*To:* Dheeraj Gautam <dheeraj.gautam at arborfs.com>
<dheeraj.gautam at arborfs.com>; Małgorzata Olszówka
<Malgorzata.Olszowka at stunnel.org> <Malgorzata.Olszowka at stunnel.org>
*Cc:* stunnel-users at stunnel.org
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue



Hi, Dheeraj,



Are you testing the connection with Telnet? Or are you testing with the
application. What I noticed in testing the connection is that once the
command is completed, the connection is closed.



However, when I test from my application, its only closed once all
transactions in that session are completed, and will show how much data was
passed on (following from my logs at the end of a non-telnet test session.



*2017.06.13 10:16:08 LOG6[1]: Negotiated TLSv1.2 ciphersuite
AES256-GCM-SHA384 (256-bit encryption)*

*2017.06.13 10:16:18 LOG6[1]: Read socket closed (readsocket)*

*2017.06.13 10:16:18 LOG6[1]: SSL_shutdown successfully sent close_notify
alert*

*2017.06.13 10:16:18 LOG6[1]: TLS closed (SSL_read)*

*2017.06.13 10:16:18 LOG5[1]: Connection closed: 2791 byte(s) sent to TLS,
1641 byte(s) sent to socket*



*Liz Turi*

Sr. Consultant

Massachusetts eHealth Collaborative

860 Winter Street, Waltham, MA 02451

(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589

www.maehc.org

[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>



*From:* stunnel-users [mailto:stunnel-users-bounces at stunnel.org
<stunnel-users-bounces at stunnel.org>] *On Behalf Of *Dheeraj Gautam
*Sent:* Tuesday, June 13, 2017 11:41 AM
*To:* Małgorzata Olszówka <Malgorzata.Olszowka at stunnel.org>
*Cc:* stunnel-users at stunnel.org
*Subject:* Re: [stunnel-users] Stunnel Connectivity Issue



HI Guys,



below is the config which i have configured with TLSv1.2, but still
connection establishing only for while when i telnet telnet 127.0.0.1 9233.
and just after connection closed.



[TCP]

client=yes

cert = BBG_cert.pem

key = BBG_key.pem

verifyChain = yes

CAfile = BBG_CACerts.pem

connect = 69.191.198.34:8228

accept  = 127.0.0.1:9233

sslVersion = TLSv1.2



below the logs:



2017.06.13 11:57:49 LOG5[main]: Reading configuration from file stunnel.conf

2017.06.13 11:57:49 LOG5[main]: UTF-8 byte order mark detected

2017.06.13 11:57:49 LOG5[main]: FIPS mode disabled

2017.06.13 11:57:49 LOG3[main]: Service [TCP]: Each service must define two
endpoints

2017.06.13 11:57:49 LOG3[main]: Failed to reload the configuration file

2017.06.13 16:37:16 LOG5[main]: Reading configuration from file stunnel.conf

2017.06.13 16:37:16 LOG5[main]: UTF-8 byte order mark detected

2017.06.13 16:37:16 LOG5[main]: FIPS mode disabled

2017.06.13 16:37:16 LOG4[main]: Service [TCP] uses "verifyChain" without
subject checks

2017.06.13 16:37:16 LOG4[main]: Use "checkHost" or "checkIP" to restrict
trusted certificates

2017.06.13 16:37:16 LOG5[main]: Configuration successful

2017.06.13 16:38:38 LOG5[11]: Service [TCP] accepted connection from
127.0.0.1:62736

2017.06.13 16:38:38 LOG5[11]: s_connect: connected 69.191.198.34:8228

2017.06.13 16:38:38 LOG5[11]: Service [TCP] connected remote server from
172.16.1.23:62737

2017.06.13 16:38:39 LOG5[11]: Certificate accepted at depth=0: C=US, ST=NEW
YORK, L=NEW YORK, O=Bloomberg LP, OU=FIXBETA, CN=fixbeta.bloomberg.com,
emailAddress=caadmin at bloomberg.com

2017.06.13 16:39:10 LOG5[11]: Connection closed: 0 byte(s) sent to TLS, 0
byte(s) sent to socket



i want connection remained connected every time so that i can run the
application.



application can be work only if the connection remain connected.



please help me to sort this out.



Regards,



Dheeraj Gautam



On 25 May 2017 at 12:29, Małgorzata Olszówka <
Malgorzata.Olszowka at stunnel.org> wrote:

Could you please let us know what parameters we are missing here due to
which connection is not establishing with remote server.

Although, stunnel logs indicating that configuration successful, but in
logs no where is mentioned about the connection is it connected or not,



Hello Dheeraj,

You should set the verifyChain option in order to verify the certificate
stored in the file specified with CAfile:
verifyChain = yes

Then you can test your connection:
telnet 127.0.0.1 9233
the stunnel logs will show information about the connection attempt.

Regards,
Małgorzata
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users





www.arborfs.com

This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.

It is intended solely for the use of the individual or entity to which it
is addressed.  If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system.  If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.

Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses.  We would advise that you carry out your own
virus checks, especially before opening an attachment.


CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.



www.arborfs.com

This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.

It is intended solely for the use of the individual or entity to which it
is addressed.  If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system.  If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.

Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses.  We would advise that you carry out your own
virus checks, especially before opening an attachment.



_______________________________________________

stunnel-users mailing list

stunnel-users at stunnel.org

https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users





www.arborfs.com

This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.

It is intended solely for the use of the individual or entity to which it
is addressed.  If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system.  If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.

Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses.  We would advise that you carry out your own
virus checks, especially before opening an attachment.


CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.



www.arborfs.com

This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.

It is intended solely for the use of the individual or entity to which it
is addressed.  If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system.  If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.

Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses.  We would advise that you carry out your own
virus checks, especially before opening an attachment.


CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.

-- 
 

www.arborfs.com

This e-mail and any attachment are confidential and contain proprietary 
information, some or all of which may be legally privileged.

It is intended solely for the use of the individual or entity to which it 
is addressed.  If you are not the intended recipient, please notify the 
author immediately by telephone or by replying to this e-mail, and then 
delete all copies of the e-mail on your system.  If you are not the 
intended recipient, you must not use, disclose, distribute, copy, print or 
rely on this e-mail.

Whilst we have taken reasonable precautions to ensure that this e-mail and 
any attachment has been checked for viruses, we cannot guarantee that they 
are virus free and we cannot accept liability for any damage sustained as a 
result of software viruses.  We would advise that you carry out your own 
virus checks, especially before opening an attachment.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1636 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1605 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image011.png
Type: image/png
Size: 1693 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image013.png
Type: image/png
Size: 1659 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image015.png
Type: image/png
Size: 1626 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0013.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image020.png
Type: image/png
Size: 1707 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0014.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image022.png
Type: image/png
Size: 1690 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0015.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image023.png
Type: image/png
Size: 1675 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0016.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image024.png
Type: image/png
Size: 1729 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0017.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel.log
Type: application/octet-stream
Size: 54184 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170803/e4329b97/attachment-0001.obj>


More information about the stunnel-users mailing list