SSL proxy with stunnel
I'm trying to set up an SSL connection with stunnel. Some kind of SSL proxy.
Final aim
Connect an http-only CLIENT to an https-only SERVER.
My plan is
- CLIENT: change endpoint to PROXY
- PROXY: use stunnel to receive requests from CLIENT and forward them to SERVER
stunnel.conf
cert = /etc/stunnel/stunnel.pem
foreground = yes
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
debug = 7
[my_route]
accept = 7121
connect = SERVER:443
;connect = SERVER:443/somedata
Test 1
$ openssl s_client -connect SERVER:443
New, TLSv1/SSLv3, Server public key is 2048 bit
Test 2
$ openssl s_client -connect PROXY:7121
New, TLSv1/SSLv3, Server public key is 2048 bit
Result (connecting from CLIENT to SERVER through PROXY).
Service [my_route] accepted (FD=3) from 10.0.2.2:12345
Service [my_route] started
Service [my_route] accepted connection from 10.0.2.2:12345
SSL state (accept): before/accept initialization
SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Local socket (FD=3) closed
Service [my_route] finished (0 left)
Questions
Why doesn't the IP match SERVER? Why is it connecting to 10.0.2.2?
Does it mean that I'm connecting to a wrong server? How can that happen?
What does this error say? That the remote server uses another version of SSL, doesn't it?
proxy ssl stunnel
edited Nov 3 '14 at 3:52 by bwDraco
asked Dec 29 '12 at 12:40 by Ilya
What do you mean with "that uses only ssl, https only"
– nixda
Dec 29 '12 at 13:33
I mean that it does not support http. It supports only https.
– Ilya
Dec 29 '12 at 14:25
Ah, of course, my fault. I interpreted it wrong on my first edit
– nixda
Dec 29 '12 at 14:31
3 Answers
- Why doesn't the IP match to SERVER? Why is it connecting to 10.0.2.2?
Because that IP address is not the address of the server it is connecting to, but the address of the client machine it is receiving from (running openssl s_client).
- Does it mean that I'm connecting to a wrong server? How can that happen?
No, it has nothing to do with the server.
- What does this error say? That remote server uses another version of SSL, doesn't it?
It means that your stunnel tries to speak SSL to the client (openssl s_client) connecting. They don't seem to agree on the SSL protocol version to use.
However, this is plain wrong. In the configuration you want to set up, stunnel should wait for HTTP connections, and tunnel those connections with HTTPS to SERVER. Therefore you may not use openssl s_client to connect to your stunnel, as openssl s_client would use SSL and stunnel would be waiting for non-SSL connections.
To solve this, you'll need an extra line client = yes in your configuration. Then, instead of using openssl s_client as the client for your stunnel, you should either use telnet (telnet server2 7121), or a program able to speak HTTP to your server (like a web browser, or similar, with a URL starting like http://PROXY:7121/...).
Also, it is highly recommended to use IP addresses in your configuration file (instead of textual host names).
Something like this should work for you:
[my_route]
client = yes
accept = 7121
connect = aaa.bbb.ccc.ddd:443
answered Nov 3 '14 at 3:58 by Laszlo Valko
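As an added example (not code from the thread or from stunnel itself), this Python script turns the diagnosis above into two checks: check_conf() parses a stunnel.conf in the question's format and reports which direction each service tunnels (without client = yes, stunnel runs SSL_accept on whatever CLIENT sends), and classify_first_bytes() shows why a plain HTTP request line fails the record-version check behind "SSL3_GET_RECORD:wrong version number". The config text and request bytes are constructed; SERVER and PROXY are the question's placeholders.

```python
import configparser

# Constructed copy of the question's stunnel.conf (hostnames as placeholders),
# still missing the 'client = yes' line the answer above adds.
BROKEN_CONF = """\
cert = /etc/stunnel/stunnel.pem
foreground = yes
debug = 7
[my_route]
accept = 7121
connect = SERVER:443
;connect = SERVER:443/somedata
"""
FIXED_CONF = BROKEN_CONF.replace("[my_route]\n", "[my_route]\nclient = yes\n")

# First four bytes of common HTTP request lines (what an http-only CLIENT sends).
HTTP_METHODS = {b"GET ", b"POST", b"HEAD", b"PUT ", b"OPTI", b"DELE", b"PATC"}


def parse_stunnel_conf(text):
    """stunnel.conf is INI-like, but global options may precede any [section],
    so a synthetic [global] header is prepended to keep configparser happy.
    Lines starting with ';' are comments, exactly as stunnel treats them."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp


def check_conf(text):
    """Map each service to the direction it tunnels:
    'tls->plain' = stunnel runs SSL_accept on incoming connections (default),
    'plain->tls' = client = yes, stunnel wraps incoming plaintext into TLS."""
    cp = parse_stunnel_conf(text)
    modes = {}
    for svc in cp.sections():
        if svc == "global":
            continue
        client = cp.get(svc, "client", fallback="no").strip().lower()
        modes[svc] = "plain->tls" if client == "yes" else "tls->plain"
    return modes


def classify_first_bytes(data):
    """Mimic the check behind 'SSL3_GET_RECORD:wrong version number': OpenSSL
    reads byte 0 as the record content type and bytes 1-2 as the protocol
    version. Returns (kind, version_field) so the bogus version is visible."""
    if len(data) < 3:
        return ("short", None)
    version = (data[1] << 8) | data[2]
    if data[0] == 0x16 and 0x0300 <= version <= 0x0304:  # TLS handshake record
        return ("tls-handshake", version)
    if data[:4] in HTTP_METHODS:                          # b"GET " -> 0x4554
        return ("plaintext-http", version)
    return ("unknown", version)


if __name__ == "__main__":
    print(check_conf(BROKEN_CONF), check_conf(FIXED_CONF))
    # Constructed request as an http-only CLIENT would send it to PROXY:7121.
    print(classify_first_bytes(b"GET / HTTP/1.1\r\nHost: PROXY\r\n\r\n"))
    # Constructed start of a TLS 1.0 ClientHello record (openssl s_client style).
    print(classify_first_bytes(bytes.fromhex("16030100c8010000c40301")))
```

Note that client = yes alone makes stunnel accept whatever certificate SERVER presents; stunnel's verify and CAfile options turn on chain validation for the outgoing TLS side.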
Seems like this exact issue is addressed in this answer on Server Fault; the bolded part seems apropos to your scenario:
The stunnel server has options = NO_SSLv3, but the client is trying to connect using SSLv3. You need to upgrade the client to support a newer version of SSL or you need to change the stunnel configuration to accept SSLv3.
edited Apr 13 '17 at 12:14 by Community♦
answered Nov 3 '14 at 4:02 by JakeGould
Adding this to the config file will do:
sslversion = all
And you might have missed another thing. You should explicitly set "client = yes" or it defaults to "no".
edited Jan 23 '15 at 15:14
answered Nov 3 '14 at 3:19 by 把友情留在无盐