stunnel crashing

Posted by Jay on Server Fault
Published on 2010-04-20T16:02:50Z Indexed on 2012/07/02 21:18 UTC


I'm trying to use stunnel to secure a legacy application's communications. I can't seem to get it set up and working. Can anyone provide any hints where I'm going wrong?

Here's what I'm trying to accomplish:

A Windows service on a client machine connects to a server on port 7000 using TCP. I'd like to encrypt the communication between client and server.

Here's what I've tried:

Created a new server that accepts SSL connections on port 7443. Got a certificate for the server and installed it. That seems to work with my test setup.

Installed stunnel on my Windows machine (version 7.43 from the distribution archive file). Installed libssl32.dll and libeay32.dll in the same directory as stunnel.exe (from the openssl-0.9.8h-1 binary distribution).

Installed it as a service using "stunnel -install"

Configured stunnel as follows:

debug=7
output=C:\p4\internal\Utility\Proxy\proxy.log
service=Proxy
taskbar=no

[exchange]
accept=7000
client=yes
connect=proxy.blah.com:7443

I changed my hosts file to trick the old application into connecting through stunnel:

server.blah.com  127.0.0.1   # when client looks up server it goes to stunnel
proxy.blah.com  IP-address-of-server.blah.com   # stunnel connects to new server

"server.blah.com" now resolves to the machine it's running on (i.e. stunnel). "proxy.blah.com" goes to the real server. stunnel should connect to the server.

I start the stunnel service and try to connect. It looks like it's working but the stunnel service just shuts down with no message.

2010.04.19 13:16:21 LOG5[4924:3716]: stunnel 4.33 on x86-pc-mingw32-gnu with OpenSSL 0.9.8h 28 May 2008
2010.04.19 13:16:21 LOG5[4924:3716]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.04.19 13:16:49 LOG5[4924:3748]: Service exchange accepted connection from 127.0.0.1:4134
2010.04.19 13:16:49 LOG6[4924:3748]: connect_blocking: connecting x.80.60.32:7443
2010.04.19 13:16:49 LOG5[4924:3748]: connect_blocking: connected x.80.60.32:7443
2010.04.19 13:16:49 LOG5[4924:3748]: Service exchange connected remote server from x.253.120.19:4135
2010.04.19 13:20:24 LOG5[3668:3856]: Reading configuration from file stunnel.conf
2010.04.19 13:20:24 LOG7[3668:3856]: Snagged 64 random bytes from C:/.rnd
2010.04.19 13:20:24 LOG7[3668:3856]: Wrote 1024 new random bytes to C:/.rnd
2010.04.19 13:20:24 LOG7[3668:3856]: RAND_status claims sufficient entropy for the PRNG
2010.04.19 13:20:24 LOG7[3668:3856]: PRNG seeded successfully
2010.04.19 13:20:24 LOG7[3668:3856]: SSL context initialized for service exchange
2010.04.19 13:20:24 LOG5[3668:3856]: Configuration successful
2010.04.19 13:20:24 LOG5[3668:3856]: No limit detected for the number of clients
2010.04.19 13:20:24 LOG7[3668:3856]: FD=312 in non-blocking mode
2010.04.19 13:20:24 LOG7[3668:3856]: Option SO_REUSEADDR set on accept socket
2010.04.19 13:20:24 LOG7[3668:3856]: Service exchange bound to 0.0.0.0:7000
2010.04.19 13:20:24 LOG7[3668:3856]: Service exchange opened FD=312
2010.04.19 13:20:24 LOG5[3668:3856]: stunnel 4.33 on x86-pc-mingw32-gnu with OpenSSL 0.9.8h 28 May 2008
2010.04.19 13:20:24 LOG5[3668:3856]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.04.19 13:21:02 LOG7[3668:4556]: Service exchange accepted FD=372 from 127.0.0.1:4156
2010.04.19 13:21:02 LOG7[3668:4556]: Creating a new thread
2010.04.19 13:21:02 LOG7[3668:4556]: New thread created
2010.04.19 13:21:02 LOG7[3668:3756]: Service exchange started
2010.04.19 13:21:02 LOG7[3668:3756]: FD=372 in non-blocking mode
2010.04.19 13:21:02 LOG5[3668:3756]: Service exchange accepted connection from 127.0.0.1:4156
2010.04.19 13:21:02 LOG7[3668:3756]: FD=396 in non-blocking mode
2010.04.19 13:21:02 LOG6[3668:3756]: connect_blocking: connecting x.80.60.32:7443
2010.04.19 13:21:02 LOG7[3668:3756]: connect_blocking: s_poll_wait x.80.60.32:7443: waiting 10 seconds
2010.04.19 13:21:02 LOG5[3668:3756]: connect_blocking: connected x.80.60.32:7443
2010.04.19 13:21:02 LOG5[3668:3756]: Service exchange connected remote server from x.253.120.19:4157
2010.04.19 13:21:02 LOG7[3668:3756]: Remote FD=396 initialized
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): before/connect initialization
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write client hello A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server hello A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server certificate A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read server done A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write client key exchange A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write change cipher spec A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 write finished A
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 flush data
2010.04.19 13:21:02 LOG7[3668:3756]: SSL state (connect): SSLv3 read finished A

The client thinks the connection is closed:

No connection could be made because the target machine actively refused it 127.0.0.1:7000
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at Service.ConnUtility.Connect()

Any suggestions?
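Two things in the posted configuration and log are worth tightening regardless of why the service stops. The log line "Service exchange bound to 0.0.0.0:7000" shows that "accept=7000" listens on every interface, so any host that can reach the client machine gets a plaintext entry into the tunnel. And the [exchange] section has no "verify" line, so the stunnel client accepts whatever certificate the remote side presents; the tunnel is encrypted, but a man-in-the-middle on the path to x.80.60.32:7443 could terminate it unnoticed. The following is an added, hardened version of the same client-side stunnel.conf; it is not from the original post. It keeps the posted service layout and log path, and assumes a PEM file at C:\p4\internal\Utility\Proxy\ca.pem (hypothetical path) holding the CA that issued the server's certificate. Only options available in stunnel 4.x are used, since the log shows 4.33.

```ini
; Added example: hardened client-side stunnel.conf for the setup in the post.
; Not from the original post; the CA file path below is an assumption.
; Options are limited to those of stunnel 4.x (the posted log shows 4.33).

debug = 5                                   ; debug=7 logs every SSL state change; 5 is enough once it works
output = C:\p4\internal\Utility\Proxy\proxy.log
service = Proxy
taskbar = no

[exchange]
client = yes

; Weak, as posted:   accept = 7000
;   binds 0.0.0.0:7000 (see "Service exchange bound to 0.0.0.0:7000" in the log),
;   so any machine on the network can use this host as a plaintext on-ramp.
; Hardened: listen on loopback only. The legacy app still reaches it, because
;   the hosts file maps server.blah.com to 127.0.0.1.
accept = 127.0.0.1:7000
connect = proxy.blah.com:7443

; Weak, as posted: no "verify" line at all, so any certificate is accepted.
; verify = 2 rejects the connection unless the server certificate chains to a
;   CA listed in CAfile. Use a private CA here (assumed path): with a public CA,
;   any certificate from that CA would pass, because stunnel 4.x does not
;   check the hostname (later 5.x releases add checkHost for that).
; verify = 3 goes further and also requires the exact server certificate to be
;   present in CAfile (certificate pinning); use it if the server cert is
;   self-signed or you control its renewal.
verify = 2
CAfile = C:\p4\internal\Utility\Proxy\ca.pem

; Refuse SSLv2 and pin to TLSv1; both directives exist in stunnel 4.x.
options = NO_SSLv2
sslVersion = TLSv1
```

Before relying on the verify setting, confirm out of band that the server really presents a certificate that chains to that CA: "openssl s_client -connect proxy.blah.com:7443 -CAfile ca.pem" should end with "Verify return code: 0 (ok)". After restarting the stunnel service, "netstat -an | findstr 7000" should show 127.0.0.1:7000 LISTENING instead of 0.0.0.0:7000. If the service still exits silently, the debug=7 log up to the point of the last handshake line is the place to look, and running "stunnel.exe" from a console instead of as a service makes any startup error visible on screen.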
