
Re: https and stunnel



On Mon, 23 Jul 2007 23:03:18 +0200
Jean-Philippe THIERRY <jphthierry@free.fr> wrote:

> Good evening,
> 
> I'm struggling a bit with the stunnel4 configuration. I'd like to create an https tunnel, since my web server doesn't implement it. Initially everything worked, but since an update it has been impossible to connect from outside. The error I get is the following:
> 
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
> 2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
> 2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
> 2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
> 2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)
> 
> My configuration is as follows:
> 
> ; Sample stunnel configuration file by Michal Trojnara 2002-2006
> ; Some options used here may not be adequate for your particular configuration
> ; Please make sure you understand them (especially the effect of chroot jail)
> 
> ; Certificate/key is needed in server mode and optional in client mode
> cert = /etc/stunnel/stunnel.pem
> ;key = /etc/stunnel/mail.pem
> ; Protocol version (all, SSLv2, SSLv3, TLSv1)
> sslVersion = SSLv3
> 
> ; Some security enhancements for UNIX systems - comment them out on Win32
> chroot = /var/lib/stunnel4/
> setuid = stunnel4
> setgid = stunnel4
> ; PID is created inside chroot jail
> pid = /stunnel4.pid
> 
> ; Some performance tunings
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> ;compression = rle
> 
> ; Workaround for Eudora bug
> ;options = DONT_INSERT_EMPTY_FRAGMENTS
> 
> ; Authentication stuff
> ;verify = 2
> ; Don't forget to c_rehash CApath
> ; CApath is located inside chroot jail
> ;CApath = /certs
> ; It's often easier to use CAfile
> ;CAfile = /etc/stunnel/certs.pem
> ; Don't forget to c_rehash CRLpath
> ; CRLpath is located inside chroot jail
> ;CRLpath = /crls
> ; Alternatively you can use CRLfile
> ;CRLfile = /etc/stunnel/crls.pem
> 
> ; Some debugging stuff useful for troubleshooting
> debug = 7
> output = /var/log/stunnel4/stunnel.log
> 
> ; Use it for client mode
> ;client = yes
> 
> ; Service-level configuration
> 
> [https]
> accept  = 443
> connect = 192.168.0.6:80
> 
> I'm out of ideas, so if any of you have one...
> 
> Jean-Philippe
> 
> 

After some further research, I slightly modified stunnel.conf:

client=no
sslVersion = all

Now I get the following error:

SSL state (accept): before/accept initialization
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)

Not much better :-(

Jean-Philippe

P.S.: for the record, I have no trouble connecting from the LAN.
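Added example, not from the thread or from stunnel itself: a small Python triage script for stunnel `debug = 7` logs. It pairs each failed `SSL_accept` with the peer address seen on the same `[pid:thread]` and tags the two OpenSSL reason strings that appear above with their usual server-side meaning. The sample log lines are constructed from the ones quoted in this thread, and the `DIAGNOSIS` wording is an assumption of mine, not stunnel output.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the two failing handshakes in this thread.
SAMPLE_LOG = """\
2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
"""

# stunnel 4 prefix: "<date> <time> LOG<level>[<pid>:<thread>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
# OpenSSL error as stunnel prints it after a failed SSL_accept
ERR_RE = re.compile(r"SSL_accept: (?P<code>[0-9A-F]+): error:[0-9A-F]+:SSL routines:(?P<func>[^:]+):(?P<reason>.*)$")

# Assumed interpretation of the reason strings seen in the thread (my wording).
DIAGNOSIS = {
    "wrong version number": "first record was not TLS stunnel accepts: plaintext HTTP sent to the TLS port, or a protocol version excluded by sslVersion",
    "sslv3 alert certificate unknown": "the client rejected the certificate given by 'cert =': issuer not trusted by the client or name mismatch",
}

def triage(log_text):
    """Return one record per failed SSL_accept, with the peer seen on the same
    [pid:thread] (or 'unknown') and a diagnosis for the OpenSSL reason string."""
    peer_by_thread = {}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines without the LOGn[pid:tid] prefix are skipped
        key = (m["pid"], m["tid"])
        peer = re.search(r" connected from (\S+)$", m["msg"])
        if peer:
            peer_by_thread[key] = peer.group(1)  # remember who this thread is serving
            continue
        err = ERR_RE.search(m["msg"])
        if err:
            findings.append({
                "ts": m["ts"],
                "peer": peer_by_thread.get(key, "unknown"),
                "code": err["code"],
                "reason": err["reason"],
                "diagnosis": DIAGNOSIS.get(err["reason"], "unclassified; look up the OpenSSL error code"),
            })
    return findings

def summarize(findings):
    """Count failures per OpenSSL reason, useful to spot a recurring misconfiguration."""
    return Counter(f["reason"] for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} peer={f['peer']} {f['code']}: {f['reason']} -> {f['diagnosis']}")
```

Lines printed by stunnel without the `LOGn[pid:thread]` prefix, such as the first line of the second log excerpt above, are ignored rather than mis-parsed.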


