Re: https et stunnel

To: debian-user-french@lists.debian.org
Subject: Re: https et stunnel
From: Jean-Philippe THIERRY <jphthierry@free.fr>
Date: Tue, 24 Jul 2007 23:12:24 +0200
Message-id: <[🔎] 20070724231224.3878e3c8@localhost.localdomain>
In-reply-to: <[🔎] 20070723234733.30c62798@localhost.localdomain>
References: <[🔎] 20070723230318.48fa1224@localhost.localdomain> <[🔎] 20070723234733.30c62798@localhost.localdomain>

On Mon, 23 Jul 2007 23:47:33 +0200
Jean-Philippe THIERRY <jphthierry@free.fr> wrote:

> On Mon, 23 Jul 2007 23:03:18 +0200
> Jean-Philippe THIERRY <jphthierry@free.fr> wrote:
> 
> > Bonsoir,
> > 
> > je me débats un peu avec la configuration de stunnel4. Je voudrais créer un tunnel https mon serveur web ne m'implémentant pas. Initialement tout fonctionnait, mais depuis une mise à jour, impossible de me connecter de l'extérieur. L'erreur que j'obtiens est la suivante :
> > 
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
> > 2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
> > 2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
> > 2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
> > 2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> > 2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)
> > 
> > Ma configuration est la suivante :
> > 
> > ; Sample stunnel configuration file by Michal Trojnara 2002-2006
> > ; Some options used here may not be adequate for your particular configuration
> > ; Please make sure you understand them (especially the effect of chroot jail)
> > 
> > ; Certificate/key is needed in server mode and optional in client mode
> > cert = /etc/stunnel/stunnel.pem
> > ;key = /etc/stunnel/mail.pem
> > ; Protocol version (all, SSLv2, SSLv3, TLSv1)
> > sslVersion = SSLv3
> > 
> > ; Some security enhancements for UNIX systems - comment them out on Win32
> > chroot = /var/lib/stunnel4/
> > setuid = stunnel4
> > setgid = stunnel4
> > ; PID is created inside chroot jail
> > pid = /stunnel4.pid
> > 
> > ; Some performance tunings
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> > ;compression = rle
> > 
> > ; Workaround for Eudora bug
> > ;options = DONT_INSERT_EMPTY_FRAGMENTS
> > 
> > ; Authentication stuff
> > ;verify = 2
> > ; Don't forget to c_rehash CApath
> > ; CApath is located inside chroot jail
> > ;CApath = /certs
> > ; It's often easier to use CAfile
> > ;CAfile = /etc/stunnel/certs.pem
> > ; Don't forget to c_rehash CRLpath
> > ; CRLpath is located inside chroot jail
> > ;CRLpath = /crls
> > ; Alternatively you can use CRLfile
> > ;CRLfile = /etc/stunnel/crls.pem
> > 
> > ; Some debugging stuff useful for troubleshooting
> > debug = 7
> > output = /var/log/stunnel4/stunnel.log
> > 
> > ; Use it for client mode
> > ;client = yes
> > 
> > ; Service-level configuration
> > 
> > [https]
> > accept  = 443
> > connect = 192.168.0.6:80
> > 
> > Je suis à court d'idées alors si l'un d'entre-vous en a une...
> > 
> > Jean-Philippe
> > 
> > 
> 
> après quelques recherches supplémentaires, j'ai légèrement modifié stunnel.conf :
> 
> client=no
> sslVersion = all
> 
> maintenant, j'obtiens l'erreur suivante :
> 
> SSL state (accept): before/accept initialization
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
> 2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> 2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)
> 
> pas beaucoup mieux :-(
> 
> Jean-Philippe
> 
> P.S. : pour info, je n'ai aucune difficulté à me connecter depuis le lan.
> 
> 
Apparemment, je n'obtiens cette erreur que depuis mon terminal Blackberry. Il semble qu'il lui faille le certificat à l'avance sans quoi il ne se comporte pas normalement (ne propose pas d'accepter le certificat pour la durée de la session par exemple).

Bref globalement ça fonctionne. Reste ce petit détail à régler.

Jean-Philippe

Reply to:

References:
- https et stunnel
  - From: Jean-Philippe THIERRY <jphthierry@free.fr>
- Re: https et stunnel
  - From: Jean-Philippe THIERRY <jphthierry@free.fr>

Prev by Date: Re: Mise à jour, signature de paquets
Next by Date: Re: Mise Ã jour, signature de paquets
Previous by thread: Re: https et stunnel
Next by thread: sha256+pam
Index(es):
- Date
- Thread