
Hi Guys,

I've got a small issue where I'm trying to use multiple SNI rules in an STunnel frontend:

STunnel Version is:

stunnel -version
stunnel 5.11 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
debug = daemon.notice
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

stunnel.conf is:

[https]
accept = 443
connect = 80

[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80

[testing]
sni = https:testing.com
sni = https:www.testing.com
connect = 192.168.64.253:80

I've created local DNS rules for each of these Hosts, but the problem is that only the last entered sni rule gets matched, so for example www.test.com works but test.com does not. It's the same for testing.com and www.testing.com.

This is what the log file shows too:

2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: Service [https] started
2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: Service [https] started
2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)

I have seen a couple of patch files floating around, but they are for older versions and I can't get them to compile into the v5.11 version.

Any thoughts?

-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)

Hi Scott,

Your configuration should be either:

[https]
accept = 443
connect = 80

[test_com]
sni = https:test.com
connect = 192.168.64.220:80

[www_test_com]
sni = https:www.test.com
connect = 192.168.64.220:80

[testing_com]
sni = https:testing.com
connect = 192.168.64.253:80

[www_testing_com]
sni = https:www.testing.com
connect = 192.168.64.253:80

or

[https]
accept = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80

Mike

On 17.03.2015 14:46, Scott McKeown wrote:
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
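The pitfall in Scott's configuration (two sni lines in one slave service, with only the last one taking effect on his 5.11 build) and both of Mike's fixes (one slave service per name, or a leading-'*' pattern) can be checked offline before reloading stunnel. The script below is an added example written for this page; it is not code from the thread or from the stunnel project. It parses a stunnel.conf in the format posted above, flags slave services that repeat the sni option, and emulates the SNI dispatch for a list of server names using only the last sni line of each slave, which is the behaviour Scott's log shows. The wildcard rule is an assumption about stunnel's matching that the example models explicitly: a leading '*' is treated as a case-insensitive suffix match on the rest of the pattern. Under that rule 'https:*test.com' matches 'test.com' and 'www.test.com' as Mike intends, but also any other name ending in 'test.com' (the constructed 'contest.com' below is routed to the test backend). If you want the bare domain plus its subdomains and nothing else, list 'test.com' and '*.test.com' as separate slave services instead. Both sample configurations are constructed copies of the ones in the thread.

```python
"""Emulate stunnel's SNI dispatch for a stunnel.conf and flag duplicate sni lines.

Added example for the stunnel-users thread above; not stunnel project code.
"""
import re
from collections import OrderedDict

# Constructed copy of the original (broken) configuration from the question.
BROKEN_CONF = """
[https]
accept = 443
connect = 80

[www_test]
sni = https:test.com
sni = https:www.test.com
connect = 192.168.64.220:80

[testing]
sni = https:testing.com
sni = https:www.testing.com
connect = 192.168.64.253:80
"""

# Constructed copy of the wildcard variant from the reply.
FIXED_CONF = """
[https]
accept = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80
"""


def parse_conf(text):
    """Return {service: [(key, value), ...]}, keeping duplicate keys and order."""
    services = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        section = re.fullmatch(r'\[(.+)\]', line)
        if section:
            current = section.group(1).strip()
            services[current] = []
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        services[current].append((key, value))
    return services


def duplicate_sni_services(services):
    """Slave services that set 'sni' more than once (the pitfall from the question)."""
    return [name for name, opts in services.items()
            if sum(1 for key, _ in opts if key.lower() == 'sni') > 1]


def effective_sni_table(services):
    """{master: [(pattern, slave), ...]} using only the LAST sni line per slave,
    which is what the poster's log shows stunnel 5.11 doing."""
    table = {}
    for name, opts in services.items():
        sni_lines = [value for key, value in opts if key.lower() == 'sni']
        if not sni_lines:
            continue
        master, pattern = sni_lines[-1].split(':', 1)
        table.setdefault(master.strip(), []).append((pattern.strip(), name))
    return table


def matches_wildcard(servername, pattern):
    """Assumed stunnel rule: a leading '*' is a plain case-insensitive suffix
    match on the remainder of the pattern; otherwise exact case-insensitive match."""
    if pattern.startswith('*'):
        return servername.lower().endswith(pattern[1:].lower())
    return servername.lower() == pattern.lower()


def dispatch(table, master, servername):
    """Slave that would take the connection, or None (stunnel sends 'unrecognized name')."""
    for pattern, slave in table.get(master, []):
        if matches_wildcard(servername, pattern):
            return slave
    return None


if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        services = parse_conf(conf)
        table = effective_sni_table(services)
        print(f'--- {label}: services with duplicate sni = {duplicate_sni_services(services)}')
        for host in ('test.com', 'www.test.com', 'testing.com', 'contest.com'):
            print(f'{host:14} -> {dispatch(table, "https", host)}')
```

Run it against your own stunnel.conf by replacing the embedded strings with the file contents; any service listed under duplicate sni is one where only its last pattern will be honoured on a build that behaves like the poster's, and any probe host that dispatches to None is one that will get the fatal 'unrecognized name' alert seen in the log.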
participants (2)
- Michal Trojnara
- Scott McKeown