Hi Scott,

Your configuration should be either:

[https]
accept = 443
connect = 80

[test_com]
sni = https:test.com
connect = 192.168.64.220:80

[www_test_com]
sni = https:www.test.com
connect = 192.168.64.220:80

[testing_com]
sni = https:testing.com
connect = 192.168.64.253:80

[www_testing_com]
sni = https:www.testing.com
connect = 192.168.64.253:80

or

[https]
accept = 443
connect = 80

[test]
sni = https:*test.com
connect = 192.168.64.220:80

[testing]
sni = https:*testing.com
connect = 192.168.64.253:80

Mike

On 17.03.2015 14:46, Scott McKeown wrote:
> Hi Guys,
>
> I've got a small issue where I'm trying to use multiple SNI rules
> in an STunnel frontend:
>
> STunnel Version is:
> stunnel -version
> stunnel 5.11 on x86_64-unknown-linux-gnu platform
> Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
> Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
>
> Global options:
> debug = daemon.notice
> RNDbytes = 64
> RNDfile = /dev/urandom
> RNDoverwrite = yes
>
> Service-level options:
> ciphers = FIPS (with "fips = yes")
> ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
> curve = prime256v1
> options = NO_SSLv2
> options = NO_SSLv3
> sessionCacheSize = 1000
> sessionCacheTimeout = 300 seconds
> stack = 65536 bytes
> TIMEOUTbusy = 300 seconds
> TIMEOUTclose = 60 seconds
> TIMEOUTconnect = 10 seconds
> TIMEOUTidle = 43200 seconds
> verify = none
>
> stunnel.conf is:
>
> [https]
> accept = 443
> connect = 80
>
> [www_test]
> sni = https:test.com
> sni = https:www.test.com
> connect = 192.168.64.220:80
>
> [testing]
> sni = https:testing.com
> sni = https:www.testing.com
> connect = 192.168.64.253:80
>
> I've created local DNS rules for each of these Hosts, but the
> problem is that only the last entered sni rule gets matched, so for
> example www.test.com works but test.com does not.
> It's the same for testing.com and www.testing.com.
>
> This is what the log file shows too:
>
> 2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
> 2015.03.03 20:01:19 LOG7[12808]: Service [https] started
> 2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
> 2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
> 2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
> 2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
> 2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
> 2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
> 2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
> 2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
> 2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
> 2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
> 2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
> 2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
> 2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
> 2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
> 2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
> 2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
> 2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
> 2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
> 2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
> 2015.03.03 20:01:49 LOG7[12809]: Service [https] started
> 2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
> 2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
> 2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
> 2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
> 2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
> 2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
> 2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
> 2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)
>
> I have seen a couple of patch files floating around, but they are
> for older versions and I can't get them to compile into the v5.11
> version.
>
> Any thoughts?
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
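The exchange above, replayed as an added example that is not part of the thread and not stunnel's own code: a small Python model of how a stunnel frontend resolves the SNI servername in a ClientHello to a child [service] and its connect target. It parses the three configurations from the thread (constructed here from the e-mails) and shows why Scott's layout loses the first sni line in each section, why both of Mike's layouts work, and one caveat a practitioner should check before choosing the wildcard form: a pattern such as *test.com is a suffix match, so it also routes names like latest.com to the test.com backend. Assumptions, marked in the code as well: a repeated option inside one section keeps only the last value (the behaviour Scott observed for sni); a pattern beginning with * matches any servername ending in the remainder, and any other pattern must match the whole name, both case-insensitively; rules are tried in file order and the first match wins. Where this model returns None, stunnel's log in the thread shows "SNI: no pattern matched" followed by the fatal "unrecognized name" alert.

```python
# Added example, not stunnel's own code: a model of how stunnel picks a
# [service] for a TLS client's SNI servername, replaying the thread above.
# Assumptions: a repeated option in a section keeps only the last value
# (what Scott saw for 'sni'); a pattern starting with '*' matches any name
# ending in the rest of the pattern, otherwise the whole name must match,
# case-insensitively; rules are tried in file order, first match wins.
import re
from textwrap import dedent

# Scott's config: two 'sni' lines per section (constructed from the thread).
BROKEN_CONF = dedent("""\
    [https]
    accept = 443
    connect = 80
    [www_test]
    sni = https:test.com
    sni = https:www.test.com
    connect = 192.168.64.220:80
    [testing]
    sni = https:testing.com
    sni = https:www.testing.com
    connect = 192.168.64.253:80
""")
# Mike's first fix: one section per exact servername.
EXACT_CONF = dedent("""\
    [https]
    accept = 443
    connect = 80
    [test_com]
    sni = https:test.com
    connect = 192.168.64.220:80
    [www_test_com]
    sni = https:www.test.com
    connect = 192.168.64.220:80
    [testing_com]
    sni = https:testing.com
    connect = 192.168.64.253:80
    [www_testing_com]
    sni = https:www.testing.com
    connect = 192.168.64.253:80
""")
# Mike's second fix: one wildcard per backend.
WILDCARD_CONF = dedent("""\
    [https]
    accept = 443
    connect = 80
    [test]
    sni = https:*test.com
    connect = 192.168.64.220:80
    [testing]
    sni = https:*testing.com
    connect = 192.168.64.253:80
""")

def parse_conf(text):
    """Section name -> {option: value}; a repeated option overwrites."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' begins a comment in stunnel.conf
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value   # last 'sni' wins, earlier ones are lost
    return sections

def sni_rules(sections, frontend):
    """(service, pattern, connect) for every service attached to `frontend`."""
    rules = []
    for name, opts in sections.items():
        if "sni" in opts:
            parent, pattern = opts["sni"].split(":", 1)
            if parent == frontend:
                rules.append((name, pattern, opts.get("connect")))
    return rules

def matches_wildcard(servername, pattern):
    """Assumed rule: leading '*' is a case-insensitive suffix match."""
    servername, pattern = servername.lower(), pattern.lower()
    if pattern.startswith("*"):
        return servername.endswith(pattern[1:])
    return servername == pattern

def route(conf_text, servername, frontend="https"):
    """(service, connect) of the first matching rule, or None, which is where
    stunnel logs 'SNI: no pattern matched' and sends 'unrecognized name'."""
    for name, pattern, connect in sni_rules(parse_conf(conf_text), frontend):
        if matches_wildcard(servername, pattern):
            return name, connect
    return None

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("exact", EXACT_CONF), ("wildcard", WILDCARD_CONF)):
        for host in ("test.com", "www.test.com", "testing.com", "www.testing.com", "latest.com"):
            print(f"{label:8} {host:16} -> {route(conf, host)}")
```

Running the script prints the routing table for all three layouts. The broken one only answers for the www names, the exact-name layout answers for the four intended hosts and nothing else, and the wildcard layout additionally claims latest.com for the 192.168.64.220 backend. If the certificate and backend set are fixed, the exact-name sections are the tighter choice; if a wildcard is used, it should be written to match only the intended namespace (for example *.test.com plus a separate exact test.com rule) and verified against a name that should not match.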
