Hello all,
For a remote tls1 web service:
$ # openssl s_client -connect myremote:7002 -tls1
CONNECTED(00000004)
depth=0 CN = xxx, OU = xxx, O = xxx, C = xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = xxx, OU = xxx, O = xxx, C = xxx
verify return:1
---
Certificate chain
...
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC8zCCAdsCBGCvjhEwDQYJKoZIhvcNAQEFBQAwPjEOMAwGA1UEAxMFRUZXRUIx
...
QG9sNNhQW65rRVmdqy/g0cBbLKRKhmRCS+ajRIzBcO9ZmMe42TES
-----END CERTIFICATE-----
subject=XXX
issuer=XXX
---
No client certificate CA names sent
---
SSL handshake has read 889 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 2D9F8D8833A459C16C1D01F0C92F8EB7
Session-ID-ctx:
Master-Key:
1BF68D1AAEEC291A60252ECD63C374661FBBE028FB39A75DDA29E4E3FB6FE34CFC80F875F9E16F9D7C840F185757F583
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1625842735
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
closed
$
I can test it alright with an "old" curl
$ curl --version
curl 7.15.4 (sparc-sun-solaris2.9) libcurl/7.15.4 OpenSSL/0.9.7g zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz
...like this
$ curl -skL https://myremote:7002/MyWebService?WSDL
<?xml version="1.0" encoding="UTF-8"?>
...
</soap:address>
</port>
</service>
</definitions>
I want to tls1.2-enable myremote:7002 with stunnel, and run a tls1.2 curl
instead.
My stunnel installation
$ /opt/csw/bin/stunnel -version
Initializing inetd mode configuration
stunnel 5.59 on sparc-sun-solaris2.10 platform
Compiled with OpenSSL 1.0.2u 20 Dec 2019
Running with OpenSSL 1.0.2o 27 Mar 2018
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
Global options:
RNDbytes = 1024
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options:
ciphers = HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
curves = prime256v1
debug = daemon.notice
logId = sequential
options = NO_SSLv2
I start it with this service config:
[my12]
client = no
accept = 7002
connect = myremote:7002
cert = /etc/opt/csw/stunnel/stunnel.crt
key = /etc/opt/csw/stunnel/stunnel.key
sslVersion = TLSv1.2
debug = 7
and test it with a fairly recent curl
$ /opt/csw/bin/curl --version
curl 7.61.0 (sparc-sun-solaris2.10) libcurl/7.61.0 OpenSSL/1.0.2o zlib/1.2.8
libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4)
Release-Date: 2018-07-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb
smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
UnixSockets HTTPS-proxy PSL Metalink
Alas, the recent curl call
$ /opt/csw/bin/curl -skL https://myremote:7002/MyWebService?WSDL
...fails with exit status 23
In verbose mode we get
* Trying 127.0.0.1...
* TCP_NODELAY set
* Failed to set TCP_KEEPALIVE on fd 4
* Connected to localhost (127.0.0.1) port 7002 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/opt/csw/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=TS; ST=Westfarthing; L=Hobbiton; O=Thorin and Company;
OU=Burglars; CN=ahost.theshire.net; [email protected]
* start date: Jun 30 09:24:25 2021 GMT
* expire date: Jun 30 09:24:25 2022 GMT
* issuer: C=TS; ST=Westfarthing; L=Hobbiton; O=Thorin and Company;
OU=Burglars; CN=ahost.theshire.net; [email protected]
* SSL certificate verify result: self signed certificate (18), continuing
anyway.
> GET /MyWebService?WSDL HTTP/1.1
> Host: localhost:7002
> User-Agent: curl/7.61.0
> Accept: */*
>
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 7)
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
$
I tried various curl flags - nothing works.
In the meantime stunnel logs no errors
Jul 9 16:16:45 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]: Service
[my12] accepted connection from 127.0.0.1:39165
Jul 9 16:16:45 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]:
s_connect: connected 10.240.28.69:7002
Jul 9 16:16:45 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]: Service
[my12] connected remote server from xxx.yyy.zzz.www:39166
Jul 9 16:17:10 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]:
Connection closed: 7 byte(s) sent to TLS, 116 byte(s) sent to socket
What am I doing wrong!?
Thanks in advance!
_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
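Added example, not part of the poster's message or the stunnel project: a stunnel service in server mode (client = no) decrypts what curl sends and forwards it to "connect" as plaintext, so one [my12] section pointed at a backend that itself only speaks TLS 1.0 cannot work by itself; the usual shape is two chained services, one terminating TLS 1.2 on the front and one re-wrapping the plaintext in TLS 1.0 towards the backend. The loopback port 7003, the section names and the CAfile path are assumptions; hostnames and the cert/key paths are taken from the post.

```ini
; Added example (not the poster's config): two chained stunnel services.
; Assumption: 127.0.0.1:7003 is a free loopback port used only as the
; plaintext hop between the two sections.

[my12-in]
; front side: the recent curl connects here and gets TLS 1.2
client = no
accept = 7002
connect = 127.0.0.1:7003
cert = /etc/opt/csw/stunnel/stunnel.crt
key = /etc/opt/csw/stunnel/stunnel.key
sslVersion = TLSv1.2
debug = 7

[my12-out]
; back side: the plaintext from [my12-in] is re-encrypted with TLS 1.0
; for the legacy backend
client = yes
accept = 127.0.0.1:7003
connect = myremote:7002
sslVersion = TLSv1
; s_client negotiated RC4-MD5 with this backend. stunnel's default list
; (HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK, shown in the -version output above)
; excludes RC4, so if the backend offers nothing stronger this hop will
; fail at the handshake unless the list is widened for this section only:
; ciphers = HIGH:MEDIUM:!aNULL
; Pin the backend's self-signed certificate instead of connecting blind:
; save the PEM block printed by s_client into the file named here.
; (assumed path)
verifyPeer = yes
CAfile = /etc/opt/csw/stunnel/myremote-backend.crt
debug = 7
```

With the hops split, stunnel's log shows the TLS 1.2 handshake under [my12-in] and the TLS 1.0 one under [my12-out], so a failure can be attributed to one side.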