https and stunnel

Jean-Philippe THIERRY
Good evening,

I'm struggling a bit with the stunnel4 configuration. I'd like to create an https tunnel, since my web server doesn't implement it. Initially everything worked, but since an update it has been impossible to connect from outside. The error I get is the following:

2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)

My configuration is the following:

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/mail.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[https]
accept = 443
connect = 192.168.0.6:80

I'm out of ideas, so if one of you has one...

Jean-Philippe
Jean-Philippe THIERRY
Le #9772471
On Mon, 23 Jul 2007 23:03:18 +0200
Jean-Philippe THIERRY

After some further research, I slightly modified stunnel.conf:

client=no
sslVersion = all

Now I get the following error:

SSL state (accept): before/accept initialization
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)

Not much better :-(

Jean-Philippe

P.S.: for the record, I have no difficulty connecting from the LAN.
Jean-Philippe THIERRY
Le #9591281
On Mon, 23 Jul 2007 23:47:33 +0200
Jean-Philippe THIERRY

Apparently I only get this error from my Blackberry handset. It seems it needs the certificate in advance, otherwise it doesn't behave normally (it doesn't offer to accept the certificate for the duration of the session, for example).

In short, overall it works. Only this small detail remains to be sorted out.

Jean-Philippe
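As an added example, not code from the thread or from the stunnel project: a small Python triage script that reads stunnel 4 debug-level log lines like the two excerpts in this thread, groups them per connection on the `[pid:thread]` tag, and tells the two failures apart. "wrong version number" is raised by the server's record layer (`SSL3_GET_RECORD`) before any handshake state is reached, which matches a client sending a record version outside the configured `sslVersion`; "certificate unknown" arrives as an alert *read* from the peer after the server has already written "server done", which is why it pointed at the client's trust of the certificate rather than at stunnel. The sample lines are reconstructed from the thread; the second "connected from" line (client port 41561) is constructed so the excerpt groups into two connections, and the verdict strings are this script's own names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two failing connections from the thread, reduced to the
# lines that matter. The second "connected from" line (client port 41561) is
# constructed; the thread's own second excerpt omitted it.
SAMPLE_LOG = """\
2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 23:06:46 LOG5[9532:3082927024]: https connected from 217.79.216.190:41561
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): before/accept initialization
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# stunnel 4.x line layout: "YYYY.MM.DD HH:MM:SS LOG<level>[pid:tid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"^\S+ connected from (?P<peer>\S+)$")
STATE_RE = re.compile(r"^SSL state \(accept\): (?P<state>.+)$")
ALERT_RE = re.compile(r"^SSL alert \((?P<dir>read|write)\): (?P<sev>\w+): (?P<desc>.+)$")
# OpenSSL error string: error:<code>:<lib>:<function>:<reason>
ACCEPT_ERR_RE = re.compile(
    r"^SSL_accept: [0-9A-Fa-f]+: error:[0-9A-Fa-f]+:[^:]*:(?P<func>[^:]*):(?P<reason>.*)$"
)


@dataclass
class Handshake:
    key: Tuple[str, str]                  # (pid, thread id) from LOGn[pid:tid]
    peer: Optional[str] = None
    states: List[str] = field(default_factory=list)
    alert_read: Optional[str] = None      # fatal alert received FROM the client
    error_func: Optional[str] = None      # OpenSSL function that reported failure
    error_reason: Optional[str] = None

    def verdict(self) -> str:
        """Short classification; names are this script's own."""
        if self.alert_read is not None:
            return "rejected-by-peer"
        if self.error_reason == "wrong version number":
            return "record-version-mismatch"
        if self.error_reason is not None:
            return "local-handshake-error"
        return "no-failure-logged"

    def explain(self) -> str:
        last = self.states[-1] if self.states else "no handshake state reached"
        who = self.peer or "unknown peer"
        v = self.verdict()
        if v == "rejected-by-peer":
            return (f"{who}: server got as far as '{last}', then read a fatal "
                    f"'{self.alert_read}' alert from the client; the client could not "
                    f"validate (or does not trust) the certificate presented to it")
        if v == "record-version-mismatch":
            return (f"{who}: {self.error_func} refused the first record before any "
                    f"handshake state; the client's record version is outside the "
                    f"server's sslVersion setting, or the client is not speaking SSL")
        if v == "local-handshake-error":
            return f"{who}: {self.error_func}: {self.error_reason} (after '{last}')"
        return f"{who}: no failure logged"


def parse_stunnel_log(text: str) -> List[Handshake]:
    """Group stunnel 4.x debug lines into per-connection handshake records."""
    result: List[Handshake] = []
    current: Dict[Tuple[str, str], Handshake] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # truncated or foreign line: skip rather than fail
        key = (m["pid"], m["tid"])
        msg = m["msg"]
        pm = PEER_RE.match(msg)
        if pm:
            # "connected from" opens a connection; a reused pid:tid starts a new record
            hs = Handshake(key, peer=pm["peer"])
            current[key] = hs
            result.append(hs)
            continue
        hs = current.get(key)
        if hs is None:  # excerpt that starts mid-connection
            hs = Handshake(key)
            current[key] = hs
            result.append(hs)
        if sm := STATE_RE.match(msg):
            hs.states.append(sm["state"])
        elif (am := ALERT_RE.match(msg)) and am["dir"] == "read" and am["sev"] == "fatal":
            hs.alert_read = am["desc"]
        elif em := ACCEPT_ERR_RE.match(msg):
            hs.error_func, hs.error_reason = em["func"], em["reason"]
    return result


def triage(text: str) -> List[Tuple[Optional[str], str]]:
    """Return (peer, verdict) per connection, for a quick scan of a log."""
    return [(hs.peer, hs.verdict()) for hs in parse_stunnel_log(text)]


if __name__ == "__main__":
    for hs in parse_stunnel_log(SAMPLE_LOG):
        print(hs.verdict(), "->", hs.explain())
```

Run it against `/var/log/stunnel4/stunnel.log` with `debug = 7` set, as in the thread's configuration; the distinction it draws (alert read from the peer versus error raised locally before any handshake state) is what separates a server-side protocol setting from a client-side trust problem.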