I'm struggling a bit with the stunnel4 configuration. I would like to create an https tunnel, since my web server doesn't implement it for me. Initially everything worked, but since an update I can no longer connect from outside. The error I get is the following:

2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)

My configuration is the following:

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/mail.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[https]
accept = 443
connect = 192.168.0.6:80

I'm out of ideas, so if any of you has one...
Jean-Philippe THIERRY
On Mon, 23 Jul 2007 23:03:18 +0200 Jean-Philippe THIERRY wrote:
> Good evening,
>
> I'm struggling a bit with the stunnel4 configuration. I would like to create an https tunnel, since my web server doesn't implement it for me. Initially everything worked, but since an update I can no longer connect from outside. The error I get is the following:
>
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
> 2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
> 2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
> 2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
> 2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> 2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)
>
> My configuration is the following:
>
> ; Sample stunnel configuration file by Michal Trojnara 2002-2006
> ; Some options used here may not be adequate for your particular configuration
> ; Please make sure you understand them (especially the effect of chroot jail)
>
> ; Certificate/key is needed in server mode and optional in client mode
> cert = /etc/stunnel/stunnel.pem
> ;key = /etc/stunnel/mail.pem
> ; Protocol version (all, SSLv2, SSLv3, TLSv1)
> sslVersion = SSLv3
>
> ; Some security enhancements for UNIX systems - comment them out on Win32
> chroot = /var/lib/stunnel4/
> setuid = stunnel4
> setgid = stunnel4
> ; PID is created inside chroot jail
> pid = /stunnel4.pid
>
> ; Workaround for Eudora bug
> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>
> ; Authentication stuff
> ;verify = 2
> ; Don't forget to c_rehash CApath
> ; CApath is located inside chroot jail
> ;CApath = /certs
> ; It's often easier to use CAfile
> ;CAfile = /etc/stunnel/certs.pem
> ; Don't forget to c_rehash CRLpath
> ; CRLpath is located inside chroot jail
> ;CRLpath = /crls
> ; Alternatively you can use CRLfile
> ;CRLfile = /etc/stunnel/crls.pem
>
> ; Some debugging stuff useful for troubleshooting
> debug = 7
> output = /var/log/stunnel4/stunnel.log
>
> ; Use it for client mode
> ;client = yes
>
> ; Service-level configuration
>
> [https]
> accept = 443
> connect = 192.168.0.6:80
>
> I'm out of ideas, so if any of you has one...
>
> Jean-Philippe

After some more searching, I slightly modified stunnel.conf:

client=no
sslVersion = all

Now I get the following error:

SSL state (accept): before/accept initialization
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)

Not much better :-(

Jean-Philippe

P.S.: for the record, I have no trouble connecting from the LAN.
Jean-Philippe THIERRY
On Mon, 23 Jul 2007 23:47:33 +0200 Jean-Philippe THIERRY wrote:
> On Mon, 23 Jul 2007 23:03:18 +0200 Jean-Philippe THIERRY wrote:
> > Good evening,
> >
> > I'm struggling a bit with the stunnel4 configuration. I would like to create an https tunnel, since my web server doesn't implement it for me. Initially everything worked, but since an update I can no longer connect from outside. The error I get is the following:
> >
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 9 in non-blocking mode
> > 2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
> > 2007.07.23 22:10:21 LOG6[9273:3083314880]: Child process 9276 finished with code 0
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
> > 2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
> > 2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> > 2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> > 2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)
> >
> > My configuration is the following:
> >
> > ; Sample stunnel configuration file by Michal Trojnara 2002-2006
> > ; Some options used here may not be adequate for your particular configuration
> > ; Please make sure you understand them (especially the effect of chroot jail)
> >
> > ; Certificate/key is needed in server mode and optional in client mode
> > cert = /etc/stunnel/stunnel.pem
> > ;key = /etc/stunnel/mail.pem
> > ; Protocol version (all, SSLv2, SSLv3, TLSv1)
> > sslVersion = SSLv3
> >
> > ; Some security enhancements for UNIX systems - comment them out on Win32
> > chroot = /var/lib/stunnel4/
> > setuid = stunnel4
> > setgid = stunnel4
> > ; PID is created inside chroot jail
> > pid = /stunnel4.pid
> >
> > ; Some performance tunings
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> > ;compression = rle
> >
> > ; Workaround for Eudora bug
> > ;options = DONT_INSERT_EMPTY_FRAGMENTS
> >
> > ; Authentication stuff
> > ;verify = 2
> > ; Don't forget to c_rehash CApath
> > ; CApath is located inside chroot jail
> > ;CApath = /certs
> > ; It's often easier to use CAfile
> > ;CAfile = /etc/stunnel/certs.pem
> > ; Don't forget to c_rehash CRLpath
> > ; CRLpath is located inside chroot jail
> > ;CRLpath = /crls
> > ; Alternatively you can use CRLfile
> > ;CRLfile = /etc/stunnel/crls.pem
> >
> > ; Some debugging stuff useful for troubleshooting
> > debug = 7
> > output = /var/log/stunnel4/stunnel.log
> >
> > ; Use it for client mode
> > ;client = yes
> >
> > ; Service-level configuration
> >
> > [https]
> > accept = 443
> > connect = 192.168.0.6:80
> >
> > I'm out of ideas, so if any of you has one...
> >
> > Jean-Philippe
> >
>
> After some more searching, I slightly modified stunnel.conf:
>
> client=no
> sslVersion = all
>
> Now I get the following error:
>
> SSL state (accept): before/accept initialization
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server hello A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write certificate A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 flush data
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
> 2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> 2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> 2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)
>
> Not much better :-(
>
> Jean-Philippe
>
> P.S.: for the record, I have no trouble connecting from the LAN.

Apparently I only get this error from my BlackBerry handset. It seems it needs the certificate in advance, otherwise it doesn't behave normally (it doesn't offer to accept the certificate for the duration of the session, for instance).

Overall it works, then. Only this small detail remains to be sorted out.
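The two failures in this thread are different events, and a stunnel4 debug log at debug = 7 contains enough to tell them apart per connection: SSL3_GET_RECORD:wrong version number is raised by the server's record layer when the first record it reads carries a version it does not accept (with sslVersion = SSLv3, a TLSv1 hello or a plaintext request would do that), whereas sslv3 alert certificate unknown means the client sent a fatal certificate_unknown alert, that is, the client refused the certificate the server presented, which matches the BlackBerry explanation above. The script below is an added example, not code from the thread or from stunnel: it groups log lines by stunnel's pid:tid (one thread per connection), labels each connection, and tallies outcomes per client IP so that a single client that keeps rejecting the certificate stands out. The sample log is constructed from the lines quoted in the thread; the "https connected from" line of the second connection (port 41602) and the successful 192.168.0.20 connection are made up, and the "Connection closed:" wording of that successful connection is an assumption about stunnel4's log format.

```python
import re
from collections import defaultdict

# stunnel4 debug-log line format, as quoted in the thread:
#   2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# OpenSSL reason strings quoted in the thread, mapped to a label.
# "wrong version number": the record layer read a version it does not accept.
# "alert certificate unknown": the client sent a fatal certificate_unknown
# alert, i.e. it refused the certificate this server presented.
CAUSES = [
    ("wrong version number", "version_mismatch"),
    ("alert certificate unknown", "client_rejected_cert"),
]


def parse_line(line):
    """Split one log line into ts/level/pid/tid/msg; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def group_connections(lines):
    """stunnel4 serves each connection on its own thread, so pid:tid keys a connection."""
    conns = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        conns[(rec["pid"], rec["tid"])].append(rec)
    return conns


def classify(records):
    """Source address and outcome of one connection; source is None for housekeeping threads."""
    source = None
    for rec in records:
        hit = re.search(r"connected from (\S+)$", rec["msg"])
        if hit:
            source = hit.group(1)
    if source is None:
        return {"source": None, "outcome": "not_a_client_thread"}
    errors = [rec["msg"] for rec in records if rec["level"] <= 3]  # LOG3 = error
    if not errors:
        return {"source": source, "outcome": "ok"}
    outcome = "handshake_failed_other"
    for needle, label in CAUSES:
        if any(needle in e for e in errors):
            outcome = label
            break
    return {"source": source, "outcome": outcome}


def summarize(lines):
    """Map 'pid:tid' -> {source, outcome} for every client connection in the log."""
    result = {}
    for (pid, tid), recs in group_connections(lines).items():
        info = classify(recs)
        if info["source"] is not None:
            result[f"{pid}:{tid}"] = info
    return result


def outcomes_by_source(lines):
    """Tally outcomes per client IP so one misbehaving client stands out."""
    tally = defaultdict(lambda: defaultdict(int))
    for info in summarize(lines).values():
        ip = info["source"].rsplit(":", 1)[0]
        tally[ip][info["outcome"]] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}


# Constructed sample: the two failing connections quoted in the thread (the
# "connected from" line for pid 9532 is made up; the quoted excerpt starts
# after it) plus a made-up successful LAN connection from 192.168.0.20.
SAMPLE_LOG = """\
2007.07.23 22:10:21 LOG7[9273:3083189168]: FD 8 in non-blocking mode
2007.07.23 22:10:21 LOG7[9273:3083314880]: Cleaning up the signal pipe
2007.07.23 22:10:21 LOG7[9273:3083189168]: Connection from 217.79.216.190:41560 permitted by libwrap
2007.07.23 22:10:21 LOG5[9273:3083189168]: https connected from 217.79.216.190:41560
2007.07.23 22:10:21 LOG7[9273:3083189168]: SSL state (accept): before/accept initialization
2007.07.23 22:10:21 LOG3[9273:3083189168]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2007.07.23 22:10:21 LOG5[9273:3083189168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 22:10:21 LOG7[9273:3083189168]: https finished (0 left)
2007.07.23 23:06:46 LOG5[9532:3082927024]: https connected from 217.79.216.190:41602
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 read client hello A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL state (accept): SSLv3 write server done A
2007.07.23 23:06:46 LOG7[9532:3082927024]: SSL alert (read): fatal: certificate unknown
2007.07.23 23:06:46 LOG3[9532:3082927024]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2007.07.23 23:06:46 LOG5[9532:3082927024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.07.23 23:06:46 LOG7[9532:3082927024]: https finished (0 left)
2007.07.23 23:10:02 LOG5[9532:3082800000]: https connected from 192.168.0.20:50112
2007.07.23 23:10:02 LOG7[9532:3082800000]: SSL state (accept): before/accept initialization
2007.07.23 23:10:02 LOG5[9532:3082800000]: Connection closed: 1524 bytes sent to SSL, 402 bytes sent to socket
2007.07.23 23:10:02 LOG7[9532:3082800000]: https finished (0 left)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LINES).items():
        print(key, info["source"], info["outcome"])
    print(outcomes_by_source(SAMPLE_LINES))
```

On the sample the external address shows one version_mismatch and one client_rejected_cert while the LAN address shows only ok, which is the picture the thread describes: the server side is fine once sslVersion = all is set, and what remains is a client that does not trust the certificate. The tally is also a useful baseline to keep after the fix, since a sudden rise in client_rejected_cert across many sources points at the certificate (expiry, wrong chain, wrong name) rather than at one handset.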