Could you please suggest how we get this sort out, our partner is claiming
that issue is at our end.
We have setup this stunnel connection with TLSv1.2 on our Window 2012
server.
Could you share any doc which explain how should we integrate our service
with stunnel.
Also, please confirm is our configuration correct or not? We have to send
request along with TLS.
Regards,
Dheeraj Gautam
*From:* Liz Turi [mailto:***@maehc.org]
*Sent:* Thursday, August 3, 2017 6:21 PM
*To:* Dheeraj Gautam <***@arborfs.com>; ***@cbcs-usa.com;
stunnel-***@stunnel.org
*Cc:* Gurpreet Ahuja <***@arborfs.com>; Sumit Sharma <
***@arborfs.com>; Ishu Singh <***@arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
Iâm sorry, Dheeraj,
I cannot do that.
*Liz Turi*
Sr. Consultant
Massachusetts eHealth Collaborative
860 Winter Street, Waltham, MA 02451
(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589
www.maehc.org
[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>
*From:* Dheeraj Gautam [mailto:***@arborfs.com
<***@arborfs.com>]
*Sent:* Thursday, August 3, 2017 8:46 AM
*To:* Liz Turi <***@maehc.org>; ***@cbcs-usa.com;
stunnel-***@stunnel.org
*Cc:* Gurpreet Ahuja <***@arborfs.com>; Sumit Sharma <
***@arborfs.com>; Ishu Singh <***@arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
Hi Liz,
The logs are being generating only when I am doing telnet to myself like
telnet 127.0.0.1 9260.
No logs are coming while running the application.
Could you please remote my machine so that you can get complete
understanding about the setup.
Regards,
Dheeraj Gautam
*From:* Liz Turi [mailto:***@maehc.org]
*Sent:* Thursday, August 3, 2017 6:13 PM
*To:* Dheeraj Gautam <***@arborfs.com>; ***@cbcs-usa.com;
stunnel-***@stunnel.org
*Cc:* Gurpreet Ahuja <***@arborfs.com>; Sumit Sharma <
***@arborfs.com>; Ishu Singh <***@arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
This looks like youâre successfully negotiating your client connection to
the remote server, but thereâs no data being transferred.
*Liz Turi*
Sr. Consultant
Massachusetts eHealth Collaborative
860 Winter Street, Waltham, MA 02451
(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589
www.maehc.org
[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>
*From:* Dheeraj Gautam [mailto:***@arborfs.com
<***@arborfs.com>]
*Sent:* Thursday, August 3, 2017 8:38 AM
*To:* Liz Turi <***@maehc.org>; ***@cbcs-usa.com;
stunnel-***@stunnel.org
*Cc:* Gurpreet Ahuja <***@arborfs.com>; Sumit Sharma <
***@arborfs.com>; Ishu Singh <***@arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
Hi Liz,
Find attached stunnel log herewith, yes the configured remote server IP
address and port details are correct.
At remote end they have allowed our source address and they are getting an
error during TLS handshake, the issue appears to be with the TLS
certificate and are sending them back resulting in the handshake error.
Also, please let us know if we can have a call with you and remote session
to get this fix.
I will be thankful to you.
Regards,
Dheeraj Gautam
*From:* Liz Turi [mailto:***@maehc.org]
*Sent:* Thursday, August 3, 2017 5:58 PM
*To:* Dheeraj Gautam <***@arborfs.com>; ***@cbcs-usa.com;
stunnel-***@stunnel.org
*Cc:* Gurpreet Ahuja <***@arborfs.com>; Sumit Sharma <
***@arborfs.com>; Ishu Singh <***@arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
What do your debug logs say? What happens when you send a test message
through? Are you sure you have the remote IP address/port correct? Is there
IP filtering or a firewall in place between the two?
*Liz Turi*
Sr. Consultant
Massachusetts eHealth Collaborative
860 Winter Street, Waltham, MA 02451
(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589
www.maehc.org
[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>
*From:* Dheeraj Gautam [mailto:***@arborfs.com
<***@arborfs.com>]
*Sent:* Thursday, August 3, 2017 5:27 AM
*To:* Liz Turi <***@maehc.org>; ***@cbcs-usa.com;
stunnel-***@stunnel.org
*Cc:* Gurpreet Ahuja <***@arborfs.com>; Sumit Sharma <
***@arborfs.com>; Ishu Singh <***@arborfs.com>
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
Hi Liz,
We have stuck badly to establish stunnel connection with one of our
partner, We have configured Client mode configuration on our server to
connect server to run the application.
Below is the config which We have done on my server:
; ***************************************** Example TLS Client mode services
; Certificate
cert = Talomoncert.pem
key = Talomonkey.pem
CAfile = TalomonCACerts.pem
;FIPS
fips=no
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1.2
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[FIX]
accept = 127.0.0.1:9260
connect = 69.191.230.34:8228
;protocol=connect
;protocolHost= 69.191.230.34:8228
TIMEOUTconnect = 5
Our partner saying that they are not getting any TLS connection on their
server due to which connection is not establishing.
Could you please help us to get this sort out as we have no more idea how
we can troubleshoot this.
Thanks in advance.
Regards,
Dheeraj Gautam
*From:* Liz Turi [mailto:***@maehc.org]
*Sent:* Tuesday, June 13, 2017 11:40 PM
*To:* Dheeraj Gautam <***@arborfs.com>; ***@cbcs-usa.com;
stunnel-***@stunnel.org
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
Hi, Dheeraj,
Your logs say that youâre connecting successfully to the port that your
application is listening on. Have you tried testing from the application,
or calls to the application?
This line (along with the next couple of lines) suggest that telnet is
connecting through to the remote host listening on 8228.
2017.06.13 16:38:38 LOG5[11]: s_connect: connected 69.191.198.34:8228
It closes the connection via telnet because telnet isnât going to run your
application for you.
We need more information about how youâre connecting to your application?
(or intending to)
*Liz Turi*
Sr. Consultant
Massachusetts eHealth Collaborative
860 Winter Street, Waltham, MA 02451
(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589
www.maehc.org
[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>
*From:* stunnel-users [mailto:stunnel-users-***@stunnel.org
<stunnel-users-***@stunnel.org>] *On Behalf Of *Dheeraj Gautam
*Sent:* Tuesday, June 13, 2017 1:21 PM
*To:* ***@cbcs-usa.com; stunnel-***@stunnel.org
*Subject:* Re: [stunnel-users] Stunnel Connectivity Issue
Hi Browne,
I am not understand like what config I have to do in stunnel config file.
As per application it will trigger 8228 port of remote server, but at the
momen stunnel is working only when I am trying to telnet localhost on 9233
port.
Nothing is happening when running the application, donât know what I am
missing as I am the new for stunnel.
Please help to fix this out.
Regards,
Dheeraj Gautam
*From:* stunnel-users [mailto:stunnel-users-***@stunnel.org
<stunnel-users-***@stunnel.org>] *On Behalf Of *Carter Browne
*Sent:* Tuesday, June 13, 2017 10:41 PM
*To:* stunnel-***@stunnel.org
*Subject:* Re: [stunnel-users] Stunnel Connectivity Issue
Dheeraj,
stunnel will keep the connection open for as long as your applications
keeps it open. When you exit telnet, it closes the connection. I use
stunnel mostly for RDP, VNC and telnet and as long the application is
active, the port is open. You need to have your application open the local
port you want to route via stunnel (in your example 127.0.0.1:9233). As
long as your application keeps the connection open (ignoring such issues as
communications failures), stunnel will maintain the application. Telnet is
a great tool for determining connectivity, but your application is going to
have to handle the connection going forward.
Carter Browne
On 6/13/2017 12:01 PM, Dheeraj Gautam wrote:
Hi Liz,
Thanks for your reply.
Actually we need to run a service which will work only once stunnel
connection establish and the service will work till the time connection
connected.
But at the moment I donât have idea like how the stunnel will remain
connected.
Could you please suggest me to fix this so that stunnel connection remain
connected and I can run the application.
Waiting for your valuable response.
Regards,
Dheeraj Gautam
*From:* Liz Turi [mailto:***@maehc.org <***@maehc.org>]
*Sent:* Tuesday, June 13, 2017 9:19 PM
*To:* Dheeraj Gautam <***@arborfs.com>
<***@arborfs.com>; MaÅgorzata Olszówka
<***@stunnel.org> <***@stunnel.org>
*Cc:* stunnel-***@stunnel.org
*Subject:* RE: [stunnel-users] Stunnel Connectivity Issue
Hi, Dheeraj,
Are you testing the connection with Telnet? Or are you testing with the
application. What I noticed in testing the connection is that once the
command is completed, the connection is closed.
However, when I test from my application, its only closed once all
transactions in that session are completed, and will show how much data was
passed on (following from my logs at the end of a non-telnet test session.
*2017.06.13 10:16:08 LOG6[1]: Negotiated TLSv1.2 ciphersuite
AES256-GCM-SHA384 (256-bit encryption)*
*2017.06.13 10:16:18 LOG6[1]: Read socket closed (readsocket)*
*2017.06.13 10:16:18 LOG6[1]: SSL_shutdown successfully sent close_notify
alert*
*2017.06.13 10:16:18 LOG6[1]: TLS closed (SSL_read)*
*2017.06.13 10:16:18 LOG5[1]: Connection closed: 2791 byte(s) sent to TLS,
1641 byte(s) sent to socket*
*Liz Turi*
Sr. Consultant
Massachusetts eHealth Collaborative
860 Winter Street, Waltham, MA 02451
(m) 339-222-6614 (o) 781-907-7204 (f) 781-207-8589
www.maehc.org
[image: fb_icon]
<https://www.facebook.com/massachusettsehealthcollab?fref=nf>[image:
li_icon]
<https://www.linkedin.com/company/massachusetts-ehealth-collaborative?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1432746657126%2Ctas%3AMassachusetts+eHEalth>[image:
tw_icon] <https://twitter.com/MAeHC_org>
*From:* stunnel-users [mailto:stunnel-users-***@stunnel.org
<stunnel-users-***@stunnel.org>] *On Behalf Of *Dheeraj Gautam
*Sent:* Tuesday, June 13, 2017 11:41 AM
*To:* MaÅgorzata Olszówka <***@stunnel.org>
*Cc:* stunnel-***@stunnel.org
*Subject:* Re: [stunnel-users] Stunnel Connectivity Issue
HI Guys,
below is the config which i have configured with TLSv1.2, but still
connection establishing only for while when i telnet telnet 127.0.0.1 9233.
and just after connection closed.
[TCP]
client=yes
cert = BBG_cert.pem
key = BBG_key.pem
verifyChain = yes
CAfile = BBG_CACerts.pem
connect = 69.191.198.34:8228
accept = 127.0.0.1:9233
sslVersion = TLSv1.2
below the logs:
2017.06.13 11:57:49 LOG5[main]: Reading configuration from file stunnel.conf
2017.06.13 11:57:49 LOG5[main]: UTF-8 byte order mark detected
2017.06.13 11:57:49 LOG5[main]: FIPS mode disabled
2017.06.13 11:57:49 LOG3[main]: Service [TCP]: Each service must define two
endpoints
2017.06.13 11:57:49 LOG3[main]: Failed to reload the configuration file
2017.06.13 16:37:16 LOG5[main]: Reading configuration from file stunnel.conf
2017.06.13 16:37:16 LOG5[main]: UTF-8 byte order mark detected
2017.06.13 16:37:16 LOG5[main]: FIPS mode disabled
2017.06.13 16:37:16 LOG4[main]: Service [TCP] uses "verifyChain" without
subject checks
2017.06.13 16:37:16 LOG4[main]: Use "checkHost" or "checkIP" to restrict
trusted certificates
2017.06.13 16:37:16 LOG5[main]: Configuration successful
2017.06.13 16:38:38 LOG5[11]: Service [TCP] accepted connection from
127.0.0.1:62736
2017.06.13 16:38:38 LOG5[11]: s_connect: connected 69.191.198.34:8228
2017.06.13 16:38:38 LOG5[11]: Service [TCP] connected remote server from
172.16.1.23:62737
2017.06.13 16:38:39 LOG5[11]: Certificate accepted at depth=0: C=US, ST=NEW
YORK, L=NEW YORK, O=Bloomberg LP, OU=FIXBETA, CN=fixbeta.bloomberg.com,
emailAddress=***@bloomberg.com
2017.06.13 16:39:10 LOG5[11]: Connection closed: 0 byte(s) sent to TLS, 0
byte(s) sent to socket
i want connection remained connected every time so that i can run the
application.
application can be work only if the connection remain connected.
please help me to sort this out.
Regards,
Dheeraj Gautam
On 25 May 2017 at 12:29, MaÅgorzata Olszówka <
***@stunnel.org> wrote:
Could you please let us know what parameters we are missing here due to
which connection is not establishing with remote server.
Although, stunnel logs indicating that configuration successful, but in
logs no where is mentioned about the connection is it connected or not,
Hello Dheeraj,
You should set the verifyChain option in order to verify the certificate
stored in the file specified with CAfile:
verifyChain = yes
Then you can test your connection:
telnet 127.0.0.1 9233
the stunnel logs will show information about the connection attempt.
Regards,
MaÅgorzata
_______________________________________________
stunnel-users mailing list
stunnel-***@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
www.arborfs.com
This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.
It is intended solely for the use of the individual or entity to which it
is addressed. If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system. If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.
Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses. We would advise that you carry out your own
virus checks, especially before opening an attachment.
CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.
www.arborfs.com
This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.
It is intended solely for the use of the individual or entity to which it
is addressed. If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system. If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.
Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses. We would advise that you carry out your own
virus checks, especially before opening an attachment.
_______________________________________________
stunnel-users mailing list
stunnel-***@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
www.arborfs.com
This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.
It is intended solely for the use of the individual or entity to which it
is addressed. If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system. If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.
Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses. We would advise that you carry out your own
virus checks, especially before opening an attachment.
CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.
www.arborfs.com
This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.
It is intended solely for the use of the individual or entity to which it
is addressed. If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system. If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.
Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses. We would advise that you carry out your own
virus checks, especially before opening an attachment.
CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.
www.arborfs.com
This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.
It is intended solely for the use of the individual or entity to which it
is addressed. If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system. If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.
Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses. We would advise that you carry out your own
virus checks, especially before opening an attachment.
CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.
www.arborfs.com
This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.
It is intended solely for the use of the individual or entity to which it
is addressed. If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system. If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.
Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses. We would advise that you carry out your own
virus checks, especially before opening an attachment.
CONFIDENTIALITY NOTICE
The information contained in this email transmission is legally privileged
and confidential information intended only for the use of the addressee
named above. If the reader of this message is not the intended recipient
you are hereby notified that any dissemination, distribution or copying of
this email transmission is strictly prohibited. If you have received this
email transmission in error, please notify us immediately. Thank you.
--
www.arborfs.com
This e-mail and any attachment are confidential and contain proprietary
information, some or all of which may be legally privileged.
It is intended solely for the use of the individual or entity to which it
is addressed. If you are not the intended recipient, please notify the
author immediately by telephone or by replying to this e-mail, and then
delete all copies of the e-mail on your system. If you are not the
intended recipient, you must not use, disclose, distribute, copy, print or
rely on this e-mail.
Whilst we have taken reasonable precautions to ensure that this e-mail and
any attachment has been checked for viruses, we cannot guarantee that they
are virus free and we cannot accept liability for any damage sustained as a
result of software viruses. We would advise that you carry out your own
virus checks, especially before opening an attachment.