I'm trying to use stunnel so that I can use HTTPS (port 443) on my localhost for a development web server running locally on port 8000.
It starts and accepts connections, but every time I open https://localhost:443, the connection is reset immediately.
The certificates in question are TLSv1.2, as per the configuration.
Command to start stunnel:
$ sudo stunnel www.example.com.conf
The configuration file:
pid=
cert = certs/www.example.com/fullchain.pem
key = certs/www.example.com/privkey.pem
sslVersion = TLSv1.2
foreground = yes
output = log/www.example.com.log
debug = 7
[https]
accept=443
connect=8000
The command output:
2018.05.20 16:54:38 LOG7[ui]: Clients allowed=500
2018.05.20 16:54:38 LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform
2018.05.20 16:54:38 LOG5[ui]: Compiled/running with OpenSSL 1.1.0g 2 Nov 2017
2018.05.20 16:54:38 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.05.20 16:54:38 LOG7[ui]: errno: (*__errno_location ())
2018.05.20 16:54:38 LOG5[ui]: Reading configuration from file /home/helgihg/stunnel/www.example.com.conf
2018.05.20 16:54:38 LOG5[ui]: UTF-8 byte order mark not detected
2018.05.20 16:54:38 LOG5[ui]: FIPS mode disabled
2018.05.20 16:54:38 LOG7[ui]: Compression disabled
2018.05.20 16:54:38 LOG7[ui]: Snagged 64 random bytes from /home/helgihg/.rnd
2018.05.20 16:54:38 LOG7[ui]: Wrote 1024 new random bytes to /home/helgihg/.rnd
2018.05.20 16:54:38 LOG7[ui]: PRNG seeded successfully
2018.05.20 16:54:38 LOG6[ui]: Initializing service [https]
2018.05.20 16:54:38 LOG7[ui]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.05.20 16:54:38 LOG7[ui]: TLS options: 0x02024004 (+0x02004000, -0x00000000)
2018.05.20 16:54:38 LOG6[ui]: Loading certificate from file: certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Certificate loaded from file: certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Loading private key from file: certs/www.example.com/privkey.pem
2018.05.20 16:54:38 LOG6[ui]: Private key loaded from file: certs/www.example.com/privkey.pem
2018.05.20 16:54:38 LOG7[ui]: Private key check succeeded
2018.05.20 16:54:38 LOG7[ui]: DH initialization
2018.05.20 16:54:38 LOG7[ui]: Could not load DH parameters from certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Using dynamic DH parameters
2018.05.20 16:54:38 LOG7[ui]: ECDH initialization
2018.05.20 16:54:38 LOG7[ui]: ECDH initialized with curve prime256v1
2018.05.20 16:54:38 LOG5[ui]: Configuration successful
2018.05.20 16:54:38 LOG7[ui]: Binding service [https]
2018.05.20 16:54:38 LOG7[ui]: Listening file descriptor created (FD=7)
2018.05.20 16:54:38 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.05.20 16:54:38 LOG7[ui]: Service [https] (FD=7) bound to 0.0.0.0:443
2018.05.20 16:54:38 LOG7[ui]: No pid file being created
2018.05.20 16:54:38 LOG7[cron]: Cron thread initialized
Here is what happens when I visit with a browser:
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55668
2018.05.20 16:55:20 LOG7[0]: Service [https] started
2018.05.20 16:55:20 LOG7[0]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:55668
2018.05.20 16:55:20 LOG6[0]: Peer certificate not required
2018.05.20 16:55:20 LOG7[0]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[0]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[0]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[0]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55670
2018.05.20 16:55:20 LOG7[1]: Service [https] started
2018.05.20 16:55:20 LOG7[1]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[1]: Service [https] accepted connection from 127.0.0.1:55670
2018.05.20 16:55:20 LOG6[1]: Peer certificate not required
2018.05.20 16:55:20 LOG7[1]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[1]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[1]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[1]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55672
2018.05.20 16:55:20 LOG7[2]: Service [https] started
2018.05.20 16:55:20 LOG7[2]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[2]: Service [https] accepted connection from 127.0.0.1:55672
2018.05.20 16:55:20 LOG6[2]: Peer certificate not required
2018.05.20 16:55:20 LOG7[2]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[2]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[2]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[2]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55674
2018.05.20 16:55:20 LOG7[3]: Service [https] started
2018.05.20 16:55:20 LOG7[3]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[3]: Service [https] accepted connection from 127.0.0.1:55674
2018.05.20 16:55:20 LOG6[3]: Peer certificate not required
2018.05.20 16:55:20 LOG7[3]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[3]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[3]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[3]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55676
2018.05.20 16:55:20 LOG7[4]: Service [https] started
2018.05.20 16:55:20 LOG7[4]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[4]: Service [https] accepted connection from 127.0.0.1:55676
2018.05.20 16:55:20 LOG6[4]: Peer certificate not required
2018.05.20 16:55:20 LOG7[4]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[4]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[4]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[4]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[4]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55678
2018.05.20 16:55:20 LOG7[5]: Service [https] started
2018.05.20 16:55:20 LOG7[5]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[5]: Service [https] accepted connection from 127.0.0.1:55678
2018.05.20 16:55:20 LOG6[5]: Peer certificate not required
2018.05.20 16:55:20 LOG7[5]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[5]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[5]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[5]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[5]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55680
2018.05.20 16:55:20 LOG7[6]: Service [https] started
2018.05.20 16:55:20 LOG7[6]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[6]: Service [https] accepted connection from 127.0.0.1:55680
2018.05.20 16:55:20 LOG6[6]: Peer certificate not required
2018.05.20 16:55:20 LOG7[6]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[6]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[6]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[6]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55682
2018.05.20 16:55:20 LOG7[7]: Service [https] started
2018.05.20 16:55:20 LOG7[7]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[7]: Service [https] accepted connection from 127.0.0.1:55682
2018.05.20 16:55:20 LOG6[7]: Peer certificate not required
2018.05.20 16:55:20 LOG7[7]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[7]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[7]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[7]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[7]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55684
2018.05.20 16:55:20 LOG7[8]: Service [https] started
2018.05.20 16:55:20 LOG7[8]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[8]: Service [https] accepted connection from 127.0.0.1:55684
2018.05.20 16:55:20 LOG6[8]: Peer certificate not required
2018.05.20 16:55:20 LOG7[8]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[8]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[8]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[8]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[8]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55686
2018.05.20 16:55:20 LOG7[9]: Service [https] started
2018.05.20 16:55:20 LOG7[9]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[9]: Service [https] accepted connection from 127.0.0.1:55686
2018.05.20 16:55:20 LOG6[9]: Peer certificate not required
2018.05.20 16:55:20 LOG7[9]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[9]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[9]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[9]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[9]: Service [https] finished (0 left)
I suspect this is the problem:
2018.05.20 16:55:20 LOG3[9]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
But I don't know why it involves the outdated SSLv3 protocol at all. The previous configuration I used 3 years ago did actually use SSLv3, but this is a TLSv1.2 certificate and the configuration clearly specifies TLSv3. My version of stunnel doesn't actually seem to support SSLv3, nor do I think I need it.
That's where I'm stuck. Any help deeply appreciated.
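As an added example (not part of the question above), here is a small Python diagnostic for the failure shown in the log: it counts the SSL_accept reasons stunnel reports and, on constructed sample bytes, applies the same first-bytes heuristic OpenSSL's ssl3_get_record uses when it reports "http request", i.e. the client sent a plaintext HTTP method where a TLS record was expected. The sample log text and the REASON_HINTS wording are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format stunnel writes at debug = 7 (one failed accept).
SAMPLE_LOG = """\
2018.05.20 16:55:20 LOG7[0]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[0]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# OpenSSL reason strings as stunnel logs them, mapped to what the client actually sent.
REASON_HINTS = {
    "http request": "client sent plaintext HTTP to the TLS port (http:// instead of https://)",
    "https proxy request": "client sent an HTTP CONNECT, treating the port as a forward proxy",
    "wrong version number": "first bytes were not a TLS record the server accepts",
}

# Matches: <date> <time> LOG<level>[<id>]: SSL_accept: <code>: error:<code>:SSL routines:<func>:<reason>
LOG_RE = re.compile(
    r"^\S+ \S+ LOG(\d)\[(\w+)\]: SSL_accept: \w+: error:(\w+):SSL routines:(\w+):(.+)$"
)


def handshake_failures(log_text):
    """Return {reason: count} for every failed SSL_accept in stunnel log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group(5).strip()] += 1
    return dict(counts)


def explain(reason):
    """Plain-language hint for a reason string returned by handshake_failures()."""
    return REASON_HINTS.get(reason, "unrecognised reason; look up the OpenSSL error string")


def classify_first_bytes(data):
    """Classify the first bytes a client sends, the way OpenSSL's ssl3_get_record does.

    A TLS handshake record starts with content type 0x16 and major version 0x03;
    an HTTP method in the same position is what produces 'http request'.
    """
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http-request"
    if data.startswith(b"CONNE"):
        return "https-proxy-request"
    return "unknown"
```

The "0 byte(s) sent to TLS" line in the same block confirms the reset happened before any TLS data was exchanged, which is consistent with the client never having started a handshake.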