stunnel - how to configure stunnel to handle SSL and attach HTTP to it?

4

I am running Google App Engine, which is an HTTP web server with some redirects and other real-time information. But it does not have SSL included, so it is impossible to do HTTPS.

So I was trying to have stunnel do the SSL and connect HTTP to it, but it does not work when using Google App Engine and stunnel.

$ cat /etc/stunnel/stunnel.conf
pid = /stunnel.pid
cert=/var/tmp/server.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client=yes
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel.log
[SSL]
accept=0.0.0.0:443
connect=80

See the logs:

2014.02.06 09:13:34 LOG5[8293:140556325660608]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2014.02.06 09:13:34 LOG6[8293:140556325660608]: file ulimit = 1024 (can be changed with 'ulimit -n')
2014.02.06 09:13:34 LOG6[8293:140556325660608]: poll() used - no FD_SETSIZE limit for file descriptors
2014.02.06 09:13:34 LOG5[8293:140556325660608]: 500 clients allowed
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 9 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 10 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 11 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: SO_REUSEADDR option set on accept socket
2014.02.06 09:13:34 LOG7[8293:140556325660608]: SSL bound to 0.0.0.0:443
2014.02.06 09:13:34 LOG7[8299:140556325660608]: Created pid file /stunnel.pid

2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=13 from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325656320]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325656320]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Acquired libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Releasing libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Released libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL permitted by libwrap from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL accepted connection from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG7[8299:140556325656320]: FD 15 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 16 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325656320]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325656320]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325656320]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL connected remote server from 82.x.x.x:36426
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Remote FD=15 initialized
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36427
2014.02.06 09:14:06 LOG7[8299:140556325656320]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=16 initialized
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325656320]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG5[8299:140556325656320]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL finished (1 left)
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36428
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=13 initialized
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36429
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=13 initialized
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)

EDIT: here is a local check of the SSL side

$ openssl s_client -ssl3 -connect localhost:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1391675538
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

EDIT:

Goal: the visitor visits a valid address, e.g.: link (assume it is valid and has CA, KEY and CERT files), and is not forwarded to the link, which should remain https.

1) When Google App Engine is used it does not have an HTTPS option; as a result everything has to run as HTTP. Right now the service is running as HTTP, but when users use it as http it causes other security problems.

2) So we needed an SSL proxy in front of this HTTP, so that the user always gets https even though behind the scenes they are connected over http.

Is this description clear?

by YumYumYum 06.02.2014 / 06:56

1 answer

3

The problem is your configuration (changed from the default):

client=yes

But you need stunnel in server mode, i.e. an SSL/TLS connection is offered to the outside and forwarded on as an unencrypted connection.

by 06.02.2014 / 07:21
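The answer's diagnosis can be checked mechanically. The following is an added example, not code from the thread or from the stunnel project. It does two things: it parses the five-byte TLS record header that OpenSSL reads first, in the same order OpenSSL checks it (version, then content type), to show why a plaintext HTTP reply from port 80 surfaces as `SSL3_GET_RECORD:wrong version number` in the log; and it parses a stunnel.conf, resolving the inherited `client` setting for every `[service]`, so that `client=yes` on a listener that is supposed to terminate TLS is caught before the daemon is started. The broken configuration is the one posted in the question; the fixed one is this example's server-mode version of it (the `options = NO_SSLv2` / `NO_SSLv3` lines are a hardening addition from this example, not from the answer), and the HTTP reply and ClientHello bytes are constructed samples.

```python
"""Diagnose the stunnel client/server mix-up from the thread (added example)."""
import re

# Record-layer constants (RFC 6101 / RFC 2246 / RFC 5246).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def tls_record_check(data: bytes) -> dict:
    """Parse a TLS record header the way OpenSSL's record reader does:
    the two version bytes are checked before the content type, so plaintext
    whose bytes 1-2 are not 0x03 0x0X fails with 'wrong version number'."""
    if len(data) < 5:
        return {"ok": False, "reason": "short read", "header": data}
    ctype = data[0]
    version = (data[1] << 8) | data[2]
    length = int.from_bytes(data[3:5], "big")
    if version not in TLS_VERSIONS:
        # This is the branch the posted log hits: the peer on :80 answered in
        # plaintext HTTP, so the 'version' field holds ASCII, not a TLS version.
        return {"ok": False, "reason": "wrong version number", "header": data[:5]}
    if ctype not in TLS_CONTENT_TYPES:
        return {"ok": False, "reason": "unknown content type", "header": data[:5]}
    return {"ok": True, "type": TLS_CONTENT_TYPES[ctype], "version": TLS_VERSIONS[version], "length": length}


def stunnel_services(conf: str) -> dict:
    """Return {service_name: options}. Options written before the first
    [section] are defaults inherited by every service; stunnel's own default
    is client = no. Lines starting with ';' or '#' are comments."""
    defaults = {"client": "no"}
    services = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            services[current] = dict(defaults)
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        (defaults if current is None else services[current])[key.lower()] = value
    return services


def diagnose(conf: str) -> dict:
    """Map each service to ('client'|'server', explanation of the data flow)."""
    result = {}
    for name, opts in stunnel_services(conf).items():
        accept, connect = opts.get("accept", "?"), opts.get("connect", "?")
        if opts.get("client", "no").lower() == "yes":
            result[name] = ("client",
                            f"plaintext expected on {accept}, TLS initiated towards {connect}; "
                            f"a browser's ClientHello is relayed as payload and the plaintext HTTP "
                            f"reply from {connect} is parsed as a TLS record -> wrong version number")
        else:
            result[name] = ("server", f"TLS terminated on {accept}, plaintext forwarded to {connect}")
    return result


# The configuration posted in the question, verbatim.
BROKEN_CONF = """\
pid = /stunnel.pid
cert=/var/tmp/server.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client=yes
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel.log
[SSL]
accept=0.0.0.0:443
connect=80
"""

# Server-mode version as the answer describes; NO_SSLv2/NO_SSLv3 added by this example.
FIXED_CONF = """\
pid = /stunnel.pid
cert = /var/tmp/server.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = no
options = NO_SSLv2
options = NO_SSLv3
debug = 7
output = /var/log/stunnel.log
[SSL]
accept = 0.0.0.0:443
connect = 80
"""

# Constructed wire samples: what a plaintext HTTP server typically answers when it
# receives a ClientHello, and the header of a TLS 1.0 handshake record.
PLAINTEXT_HTTP_REPLY = b"HTTP/1.0 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
TLS_HANDSHAKE_RECORD = bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + b"\x01" + b"\x00" * 46

if __name__ == "__main__":
    print(tls_record_check(PLAINTEXT_HTTP_REPLY))
    print(tls_record_check(TLS_HANDSHAKE_RECORD))
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for name, (mode, why) in diagnose(conf).items():
            print(f"{label:6} [{name}] {mode}: {why}")
```

Two practical notes. First, `connect = 80` means stunnel forwards to port 80 on the local host in plaintext; if the HTTP backend is on another machine, that leg crosses the network unencrypted and the proxy only protects the browser-to-stunnel hop. Second, verify the fixed setup with a current TLS version, e.g. `openssl s_client -connect host:443 </dev/null` and `curl -v https://host/`, rather than the `-ssl3` flag used in the question: SSLv3 is obsolete and is disabled in modern OpenSSL builds, so a server that accepts it is a finding, not a success.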