Hi all,

I need some advice on the stunnel ipkg package. I recently wrote a small PHP script that issues certain ether-wake commands to start the PCs in my home LAN remotely via thttpd, which, by the way, works perfectly. The problem is that thttpd has no SSL features, and I'm not so happy with the idea that virtually anyone with the ability to use a packet sniffer would now be able to wake up those PCs.
So my idea was to install the stunnel package, which accepts (or better: should accept) SSL-encrypted connections on port 443 and reroutes them to the thttpd web server (which runs on port 81). Unfortunately, something goes wrong and I can't really put my finger on where the problem lies exactly. Maybe someone out there has some experience with this. Anyway, here's my stunnel.conf:

Code:
; Certificate/key is needed in server mode and optional in client mode
cert = /opt/etc/stunnel/stunnel.pem
key = /opt/etc/stunnel/stunnel.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /opt/var/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath;  CApath is located inside chroot jail:
;CApath = /certs
; It's often easier to use CAfile:
;CAfile = /opt/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath;  CRLpath is located inside chroot jail:
;CRLpath = /crls
; Alternatively you can use CRLfile:
;CRLfile = /opt/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Service-level configuration
[https]
accept  = 192.168.1.1:443
connect = 192.168.1.1:81
;TIMEOUTclose = 0

; vim:ft=dosini
Browsing to https://my.router causes IE to display a dialog asking whether or not I would like to accept the stunnel certificate. So I think the "connect to stunnel" part goes well. But then nothing happens until some timeout occurs. The stunnel.log says:

Code:
2005.07.10 17:30:58 LOG5[648:1024]: stunnel 4.07 on mipsel-unknown-linux-gnu PTHREAD+POLL+IPv4 with OpenSSL 0.9.7d 17 Mar 2004
2005.07.10 17:30:58 LOG4[648:1024]: Wrong permissions on /opt/etc/stunnel/stunnel.pem
2005.07.10 17:30:58 LOG7[648:1024]: RAND_status claims sufficient entropy for the PRNG
2005.07.10 17:30:58 LOG6[648:1024]: PRNG seeded successfully
2005.07.10 17:30:58 LOG7[648:1024]: Certificate: /opt/etc/stunnel/stunnel.pem
2005.07.10 17:30:58 LOG7[648:1024]: Key file: /opt/etc/stunnel/stunnel.pem
2005.07.10 17:30:58 LOG6[648:1024]: file ulimit = 1024 (can be changed with 'ulimit -n')
2005.07.10 17:30:58 LOG6[648:1024]: poll() used - no FD_SETSIZE limit for file descriptors
2005.07.10 17:30:58 LOG5[648:1024]: 500 clients allowed
2005.07.10 17:30:58 LOG7[648:1024]: FD 4 in non-blocking mode
2005.07.10 17:30:58 LOG7[648:1024]: FD 5 in non-blocking mode
2005.07.10 17:30:58 LOG7[648:1024]: FD 6 in non-blocking mode
2005.07.10 17:30:58 LOG7[648:1024]: SO_REUSEADDR option set on accept socket
2005.07.10 17:30:58 LOG7[648:1024]: https bound to 0.0.0.0:443
2005.07.10 15:30:58 LOG7[650:1024]: Created pid file /stunnel.pid
2005.07.10 17:32:55 LOG5[654:1024]: stunnel 4.07 on mipsel-unknown-linux-gnu PTHREAD+POLL+IPv4 with OpenSSL 0.9.7d 17 Mar 2004
2005.07.10 17:32:55 LOG4[654:1024]: Wrong permissions on /opt/etc/stunnel/stunnel.pem
2005.07.10 17:32:55 LOG7[654:1024]: RAND_status claims sufficient entropy for the PRNG
2005.07.10 17:32:55 LOG6[654:1024]: PRNG seeded successfully
2005.07.10 17:32:55 LOG7[654:1024]: Certificate: /opt/etc/stunnel/stunnel.pem
2005.07.10 17:32:55 LOG7[654:1024]: Key file: /opt/etc/stunnel/stunnel.pem
2005.07.10 17:32:55 LOG6[654:1024]: file ulimit = 1024 (can be changed with 'ulimit -n')
2005.07.10 17:32:55 LOG6[654:1024]: poll() used - no FD_SETSIZE limit for file descriptors
2005.07.10 17:32:55 LOG5[654:1024]: 500 clients allowed
2005.07.10 17:32:55 LOG7[654:1024]: FD 4 in non-blocking mode
2005.07.10 17:32:55 LOG7[654:1024]: FD 5 in non-blocking mode
2005.07.10 17:32:55 LOG7[654:1024]: FD 6 in non-blocking mode
2005.07.10 17:32:55 LOG7[654:1024]: SO_REUSEADDR option set on accept socket
2005.07.10 17:32:55 LOG7[654:1024]: https bound to 192.168.1.1:443
2005.07.10 15:32:55 LOG7[656:1024]: Created pid file /stunnel.pid
2005.07.10 15:33:21 LOG7[656:1024]: https accepted FD=8 from 192.168.1.4:2921
2005.07.10 15:33:21 LOG7[656:1024]: FD 8 in non-blocking mode
2005.07.10 15:33:21 LOG7[659:1026]: https started
2005.07.10 15:33:21 LOG7[659:1026]: TCP_NODELAY option set on local socket
2005.07.10 15:33:21 LOG5[659:1026]: https connected from 192.168.1.4:2921
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): before/accept initialization
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 read client hello A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 write server hello A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 write certificate A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 write server done A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 flush data
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 read client key exchange A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 read finished A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 write change cipher spec A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 write finished A
2005.07.10 15:33:21 LOG7[659:1026]: SSL state (accept): SSLv3 flush data
2005.07.10 15:33:21 LOG7[659:1026]:    1 items in the session cache
2005.07.10 15:33:21 LOG7[659:1026]:    0 client connects (SSL_connect())
2005.07.10 15:33:21 LOG7[659:1026]:    0 client connects that finished
2005.07.10 15:33:21 LOG7[659:1026]:    0 client renegotiatations requested
2005.07.10 15:33:21 LOG7[659:1026]:    1 server connects (SSL_accept())
2005.07.10 15:33:21 LOG7[659:1026]:    1 server connects that finished
2005.07.10 15:33:21 LOG7[659:1026]:    0 server renegotiatiations requested
2005.07.10 15:33:21 LOG7[659:1026]:    0 session cache hits
2005.07.10 15:33:21 LOG7[659:1026]:    0 session cache misses
2005.07.10 15:33:21 LOG7[659:1026]:    0 session cache timeouts
2005.07.10 15:33:21 LOG6[659:1026]: SSL accepted: new session negotiated
2005.07.10 15:33:21 LOG6[659:1026]: Negotiated ciphers: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2005.07.10 15:33:21 LOG7[659:1026]: FD 11 in non-blocking mode
2005.07.10 15:33:21 LOG7[659:1026]: https connecting 192.168.1.1:81
2005.07.10 15:33:21 LOG7[659:1026]: connect_wait: waiting 10 seconds
2005.07.10 15:33:21 LOG7[659:1026]: connect_wait: connected
2005.07.10 15:33:21 LOG7[659:1026]: Remote FD=11 initialized
2005.07.10 15:33:21 LOG7[659:1026]: TCP_NODELAY option set on remote socket
2005.07.10 15:33:21 LOG7[659:1026]: SSL socket closed on SSL_read
2005.07.10 15:33:21 LOG5[659:1026]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2005.07.10 15:33:21 LOG7[659:1026]: https finished (-1 left)
I'm really no expert with this and maybe the problem is obvious, but I've been trying to accomplish this for quite some time and I'm really at my wits' end. So any advice would be highly welcome...
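Added example (not from the original post, and not part of stunnel or thttpd): a small POSIX shell script with the checks a practitioner would run against a setup like the one above. It assumes the paths from the posted stunnel.conf; the log location is a guess (the posted `output = stunnel.log` is a relative path), so both can be overridden with `PEM=...` and `LOG=...` in the environment. The three-line sample log embedded in the script is constructed, modelled on the posted log, so the script runs anywhere even when the real log is absent.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a stunnel 4.x
# server-mode setup. Assumptions: paths from the posted stunnel.conf; the log
# location is a guess (override with PEM=... LOG=... in the environment).

PEM=${PEM:-/opt/etc/stunnel/stunnel.pem}
LOG=${LOG:-/opt/var/stunnel/stunnel.log}

# 1. Private-key permissions. stunnel loads cert/key as root before the
#    setuid/setgid drop and logs "Wrong permissions on <file>" at LOG4 when the
#    group/other bits are set (the posted log shows exactly that warning).
#    Returns 0 for owner-only access (0600/0400), 1 if group/other can access
#    the file, 2 if it is missing.
check_key_perms() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)   # group+other of e.g. -rw-r--r--
    [ -n "$bits" ] || return 2
    case "$bits" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# 2. With cert = key = the same PEM, that one file must hold both the
#    certificate and the matching RSA private key. Compares their moduli;
#    needs the openssl CLI.
check_cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 3. Log triage for debug = 7 output. LOG0..LOG4 lines are errors/warnings,
#    "SSL accepted" counts completed handshakes, and a close with "0 bytes
#    sent" in both directions means the TLS side finished but nothing was ever
#    relayed to the backend on port 81, which is the pattern in the posted log.
summarize_log() {
    awk '
        /LOG[0-4]\[/                                                     { warn++ }
        /SSL accepted: new session negotiated/                            { ok++ }
        /Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket/  { empty++ }
        END { printf "warnings=%d sessions=%d empty_sessions=%d\n", warn+0, ok+0, empty+0 }
    ' "$1"
}

# Constructed sample modelled on the posted log (not real data).
SAMPLE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
2005.07.10 17:32:55 LOG4[654:1024]: Wrong permissions on /opt/etc/stunnel/stunnel.pem
2005.07.10 15:33:21 LOG6[659:1026]: SSL accepted: new session negotiated
2005.07.10 15:33:21 LOG5[659:1026]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
EOF

if check_key_perms "$PEM"; then
    echo "$PEM: owner-only permissions, ok"
else
    echo "$PEM: missing, or readable by group/other (fix: chown root; chmod 600)"
fi
if check_cert_key_match "$PEM"; then
    echo "$PEM: certificate and private key match"
else
    echo "$PEM: could not confirm cert/key match (file missing, or openssl not installed)"
fi

LOGFILE=$LOG; [ -r "$LOGFILE" ] || LOGFILE=$SAMPLE
echo "log summary ($LOGFILE): $(summarize_log "$LOGFILE")"

# Live check from a LAN host once stunnel is running: if thttpd's HTTP status
# line comes back, the relay from 443 to port 81 works end to end.
#   printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect 192.168.1.1:443 -quiet
```

Run it on the router (`sh check-stunnel.sh`, or with `LOG=/path/to/stunnel.log` if the log lives elsewhere); a non-zero `warnings` count in the summary is worth reading the LOG4 lines for, and `empty_sessions` equal to `sessions` means every handshake completed without a single byte reaching the backend.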