Tom Mart

Reputation: 57

Stunnel SSL23_GET_SERVER_HELLO Error

I am trying to set up stunnel so I can access my IIS static website (http://localhost).

I want to access it via 'https://localhost:443'.

Here is my conf file:

[https]
client = yes
accept = 443
connect = 80
debug = 7
sslVersion = all
cert = D:\stunnel\config\cert.pfx

and here are the errors I am getting:

2017.05.04 12:41:01 LOG5[main]: UTF-8 byte order mark detected
2017.05.04 12:41:01 LOG5[main]: FIPS mode disabled
2017.05.04 12:41:01 LOG4[main]: Service [https] needs authentication to prevent MITM attacks
2017.05.04 12:41:01 LOG5[main]: Configuration successful
2017.05.04 12:41:14 LOG7[80]: Service [https] started
2017.05.04 12:41:14 LOG7[80]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[80]: Service [https] accepted connection from 127.0.0.1:54417
2017.05.04 12:41:14 LOG6[80]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[80]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG7[81]: Service [https] started
2017.05.04 12:41:14 LOG7[81]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[81]: Service [https] accepted connection from 127.0.0.1:54419
2017.05.04 12:41:14 LOG6[81]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[81]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[81]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[81]: Service [https] connected remote server from 127.0.0.1:54420
2017.05.04 12:41:14 LOG7[81]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[81]: Remote descriptor (FD=552) initialized
2017.05.04 12:41:14 LOG6[81]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[81]: Peer certificate not required
2017.05.04 12:41:14 LOG7[81]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[81]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[81]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[81]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[81]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[81]: Remote descriptor (FD=552) closed
2017.05.04 12:41:14 LOG7[81]: Local descriptor (FD=480) closed
2017.05.04 12:41:14 LOG7[81]: Service [https] finished (1 left)
2017.05.04 12:41:14 LOG5[80]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[80]: Service [https] connected remote server from 127.0.0.1:54418
2017.05.04 12:41:14 LOG7[80]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[80]: Remote descriptor (FD=304) initialized
2017.05.04 12:41:14 LOG6[80]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[80]: Peer certificate not required
2017.05.04 12:41:14 LOG7[80]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[80]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[80]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[80]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[80]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[80]: Remote descriptor (FD=304) closed
2017.05.04 12:41:14 LOG7[80]: Local descriptor (FD=496) closed
2017.05.04 12:41:14 LOG7[80]: Service [https] finished (0 left)
2017.05.04 12:41:14 LOG7[82]: Service [https] started
2017.05.04 12:41:14 LOG7[82]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[82]: Service [https] accepted connection from 127.0.0.1:54422
2017.05.04 12:41:14 LOG6[82]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[82]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[82]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[82]: Service [https] connected remote server from 127.0.0.1:54423
2017.05.04 12:41:14 LOG7[82]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[82]: Remote descriptor (FD=304) initialized
2017.05.04 12:41:14 LOG6[82]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[82]: Peer certificate not required
2017.05.04 12:41:14 LOG7[82]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[82]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[82]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[82]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[82]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[82]: Remote descriptor (FD=304) closed
2017.05.04 12:41:14 LOG7[82]: Local descriptor (FD=544) closed
2017.05.04 12:41:14 LOG7[82]: Service [https] finished (0 left)
2017.05.04 12:41:14 LOG7[83]: Service [https] started
2017.05.04 12:41:14 LOG7[83]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[83]: Service [https] accepted connection from 127.0.0.1:54425
2017.05.04 12:41:14 LOG6[83]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[83]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[83]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[83]: Service [https] connected remote server from 127.0.0.1:54426
2017.05.04 12:41:14 LOG7[83]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[83]: Remote descriptor (FD=540) initialized
2017.05.04 12:41:14 LOG6[83]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[83]: Peer certificate not required
2017.05.04 12:41:14 LOG7[83]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[83]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[83]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[83]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[83]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[83]: Remote descriptor (FD=540) closed
2017.05.04 12:41:14 LOG7[83]: Local descriptor (FD=488) closed
2017.05.04 12:41:14 LOG7[83]: Service [https] finished (0 left)
2017.05.04 12:41:14 LOG7[84]: Service [https] started
2017.05.04 12:41:14 LOG7[84]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[84]: Service [https] accepted connection from 127.0.0.1:54427
2017.05.04 12:41:14 LOG6[84]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[84]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[84]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[84]: Service [https] connected remote server from 127.0.0.1:54428
2017.05.04 12:41:14 LOG7[84]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[84]: Remote descriptor (FD=304) initialized
2017.05.04 12:41:14 LOG6[84]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[84]: Peer certificate not required
2017.05.04 12:41:14 LOG7[84]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[84]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[84]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[84]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[84]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[84]: Remote descriptor (FD=304) closed
2017.05.04 12:41:14 LOG7[84]: Local descriptor (FD=484) closed
2017.05.04 12:41:14 LOG7[84]: Service [https] finished (0 left)

I am looking for a basic config.

Can anyone advise why it is not working, please? Is there anything behind the scenes I need to configure?

Upvotes: 0

Views: 5173

Answers (2)

charlesreid1

Reputation: 4841

This error is coming from the fact that you are not running an Stunnel server on the port you're trying to connect to.

Stunnel requires both a client and a server. The protocol they speak is SSL-wrapped TCP. If you try to point a Stunnel client at a web server like IIS, the Stunnel client will not be able to communicate with it. It's expecting another Stunnel instance running with a Stunnel server config file.

That's why you're seeing the unknown protocol message - when stunnel sends a TCP-wrapped packet that says hello, the web server doesn't understand it so it doesn't say hello back.

2017.05.04 12:41:14 LOG3[84]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[84]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

You can run HTTP or HTTPS over Stunnel, however, once you have the client and server set up. Here are example configuration files for the Stunnel client and Stunnel server that would create a Stunnel connection on port 8000, and allow the client to use port 9999 to access a web server running on the server on port 9998.

Upvotes: 1

Tom Mart

Reputation: 57

'client = yes' makes stunnel encrypt the data received from the client and decrypt the data received from the server.

Resolve by setting client to 'no':

[https]
; no = stunnel is the TLS server: it terminates TLS on 443 and forwards plaintext to IIS on 80
client = no
accept = 443
connect = 80
debug = 7
sslVersion = all
cert = D:\stunnel\config\cert.pfx

Upvotes: 3
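Both answers come down to what the connect = 80 target actually speaks. The Python script below is an added example, not part of either answer and not stunnel's own code: it does what stunnel does with client = yes, sending a real OpenSSL ClientHello to a constructed plaintext HTTP backend that stands in for IIS on port 80, shows the HTTP error line that comes back and the SSLError OpenSSL raises when it tries to read that line as a TLS record, and from the reply decides which way stunnel has to face. The loopback port, the backend's canned replies and all function names are assumptions made for the demonstration.

```python
"""Reproduce and diagnose stunnel's SSL23_GET_SERVER_HELLO:unknown protocol.

With client = yes, stunnel starts a TLS handshake on the connect= target. A
plaintext HTTP listener answers the ClientHello with an HTTP error line, which
OpenSSL cannot parse as a TLS record. Probe the target first, then decide
between client = yes and client = no.
"""
import socket
import ssl
import threading


def _serve_plaintext(srv: socket.socket) -> None:
    # Constructed stand-in for the plaintext IIS listener on port 80: anything
    # that is not an HTTP request line is answered with 400 and closed.
    while True:
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(4096)
            if data.startswith((b"GET ", b"HEAD ", b"POST ")):
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
            else:
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")


def start_plaintext_backend() -> int:
    """Start the fake HTTP backend on an ephemeral loopback port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve_plaintext, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def build_client_hello(server_name: str = "localhost"):
    """Drive OpenSSL through memory BIOs to obtain the raw ClientHello bytes
    a TLS client such as stunnel would send, without opening a socket."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we never get far enough to verify a certificate
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is queued in `outgoing`, OpenSSL waits for a ServerHello
    return tls, incoming, outgoing


def classify_reply(first_bytes: bytes) -> str:
    """Name the protocol the peer answered with, from its first bytes on the wire."""
    if not first_bytes:
        return "closed"  # peer hung up without answering
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"  # an HTTP server, not a TLS endpoint
    if len(first_bytes) >= 3 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-handshake"  # TLS record, content type handshake: a ServerHello
        if first_bytes[0] == 0x15:
            return "tls-alert"  # TLS endpoint that rejected our ClientHello
    return "unknown"


def recommend_client_setting(verdict: str) -> str:
    """Which way stunnel must face, given what the connect= target speaks."""
    if verdict == "plaintext-http":
        return "no"   # stunnel is the TLS server on accept= and passes plaintext on
    if verdict in ("tls-handshake", "tls-alert"):
        return "yes"  # target already speaks TLS; stunnel wraps plaintext clients
    return "unknown"


def probe(host: str, port: int) -> dict:
    """Send a ClientHello to host:port and report what came back."""
    tls, incoming, outgoing = build_client_hello()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(outgoing.read())  # the real ClientHello record
        reply = s.recv(4096)
    verdict = classify_reply(reply)
    if reply:
        incoming.write(reply)
    else:
        incoming.write_eof()
    error = None
    try:
        tls.do_handshake()  # OpenSSL parses the reply as a TLS record, exactly as stunnel does
    except ssl.SSLWantReadError:
        pass  # genuine TLS peer: the handshake would continue with more data
    except ssl.SSLError as exc:
        error = exc.reason  # WRONG_VERSION_NUMBER on OpenSSL 1.1+, UNKNOWN_PROTOCOL on 1.0.x
    return {"peer": verdict, "openssl_error": error,
            "stunnel_client": recommend_client_setting(verdict)}


if __name__ == "__main__":
    backend_port = start_plaintext_backend()
    print(probe("127.0.0.1", backend_port))
```

Against the fake backend the probe reports the peer as plaintext-http together with the OpenSSL reason it could not parse "HTTP/1.1 400 ..." as a ServerHello; that is the same failure stunnel logs at LOG3 above. Pointing the probe at a real TLS listener instead returns tls-handshake, which is the only case in which client = yes is the right setting.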
