I'm working with an application that consists of Windows services on the same server which send messages to each other over TCP. Each service is assigned a port on which it listens for messages.
I'd like to encrypt this traffic so that it can't be read (for example with a tool like Wireshark), and I'm wondering whether Stunnel would let us encrypt it without changing any code in the product?
If service B is listening on port 17900 and service A expects service B to be listening on that port, is it possible to ensure that the traffic from service A to service B is encrypted by Stunnel? Is this even a good idea?
I created an Ubuntu 16.04 lxd container and set up Stunnel, Tinyproxy and an OpenVPN client in it.
The goal is to connect to Tinyproxy through Stunnel and force Tinyproxy to use OpenVPN's interface for outgoing connections.
Stunnel -> Tinyproxy works fine: pages load in the browser as expected. However, as soon as I start the OpenVPN service, the client-side Stunnel fails with a timeout and the browser waits forever for a response.
Because Tinyproxy 1.8.3 (the latest version for Ubuntu 16.04) has no option to bind outgoing connections to a specific interface, I had to let OpenVPN add a default route through its tun0 interface.
The OpenVPN client works as expected: all packets from the container go through the VPN. The host carrying the container is a remote host with a public IP. DNAT into the container is set up.
I'm not very familiar with routing internals; I can only set up SNAT/DNAT and filter with iptables. So I can't figure out the root of the problem.
Here are the most important parameters of the environment:
ifconfig
$ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:16:3e:5f:46:ba
inet addr:10.227.60.197 Bcast:10.227.60.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe5f:46ba/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16291 errors:0 dropped:0 overruns:0 frame:0
TX packets:15632 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5044056 (5.0 MB) TX bytes:4171187 (4.1 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2446 errors:0 dropped:0 overruns:0 frame:0
TX packets:2446 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:2483699 (2.4 MB) TX bytes:2483699 (2.4 MB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.3 P-t-P:10.8.0.3 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:252 (252.0 B) TX bytes:252 (252.0 B)
route
$ route -v -e
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
default 10.227.60.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
10.227.60.0 * 255.255.255.0 U 0 0 0 eth0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
<vpn server IP> 10.227.60.1 255.255.255.255 UGH 0 0 0 eth0
stunnel.conf
...
accept = 10.227.60.197:8081
connect = 127.0.0.1:8080
...
tinyproxy.conf
...
Port 8080
Listen 127.0.0.1
...
vpnclient.conf
dev tun
proto udp
remote <vpn server ip> 1195
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
verb 3
#route-nopull
...
iptables is empty.
I've built an Alpine Linux 3.11.6 Docker container with NGINX, Node.js and stunnel. stunnel cannot open /var/log/stunnel/stunnel.log inside the container, even though the file is writable/readable.
$ bash-5.0# stunnel
[ ] Clients allowed=500
[.] stunnel 5.56 on x86_64-alpine-linux-musl platform
[.] Compiled with OpenSSL 1.1.1d 10 Sep 2019
[.] Running with OpenSSL 1.1.1g 21 Apr 2020
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
[ ] errno: (*__errno_location())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[ ] No PRNG seeding was required
[ ] Initializing service [fb-live]
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Loading certificate from file: /certs/cert.pem
[ ] Certificate loaded from file: /certs/cert.pem
[ ] Loading private key from file: /certs/key.pem
[ ] Private key loaded from file: /certs/key.pem
[ ] Private key check succeeded
[:] Service [fb-live] needs authentication to prevent MITM attacks
[.] Configuration successful
[ ] Binding service [fb-live]
[ ] Listening file descriptor created (FD=9)
[ ] Setting accept socket options (FD=9)
[ ] Option SO_REUSEADDR set on accept socket
[ ] Service [fb-live] (FD=9) bound to 0.0.0.0:1936
[!] Cannot open log file: /var/log/stunnel/stunnel.log
[ ] Deallocating section defaults
[ ] Unbinding service [fb-live]
[ ] Service [fb-live] closed (FD=9)
[ ] Service [fb-live] closed
[ ] Deallocating section [fb-live]
$ bash-5.0# find . -name *stunnel*
./usr/lib/stunnel
./usr/lib/stunnel/libstunnel.so
./usr/bin/stunnel3
./usr/bin/stunnel
./var/log/stunnel
./var/log/stunnel/stunnel.log
./var/lib/stunnel
./etc/stunnel
./etc/stunnel/stunnel.conf
./etc/default/stunnel
./run/stunnel
$ bash-5.0# ls /var/log/stunnel/stunnel.log -lash
0 -rw-rw---- 1 root root 0 Oct 9 17:25 /var/log/stunnel/stunnel.log
bash-5.0#
I've tried moving the file path to different directories, inside bin, /var/run/stunnel, but nothing can open it. I believe this is why stunnel isn't loading properly.
$ grep setuid /etc/stunnel/stunnel.conf
setuid = stunnel
I'm setting up an HTTPS proxy with stunnel and squid.
However, I get the Mozilla error page "Secure Connection Failed" whenever I send browser requests through port 44444 (stunnel).
What am I missing?
If I make a direct browser request to (https://192.168.0.101:44444), stunnel accepts the connection on port 44444 and successfully forwards the traffic to the squid proxy port (55555), so the squid error page is received.
If I send requests through the squid port (55555), everything works.
The SSL certificate is self-signed, generated with this command:
sudo openssl req -nodes -new -days 365 -newkey rsa:1024 -x509 -keyout serverkey.pem -out servercert.pem
stunnel.log
2020.10.01 17:54:05 LOG7[main]: Found 1 ready file descriptor(s)
2020.10.01 17:54:05 LOG7[main]: FD=4 events=0x2001 revents=0x0
2020.10.01 17:54:05 LOG7[main]: FD=6 events=0x2001 revents=0x1
2020.10.01 17:54:05 LOG7[main]: Service [squid] accepted (FD=3) from 10.140.37.30:42284
2020.10.01 17:54:05 LOG7[33]: Service [squid] started
2020.10.01 17:54:05 LOG7[33]: Option TCP_NODELAY set on local socket
2020.10.01 17:54:05 LOG5[33]: Service [squid] accepted connection from 10.140.37.30:42284
2020.10.01 17:54:05 LOG6[33]: Peer certificate not required
2020.10.01 17:54:05 LOG7[33]: TLS state (accept): before SSL initialization
2020.10.01 17:54:05 LOG3[33]: SSL_accept: 1408F09B: error:1408F09B:SSL routines:ssl3_get_record:https proxy request
stunnel.conf
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
debug = 7
output = /stunnel.log
syslog = no
cert = /etc/stunnel/servercert.pem
key = /etc/stunnel/serverkey.pem
verify = 1
CApath = /certs
CRLpath = /crls
client = no
[squid]
accept = 44444
connect = 55555
squid.conf
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 55555
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
Use case: we have several Eaton PDUs/PSUs that do not support SSL/TLS authentication. My task is to build an SMTP relay server that accepts basic SMTP/25 email and forwards it over SSL to our email provider.
Note: the relay host uses stunnel to establish the smtps connection on 465.
My Postfix SMTP relay server can send mail successfully through our email provider, alimail. But I cannot get it to relay email from other hosts on our network.
/etc/postfix/main.cf
smtpd_banner = mail01v-la ESMTP
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 10.96.80.0/24
relayhost = [127.0.0.1]:5000
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = no
smtp_generic_maps = regexp:/etc/postfix/generic
/etc/postfix/sasl_passwd
[127.0.0.1]:5000 [email protected]:notifypwd
/etc/postfix/generic
/^root@(.*)$/ [email protected]
/etc/stunnel/stunnel.conf
client = yes
foreground = no
[smtps]
accept = 5000
connect = smtp.mxhichina.com:smtps
SMTP telnet to the provider
[root@mail01v-la ~]# telnet smtp.mxhichina.com smtp
Trying 205.204.101.152...
Connected to smtp.mxhichina.com.
Escape character is '^]'.
220 smtp.aliyun-inc.com MX AliMail Server
ehlo google.come
250-smtp.aliyun-inc.com
250-STARTTLS
250-8BITMIME
250-AUTH=PLAIN LOGIN XALIOAUTH
250-AUTH PLAIN LOGIN XALIOAUTH
250-PIPELINING
250 DSN
Checking the tunnel connection
[root@mail01v-la ~]# telnet 127.0.0.1 5000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 smtp.aliyun-inc.com MX AliMail Server
Sending email from the relay server
echo "Stack Body" | mail -s "Test Subject for Stack" [email protected]
Result
Feb 14 18:30:29 mail01v-la postfix/pickup[4812]: 3194940DE2: uid=0 from=<root>
Feb 14 18:30:29 mail01v-la postfix/cleanup[4865]: 3194940DE2: message-id=<[email protected]>
Feb 14 18:30:29 mail01v-la postfix/qmgr[2606]: 3194940DE2: from=<[email protected]>, size=481, nrcpt=1 (queue active)
Feb 14 18:30:30 mail01v-la postfix/smtp[4867]: 3194940DE2: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:5000, delay=1.3, delays=0.01/0.01/0.85/0.46, dsn=2.0.0, status=sent (250 Data Ok: queued as freedom)
Feb 14 18:30:30 mail01v-la postfix/qmgr[2606]: 3194940DE2: removed
Random CentOS server
/etc/postfix/main.cf
relayhost = [10.96.80.126]:5000
Result
Feb 14 18:06:52 test01v-la postfix/pickup[1247]: BB87C305A42F: uid=0 from=<root>
Feb 14 18:06:52 test01v-la postfix/cleanup[1387]: BB87C305A42F: message-id=<[email protected]>
Feb 14 18:06:52 test01v-la postfix/qmgr[1248]: BB87C305A42F: from=<[email protected]>, size=477, nrcpt=1 (queue active)
Feb 14 18:06:53 test01v-la postfix/smtp[1389]: BB87C305A42F: to=<[email protected]>, relay=10.96.80.126[10.96.80.126]:5000, delay=0.78, delays=0.01/0.01/0.61/0.15, dsn=5.0.0, status=bounced (host 10.96.80.126[10.96.80.126] said: 553 authentication is required (in reply to MAIL FROM command))
Eaton PDU
Eaton result
email[17131]: message error -110 in function smtp_start_session test - (Connection timed out) retrying smtp_start_session test email[17131]: Failed to connect to SMTP server 10.96.80.126:5000 with username [email protected]
This is the first time I've done a setup like this. There are probably many gaps in my knowledge that are causing me grief.
In a correct setup, do you even need to re-enter credentials on every host that wants to use the relay server? For example, in the Eaton SMTP configuration, should it be the credentials of the email account used in the sasl file? Or a system account that Postfix allows to relay? Or the account name defined in the postfix/generic file? A bit lost.
Is stunnel even the right way for me to connect over ssl/tls? I saw starttls in the telnet prompt from smtp.mxhichina.com.
Honestly I think I'm overcomplicating this or missing something obvious. If anyone has a better setup for my use case, that would be much appreciated too.
Result
Feb 20 11:27:22 mail01v-la postfix/qmgr[1537]: 6B38AE5EE: from=<[email protected]>, size=479, nrcpt=1 (queue active)
Feb 20 11:27:22 mail01v-la postfix/smtp[1558]: CLIENT wrappermode (port smtps/465) is unimplemented
Feb 20 11:27:22 mail01v-la postfix/smtp[1558]: instead, send to (port submission/587) with STARTTLS
Feb 20 11:27:40 mail01v-la postfix/smtp[1558]: 6B38AE5EE: to=<[email protected]>, relay=smtp.mxhichina.com[205.204.101.152]:465, delay=613, delays=595/0.02/19/0, dsn=4.4.2, status=deferred (lost connection with smtp.mxhichina.com[205.204.101.152] while receiving the initial server greeting)
Feb 20 11:32:22 mail01v-la postfix/qmgr[1537]: A3F736B2: from=<[email protected]>, size=477, nrcpt=1 (queue active)
main.cf
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 10.96.80.0/24
relayhost = [smtp.mxhichina.com]:465
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_wrappermode = yes
soft_bounce = yes
smtp_sasl_auth_soft_bounce = yes
/etc/postfix/sasl_passwd
smtp.mxhichina.com [email protected]:notifypwd
Hi ServerFault community,
I posted this to the stunnel-users mailing list on 30 April 2018 and 16 May 2018 at https://www.stunnel.org/pipermail/stunnel-users/2018-April/006000.html, but unfortunately nobody there seems to know the answer, so now I'm trying my luck with the experts here.
Below is a verbatim quote of the mail to the mailing list.
Hi list,
I've just joined the stunnel community.
For PCI compliance reasons I'm moving the public-facing ports of our mail server to stunnel.
So far I have managed to get working:
- imap with starttls (143/tcp)
- imaps (993/tcp)
- pop3 with starttls (110/tcp)
- pop3s (995/tcp)
My trouble is with smtp with starttls (25/tcp, 587/tcp).
I have now tried several different mail clients, and every one of them tells me the server does not support the authentication protocol.
I have stunnel 5.44 installed. The relevant sections of my config:
[mail2-imap]
protocol = imap
accept = 143
connect = <mail-fqdn>:143
[mail2-imaps]
accept = 993
connect = <mail-fqdn>:143
[mail2-pop3]
protocol = pop3
accept = 110
connect = <mail-fqdn>:110
[mail2-pop3s]
accept = 995
connect = <mail-fqdn>:110
[mail2-smtp]
protocol = smtp
accept = 25
connect = <mail-fqdn>:25
[mail2-smtps]
accept = 465
connect = <mail-fqdn>:465
[mail2-smtps-submission]
debug = 7
protocol = smtp
accept = 587
connect = <mail-fqdn>:587
In the log file I have the following entries on connect:
2018.04.30 09:20:50 LOG7[5]: Service [mail2-smtps-submission] started
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on local socket
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] accepted connection from 41.13.8.49:56890
2018.04.30 09:20:50 LOG6[5]: s_connect: connecting 10.10.11.2:587
2018.04.30 09:20:50 LOG7[5]: s_connect: s_poll_wait 10.10.11.2:587: waiting 10 seconds
2018.04.30 09:20:50 LOG5[5]: s_connect: connected 10.10.11.2:587
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] connected remote server from 10.10.11.11:42466
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on remote socket
2018.04.30 09:20:50 LOG7[5]: Remote descriptor (FD=23) initialized
2018.04.30 09:20:50 LOG7[5]: RFC 2487 detected
2018.04.30 09:20:50 LOG7[5]: <- 220 <mail-fqdn> ESMTP Postfix
2018.04.30 09:20:50 LOG7[5]: -> 220 <mail-fqdn> stunnel for ESMTP Postfix
2018.04.30 09:20:51 LOG7[5]: <- EHLO [100.125.153.220]
2018.04.30 09:20:51 LOG7[5]: -> 250-<mail-fqdn>
2018.04.30 09:20:51 LOG7[5]: -> 250 STARTTLS
2018.04.30 09:20:51 LOG7[5]: <- STARTTLS
2018.04.30 09:20:51 LOG7[5]: -> 220 Go ahead
2018.04.30 09:20:51 LOG6[5]: Peer certificate not required
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): before/accept initialization
2018.04.30 09:20:51 LOG7[5]: SNI: no virtual services defined
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write certificate A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write key exchange A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server done A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client certificate A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read client key exchange A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read certificate verify A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write change cipher spec A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:52 LOG7[5]: New session callback
2018.04.30 09:20:52 LOG7[5]: 2 server accept(s) requested
2018.04.30 09:20:52 LOG7[5]: 2 server accept(s) succeeded
2018.04.30 09:20:52 LOG7[5]: 0 server renegotiation(s) requested
2018.04.30 09:20:52 LOG7[5]: 0 session reuse(s)
2018.04.30 09:20:52 LOG7[5]: 2 internal session cache item(s)
2018.04.30 09:20:52 LOG7[5]: 0 internal session cache fill-up(s)
2018.04.30 09:20:52 LOG7[5]: 0 internal session cache miss(es)
2018.04.30 09:20:52 LOG7[5]: 0 external session cache hit(s)
2018.04.30 09:20:52 LOG7[5]: 0 expired session(s) retrieved
2018.04.30 09:20:52 LOG6[5]: TLS accepted: new session negotiated
2018.04.30 09:20:52 LOG6[5]: No peer certificate received
2018.04.30 09:20:52 LOG6[5]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2018.04.30 09:20:52 LOG7[5]: Compression: null, expansion: null
2018.04.30 09:20:52 LOG6[5]: Read socket closed (read hangup)
2018.04.30 09:20:52 LOG7[5]: Sending close_notify alert
2018.04.30 09:20:52 LOG7[5]: TLS alert (write): warning: close notify
2018.04.30 09:20:52 LOG6[5]: SSL_shutdown successfully sent close_notify alert
2018.04.30 09:20:52 LOG6[5]: TLS fd: Connection reset by peer (104)
2018.04.30 09:20:52 LOG6[5]: TLS socket closed (SSL_read)
2018.04.30 09:20:52 LOG7[5]: Sent socket write shutdown
2018.04.30 09:20:52 LOG5[5]: Connection closed: 156 byte(s) sent to TLS, 30 byte(s) sent to socket
2018.04.30 09:20:52 LOG7[5]: Remote descriptor (FD=23) closed
2018.04.30 09:20:52 LOG7[5]: Local descriptor (FD=22) closed
2018.04.30 09:20:52 LOG7[5]: Service [mail2-smtps-submission] finished (4 left)
Here is the error I get from K9-Mail: (screenshot: K9-Mail error)
The Google Mail app just tells me: (screenshot: Gmail error)
Alpine (Linux command-line SMTP client): (screenshot: Alpine client error)
Any suggestions, gurus?
Kind regards
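Added example, not part of either post above and not Postfix or stunnel code: a small Python check for the two SMTP TLS questions this page raises. The Postfix log in the relay post says client wrappermode on 465 is unimplemented in that Postfix and suggests STARTTLS on 587; the stunnel log directly above shows what a client sees through protocol = smtp before the handshake (a 250 reply that advertises only STARTTLS). parse_ehlo turns such replies into a capability map, choose_tls_mode picks the transport Postfix would use for a port, and send_test_mail drives the same negotiation with smtplib while verifying the provider certificate. The two EHLO replies in the test are copied from the posts; host names, credentials and addresses passed to send_test_mail are placeholders.

```python
"""EHLO capability check and a TLS-aware sender for testing an SMTP relay."""
import smtplib
import ssl
from email.message import EmailMessage


def parse_ehlo(reply):
    """Parse a multi-line EHLO reply (bytes or text) into {KEYWORD: [params]}.
    The first 250- line carries the server name and is skipped. The legacy
    "AUTH=PLAIN LOGIN" form is folded into the standard AUTH keyword."""
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    caps = {}
    lines = [line for line in reply.splitlines() if line[:3] == "250"]
    for line in lines[1:]:
        body = line[4:].strip()
        if not body:
            continue
        keyword, *params = body.replace("=", " ", 1).split()
        caps.setdefault(keyword.upper(), []).extend(params)
    return caps


def choose_tls_mode(port, caps):
    """465 is implicit TLS (smtplib.SMTP_SSL). 25 and 587 need STARTTLS, which
    the server must advertise in EHLO. Returns 'implicit', 'starttls' or None."""
    if port == 465:
        return "implicit"
    if "STARTTLS" in caps:
        return "starttls"
    return None


def auth_mechanisms(caps):
    """SASL mechanisms the server offers at this point of the dialogue."""
    return {m.upper() for m in caps.get("AUTH", [])}


def send_test_mail(host, port, username, password, sender, recipient, timeout=20):
    """Deliver one message, negotiating TLS the way Postfix does for the port,
    and verify the provider certificate against the system trust store.
    Credentials are only sent once the connection is encrypted."""
    ctx = ssl.create_default_context()
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "relay smoke test"
    msg.set_content("sent by send_test_mail")
    if port == 465:
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
    with smtp:
        smtp.ehlo()
        if port != 465:
            if not smtp.has_extn("starttls"):
                raise RuntimeError(f"{host}:{port} does not offer STARTTLS; "
                                   "refusing to send credentials in clear")
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities change after TLS; AUTH is often hidden before
        smtp.login(username, password)
        return smtp.send_message(msg)  # {} means every recipient was accepted


if __name__ == "__main__":
    # Reply copied from the telnet session to smtp.mxhichina.com in the relay post.
    provider = parse_ehlo("250-smtp.aliyun-inc.com\n250-STARTTLS\n250-8BITMIME\n"
                          "250-AUTH=PLAIN LOGIN XALIOAUTH\n250-AUTH PLAIN LOGIN XALIOAUTH\n"
                          "250-PIPELINING\n250 DSN")
    print(choose_tls_mode(25, provider), sorted(auth_mechanisms(provider)))
    # What the mail client sees through stunnel's protocol = smtp, from the log above.
    via_stunnel = parse_ehlo("250-<mail-fqdn>\n250 STARTTLS")
    print(choose_tls_mode(587, via_stunnel), sorted(auth_mechanisms(via_stunnel)))
```

Run against a relay, the interesting comparison is the AUTH set before and after STARTTLS: a client that is told "authentication is not supported" has usually seen an EHLO reply without AUTH at the point where it wanted to log in.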
I have Stunnel 4.29 on Red Hat Linux 6.8 that won't start, giving a "No such file or directory" error:
# /usr/bin/stunnel /etc/stunnel/agent/dynatrace-agent.conf
2017.05.03 19:04:26 LOG7[3880:140667243153344]: Snagged 64 random bytes from /root/.rnd
2017.05.03 19:04:26 LOG7[3880:140667243153344]: Wrote 1024 new random bytes to /root/.rnd
2017.05.03 19:04:26 LOG7[3880:140667243153344]: RAND_status claims sufficient entropy for the PRNG
2017.05.03 19:04:26 LOG7[3880:140667243153344]: PRNG seeded successfully
2017.05.03 19:04:26 LOG3[3880:140667243153344]: nil: No such file or directory (2)
Using strace I see a suspicious attempt to stat a file named "nil":
# strace -e trace=stat -f /usr/bin/stunnel /etc/stunnel/agent/dynatrace-agent.conf
stat("/root/.rnd", {st_mode=S_IFREG|0600, st_size=1024, ...}) = 0
stat("/root/.rnd", {st_mode=S_IFREG|0600, st_size=1024, ...}) = 0
stat("/root/.rnd", {st_mode=S_IFREG|0600, st_size=1024, ...}) = 0
stat("nil", 0x7ffe119643d0) = -1 ENOENT (No such file or directory)
2017.05.03 19:11:30 LOG7[3916:140189915436992]: Snagged 64 random bytes from /root/.rnd
2017.05.03 19:11:30 LOG7[3916:140189915436992]: Wrote 1024 new random bytes to /root/.rnd
2017.05.03 19:11:30 LOG7[3916:140189915436992]: RAND_status claims sufficient entropy for the PRNG
2017.05.03 19:11:30 LOG7[3916:140189915436992]: PRNG seeded successfully
2017.05.03 19:11:30 LOG3[3916:140189915436992]: nil: No such file or directory (2)
+++ exited with 1 +++
I also see failed attempts to connect to a socket:
# strace -e trace=connect -f /usr/bin/stunnel /etc/stunnel/agent/dynatrace-agent.conf
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
2017.05.03 19:12:54 LOG7[3928:139643326924736]: Snagged 64 random bytes from /root/.rnd
2017.05.03 19:12:54 LOG7[3928:139643326924736]: Wrote 1024 new random bytes to /root/.rnd
2017.05.03 19:12:54 LOG7[3928:139643326924736]: RAND_status claims sufficient entropy for the PRNG
2017.05.03 19:12:54 LOG7[3928:139643326924736]: PRNG seeded successfully
2017.05.03 19:12:54 LOG3[3928:139643326924736]: nil: No such file or directory (2)
+++ exited with 1 +++
Here is my config file:
# cat /etc/stunnel/agent/dynatrace-agent.conf
; This stunnel config is managed by Puppet.
cert = nil
key = nil
CAfile = nil
CRLfile = nil
sslVersion = TLSv1
verify = 2
chroot = /var/lib/stunnel/dynatrace-agent
setuid = dtagent
setgid = dtagent
pid = dynatrace-agent.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/dynatrace-agent.log
client = yes
[dynatrace-agent]
accept = localhost:9998
connect = x.x.x.x:7443
Version info:
# stunnel -version
stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP
Global options
debug = 5
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES
curve = prime256v1
key = /etc/stunnel/stunnel.pem
session = 300 seconds
stack = 65536 bytes
sslVersion = all
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
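Added example, not part of the post and not stunnel's own tooling: a Python lint for stunnel.conf that catches the class of problem in this post (a templated config whose file options are the literal string nil, which stunnel then tries to open as a file named nil, exactly what the strace shows) together with the chroot and setuid interactions from the earlier posts on this page: CApath, CRLpath and pid are resolved inside the chroot per the stunnel manual; the log file named by output is opened after privileges are dropped, which is why the Alpine post sees "Cannot open log file" on a root-owned 0660 file after the bind succeeded. It also flags a client-mode service that does not set verify, since the defaults listed above show verify = none. The sample config embedded below is constructed from this post's dynatrace-agent.conf; the placeholder word list is my assumption about what template engines leave behind.

```python
"""Static checks for a stunnel.conf before the daemon is started."""
import os
from collections import defaultdict

# Words a template engine may leave behind (assumed list); stunnel treats them as file names.
PLACEHOLDERS = {"nil", "null", "none", "undef", "undefined", "~"}
FILE_OPTIONS = ("cert", "key", "cafile", "crlfile", "capath", "crlpath")
CHROOT_RELATIVE = ("capath", "crlpath", "pid", "output")  # resolved after chroot()


def parse_stunnel_conf(text):
    """Return {section: {option: [values]}}; global options live under ''.
    Option names are lower-cased (stunnel matches them case-insensitively);
    repeated options such as 'socket' keep every value."""
    sections = defaultdict(lambda: defaultdict(list))
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()].append(value.strip())
    return sections


def lint(sections):
    """Return (section, option, message) findings; '' is the global section."""
    findings = []
    g = sections.get("", {})

    def opt(section, name):
        """Last value of an option, falling back to the global default."""
        vals = sections.get(section, {}).get(name) or g.get(name)
        return vals[-1] if vals else None

    def is_real(value):
        return value is not None and value.lower() not in PLACEHOLDERS

    services = [s for s in sections if s]
    for s in [""] + services:
        for name in FILE_OPTIONS:
            for v in sections.get(s, {}).get(name, []):
                if v.lower() in PLACEHOLDERS:
                    findings.append((s, name, f"placeholder {v!r}: stunnel will try to open a file literally named {v!r}"))
                elif not os.path.isabs(v):
                    findings.append((s, name, f"relative path {v!r}"))
    for s in services:
        client = (opt(s, "client") or "no").lower() == "yes"
        verify = opt(s, "verify")
        verifying = verify not in (None, "0", "none")
        if client and not verifying:
            findings.append((s, "verify", "client mode without verify: the server certificate is not checked"))
        if verifying and not (is_real(opt(s, "cafile")) or is_real(opt(s, "capath"))):
            findings.append((s, "verify", f"verify = {verify} needs a usable CAfile or CApath"))
        if opt(s, "sslversion"):
            findings.append((s, "sslVersion", f"pinned to {opt(s, 'sslversion')}: only that protocol version is negotiated"))
    chroot = opt("", "chroot")
    if chroot:
        for name in CHROOT_RELATIVE:
            v = opt("", name)
            if is_real(v):
                findings.append(("", name, f"resolved inside the chroot: {os.path.join(chroot, v.lstrip('/'))}"))
    if opt("", "setuid") and is_real(opt("", "output")):
        findings.append(("", "output", f"opened after privileges are dropped: must be writable by user {opt('', 'setuid')}"))
    return findings


# Constructed from the dynatrace-agent.conf shown in the post above.
SAMPLE = """\
; This stunnel config is managed by Puppet.
cert = nil
key = nil
CAfile = nil
CRLfile = nil
sslVersion = TLSv1
verify = 2
chroot = /var/lib/stunnel/dynatrace-agent
setuid = dtagent
setgid = dtagent
pid = dynatrace-agent.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/dynatrace-agent.log
client = yes
[dynatrace-agent]
accept = localhost:9998
connect = x.x.x.x:7443
"""

if __name__ == "__main__":
    for section, option, message in lint(parse_stunnel_conf(SAMPLE)):
        print(f"[{section or 'global'}] {option}: {message}")
```

Run it on the config from the post and the first four findings are the nil placeholders; the verify = 2 finding is the one that matters for security, because once the template is fixed the client still has no CA to verify the agent's server against.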
I've been using stunnel successfully on SSLv3 for years. A simple config worked with the older stunnel and SSLv3:
[noteworthypop]
accept = 110
connect = secure.emailsrvr.com:995
[noteworthysmtp]
accept = 25
connect = secure.emailsrvr.com:465
However, since Rackspace turned off SSLv3, this config no longer works for me.
We updated to the current stunnel (5.07), which supports TLS. We're running stunnel on a Windows 2008 server.
The conf above doesn't work. Adding protocol lines makes no difference. For example:
[noteworthypop]
client = yes
accept = 110
connect = secure.emailsrvr.com:995
protocol = pop3
[noteworthysmtp]
client = yes
accept = 25
connect = secure.emailsrvr.com:465
protocol = smtp
When trying pop, the log shows:
2014.11.06 14:25:01 LOG7[2800]: Service [noteworthypop] accepted (FD=356) from 192.168.110.203:62058
2014.11.06 14:25:01 LOG7[2800]: Creating a new thread
2014.11.06 14:25:01 LOG7[2800]: New thread created
2014.11.06 14:25:01 LOG7[3232]: Service [noteworthypop] started
2014.11.06 14:25:01 LOG5[3232]: Service [noteworthypop] accepted connection from 192.168.110.203:62058
2014.11.06 14:25:01 LOG6[3232]: s_connect: connecting 98.129.185.2:465
2014.11.06 14:25:01 LOG7[3232]: s_connect: s_poll_wait 98.129.185.2:465: waiting 10 seconds
2014.11.06 14:25:01 LOG5[3232]: s_connect: connected 98.129.185.2:465
2014.11.06 14:25:01 LOG5[3232]: Service [noteworthypop] connected remote server from 192.168.97.23:62960
2014.11.06 14:25:01 LOG7[3232]: Remote socket (FD=360) initialized
2014.11.06 14:25:01 LOG7[3232]: RFC 2595 detected
But it just sits. No activity from the pop client, nothing happens.
Suggestions welcome!
Thanks!
I'm using stunnel to handle multiple domain certificates. I have two domains, test.int and test1.int, and provide a certificate for each plus a default certificate. I use stunnel's sni option to serve multiple domain certificates. Using a JavaScript websocket I'm trying to connect to the secure server, but the log file output shows
SNI: extension not received from the client
So I'm not sure whether the sni option is supported. Can anyone help me explain whether it works or not? What does the statement "SNI: extension not received from the client" mean?
Thanks in advance for your valuable answers.
My stunnel.config file
output=/var/log/stunnel.log
pid=
debug = 7
fips = no
compression = rle
options = NO_SSLv2
syslog = no
[websockets]
cert = /usr/local/etc/stunnel/default.crt
key = /usr/local/etc/stunnel/default.key
accept = 0.0.0.0:9443
connect = 127.0.0.1:9000
[sni1]
sni = websockets:mailxf.test.int
cert = /usr/local/etc/stunnel/test.int.crt
key = /usr/local/etc/stunnel/test.int.key
connect = 127.0.0.1:9000
[sni2]
sni = websockets:mailxf.test1.int
cert = /usr/local/etc/stunnel/test1.int.crt
key = /usr/local/etc/stunnel/test1.int.key
connect = 127.0.0.1:9000
Log file output
Service [websockets] accepted (FD=9) from 192.168.0.132:38257
2014.04.14 18:30:32 LOG7[7085:139648669734672]: Service [websockets] started
2014.04.14 18:30:32 LOG5[7085:139648669734672]: Service [websockets] accepted connection from 192.168.0.132:38257
2014.04.14 18:30:32 LOG7[7085:139648669734672]: SSL state (accept): before/accept initialization
**2014.04.14 18:30:32 LOG5[7085:139648669734672]: SNI: extension not received from the client**
2014.04.14 18:30:32 LOG7[7085:139648669734672]: SSL state (accept): SSLv3 read client hello A
2014.04.14 18:30:32 LOG7[7085:139648669734672]: SSL state (accept): SSLv3 write server hello A
2014.04.14 18:30:32 LOG7[7085:139648669734672]: SSL state (accept): SSLv3 write change cipher spec A
2014.04.14 18:30:32 LOG7[7085:139648669734672]: SSL state (accept): SSLv3 write finished A
2014.04.14 18:30:32 LOG7[7085:139648669734672]: SSL state (accept): SSLv3 flush data
2014.04.14 18:30:32 LOG7[7085:139648669734672]: SSL state (accept): SSLv3 read finished A
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 2 items in the session cache
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 0 client connects (SSL_connect())
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 0 client connects that finished
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 0 client renegotiations requested
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 19 server connects (SSL_accept())
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 19 server connects that finished
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 0 server renegotiations requested
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 14 session cache hits
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 0 external session cache hits
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 0 session cache misses
2014.04.14 18:30:32 LOG7[7085:139648669734672]: 2 session cache timeouts
2014.04.14 18:30:32 LOG6[7085:139648669734672]: SSL accepted: previous session reused
2014.04.14 18:30:32 LOG6[7085:139648669734672]: connect_blocking: connecting 127.0.0.1:9000
2014.04.14 18:30:32 LOG7[7085:139648669734672]: connect_blocking: s_poll_wait 127.0.0.1:9000: waiting 10 seconds
2014.04.14 18:30:32 LOG5[7085:139648669734672]: connect_blocking: connected 127.0.0.1:9000
2014.04.14 18:30:32 LOG5[7085:139648669734672]: Service [websockets] connected remote server from 127.0.0.1:44325
2014.04.14 18:30:32 LOG7[7085:139648669734672]: Remote socket (FD=10) initialized
JavaScript code used to connect to the secure server:
wss://mailxf.test.int:9443/bo/socket.bo.php
I'm using browser versions Chrome 26 and Firefox 24, and the OS is CentOS 6.
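Added example, my code rather than the poster's or stunnel's: inspecting the first bytes a client sends to a TLS listener. It covers two log lines on this page. For the SNI line in this post, client_hello_sni parses a ClientHello record and returns the server_name, or None when the extension is absent, which is the condition stunnel reports as "SNI: extension not received from the client"; make_client_hello uses the local OpenSSL through memory BIOs to produce a real ClientHello with and without SNI, so the parser can be exercised without a network. For the squid post's SSL_accept error, classify_first_bytes mirrors the check OpenSSL's record layer makes on bytes that are not a TLS record: "https proxy request" means the listener on 44444 received a plaintext CONNECT, i.e. the browser spoke to the stunnel port as an ordinary HTTP proxy instead of wrapping it in TLS. The hostname mailxf.test.int is taken from this post; the CONNECT line is constructed.

```python
"""Look at the first bytes a client sends to a TLS listener: TLS ClientHello
(with or without SNI), plaintext HTTP, or a plaintext proxy CONNECT."""
import ssl


def classify_first_bytes(data):
    """Same distinction OpenSSL's record layer draws when a TLS server receives
    something that is not a TLS record: 'https proxy request' for CONNECT,
    'http request' for GET/POST/HEAD/PUT. Otherwise 'tls' or 'unknown'."""
    if data[:1] == b"\x16":
        return "tls"
    if data.startswith(b"CONNECT "):
        return "https proxy request"
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http request"
    return "unknown"


def _u16(buf, i):
    return int.from_bytes(buf[i:i + 2], "big")


def client_hello_sni(data):
    """Return the host_name from the server_name extension of a ClientHello
    record, or None when the client sent no SNI extension."""
    if data[:1] != b"\x16":
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + _u16(data, 3)]
    if body[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                       # legacy_version + random
    pos += 1 + hs[pos]                 # session_id
    pos += 2 + _u16(hs, pos)           # cipher_suites
    pos += 1 + hs[pos]                 # compression_methods
    if pos >= len(hs):
        return None                    # no extensions block at all
    end = pos + 2 + _u16(hs, pos)
    pos += 2
    while pos + 4 <= end:
        etype, elen = _u16(hs, pos), _u16(hs, pos + 2)
        ext = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0:                 # 0 = server_name
            continue
        i = 2                          # skip ServerNameList length
        while i + 3 <= len(ext):
            ntype, nlen = ext[i], _u16(ext, i + 1)
            if ntype == 0:             # 0 = host_name
                return ext[i + 3:i + 3 + nlen].decode("ascii")
            i += 3 + nlen
    return None


def make_client_hello(server_hostname=None):
    """Produce a real ClientHello with the local OpenSSL and no network: the
    handshake runs over memory BIOs and stops as soon as it needs the
    ServerHello. server_hostname=None yields a ClientHello without SNI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                           # ClientHello written, waiting for the server
    return outgoing.read()


if __name__ == "__main__":
    for name in ("mailxf.test.int", None):
        hello = make_client_hello(name)
        print(classify_first_bytes(hello), client_hello_sni(hello))
    print(classify_first_bytes(b"CONNECT www.example.com:443 HTTP/1.1\r\n"))
```

On a live listener the same parser can be fed the first record captured with tcpdump; if it returns None, the client is not sending SNI and stunnel has no choice but to fall back to the default [websockets] certificate, whatever the sni sections say.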