
I have stunnel listening on port 80 and acting as a client connecting to Apache listening on port 443. Configuration is below. What I'm finding is that if I attempt to connect to localhost:80 the connection is fine but if I connect to 127.0.0.1:80

When I check Apache's logs it indicates that stunnel is using localhost as the SNI both times, but the HTTP request lists localhost in one case and 127.0.0.1 in another. Is it possible to tell stunnel to either use whatever is in the HTTP request or to somehow configure two clients each with different SNI values?

stunnel.conf:

debug = 7
options = NO_SSLv2

[xmlrpc-httpd]
client = yes
accept = 80
connect = 443

Apache error.log:

[error] Hostname localhost provided via SNI and hostname 127.0.0.1 provided via HTTP are different

Apache access.log:

"GET / HTTP/1.1" 200 2138 "-" "Wget/1.13.4 (linux-gnu)"
"GET / HTTP/1.1" 400 743 "-" "Wget/1.13.4 (linux-gnu)"

wget:

$wget -d localhost
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: localhost
Connection: Keep-Alive

---request end---

$wget -d 127.0.0.1
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: 127.0.0.1
Connection: Keep-Alive

---request end---

edit:

Apache Config

Nothing out of the ordinary, it's just a virtual host listening to 443

<VirtualHost *:443>
Huckle
  • What does the virtualhost/SNI config look like - do you need SNI at all, if you're using localhost? – Shane Madden Oct 27 '13 at 06:46
  • I don't actually need it, but there is a valid use case for it. – Huckle Oct 27 '13 at 06:52
  • I don't know of any way to get stunnel to read the incoming HTTP `Host` header and construct its SNI handshake based on that - but why not just have the client browser connect via SSL and send its own SNI? – Shane Madden Oct 27 '13 at 06:56
  • I have a client that is not ssl-aware, which is why I'm using stunnel in the first place. – Huckle Oct 27 '13 at 07:27
  • Did you find a solution? We're in the same situation, using stunnel to forward from Varnish to an SSL enabled backend. We're hitting the same SNI issue because we have multiple `Host` header values. – chmac Jan 13 '14 at 17:19

1 Answer


It looks like you can force this with the client config item:

sni = server_name

http://www.stunnel.org/static/stunnel.html - Search for SNI

Paul Doom
  • I can force it to one value or another, but it already defaults to only one value (localhost). The problem is that requests might be sent to multiple values (127.0.0.1, or any synonyms) – Huckle Oct 28 '13 at 00:13
  • Ah, gotcha. A Varnish or Apache HTTPD reverse proxy might be a better bet in this case to give you much more flexibility in normalizing and rewriting. – Paul Doom Oct 28 '13 at 04:10
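As an added example (not from the question or the answer), one way to get the "two clients each with different SNI values" the asker mentions is to run two stunnel client services, each bound to its own local port and carrying its own `sni` directive; the second port number and the CA file path below are assumptions.

```ini
; Added example stunnel.conf, not from the original post.
; Assumptions: the non-TLS client can be pointed at either local port,
; and /etc/ssl/certs/ca.pem is a placeholder for the CA that signed
; the Apache certificate.
debug = 7
options = NO_SSLv2

; Clients that send "Host: localhost" connect here; the SNI name matches
; that Host header, so Apache's SNI/Host comparison passes.
[xmlrpc-httpd-localhost]
client = yes
accept = 127.0.0.1:80
connect = 127.0.0.1:443
sni = localhost
; Check the server certificate chain against CAfile (stunnel 4.x verify
; levels; hostname checking itself needs the newer checkHost option).
verify = 2
CAfile = /etc/ssl/certs/ca.pem

; Clients that send "Host: 127.0.0.1" connect here. localhost and
; 127.0.0.1 are the same loopback socket, so a distinct port is required
; to tell the two cases apart on the accept side.
[xmlrpc-httpd-loopback-ip]
client = yes
accept = 127.0.0.1:8080
connect = 127.0.0.1:443
; Note: RFC 6066 does not permit IP literals in SNI; Apache only compares
; the two strings, so this satisfies its check but is not portable.
sni = 127.0.0.1
verify = 2
CAfile = /etc/ssl/certs/ca.pem
```

The Host header is still untouched by stunnel, so this only helps when each Host value can be steered to its own local port; anything that must rewrite or normalize Host needs an HTTP-aware proxy, as the last comment suggests.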