I'm trying to use stunnel
to be able to use HTTPS (port 443) on my localhost for a development web server running locally on port 8000.
It starts and accepts connections, but every time I open https://localhost:443
, the connection is reset immediately.
The certificates in question are of type TLSv1.2, as per the configuration.
Command for starting stunnel
:
$ sudo stunnel www.example.com.conf
The configuration file:
pid=
cert = certs/www.example.com/fullchain.pem
key = certs/www.example.com/privkey.pem
sslVersion = TLSv1.2
foreground = yes
output = log/www.example.com.log
debug = 7
[https]
accept=443
connect=8000
The output of the command:
2018.05.20 16:54:38 LOG7[ui]: Clients allowed=500
2018.05.20 16:54:38 LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform
2018.05.20 16:54:38 LOG5[ui]: Compiled/running with OpenSSL 1.1.0g 2 Nov 2017
2018.05.20 16:54:38 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.05.20 16:54:38 LOG7[ui]: errno: (*__errno_location ())
2018.05.20 16:54:38 LOG5[ui]: Reading configuration from file /home/helgihg/stunnel/www.example.com.conf
2018.05.20 16:54:38 LOG5[ui]: UTF-8 byte order mark not detected
2018.05.20 16:54:38 LOG5[ui]: FIPS mode disabled
2018.05.20 16:54:38 LOG7[ui]: Compression disabled
2018.05.20 16:54:38 LOG7[ui]: Snagged 64 random bytes from /home/helgihg/.rnd
2018.05.20 16:54:38 LOG7[ui]: Wrote 1024 new random bytes to /home/helgihg/.rnd
2018.05.20 16:54:38 LOG7[ui]: PRNG seeded successfully
2018.05.20 16:54:38 LOG6[ui]: Initializing service [https]
2018.05.20 16:54:38 LOG7[ui]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.05.20 16:54:38 LOG7[ui]: TLS options: 0x02024004 (+0x02004000, -0x00000000)
2018.05.20 16:54:38 LOG6[ui]: Loading certificate from file: certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Certificate loaded from file: certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Loading private key from file: certs/www.example.com/privkey.pem
2018.05.20 16:54:38 LOG6[ui]: Private key loaded from file: certs/www.example.com/privkey.pem
2018.05.20 16:54:38 LOG7[ui]: Private key check succeeded
2018.05.20 16:54:38 LOG7[ui]: DH initialization
2018.05.20 16:54:38 LOG7[ui]: Could not load DH parameters from certs/www.example.com/fullchain.pem
2018.05.20 16:54:38 LOG6[ui]: Using dynamic DH parameters
2018.05.20 16:54:38 LOG7[ui]: ECDH initialization
2018.05.20 16:54:38 LOG7[ui]: ECDH initialized with curve prime256v1
2018.05.20 16:54:38 LOG5[ui]: Configuration successful
2018.05.20 16:54:38 LOG7[ui]: Binding service [https]
2018.05.20 16:54:38 LOG7[ui]: Listening file descriptor created (FD=7)
2018.05.20 16:54:38 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.05.20 16:54:38 LOG7[ui]: Service [https] (FD=7) bound to 0.0.0.0:443
2018.05.20 16:54:38 LOG7[ui]: No pid file being created
2018.05.20 16:54:38 LOG7[cron]: Cron thread initialized
Here is what happens when I visit with a browser:
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55668
2018.05.20 16:55:20 LOG7[0]: Service [https] started
2018.05.20 16:55:20 LOG7[0]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:55668
2018.05.20 16:55:20 LOG6[0]: Peer certificate not required
2018.05.20 16:55:20 LOG7[0]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[0]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[0]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[0]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55670
2018.05.20 16:55:20 LOG7[1]: Service [https] started
2018.05.20 16:55:20 LOG7[1]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[1]: Service [https] accepted connection from 127.0.0.1:55670
2018.05.20 16:55:20 LOG6[1]: Peer certificate not required
2018.05.20 16:55:20 LOG7[1]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[1]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[1]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[1]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55672
2018.05.20 16:55:20 LOG7[2]: Service [https] started
2018.05.20 16:55:20 LOG7[2]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[2]: Service [https] accepted connection from 127.0.0.1:55672
2018.05.20 16:55:20 LOG6[2]: Peer certificate not required
2018.05.20 16:55:20 LOG7[2]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[2]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[2]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[2]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55674
2018.05.20 16:55:20 LOG7[3]: Service [https] started
2018.05.20 16:55:20 LOG7[3]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[3]: Service [https] accepted connection from 127.0.0.1:55674
2018.05.20 16:55:20 LOG6[3]: Peer certificate not required
2018.05.20 16:55:20 LOG7[3]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[3]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[3]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[3]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55676
2018.05.20 16:55:20 LOG7[4]: Service [https] started
2018.05.20 16:55:20 LOG7[4]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[4]: Service [https] accepted connection from 127.0.0.1:55676
2018.05.20 16:55:20 LOG6[4]: Peer certificate not required
2018.05.20 16:55:20 LOG7[4]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[4]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[4]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[4]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[4]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55678
2018.05.20 16:55:20 LOG7[5]: Service [https] started
2018.05.20 16:55:20 LOG7[5]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[5]: Service [https] accepted connection from 127.0.0.1:55678
2018.05.20 16:55:20 LOG6[5]: Peer certificate not required
2018.05.20 16:55:20 LOG7[5]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[5]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[5]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[5]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[5]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55680
2018.05.20 16:55:20 LOG7[6]: Service [https] started
2018.05.20 16:55:20 LOG7[6]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[6]: Service [https] accepted connection from 127.0.0.1:55680
2018.05.20 16:55:20 LOG6[6]: Peer certificate not required
2018.05.20 16:55:20 LOG7[6]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[6]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[6]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[6]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[6]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55682
2018.05.20 16:55:20 LOG7[7]: Service [https] started
2018.05.20 16:55:20 LOG7[7]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[7]: Service [https] accepted connection from 127.0.0.1:55682
2018.05.20 16:55:20 LOG6[7]: Peer certificate not required
2018.05.20 16:55:20 LOG7[7]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[7]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[7]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[7]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[7]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55684
2018.05.20 16:55:20 LOG7[8]: Service [https] started
2018.05.20 16:55:20 LOG7[8]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[8]: Service [https] accepted connection from 127.0.0.1:55684
2018.05.20 16:55:20 LOG6[8]: Peer certificate not required
2018.05.20 16:55:20 LOG7[8]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[8]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[8]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[8]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[8]: Service [https] finished (0 left)
2018.05.20 16:55:20 LOG7[ui]: Found 1 ready file descriptor(s)
2018.05.20 16:55:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2018.05.20 16:55:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2018.05.20 16:55:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:55686
2018.05.20 16:55:20 LOG7[9]: Service [https] started
2018.05.20 16:55:20 LOG7[9]: Option TCP_NODELAY set on local socket
2018.05.20 16:55:20 LOG5[9]: Service [https] accepted connection from 127.0.0.1:55686
2018.05.20 16:55:20 LOG6[9]: Peer certificate not required
2018.05.20 16:55:20 LOG7[9]: TLS state (accept): before SSL initialization
2018.05.20 16:55:20 LOG3[9]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
2018.05.20 16:55:20 LOG5[9]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.05.20 16:55:20 LOG7[9]: Local descriptor (FD=3) closed
2018.05.20 16:55:20 LOG7[9]: Service [https] finished (0 left)
I suspect that this is the problem:
2018.05.20 16:55:20 LOG3[9]: SSL_accept: 1408F09C: error:1408F09C:SSL routines:ssl3_get_record:http request
But I don't know why it's involving the outdated SSLv3 protocol in the matter. The previous configuration that I used 3 years ago did indeed use SSLv3, but this is a TLSv1.2 certificate and the configuration clearly denotes TLSv3. My version of stunnel
does in fact not seem to support SSLv3, nor do I think I need it.
That's where I'm stuck. Any help deeply appreciated.