rejetto forum

After having installed stunnel-proxy, Firefox no longer connects to port 80


Andreji
Hello, please help me.
I've installed the stunnel-proxy, and all the things with SSL and https are working fine. But now Firefox is no longer able to connect to HFS in the normal way, port 80! But the ping to my DynDNS host is working; only the browser doesn't connect.
Even after deactivating the stunnel-proxy, no http is possible.
Now I have an SSL server, but not a parallel normal server with HTTP.
I've done everything just as the stunnel tutorial describes it, but now I need help.
The firewall works, the NAT router works; where can the fault be?
Thanks
Andreji


rejetto

Andreji
Thanks for reply.
No, I did not change this item. It still remains on "Any address".

But in the meantime I have found the following phenomenon:
By looking with "netstat", I have found that on the IP address of my server machine
no port 80 is enumerated. The other ports of my other services, e.g. the FTP server with its port 21,
have the status "listening". Now, although HFS says it is listening on port 80,
no port 80 on my machine is reachable.



rejetto
....no idea!
HFS should at least report an error if it cannot open the port.

mmmmm maybe the software that's impeding it, instead of preventing the opening, is breaking it afterwards


raybob
Do you have STunnel configured to use port 443 as it should?  Can Firefox get to HFS via that?


Andreji
I have removed the stunnel proxy. With stunnel and the port 443 it has been working all fine.
But now I have real trouble with HFS and port 80:
HFS with port 80 is reachable under localhost 127.0.0.1,
but not under the IP address of my server 192.168.0.7.
No fault is visible in the HFS log.
My FTP server FileZilla is reachable, also my other server ports.
I have checked my NAT configuration on my router - the port 80 is forwarded.
My Windows firewall is deactivated.
Now I show you in the attachment the output of my "netstat" command.
Can you help me with this?
Best Regards
Andreji


rejetto

Andreji
Oh yes - then the same occurs: the browsers refuse the connection - Firefox on the same machine and Internet Explorer 8 on another machine. On localhost the HFS is reachable.
Is there anything suspicious in my "netstat" output?
By the way: the server machine is clean - the Windows firewall, ClamWin Antivirus and ThreatFire are running there.
Regards
Andreji



Andreji
Hi, problem is fixed!

I must have misunderstood item No. 7 in "Secure your Server" - here is a copy:

7. Start HFS (version 2.1d at the time of writing) to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply” in order to ban every IP except 127.0.0.1 to block direct http access to HFS with a “Host not found” message.


I've removed the "\127.0.0.1", and now it works fine with the reachable port 80.
And now I'm able to make further experiments with a second instance of HFS.

Many thanks
Andreji
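
Added example, not part of the original thread and not HFS code: an application-level ban set to "Disconnect with no reply" can only act after the TCP connection has been accepted, so a probe that separates "nothing listening" from "accepted, then dropped" points at the server application rather than the firewall or router. The name `probe_http` and its return labels are choices made for this example; the addresses in the usage lines are the ones quoted in the thread.

```python
import socket


def probe_http(host, port, timeout=3.0):
    """Classify how a TCP port answers a minimal HTTP request.

    Returns 'refused', 'timeout', 'dropped', 'http' or 'other'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"   # no listener bound to host:port
    except (socket.timeout, TimeoutError):
        return "timeout"   # packets silently filtered (firewall, NAT)
    except OSError:
        return "other"
    with sock:
        try:
            request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
            sock.sendall(request)
            data = sock.recv(16)
        except (ConnectionResetError, ConnectionAbortedError, BrokenPipeError):
            return "dropped"   # accepted, then reset by the application
        except (socket.timeout, TimeoutError):
            return "timeout"
    if not data:
        return "dropped"       # accepted, then closed without any reply
    return "http" if data.startswith(b"HTTP/") else "other"


if __name__ == "__main__":
    # Addresses as quoted in the thread: loopback answered, the LAN address did not.
    for host in ("127.0.0.1", "192.168.0.7"):
        print(host, 80, probe_http(host, 80))
```

A result of "dropped" on the LAN address together with "http" on 127.0.0.1 is the pattern to expect from an address ban inside the server, while "refused" means no process is listening on that address at all.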



SilentPliz
Hi Andreji ! :)


I've removed the "\127.0.0.1", and now it works fine with the reachable port 80.

It is not really a good idea to remove the "reversed ban".

Rather write:

\127.0.0.1;192.168.0.7


Andreji
Hello,

the new situation is the following:
I am running HFS listening on port 44300 with all the configurations,
and also stunnel with all the configurations, written in the tutorial.
Now my Firefox no longer accepts my https site. In the attachment
I send you the stunnel log. Now I have trouble with my "stunnel.pem"
certificate, but in the past it has been working fine.
In the stunnel.conf I have set the debug level from 5 to 7.
Can you tell me what the reason is now? I have much trouble interpreting
the "stunnel.log".

Thanks
Andreji


SilentPliz
Hi ! :)

https://192.168.0.7/ does not work with Firefox?

Try this configuration file, normally it should suit you.
Correct it if necessary for the paths to the log file and the "rnd" file.

Code:
; Lines preceded with a “;” are comments.
; Empty lines are ignored.

; ***********************************************************************************************
; * Global options *
; ***********************************************************************************************

; Log (1=minimal, 5=recommended, 7=all)
; Precede with a ";" to disable logging.
debug = 5
; Path to log file
output = stunnel.log

; Data compression algorithms: deflate, zlib or rle
compression = deflate

; FIPS mode; set to "no" to allow non-approved protocols and algorithms.
fips = yes

; ***********************************************************************************************
; * Service defaults may also be specified in individual service sections. *
; ***********************************************************************************************

; Certificate and key are needed in server mode and optional in client mode.
cert = stunnel.pem
key = stunnel.pem

; Path to file with random seed data.
RNDfile  = C:/.rnd

; The SSL library will use data from this file first to seed the random number generator.
RNDoverwrite = yes

; Some performance tuning...
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Disable support for insecure SSLv2 protocol.
options = NO_SSLv2

; To get a list of supported curves use:
;    openssl> ecparam -list_curves
; Default curve: prime256v1
; ECDH curve name:

curve = prime256v1

; These options provide additional security at some performance degradation.
options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; ***********************************************************************************************
; * Service definitions (at least one service has to be defined) *
; ***********************************************************************************************

; SSL server mode service
; stunnel accepts connections on 0.0.0.0:443 (HTTPS)
; and connects to HFS locally on 127.0.0.1:44300 (HTTP)

[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
Local = 192.168.0.7

; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL.
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks.

TIMEOUTclose = 0

EDIT: I don't see anything problematic in your log file.
« Last Edit: September 14, 2012, 01:04:29 PM by SilentPliz »


Andreji
Hi SilentPliz,

with this new "stunnel.conf" there is also a malfunction.
In the attachment there is the new stunnel.log, but
only with debug-level 5. The paths however are o.k.
Can you figure it out, or may I switch to debug-level 7?

Regards
Andreji



SilentPliz
Hi ! :)

It seems that the following message: SSL3_GET_RECORD:wrong version number is due to an error on the client side (Firefox).

See if "your" firefox is properly configured to use the SSL v3 protocol (see attached picture).
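
Added example, not part of the thread: OpenSSL raises `SSL3_GET_RECORD:wrong version number` when the first bytes it reads do not form a record header with an acceptable protocol version, which also happens when a client sends plain HTTP to the TLS port. The helper below classifies the first bytes of a connection taken from a packet capture; `classify_first_bytes` and the sample byte strings are constructed for this example.

```python
import struct

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data):
    """Return (kind, detail) for the first bytes a client sent to the TLS port."""
    if data.startswith(HTTP_METHODS):
        # Plaintext request: 'G','E','T' would be read as type 0x47, version 0x45.0x54.
        first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return ("plaintext-http", first_line)
    if len(data) >= 5 and data[0] in RECORD_TYPES:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        name = VERSIONS.get((major, minor))
        if major == 3 and name:
            detail = f"{RECORD_TYPES[ctype]}, record version {name}, {length} bytes"
            return ("tls-record", detail)
        return ("bad-version", f"record header claims version {major}.{minor}")
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # Two-byte length header followed by CLIENT-HELLO: SSLv2-style hello.
        name = VERSIONS.get((data[3], data[4]), f"{data[3]}.{data[4]}")
        return ("sslv2-style-hello", f"offers up to {name}")
    return ("unknown", data[:8].hex())


# Constructed samples, not taken from the stunnel.log attached to the thread.
SAMPLES = {
    "http sent to port 443": b"GET / HTTP/1.1\r\nHost: 192.168.0.7\r\n\r\n",
    "SSLv3 ClientHello": bytes.fromhex("1603000045"),
    "TLSv1.0 ClientHello": bytes.fromhex("160301002f"),
    "SSLv2-style hello": bytes.fromhex("802e010300"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:24s} -> {classify_first_bytes(raw)}")
```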


Andreji
Thanks, but my Firefox has the same SSL configuration as shown in your picture.
Now I tried to connect with stunnel debug level 7. In the attachment you see the new log.
Regards
Andreji