rejetto forum

Problem with HFS/STunnel. Please help me..


Noobie

  • Guest
Hi guys! First of all I'd like to give best thanks to the makers of HFS. Great software for people like myself, who don't know a lot about servers and just want to share files. Like many folks using HFS, I am also trying to use STunnel to transfer encrypted data via internet. I was following the http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server guide 2 times to get this to work, and I guess I made no mistakes. Here's my problem. When trying to access httpS://"My IP number" I get a "bad certificate" error in firefox and Stunnel log file. The log looks like this:

https accepted FD=200 from "My IP Number":3019
Creating a new thread
New thread created
https started
FD 200 in non-blocking mode
TCP_NODELAY option set on local socket
https accepted connection from "My IP Number":3019
SL state (accept): before/accept initialization
SSL state (accept): SSLv3 read client hello A
SSL state (accept): SSLv3 write server hello A
SSL state (accept): SSLv3 write certificate A
SSL state (accept): SSLv3 write server done A
SSL state (accept): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_accept: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
https finished (0 left)


This is the port configuration that I'm using (I've done EVERYTHING EXACTLY like the tutorial says):
accept = 0.0.0.0:443
connect = 127.0.0.1:80

When creating the pem key in the last line I insert http://"My IP number", and after all is set up (configuration presented in the tutorial is done), when I enter https://"My IP number" address to my browser, firefox generates the "bad certificate error". I can still click to accept the certificate temporarily, and after I do so, another message appears. Something like (translation-probably not exact): "firefox tried to connect to "My Ip number", however the certificate presented by the address belongs to http://"My Ip number". If there is a suspicion, that the certificate doesn't belong to "My Ip number" please cancel the connection." At that point I have three options:
1. Show certificate (which correctly shows the data I put when generating the pem key)
2. Ok.
3. Cancel
When I hit OK, I get the httpS://"My IP number" in gold (certificate works?), loading is done, but I get a BLANK PAGE. Stunnel gives the log shown above.
PLEASE HELP ME, as I guess the problem probably is not complicated at all, but I'm a newbie (but not a stupid newbie). I've been trying to get this to work for half a day now, but I failed to do so.. Any help will be greatly appreciated.. I'm totally stuck now.. Won't move forward without outside help...
Ps: "My Ip number" is of course my real ip number, without the quotation marks.


Offline Foggy

  • Tireless poster
I haven't used STunnel with hfs but it sounds as if it's the certificate that is the problem, so I suggest trying to create a new certificate.


Noobie

  • Guest
I've tried to change the certificate many times. Used my IP number as the common name. Should work, but it doesn't. Got the same problem. Bad certificate, https://"My Ip number" in gold, blank screen. Are there possibly any other (free) ways to transfer encrypted files using HFS?


Offline maverick

  • Tireless poster
  • Computer Solutions
No. Stunnel is the solution and works very well. If my memory is correct the stunnel package comes with an example certificate (stunnel.pem). Does it work for you using this certificate? If so, your problem is with the certificate you tried to create.
maverick


Noobie

  • Guest
The only difference I get is that my browser shows such message: "web page "localhost" uses a certificate that has expired". When I choose "continue", I get the same message as before. I'll translate what it says cause it might be important (I did not do that in the first post). It goes something like this:

An attempt of verification of "localhost" as trusted web page has failed.
This may be caused because:
- The browser does not recognise the organ of certification.
- The server is not properly configured, so the certificate does not contain necessary data
- A connection with a web page that pretends to be "localhost" was established

When I choose ok, I get the same message as mentioned in first post (check certificate, ok, cancel). Then https://"My Ip number" in gold, blank screen. So, according to Mav, the problem must be something else. Any ideas?


Ps: I have found an alternative solution to my problem. It's probably good for folks, who don't/can't use Stunnel, and just want to safely share a limited number of files to family, friends. So this is what You can do. Use TrueCrypt (great, free software) to make an encrypted "container" for Your file(s), put the file(s) in the "container", and share it using HFS. Of course, anybody who dl's it needs to have TrueCrypt and know the correct password to decrypt the "container".

Ps2: Somebody probably mentioned this already.
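The two name warnings quoted in the posts above (a certificate issued to http://"My IP number", and the bundled one issued to "localhost") both come from the client comparing the host in the address bar with the name inside the certificate. The sketch below is an added example, not part of the thread and not Firefox's or stunnel's code; it is a simplified model of that comparison, and the address 203.0.113.10 and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def host_from_url(url):
    """Return the bare host a client compares against the certificate."""
    return urlsplit(url).hostname or ""

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(cert_name, host):
    """Compare one certificate name with the requested host."""
    cert_name, host = cert_name.strip().lower(), host.lower()
    if _is_ip(host):
        # IP addresses must match exactly; wildcards never apply to them.
        return _is_ip(cert_name) and (
            ipaddress.ip_address(cert_name) == ipaddress.ip_address(host))
    if cert_name.startswith("*."):
        # A wildcard covers exactly one leftmost label.
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host

def check(url, common_name, alt_names=()):
    """Return "ok" or a short reason for the name mismatch."""
    host = host_from_url(url)
    # RFC 2818: subjectAltName entries, when present, take precedence over CN.
    names = list(alt_names) or [common_name]
    if any(name_matches(n, host) for n in names):
        return "ok"
    if "://" in common_name and not alt_names:
        return "mismatch: CN is a URL, use the bare host %r" % host_from_url(common_name)
    return "mismatch: certificate is for %s, not %s" % (", ".join(names), host)

if __name__ == "__main__":
    url = "https://203.0.113.10/"          # constructed sample address
    for cn in ("http://203.0.113.10", "localhost", "203.0.113.10"):
        print("%-22s -> %s" % (cn, check(url, cn)))
```

A matching name only clears the mismatch warning; a self-signed certificate is still reported as untrusted until the client is told to trust it.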
 


Noobie

  • Guest
But anyway, I would really appreciate any help with the STunnel working You guys.


Offline maverick

  • Tireless poster
  • Computer Solutions

Noobie

  • Guest
I've already checked each and every thread on this forum that could help. Guess I'll have to try to understand better how STunnel works. Need more time. Still thanks for the response.


Noobie

  • Guest
Hallelujah. I got it working. My bad.. I was using some customised template that wasn't cooperating well, and all I had to do was just to change it to default...., unfortunately something is still not right.... If the access to the URL is set to "free" everything works as it should. However, when I'm logged in, I cannot browse all the contents of the server in https, because something kicks me out to http.. I remember reading something about the same issue in some thread, but I don't think the guy actually made it. Are there any possible solutions how to fix this?


Offline Foggy

  • Tireless poster
Search through the template code and look for any links that point to files in your hfs (e.g. pics, files) and make sure it's https:// not http://


Noobie

  • Guest
I'm not exactly sure what to look for. Could You show me what parts of the code I have to change, using the default template setting as example?


Offline Unknown8063

  • Occasional poster
To follow Foggy's advice, I'd just search and replace the entire template file for all occurrences of http://% to https://% - the percent sign being the first character of the host symbol that inevitably follows (I always like to be safe when I search and replace :) ).

If you need to, copy the template code into notepad for the search and replace and then copy it back to HFS.


Noobie

  • Guest
Hey, that's what I always say to my gf, safety first ;D.

I understood Foggy's advice same as You did, but every time I change the needed HTTP's to HTTPS's in the template (the hfs-provided one), my action does not produce any substantial results. Still, when I'm logged in and move the cursor over a file/directory (server content) on my browser, I can see the preview (bottom-left in firefox) of a webpage starting with http:// (Grrrr...)

If there is no restrict access set, the preview starts, as it should, with https:// (Whoopee.)

I'm pretty sure I made no mistakes implementing the advice given by Foggy.
I guess this is not sufficient for solving the problem, but I may be wrong  :).
I think I'm gonna google for some html tutorial  :).

Damn. I really thought all this would go smoother.
HFS is still great, though.


Offline Foggy

  • Tireless poster
I just installed STunnel and am using the default certificate to test with. The default template is working fine for me, I didn't have to change anything in the code.

This may be a stupid question but are you accessing your hfs through the https protocol or the http protocol?


Noobie

  • Guest
I don't quite understand the purpose of Your question. I think I need to clarify. I have no problem accessing hfs with https. The problem is, that I cannot browse all the content of my server in https when I'm logged in. Everything works fine when the restricted access is not set. As I see now, in my case, the only way to protect the files on hfs (username/password protection) when using stunnel, is to put them straight to VFS (exempli gratia, just https://localhost/file1, https://localhost/file2, https://localhost/file3, etc.), and set restricted access to each one of them. The major disadvantage of this solution is that anyone has access to my filelist. I am not very pleased with that.