rejetto forum

Trouble connecting HFS thru Stunnel

kaede · 14 · 21981


Offline kaede

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
Hello everyone! I have a problem connecting Stunnel to HFS. First, I followed the tutorial step by step:
http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server
but still got some unexpected errors... hope you guys can help me.... I searched the forum and there is a post about my problem, or at least I think it is the same problem, but it's in Russian....  :-[ and the Stunnel FAQ site doesn't say much either.

well here is the error:
Code:
Creating a new thread
2007.06.05 03:22:22 LOG7[2884:424]: New thread created
2007.06.05 03:22:22 LOG7[2884:3056]: https started
2007.06.05 03:22:22 LOG7[2884:3056]: FD 248 in non-blocking mode
2007.06.05 03:22:22 LOG7[2884:3056]: TCP_NODELAY option set on local socket
2007.06.05 03:22:22 LOG5[2884:3056]: https accepted connection from 192.168.1.1:2512
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): before/accept initialization
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 read client hello A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write server hello A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write certificate A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write server done A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 flush data
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 read client key exchange A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 read finished A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write change cipher spec A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write finished A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 flush data
2007.06.05 03:22:22 LOG7[2884:3056]:    1 items in the session cache
2007.06.05 03:22:22 LOG7[2884:3056]:    0 client connects (SSL_connect())
2007.06.05 03:22:22 LOG7[2884:3056]:    0 client connects that finished
2007.06.05 03:22:22 LOG7[2884:3056]:    0 client renegotiations requested
2007.06.05 03:22:22 LOG7[2884:3056]:    1 server connects (SSL_accept())
2007.06.05 03:22:22 LOG7[2884:3056]:    1 server connects that finished
2007.06.05 03:22:22 LOG7[2884:3056]:    0 server renegotiations requested
2007.06.05 03:22:22 LOG7[2884:3056]:    0 session cache hits
2007.06.05 03:22:22 LOG7[2884:3056]:    1 session cache misses
2007.06.05 03:22:22 LOG7[2884:3056]:    0 session cache timeouts
2007.06.05 03:22:22 LOG6[2884:3056]: SSL accepted: new session negotiated
2007.06.05 03:22:22 LOG6[2884:3056]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2007.06.05 03:22:22 LOG7[2884:3056]: FD 280 in non-blocking mode
2007.06.05 03:22:22 LOG7[2884:3056]: https connecting 192.168.1.92:44300
2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): Connection refused (WSAECONNREFUSED) (10061)
2007.06.05 03:22:22 LOG5[2884:3056]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.06.05 03:22:22 LOG7[2884:3056]: https finished (0 left)

I think this is the problem:
Code:
2007.06.05 03:22:22 LOG7[2884:3056]: https connecting 192.168.1.92:44300
2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): Connection refused (WSAECONNREFUSED) (10061)

At first I tried 127.0.0.1:44300, the same as used in the tutorial.... same error in stunnel.
Then I switched to 192.168.1.92:44300, which is my static local address... and deleted the ban "/127.0.0.1"; the result is the same as above.

I can connect to stunnel from outside the router, so trouble with forwarding and the firewall inside the router can be ruled out.
Besides that, I'm running a software firewall too; these are the rules:
Stunnel --> TCP in/out --> localport:443 --> remote address and port: any
HFS --> TCP in/out --> localport:44300 --> remote address and port: any


Todd

  • Guest
kaede, I was having the same issue, and my log showed the exact same thing.  For me it was surrounding allowing the local network (through the router) access to the tunnel.  If you don't allow it, only your machine running it will be allowed access via localhost (127.0.0.1).  In the ban section, please put this in on one line.

\127.0.0.1;192.168.*

This should allow your local network to connect to HFS via STunnel.  


Offline kaede

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
Thx Todd, I tried "\127.0.0.1;192.168.1.*" and "\127.0.0.1;192.168.*"; same error here... >:(
Maybe it's the router (Linksys RV082), although it's not likely since I can pick up the attempt in Stunnel's log, but just to be sure I'll try it again tomorrow accessing from a friend's PC. (I was thinking of installing VNC on his computer, since having 2 IPs sometimes really comes in handy  ;D)

Does anyone know what <WSACONNREFUSED> means?


jimbo

  • Guest

Offline kaede

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
First, I DID NOT use quotes ""; that's a noob mistake. I thought it wasn't necessary, so I did not mention that earlier. Second: google WSACONNREFUSED, wow!! Jimbo, I won't ask something that is in Google search already. Here is one for you: "STFW"; if you don't know what it means, use Google. Thanks for the effort though.

Just returned from my friend's home and tried using his PC to connect to mine. I received the same error 10061, although Stunnel picked up the attempt and so did my firewall. So I think that the router is not the issue here... it must be something between HFS and Stunnel that cannot communicate.

More details: The address I input in the browser is "http://httpS://xxx.xxx.xxx.xxx/" (without the quotes), and I also tried it with my home DNS using DynDNS "https://mydns/", and I also tried "http://xxx.xxx.xxx.xxx:443/" and "http://mydns:443/". All attempts were picked up by Stunnel and it shows me the "Certificate Acceptance option", but after that I got these errors:
IE7: "Navigation to the webpage was canceled"
Firefox: "The connection was reset... The connection to the server was reset while the page was loading..."

Anyone has other suggestions? I'm kinda stuck..

« Last Edit: June 07, 2007, 12:03:12 AM by kaede »


Offline maverick

  • Tireless poster
  • ****
    • Posts: 1052
  • Computer Solutions
    • View Profile
A couple of things to check:

1. stunnel.conf -> what do you show in the following section?
[https]
accept  = 443
connect = 80
TIMEOUTclose = 0
It should be the same as above or if you use a different port for connect you can use that as well.  However, the defaults above seem to work the best for me, as long as nothing else depends on using port 80.  In this setup, HFS would use port 80.

2.  You mention you use a software firewall.  Give full tcp access for HFS and stunnel for the ports they use.

3.  You didn't mention hardware firewall - the one in your router.  Here you have to also give access to those applications and the ports they use.
maverick


Offline kaede

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
Hello mav:
ok, here is the complete setting:
HFS Server = 192.168.1.92 static ip

a> Router Setting:
a1> Firewall: Allow always --> TCP --> port:443 --> source ip:Any --> Destination ip:192.168.1.92
a2>Forwarding: name: HTTPS --> port:433 --> 192.168.1.92

b>Software firewall setting:
b1> STunnel --> Allow Always --> Protocol: TCP and UDP (just to make sure all pass thru) --> Direction: Both (just to make sure all pass thru) --> local port:443 --> Remote port and Address: Any --> application: Stunnel.exe [set to log].
b2> HFS --> Allow Always --> Protocol: TCP --> Direction: Both --> localport: 80 --> Remote port and Address: Any --> Application:hfs.exe [set to log].
b3> Blockall: Deny Always --> Protocol:all  --> localport:any --> remote address and port:any  --> application:all [set to log].

**The firewall rules are set in that order so the Blockall can show me if any attempt was denied so I can make further adjustments.

c>Stunnel.conf
c1> I started with this one:
[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0
The accept is set to all IPs on port 443,
and it only connects to 127.0.0.1 port 44300 (of course, that is the port I use in HFS).
c2> Later I tried Maverick's setting:
[https]
accept = 443
connect = 80
TIMEOUTclose = 0
The only difference is that it can be connected to by all addresses on port 80, and of course I changed HFS to 80.

d> HFS
First I deleted the Bans list, so no more \127.0.0.1 or \192.168.1.*
d1> used port 44300 together with c1> and b2> localport:44300 setting
d2> I used port 80 together with c2> and b2> localport:80 setting

I think that's all... It should work, but I still get this error 10061 connection refused  :-[


Todd

  • Guest

C1 settings are wrong - you don't include an IP address

This is not true if you are using the guide provided here:

http://www.rejetto.com/wiki/index.php/HFS:_Secure_your_server#HTTPS_and_SSL

This is how mine and others are set up and are running without issue.

If you are NOT using that guide, then you don't use C1, but then use C2.


Offline ~GeeS~

  • Tireless poster
  • ****
    • Posts: 269
  • "The web was made for sharing..."
    • View Profile
Just passing by ...
... This is how mine and others are set up and are running without issue. ...
I'm glad that my manual is still working fine. I've triple-checked it in the past on several occasions with setups from scratch ... and sometimes I forget the procedure myself.
Instead of the wiki you could also follow the instructions from the original thread at http://www.rejetto.com/forum/index.php?topic=3083.45 because it is easier to read.

So https://127.0.0.1:443 (Stunnel) is responsive, but forwarding to http://127.0.0.1:44300 (HFS) does not respond or refuses connection.
My suggestion:
Does http://127.0.0.1:44300 (HFS) respond? It should, because no Stunnel is involved.
Try to use a fresh version of HFS; disable any limits, bans, referrer etc.
If you use a firewall on 127.0.0.1, switch it off completely for testing.
If you use some caching or web-filtering software like Proxomitron etc., switch it off for testing.
Your OS?
It does work, just try harder! Good luck!
BTW, IP numbers in front of the ports in the stunnel scripts were implemented in the Stunnel version mentioned in the manual, e.g. 0.0.0.0:80 = all on port 80.

~GeeS~


Offline kaede

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
Alright guys!!! It's working now!!!!  :D :D :D and I've found the problem.
Just as Mav and GeeS pointed out, it was the software firewall that was blocking the connection between the programs..., but strangely it did not show the blocked packets in the log. Maybe it's a bug in the firewall software, because after I restarted the firewall manually it started to show the Blockall log and guess what: Stunnel is in it  :o

OK, so what went wrong:
Simple, the b1> firewall rule just wasn't enough; it points to port 443 only!!! and STUNNEL does need another port to communicate with HFS, like this one:

NEW STUNNEL RULE:
TCP --> remote: localhost:xxxx --> local: localhost [127.0.0.1:80] --> application Stunnel.exe
Voila!!! CONNECTION ESTABLISHED

So, summing up, I only have to make a minor adjustment to rule c1>: instead of port 443 only, I will include a list of ports which obviously includes the port used by HFS.
So I would kindly suggest that the tutorial includes the necessary software firewall rule. It does say that the firewall needs to be opened at port 443, presumably for stunnel, but does not say anything else. It would be good to add:
"open port 443 and the port assigned to HFS for the stunnel application in your software firewall". I think it will save us a lot of pain.

Finally, I would like to add the following things:
stunnel.conf:
[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:80
TIMEOUTclose = 0
Those inputs are completely valid, and you DO NOT, I repeat DO NOT, need to forward or open a port for HFS in your ROUTER.

Thx VERY MUCH guys for the help!!


Offline kaede

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
This is a little complement to the tutorial written by ~GeeS~:
http://www.rejetto.com/forum/index.php?topic=3083.msg1022798#msg1022798

If you encounter this kind of error:
Code:
2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): Connection refused (WSAECONNREFUSED) (10061)
2007.06.05 03:22:22 LOG5[2884:3056]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
And you are using a Router and a Software firewall, this could be the solution:

Complete Firewall Rule for HFS and Stunnel:
Data:
--The server hosting HFS and Stunnel, from now on we call it 192.168.1.100
--I'm using port 80 for HFS; if you are using another port, feel free to change rules 2a) and 2b), where you should change port 80 to the port of your choice.

1) Router
firewall: Always Allow -- TCP -- port:443 -- source ip:Any -- Destination ip: 192.168.1.100
forwarding: Always allow -- port:443 -- forward to -- 192.168.1.100

2)Software Firewall Rules
a) name: Stunnel -- Always Allow -- TCP -- IN/OUT -- Local port:443; 80 -- Remote Address:Any -- RemotePort:Any -- App:Stunnel.exe
b) name: HFS -- Always Allow -- TCP -- IN/OUT -- Local port:80 -- Remote Address:Any -- Remote Port:Any -- App:hfs.exe

In case you are still getting "connection refused" try changing 2a) Local port:Any
regards
« Last Edit: June 08, 2007, 06:17:39 AM by kaede »


Offline ~GeeS~

  • Tireless poster
  • ****
    • Posts: 269
  • "The web was made for sharing..."
    • View Profile
Nice to hear that your Stunnel/HFS is working now!
But I've still some comments:

- In the tutorial I've not given instructions on how to configure routers and firewalls on purpose, because every configuration is different and it would be much more confusing to discuss every possible configuration. A user who uses a router and/or a firewall should know what (s)he is doing.
I still do not understand why you are using a firewall in your router and a firewall in your machine.

- In your comments you suggest the combo https://127.0.0.1:443 (Stunnel) forwarding to http://127.0.0.1:80 (HFS). This is not my intended combo! Stunnel should forward to a port different from 80 (default HTTP), like 44300, which also should not be accessible from the outside, because otherwise stunnel could be bypassed! Port 80 could be used for a second instance of HFS as a standard, non-encrypted HTTP server.

But there are many ways to skin a cat ... and you are free to do it as you like.
~GeeS~
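The two points argued in this thread, ~GeeS~'s warning that the plaintext HFS port must not be reachable except through stunnel, and the "Connection refused" line from kaede's first log, can both be checked mechanically. The following is an added example, not code from the thread, from HFS or from stunnel; the config text and log lines in it are constructed samples modelled on what kaede posted.

```python
"""Added example (not from the thread, HFS or stunnel): parse a minimal
stunnel.conf, flag a backend that is reachable off-loopback (the bypass
~GeeS~ describes), and pull the refused backend out of stunnel's log."""
import re
from ipaddress import ip_address

SAMPLE_CONF = """
[https]
accept  = 0.0.0.0:443
connect = 192.168.1.92:44300
TIMEOUTclose = 0
"""
SAMPLE_LOG = [  # constructed, shaped like the LOG7/LOG3 lines in the first post
    "2007.06.05 03:22:22 LOG7[2884:3056]: https connecting 192.168.1.92:44300",
    "2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): "
    "Connection refused (WSAECONNREFUSED) (10061)",
]
REFUSED = re.compile(r"remote connect \(([^:)]+):(\d+)\): Connection refused")

def parse_stunnel_conf(text):
    """Return {service: {key: value}}; ';' starts a comment in stunnel.conf."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return services

def split_endpoint(value, default_host):
    """'0.0.0.0:443' -> ('0.0.0.0', 443); a bare '443' gets default_host."""
    host, sep, port = value.rpartition(":")
    return (host if sep else default_host), int(port)

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a hostname we cannot judge offline
        return False

def check_service(cfg):
    """Findings for one service section: is the plaintext backend exposed?"""
    findings = []
    c_host, c_port = split_endpoint(cfg["connect"], "127.0.0.1")
    if not is_loopback(c_host):
        findings.append("connect=%s is not loopback: HFS answers plain HTTP on "
                        "the LAN, so stunnel can be bypassed" % cfg["connect"])
    if c_port == 80:
        findings.append("connect port 80 is the default HTTP port: never forward "
                        "it on the router, or stunnel is bypassed")
    return findings

def triage_log(lines):
    """Backends stunnel could not reach: nothing is listening there, or the
    software firewall is blocking stunnel.exe's outbound connection."""
    return [(m.group(1), int(m.group(2))) for m in map(REFUSED.search, lines) if m]
```

A clean result from check_service plus an empty triage_log is what the working setup at the end of the thread looks like; a refused backend with a loopback connect target points at the software firewall rule for stunnel.exe, which is what kaede finally found.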


Offline kaede

  • Occasional poster
  • *
    • Posts: 7
    • View Profile
Thx ~GeeS~!!!

Well, routers have a firewall, but you can't control the actual "application" that is using that port; therefore, combining it with a software firewall you have absolutely full control of the application that you are running. It's just a matter of how secure you want it to be.

If you did not open port 80 in the router, the bypass trick won't work. As you can see in the router firewall rule I wrote, only Stunnel's 443 is open. Besides, port 80 is just an example. Of course, any port above 1024 is better. For example 44300  ;)

The forwarding localhost:443 to localhost:80, well, it's not a "forwarding" rule; it's actually a software firewall rule and it's applied only to stunnel.exe, meaning that for stunnel.exe (the application) the only ports that it can access are 443 and 80. Port 80 in this case is used by HFS.

Actually you can use almost any port for anything; for example, before this I was using port 80 for uTorrent and it worked just fine. It's just a matter of how you configure it.

To be sure about the bypass I've just rechecked the configuration. The following test is to see if, using the rules I set for router and firewall, it can be bypassed from outside (internet) if HFS is set to port 80: enter in the address bar your public address followed by :80/

Settings of HFS to leave it wide open:
Port 80
delete \127.0.0.1 in the ban list.
Menu --> Accept connections on --> Any address.
This way HFS can connect to any address and it's listening at port 80.

How did I check:

First: if you connect using your public IP (the one assigned by your ISP) and add ":80/" at the end, it will probably link to your router administration page.  See this post: http://www.rejetto.com/forum/index.php?topic=3083.msg1015853#msg1015853 from blueeagle69. All he could see is his router; he is trying to connect to his HFS through the local network using a public IP.

Second: if you connect to the PC that is hosting HFS using the private IP, within the local network of course, you will get access. But that is the local network (inside your home or office network) and is not from outside (internet).

So there are 2 ways to test it:
1) Connect from somewhere else.
2) You can use an anonymous surfing page or a proxy like this one: http://www.htmlblock.co.uk/anon.php

To start, connect to your HFS like usual, for example: https://myhomeserver.com/. You can see in Stunnel's log that the incoming connection IP address is different from your public IP, like this one: 213.171.218.198, that is the IP of www.htmlblock.co.uk.
Once you make sure that you are accessing your HFS from outside, connect using http://yourpublicip:80/ and see what happens. If everything is secure you should get an "Error: Could Not Connect to Server" message. If you can connect to your HFS, either you are connecting from your local network or your router has the HFS port open.

After all, the purpose of using STUNNEL is to secure our HFS; some people like 80, some like 44300 and some like 666 :D (I'm using this one now); it is entirely up to the user. But like I said, if you are behind a router and have a software firewall and you want STUNNEL, then those are the rules to open ports. And of course configuration of software firewalls and routers may differ from one to another, but the logic is always the same.

One last thing (it's getting too long now): using DynDNS webhop to redirect your address so you don't have to write the "https" anymore is a really good trick.

regards!


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 911
  • I'm only trying to help i mean no offense.
    • View Profile
Sounds like you're using OpenSSL (no FIPS) support...

see link for further help:
http://www.rejetto.com/forum/hfs-~-http-file-server/stunnel-and-hfs-%28securing-your-hfs%29/msg1058480/#msg1058480
With the move to hfs 3.0 and github. I'm using Unraid and HFS 3 as a docker. Any File Mentioned is now removed from my google drive.