
I am trying to set up stunnel so that I can reach my IIS static website (http://localhost).

I want to access it via https://localhost:443.

Here is my conf file:

[https]
client= yes
accept = 443
connect = 80
debug = 7
sslVersion = all
cert = D:\stunnel\config\cert.pfx

Here is the error I get:

2017.05.04 12:41:01 LOG5[main]: UTF-8 byte order mark detected
2017.05.04 12:41:01 LOG5[main]: FIPS mode disabled
2017.05.04 12:41:01 LOG4[main]: Service [https] needs authentication to prevent MITM attacks
2017.05.04 12:41:01 LOG5[main]: Configuration successful
2017.05.04 12:41:14 LOG7[80]: Service [https] started
2017.05.04 12:41:14 LOG7[80]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[80]: Service [https] accepted connection from 127.0.0.1:54417
2017.05.04 12:41:14 LOG6[80]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[80]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG7[81]: Service [https] started
2017.05.04 12:41:14 LOG7[81]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[81]: Service [https] accepted connection from 127.0.0.1:54419
2017.05.04 12:41:14 LOG6[81]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[81]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[81]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[81]: Service [https] connected remote server from 127.0.0.1:54420
2017.05.04 12:41:14 LOG7[81]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[81]: Remote descriptor (FD=552) initialized
2017.05.04 12:41:14 LOG6[81]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[81]: Peer certificate not required
2017.05.04 12:41:14 LOG7[81]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[81]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[81]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[81]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[81]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[81]: Remote descriptor (FD=552) closed
2017.05.04 12:41:14 LOG7[81]: Local descriptor (FD=480) closed
2017.05.04 12:41:14 LOG7[81]: Service [https] finished (1 left)
2017.05.04 12:41:14 LOG5[80]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[80]: Service [https] connected remote server from 127.0.0.1:54418
2017.05.04 12:41:14 LOG7[80]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[80]: Remote descriptor (FD=304) initialized
2017.05.04 12:41:14 LOG6[80]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[80]: Peer certificate not required
2017.05.04 12:41:14 LOG7[80]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[80]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[80]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[80]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[80]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[80]: Remote descriptor (FD=304) closed
2017.05.04 12:41:14 LOG7[80]: Local descriptor (FD=496) closed
2017.05.04 12:41:14 LOG7[80]: Service [https] finished (0 left)
2017.05.04 12:41:14 LOG7[82]: Service [https] started
2017.05.04 12:41:14 LOG7[82]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[82]: Service [https] accepted connection from 127.0.0.1:54422
2017.05.04 12:41:14 LOG6[82]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[82]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[82]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[82]: Service [https] connected remote server from 127.0.0.1:54423
2017.05.04 12:41:14 LOG7[82]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[82]: Remote descriptor (FD=304) initialized
2017.05.04 12:41:14 LOG6[82]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[82]: Peer certificate not required
2017.05.04 12:41:14 LOG7[82]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[82]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[82]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[82]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[82]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[82]: Remote descriptor (FD=304) closed
2017.05.04 12:41:14 LOG7[82]: Local descriptor (FD=544) closed
2017.05.04 12:41:14 LOG7[82]: Service [https] finished (0 left)
2017.05.04 12:41:14 LOG7[83]: Service [https] started
2017.05.04 12:41:14 LOG7[83]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[83]: Service [https] accepted connection from 127.0.0.1:54425
2017.05.04 12:41:14 LOG6[83]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[83]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[83]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[83]: Service [https] connected remote server from 127.0.0.1:54426
2017.05.04 12:41:14 LOG7[83]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[83]: Remote descriptor (FD=540) initialized
2017.05.04 12:41:14 LOG6[83]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[83]: Peer certificate not required
2017.05.04 12:41:14 LOG7[83]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[83]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[83]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[83]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[83]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[83]: Remote descriptor (FD=540) closed
2017.05.04 12:41:14 LOG7[83]: Local descriptor (FD=488) closed
2017.05.04 12:41:14 LOG7[83]: Service [https] finished (0 left)
2017.05.04 12:41:14 LOG7[84]: Service [https] started
2017.05.04 12:41:14 LOG7[84]: Option TCP_NODELAY set on local socket
2017.05.04 12:41:14 LOG5[84]: Service [https] accepted connection from 127.0.0.1:54427
2017.05.04 12:41:14 LOG6[84]: s_connect: connecting 127.0.0.1:80
2017.05.04 12:41:14 LOG7[84]: s_connect: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2017.05.04 12:41:14 LOG5[84]: s_connect: connected 127.0.0.1:80
2017.05.04 12:41:14 LOG5[84]: Service [https] connected remote server from 127.0.0.1:54428
2017.05.04 12:41:14 LOG7[84]: Option TCP_NODELAY set on remote socket
2017.05.04 12:41:14 LOG7[84]: Remote descriptor (FD=304) initialized
2017.05.04 12:41:14 LOG6[84]: SNI: sending servername: localhost
2017.05.04 12:41:14 LOG6[84]: Peer certificate not required
2017.05.04 12:41:14 LOG7[84]: TLS state (connect): before/connect initialization
2017.05.04 12:41:14 LOG7[84]: TLS state (connect): SSLv2/v3 write client hello A
2017.05.04 12:41:14 LOG3[84]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[84]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.05.04 12:41:14 LOG7[84]: Deallocating application specific data for addr index
2017.05.04 12:41:14 LOG7[84]: Remote descriptor (FD=304) closed
2017.05.04 12:41:14 LOG7[84]: Local descriptor (FD=484) closed
2017.05.04 12:41:14 LOG7[84]: Service [https] finished (0 left)

I am looking for a basic, bare-bones configuration.

Can anyone tell me why it doesn't work? Do I need to configure something behind the scenes?

2 Answers

'client = yes' makes stunnel encrypt the data received from the client and decrypt the data received from the server.

Solved by setting client to 'No':

[https]
client= No
accept = 443
connect = 80
debug = 7
sslVersion = all
cert = D:\stunnel\config\cert.pfx
Answered 2017-05-05T15:03:03.920

This error occurs because you are not running a Stunnel server on the port you are trying to connect to.

Stunnel needs a client and a server. The protocol they use is SSL-wrapped TCP. If you try to point a Stunnel client at a web server such as IIS, the Stunnel client will not be able to talk to it. It is expecting another Stunnel instance running with a Stunnel server config file.

That is why you see the unknown protocol message: when stunnel sends a TCP-wrapped packet to say hello, the web server does not understand it, so it does not reply to the hello.

2017.05.04 12:41:14 LOG3[84]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2017.05.04 12:41:14 LOG5[84]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

However, once a client and a server are set up, you can run HTTP or HTTPS through Stunnel. Here are example config files for a Stunnel client and a Stunnel server, which create the Stunnel connection on port 8000 and let the client use port 9999 to reach a web server running on port 9998 on the server.

Answered 2017-05-06T01:47:28.637
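A small diagnostic, added here as an example and not part of either answer, that shows what both answers describe: it sends a minimal TLS ClientHello to a port and classifies the reply, so a plain web server on the `connect` port (which answers the hello with an HTTP error, producing stunnel's "unknown protocol") is told apart from a TLS-speaking stunnel server. The probe target, the ADVICE strings and the sample reply bytes are my own assumptions and constructions.

```python
import socket

# A TLS peer answers with record type 0x16 (ServerHello) or 0x15 (alert).
TLS_RECORD_TYPES = (0x16, 0x15)

# Assumed mapping from verdict to fix, as the two answers above describe it.
ADVICE = {
    "tls": "connect target speaks TLS: 'client = yes' is the right mode",
    "plaintext-http": "connect target is a plain web server: use 'client = no' so "
                      "stunnel terminates TLS itself, or put a stunnel server in front",
    "no-reply": "target closed the connection without answering: check port and firewall",
    "not-tls": "target answered in some other protocol: 'client = yes' cannot talk to it",
}

def minimal_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, no extensions.
    Enough to make the peer reveal whether it speaks TLS at all."""
    body = (b"\x03\x03" + b"\x00" * 32   # client_version + random (zeros: probe only)
            + b"\x00"                     # empty session id
            + b"\x00\x02\xc0\x2f"         # one cipher: ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00")                # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def classify_response(reply: bytes) -> str:
    """Label the first bytes a server returns after the ClientHello."""
    if not reply:
        return "no-reply"
    if len(reply) >= 2 and reply[0] in TLS_RECORD_TYPES and reply[1] == 0x03:
        return "tls"
    if reply.startswith(b"HTTP/"):
        return "plaintext-http"   # e.g. IIS answering the hello with '400 Bad Request'
    return "not-tls"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the hello, classify whatever comes back (or the reset)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(minimal_client_hello())
        try:
            reply = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)

if __name__ == "__main__":
    # The question's 'connect = 80' target; assumed to be reachable locally.
    verdict = probe("127.0.0.1", 80)
    print(verdict, "->", ADVICE[verdict])
```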