matthew patton wrote at about 00:01:04 +0000 on Friday, February 16, 2024:
 > can you turn stunnel debug up higher?also post your stunnel.conf?
It's already at debug=7 as you can see from the LOG7 in the snippet I
posted.

I will include the detailed client log below:

My client stunnel.conf is pretty simple
   pid = /var/run/stunnel.pid
   output = /var/log/stunnel.log

   # https://www.stunnel.org/faq.html
   # Potentially helps speed up connection
   socket = r:TCP_NODELAY=1
   socket = l:TCP_NODELAY=1

   debug = 7

   [ssh]
   client=yes
   accept = localhost:1234
   connect = mydomain.com:443
   verifyChain = yes
   CAfile = /etc/stunnel/stunnel.crt
   checkHost = mydomain.com


 > Beyond that, why something this convoluted when you could use ssh 
 > port-forwarding by way of the remote Stunnel endpoint? Or use Stunnel as a 
 > SOCKS proxy and configure SSH client to connect that 
 > way?https://hamy.io/post/0013/how-to-setup-an-encrypted-socks-proxy-using-stunnel/

Well, I want to tunnel SSH over SSL/port 443 since this helps me punch
through various corporate firewalls -- it works well and is widely
recommended in various online FAQs.
Not sure in what way it is convoluted... the path is...
        ssh -p 1234 ocalhost --> stunnel client -> remote:443 -> localhost:22 
(sshd)

Am I missing something here?

-----------------------------------------------------------------------
Here is the detailed debug=7 log

#### stunnel startup:
        2024.02.15 22:28:29 LOG6[ui]: Initializing inetd mode configuration
        2024.02.15 22:28:29 LOG7[ui]: Clients allowed=1562
        2024.02.15 22:28:29 LOG5[ui]: stunnel 5.71 on x86_64-pc-cygwin platform
        2024.02.15 22:28:29 LOG5[ui]: Compiled with OpenSSL 3.0.11 19 Sep 2023
        2024.02.15 22:28:29 LOG5[ui]: Running  with OpenSSL 3.0.12 24 Oct 2023
        2024.02.15 22:28:29 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 
TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
        2024.02.15 22:28:29 LOG7[ui]: errno: (*__errno())
        2024.02.15 22:28:29 LOG6[ui]: Initializing inetd mode configuration
        2024.02.15 22:28:29 LOG5[ui]: Reading configuration from file 
/etc/stunnel/stunnel.conf
        2024.02.15 22:28:29 LOG5[ui]: UTF-8 byte order mark not detected
        2024.02.15 22:28:29 LOG5[ui]: FIPS mode disabled
        2024.02.15 22:28:29 LOG6[ui]: Compression disabled
        2024.02.15 22:28:29 LOG7[ui]: No PRNG seeding was required
        2024.02.15 22:28:29 LOG6[ui]: Initializing service [ssh]
        2024.02.15 22:28:29 LOG7[ui]: Initializing context [ssh]
        2024.02.15 22:28:29 LOG6[ui]: stunnel default security level set: 2
        2024.02.15 22:28:29 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
        2024.02.15 22:28:29 LOG7[ui]: TLSv1.3 ciphersuites: 
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
        2024.02.15 22:28:29 LOG7[ui]: TLS options: 0x2100000 (+0x0, -0x0)
        2024.02.15 22:28:29 LOG6[ui]: Session resumption enabled
        2024.02.15 22:28:29 LOG7[ui]: No certificate or private key specified
        2024.02.15 22:28:29 LOG6[ui]: Configured trusted server CA: C=US, 
ST=MyState, L=MyCity, O=MyOrg, CN=mydomain.com, emailAddress=c...@mydomain.com
        2024.02.15 22:28:29 LOG7[ui]: OCSP: Client OCSP stapling enabled
        2024.02.15 22:28:29 LOG6[ui]: DH initialization skipped: client section
        2024.02.15 22:28:29 LOG7[ui]: ECDH initialization
        2024.02.15 22:28:29 LOG7[ui]: ECDH initialized with curves 
X25519:P-256:X448:P-521:P-384
        2024.02.15 22:28:29 LOG5[ui]: Configuration successful
        2024.02.15 22:28:29 LOG7[ui]: Deallocating deployed section defaults
        2024.02.15 22:28:29 LOG7[ui]: Cleaning up context [stunnel]
        2024.02.15 22:28:29 LOG7[ui]: Binding service [ssh]
        2024.02.15 22:28:29 LOG7[ui]: Listening file descriptor created (FD=8)
        2024.02.15 22:28:29 LOG7[ui]: Setting accept socket options (FD=8)
        2024.02.15 22:28:29 LOG7[ui]: Option SO_REUSEADDR set on accept socket
        2024.02.15 22:28:29 LOG6[ui]: Service [ssh] (FD=8) bound to ::1:1234
        2024.02.15 22:28:29 LOG7[ui]: Listening file descriptor created (FD=10)
        2024.02.15 22:28:29 LOG7[ui]: Setting accept socket options (FD=10)
        2024.02.15 22:28:29 LOG7[ui]: Option SO_REUSEADDR set on accept socket
        2024.02.15 22:28:29 LOG6[ui]: Service [ssh] (FD=10) bound to 
127.0.0.1:1234
        2024.02.15 22:28:29 LOG7[main]: Created pid file /var/run/stunnel.pid
        2024.02.15 22:28:29 LOG7[per-second]: Per-second thread initialized
        2024.02.15 22:28:29 LOG6[main]: Accepting new connections
        2024.02.15 22:28:29 LOG7[per-day]: Per-day thread initialized
        2024.02.15 22:28:29 LOG6[per-day]: Executing per-day jobs
        2024.02.15 22:28:29 LOG6[per-day]: Per-day jobs completed in 0 seconds
        2024.02.15 22:28:29 LOG7[per-day]: Waiting 86400 seconds
        
####First ssh connection
        2024.02.15 22:29:04 LOG7[main]: Found 1 ready file descriptor(s)
        2024.02.15 22:29:04 LOG7[main]: FD=4 events=0x1 revents=0x0
        2024.02.15 22:29:04 LOG7[main]: FD=8 events=0x1 revents=0x1
        2024.02.15 22:29:04 LOG7[main]: FD=10 events=0x1 revents=0x0
        2024.02.15 22:29:04 LOG7[main]: Service [ssh] accepted (FD=3) from 
::1:52049
        2024.02.15 22:29:04 LOG7[0]: Service [ssh] started
        2024.02.15 22:29:04 LOG7[0]: Setting local socket options (FD=3)
        2024.02.15 22:29:04 LOG7[0]: Option TCP_NODELAY set on local socket
        2024.02.15 22:29:04 LOG5[0]: Service [ssh] accepted connection from 
::1:52049
        2024.02.15 22:29:04 LOG6[0]: s_connect: connecting 123.123.123.123:443
        2024.02.15 22:29:04 LOG7[0]: s_connect: s_poll_wait 
123.123.123.123:443: waiting 10 seconds
        2024.02.15 22:29:04 LOG7[0]: FD=6 events=0x1 revents=0x0
        2024.02.15 22:29:04 LOG7[0]: FD=12 events=0x5 revents=0x0
        2024.02.15 22:29:04 LOG5[0]: s_connect: connected 123.123.123.123:443
        2024.02.15 22:29:04 LOG5[0]: Service [ssh] connected remote server from 
10.0.0.205:52050
        2024.02.15 22:29:04 LOG7[0]: Setting remote socket options (FD=12)
        2024.02.15 22:29:04 LOG7[0]: Option TCP_NODELAY set on remote socket
        2024.02.15 22:29:04 LOG7[0]: Remote descriptor (FD=12) initialized
        2024.02.15 22:29:04 LOG6[0]: SNI: sending servername: mydomain.com
        2024.02.15 22:29:04 LOG6[0]: Peer certificate required
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): before SSL 
initialization
        2024.02.15 22:29:04 LOG7[0]: Initializing application specific data for 
session authenticated
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): SSLv3/TLS write 
client hello
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): SSLv3/TLS write 
client hello
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): SSLv3/TLS read server 
hello
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): TLSv1.3 read 
encrypted extensions
        2024.02.15 22:29:04 LOG7[0]: Verification started at depth=0: C=US, 
ST=MyState, L=MyCity, O=MyOrg, CN=mydomain.com, emailAddress=c...@mydomain.com
        2024.02.15 22:29:04 LOG7[0]: CERT: Pre-verification succeeded
        2024.02.15 22:29:04 LOG6[0]: CERT: Host name "mydomain.com" matched 
with "mydomain.com"
        2024.02.15 22:29:04 LOG7[0]: OCSP: Waiting for OCSP stapling response
        2024.02.15 22:29:04 LOG5[0]: Certificate accepted at depth=0: C=US, 
ST=MyState, L=MyCity, O=MyOrg, CN=mydomain.com, emailAddress=c...@mydomain.com
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): SSLv3/TLS read server 
certificate
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): TLSv1.3 read server 
certificate verify
        2024.02.15 22:29:04 LOG7[0]: OCSP stapling: Client callback called
        2024.02.15 22:29:04 LOG7[0]: OCSP: Ignoring the root certificate
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): SSLv3/TLS read 
finished
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): SSLv3/TLS write 
change cipher spec
        2024.02.15 22:29:04 LOG7[0]: TLS state (connect): SSLv3/TLS write 
finished
        2024.02.15 22:29:04 LOG7[0]:      1 client connect(s) requested
        2024.02.15 22:29:04 LOG7[0]:      1 client connect(s) succeeded
        2024.02.15 22:29:04 LOG7[0]:      0 client renegotiation(s) requested
        2024.02.15 22:29:04 LOG7[0]:      0 session reuse(s)
        2024.02.15 22:29:04 LOG6[0]: TLS connected: new session negotiated
        2024.02.15 22:29:04 LOG6[0]: TLSv1.3 ciphersuite: 
TLS_AES_256_GCM_SHA384 (256-bit encryption)
        2024.02.15 22:29:04 LOG6[0]: Peer temporary key: X25519, 253 bits
        2024.02.15 22:29:04 LOG7[0]: Compression: null, expansion: null
        2024.02.15 22:29:05 LOG7[0]: TLS state (connect): SSL negotiation 
finished successfully
        2024.02.15 22:29:05 LOG7[0]: TLS state (connect): SSL negotiation 
finished successfully
        2024.02.15 22:29:05 LOG7[0]: Initializing application specific data for 
session authenticated
        2024.02.15 22:29:05 LOG7[0]: Deallocating application specific data for 
session connect address
        2024.02.15 22:29:05 LOG7[0]: New session callback
        2024.02.15 22:29:05 LOG7[0]: Peer certificate was cached (1444 bytes)
        2024.02.15 22:29:05 LOG6[0]: Session id: 
F676D7E3E5CF84E15EC518BB54BD78CA8C1F9D3770F12DEB3FAFD98E50AAAA1C
        2024.02.15 22:29:05 LOG7[0]: TLS state (connect): SSLv3/TLS read server 
session ticket
        2024.02.15 22:29:05 LOG7[0]: TLS state (connect): SSL negotiation 
finished successfully
        2024.02.15 22:29:05 LOG7[0]: TLS state (connect): SSL negotiation 
finished successfully
        2024.02.15 22:29:05 LOG7[0]: Initializing application specific data for 
session authenticated
        2024.02.15 22:29:05 LOG7[0]: New session callback
        2024.02.15 22:29:05 LOG7[0]: Deallocating application specific data for 
session connect address
        2024.02.15 22:29:05 LOG6[0]: Session id: 
117BD7B86EA5575EEC2591DE8D973075993999B912710C9C11E5E1C4973AA1E5
        2024.02.15 22:29:05 LOG7[0]: TLS state (connect): SSLv3/TLS read server 
session ticket

####First ssh exit
        2024.02.15 22:29:16 LOG6[0]: Read socket closed (readsocket)
        2024.02.15 22:29:16 LOG7[0]: Sending close_notify alert
        2024.02.15 22:29:16 LOG7[0]: TLS alert (write): warning: close notify
        2024.02.15 22:29:16 LOG6[0]: SSL_shutdown successfully sent 
close_notify alert
        2024.02.15 22:29:17 LOG7[0]: TLS alert (read): warning: close notify
        2024.02.15 22:29:17 LOG6[0]: TLS closed (SSL_read)
        2024.02.15 22:29:17 LOG7[0]: Sent socket write shutdown
        2024.02.15 22:29:17 LOG5[0]: Connection closed: 3097 byte(s) sent to 
TLS, 3001 byte(s) sent to socket
        2024.02.15 22:29:17 LOG7[0]: Remote descriptor (FD=12) closed
        2024.02.15 22:29:17 LOG7[0]: Local descriptor (FD=3) closed
        2024.02.15 22:29:17 LOG7[0]: Service [ssh] finished (0 left)

####Second ssh attempt
    2024.02.15 22:39:56 LOG7[main]: Found 1 ready file descriptor(s)
        2024.02.15 22:39:56 LOG7[main]: FD=4 events=0x1 revents=0x0
        2024.02.15 22:39:56 LOG7[main]: FD=8 events=0x1 revents=0x1
        2024.02.15 22:39:56 LOG7[main]: FD=10 events=0x1 revents=0x0
        2024.02.15 22:39:56 LOG7[main]: Service [ssh] accepted (FD=3) from 
::1:52079

The above is the last log message posted no matter how many times I
try to ssh again... so it seems frozen/hung

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

Reply via email to