APE + Stunnel + SSL


Gino

Apr 3, 2012, 7:52:08 AM
to APE Project
Hi,

I'm currently wrapping up a project but I'm now required to use SSL
for my APE server. Everything has been working fine until I've
implemented SSL on my web server (IIS).
I followed the instructions in http://www.ape-project.org/wiki/index.php/SSL_with_ape

I installed stunnel4 version 4.29-1
on the same server as my APE

my stunnel.conf has the following lines:

cert = /etc/stunnel/my_main_cert.pem
cert = /etc/stunnel/my_ape_cert.pem
cert = /etc/stunnel/my_wildcard_cert.pem
sslVersion = SSLv3

debug = 7
output = /var/log/stunnel4/stunnel.log

[ape]
accept = 443
connect = 6969

I've updated my APE JSF from the latest github version and added the
following lines in my apeClientJS.js

APE.Config.server = 'ape.my-domain.com:442';
APE.Config.secure = true;

Stunnel starts with no errors but when I run the Check tool bundled in
ape-jsf (which is also updated to support the secure parameter)
I fail at contacting https://ape.my-domain:442

When I check the stunnel logs I find the following:

2012.04.03 18:43:04 LOG3[2409:140692054951680]: SSL_accept: Peer suddenly disconnected
2012.04.03 18:43:04 LOG5[2409:140692054951680]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.04.03 18:43:04 LOG7[2409:140692054951680]: ape finished (0 left)

I'm finding it difficult to find out what exactly is failing during
the test.
Could anyone who has successfully set up SSL with APE share their
experience?
I've been going through the group but haven't been able to find anything.
Any help is greatly appreciated!

Thanks!

Gino

Apr 10, 2012, 8:04:58 AM
to APE Project
I realized in my previous post I placed the port as 443. That was just
a typo; my configuration has the port set to 442, the same port that is
set in my apeClientJS.js, so my stunnel.conf should be:

cert = /etc/stunnel/my_main_cert.pem
cert = /etc/stunnel/my_ape_cert.pem
cert = /etc/stunnel/my_wildcard_cert.pem
sslVersion = SSLv3
debug = 7
output = /var/log/stunnel4/stunnel.log
[ape]
accept = 442
connect = 6969

and I still get an error with the Check tool - fail to contact
https://ape.my-domain.com:442

I still haven't been able to get stunnel to work with APE. I've been
reading what I could find in the internet, but no solution yet.
Could someone share what certificates they have installed in their web
server and stunnel server?
I'm thinking my problem may lie with the certificates I have. As of
now I'm using certificates made with OpenSSL.

I hope someone can help!

Matija Hiti

Apr 10, 2012, 4:11:28 PM
to ape-p...@googlegroups.com
First try if server replies anything through https. Open https://0.ape.your-domain.com:442 in your browser. You should get the same response as with http://0.ape.your-domain.com:6969

If this works, dig into the jsf settings. Otherwise, search for issues on server.

For the server certificate: you need two of them. One for the Apache serving the files (yourdomain.com) and one wildcard for stunnel (*.ape.your-domain.com). Stunnel works with a bundle file, which includes your certificate, CA certificate and intermediate certificates, if they exist. Add foreground=yes or check the stunnel error log for errors when you run it.

Matija


--
You received this message because you are subscribed to the Google
Groups "APE Project" group.
To post to this group, send email to ape-p...@googlegroups.com
To unsubscribe from this group, send email to
ape-project...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/ape-project?hl=en
---
APE Project (Ajax Push Engine)
Official website : http://www.ape-project.org/
Git Hub : http://github.com/APE-Project/

Gino

Apr 11, 2012, 12:37:50 AM
to APE Project
Thanks Matija for the reply.

I tried opening my browser first to http://0.ape.my-domain.com:6969
and I immediately get the response from APE with the no command given
message.
Then I tried https://0.ape.your-domain.com:442, I get the same results
but it takes extremely long to get a response. It's probably around 1
min until I get the same result.

Based on the logs I see messages like ape connected remote server from
127.0.0.1:60001, and since I eventually get a response I take it
stunnel and APE are communicating?

But I also noticed the following in the logs:

2012.04.11 12:30:36 LOG7[2409:140692054951680]: Remote FD=15 initialized
2012.04.11 12:30:36 LOG7[2409:140692054951680]: TCP_NODELAY option set on remote socket
2012.04.11 12:30:36 LOG7[2409:140692054951680]: Socket closed on read
2012.04.11 12:30:36 LOG7[2409:140692054951680]: SSL write shutdown
2012.04.11 12:30:36 LOG7[2409:140692054951680]: SSL alert (write): warning: close notify
2012.04.11 12:30:36 LOG6[2409:140692054951680]: SSL_shutdown successfully sent close_notify
2012.04.11 12:30:38 LOG3[2409:140692054882048]: SSL_accept: Peer suddenly disconnected
2012.04.11 12:30:38 LOG5[2409:140692054882048]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2012.04.11 12:30:38 LOG7[2409:140692054882048]: ape finished (1 left)
2012.04.11 12:31:36 LOG6[2409:140692054951680]: s_poll_wait timeout: connectionclose
2012.04.11 12:31:36 LOG5[2409:140692054951680]: Connection closed: 395 bytes sent to SSL, 387 bytes sent to socket

It says that Peer is suddenly disconnected. Is that normal?

The web server I have to use is IIS. It currently has the my-domain.com
cert. In stunnel I placed 3 certs: my-domain.com, *.my-domain.com,
*.ape.my-domain.com.
The wildcard certs I made using OpenSSL for now. Would this affect my
setup?

On Apr 11, 4:11 am, Matija Hiti <matija.h...@gmail.com> wrote:
> First try if server replies anything through https. Open https://0.ape.your-domain.com:442 in your browser. You should get the same
> response as with http://0.ape.your-domain.com:6969

Michele Vezzoli

Apr 15, 2012, 6:17:00 AM
to ape-p...@googlegroups.com
Hi Gino,
I confirm your test,

I have the same problem :) on debian squeeze

Bye

2012/4/11 Gino <gin...@gmail.com>

Matija Hiti

Apr 15, 2012, 8:43:37 AM
to ape-p...@googlegroups.com
Try to add the following line to your stunnel.conf:

delay = no
TIMEOUTclose = 0

Matija
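Two things go wrong in this thread: Gino's client (apeClientJS.js, port 442) and his first stunnel.conf (accept = 443) disagreed on the port, and once that was fixed every request stalled for about a minute, which Matija's delay = no / TIMEOUTclose = 0 cured. Gino's log shows why the stall is a minute: close_notify goes out at 12:30:36 and the s_poll_wait timeout fires at 12:31:36, exactly the 60 seconds stunnel waits for the peer's close_notify unless TIMEOUTclose says otherwise. The script below is an added example written for this page, not code from APE, stunnel or any poster: it parses a stunnel.conf and an apeClientJS.js fragment and reports both problems, and it also flags sslVersion = SSLv3, which has since been deprecated (RFC 7568). The two configuration fragments inside it are constructed samples modelled on the ones posted above; the file names and the ape.my-domain.com host are the thread's placeholders, not real endpoints.

```python
"""Consistency checks for an APE server behind stunnel (added example; inputs are constructed samples)."""
import re
from typing import Dict, List, Optional, Tuple

Scope = Dict[str, List[str]]

# Constructed stunnel.conf mirroring the thread's first (mismatched) configuration
SAMPLE_STUNNEL_CONF = """\
; global options come before the first [service] section
cert = /etc/stunnel/my_main_cert.pem
cert = /etc/stunnel/my_ape_cert.pem
cert = /etc/stunnel/my_wildcard_cert.pem
sslVersion = SSLv3
debug = 7
output = /var/log/stunnel4/stunnel.log
[ape]
accept = 443
connect = 6969
"""

# Constructed apeClientJS.js fragment: the browser client expects TLS on port 442
SAMPLE_CLIENT_JS = """\
APE.Config.server = 'ape.my-domain.com:442';
APE.Config.secure = true;
"""

# The same file with the thread's fixes applied (and SSLv3 replaced by TLSv1)
FIXED_STUNNEL_CONF = (
    SAMPLE_STUNNEL_CONF.replace("accept = 443", "accept = 442")
    .replace("sslVersion = SSLv3", "sslVersion = TLSv1")
    + "delay = no\nTIMEOUTclose = 0\n"
)


def parse_stunnel_conf(text: str) -> Tuple[Scope, Dict[str, Scope]]:
    """Parse stunnel's INI-like syntax into (global options, {service: options}).
    Keys are lower-cased because stunnel matches option names case-insensitively;
    a key repeated within one scope is kept as a list so repeated `cert` lines stay visible."""
    global_opts: Scope = {}
    services: Dict[str, Scope] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # ';' introduces a comment in stunnel.conf
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable stunnel.conf line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return global_opts, services


def parse_client_config(js: str) -> Tuple[str, int, bool]:
    """Extract host, port and the secure flag from an apeClientJS.js fragment."""
    server = re.search(r"APE\.Config\.server\s*=\s*['\"]([^'\"]+)['\"]", js)
    if not server:
        raise ValueError("APE.Config.server not found")
    host, _, port = server.group(1).rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("APE.Config.server must be written as host:port")
    secure = re.search(r"APE\.Config\.secure\s*=\s*(true|false)", js)
    return host, int(port), bool(secure and secure.group(1) == "true")


def _option(service: Scope, global_opts: Scope, key: str) -> Optional[str]:
    """Service-level options fall back to the global scope; the last value of a repeated key wins."""
    values = service.get(key) or global_opts.get(key)
    return values[-1] if values else None


def check_setup(conf_text: str, js_text: str) -> List[str]:
    """Return findings for the problems seen in this thread; an empty list means clean."""
    global_opts, services = parse_stunnel_conf(conf_text)
    host, port, secure = parse_client_config(js_text)
    findings: List[str] = []

    # 1. The port the client dials must be one stunnel accepts on ('port' or 'host:port').
    accept_ports = []
    for opts in services.values():
        accept = _option(opts, global_opts, "accept")
        if accept:
            accept_ports.append(int(accept.rpartition(":")[2]))
    if secure and port not in accept_ports:
        findings.append(f"client {host}:{port} expects TLS, but stunnel only accepts on {accept_ports}")

    for name, opts in services.items():
        # 2. SSLv3 is obsolete (RFC 7568); negotiate TLS instead.
        if (_option(opts, global_opts, "sslversion") or "").lower() == "sslv3":
            findings.append(f"[{name}] sslVersion = SSLv3 is obsolete; use a TLS setting")
        # 3. The two settings that ended the one-minute stall in this thread.
        if (_option(opts, global_opts, "delay") or "").lower() != "no":
            findings.append(f"[{name}] delay = no is not set explicitly")
        if _option(opts, global_opts, "timeoutclose") != "0":
            findings.append(f"[{name}] TIMEOUTclose = 0 is not set")
    return findings
```

Calling `check_setup(SAMPLE_STUNNEL_CONF, SAMPLE_CLIENT_JS)` on the constructed original reports four findings (the 442/443 mismatch, SSLv3, and the two missing options); `check_setup(FIXED_STUNNEL_CONF, SAMPLE_CLIENT_JS)` returns an empty list. To run it against real files, read stunnel.conf and apeClientJS.js into strings and pass them in.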

Michele Vezzoli

Apr 16, 2012, 6:11:49 AM
to ape-p...@googlegroups.com
Thank you very much!!

this configuration works perfectly!!!

Now I have ape under ssl!!! 

Bye!

2012/4/15 Matija Hiti <matij...@gmail.com>

Michele Vezzoli

Apr 16, 2012, 6:22:16 AM
to ape-p...@googlegroups.com
http://www.ape-project.org/wiki/index.php/SSL_with_ape

I updated the wiki!

2012/4/16 Michele Vezzoli <michele...@var-dump.it>

Matija Hiti

Apr 16, 2012, 7:11:22 AM
to ape-p...@googlegroups.com
Hey Michele,
Great to hear you got it working. And thanks for the wiki update.

Matija

CCC Jr.

Jan 9, 2013, 12:48:08 AM
to ape-p...@googlegroups.com
Hi... is the wiki page down? No main content as per checking. Thanks