带有 SNI 的 Stunnel:部分 *名称*:未找到 SNI 部分名称

tag-icon tag-icon ssl sni stunnel
带有 SNI 的 Stunnel:部分 *名称*:未找到 SNI 部分名称

我正在尝试在同一个 IP 上使用带有 2 个域的 stunnel。

我的配置是这样的:

;key = /etc/ssl/private/namecheap/server.key

# See this link http://www.sysadminworld.com/2011/how-do-i-use-an-intermediate-certificate-with-stunnel/
# The intermediatev.pem is comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
# Restart /etc/init.d/stunnel4 restart 

cert = /etc/ssl/private/namecheap/stunnel.pem

;CApath = /etc/ssl/private/namecheap/www_soinfit_com.ca-bundle

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = /var/log/stunnel4/stunnel.log

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; no, we don't want SSLv2
;options = NO_SSLv2

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

[paleo-dating]
sni = https:www.paleo-dating.com
cert = /etc/ssl/private/namecheap/stunnel-dating.pem
accept = 5555
connect = localhost:5556


[shoptprod]
accept = 6676
connect = localhost:6060

[shoptest]
accept = 7676
connect = localhost:7070

[chatprod]
accept = 8686
connect = localhost:8080

[chattest]
accept = 9676
connect = localhost:9090

[groupchattest]
accept = 5656
connect = localhost:5050

[groupchatprd]
accept = 4646
connect = localhost:4040

当我跑步时 /etc/init.d/stunnel4 restart

我收到此错误:

Restarting SSL tunnels: Clients allowed=500
stunnel 4.53 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running  with OpenSSL 1.0.1t  3 May 2016
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from file /etc/stunnel/stunnel.conf
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service section [paleo-dating]
Section paleo-dating: SNI section name not found
str_stats: 39 block(s), 7369 data byte(s), 2262 control byte(s)
[Failed: /etc/stunnel/stunnel.conf]
You should check that you have specified the pid= in you configuration file

答案1

我希望你已经解决了困扰你四年的问题。然而,我带着同样的问题来到这里,答案如下:

Stunnel 尝试将 SNI 密钥的第一部分与命名部分进行匹配。如果配置中没有这样的部分,它将失败并出现给定的错误。

查看上面的配置,该行sni = https:www.paleo-dating.com指的是缺失的[https]块。您可以随意命名它,只要两个字符串相等即可。此外,密钥也accept属于那里:

[paleo-dating]
sni = https:www.paleo-dating.com
cert = /etc/ssl/private/namecheap/stunnel-dating.pem
; accept = 5555 <-- This goes below
connect = localhost:5556

[https]
accept = 5555

; Fallback
connect = fallback:1234
cert = fallback-cert.pem

这将接受端口上的安全连接5555并转发至本地主机:5556当(且仅当)客户端使用服务器名称指示扩展,其值为www.paleo-dating.com.否则后备证书.pem证书被提供给客户端,并且连接被转发到端口1234在主机上倒退

相关内容