
I have built an anonymous stunnel 5.29 + squid 3.3 SSL proxy server for a few purposes and I want to enable PSK authorization. The configuration of the stunnel server:

pid = /run/stunnel.pid
chroot  = /var/lib/stunnel
client  = no
setuid  = stunnel
setgid  = stunnel
cert    = /etc/stunnel/stunnel.pem

debug   = 7
;output = stunnel.log
foreground = yes

[server_psk]
accept = 443
accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt

[server_proxy]
accept = 8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE

But I discovered I can't connect to the internet, and I receive this message on the client side:

LOG5[676]: Service [squid] accepted connection from 127.0.0.1:60216
LOG3[676]: s_connect: s_poll_wait 192.169.169.152:443: TIMEOUTconnect exceeded
LOG5[676]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

The browser (Firefox 43) reports two errors: SSL Error when I access Google over HTTPS and Connection Reset when I access a non-HTTPS site. Here's the client-side configuration:

client = yes

[local_proxy]
accept = 127.0.0.1:8089
connect = 192.169.169.152:443
PSKsecrets = psk.txt
CAfile = ca-certs.pem
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

I have confirmed the squid configuration is good and it's working, so I'm sure the problem is in stunnel. Is there anyone experienced with stunnel who can help me?

Hartman

1 Answer

After a day of research, I finally discovered the way to solve the problem. The tip is: the client side must be separated into two sections like the server side. So I changed the client-side configuration to this:

[local_psk]
client = yes
accept = 127.0.0.1:8443
connect = 192.168.169.152:443
PSKsecrets = psk.txt

[local_proxy]
client = yes
accept = 127.0.0.1:8089
connect = 127.0.0.1:8443
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

So the process acts like this:

browser <--> [local_proxy] <--> [local_psk] <==> [server_psk] <--> [server_proxy] <==> website

where - means local traffic, = means internet traffic, and [] means the configuration sections in stunnel.

And I updated the server configuration's [squid] section accept option from 8443 to 127.0.0.1:8443. This tells stunnel to only accept connections from localhost; otherwise the [PSK] section becomes useless. Here's how it looks after the change:

[server_proxy]
accept = 127.0.0.1:8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE

NOTE

These configurations are for development/test only. If you want a highly secure anonymous proxy server, you have to set debug = 0 to disable logging and foreground = no to run as a daemon in the stunnel configuration file, together with a proper setup of the squid configuration and iptables rules.

Hartman
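The answer's key point is that the inner [server_proxy] hop must only listen on loopback, or anyone can connect to port 8443 directly and skip the PSK-protected [server_psk] section. The following lint is an added example (not stunnel's own tooling and not from the original answer) that parses a stunnel config and reports any section reached over loopback that also accepts on a non-loopback address; the sample configs are constructed from the question's server config with the cipher list omitted.

```python
from collections import defaultdict

# Constructed sample: the asker's original server config, trimmed to the lines
# that matter here (the long cipher list is irrelevant to this check).
ORIGINAL = """client = no
[server_psk]
accept = 443
accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt   ; stunnel comment syntax
[server_proxy]
accept = 8443
connect = 127.0.1:3128
"""
FIXED = ORIGINAL.replace("accept = 8443", "accept = 127.0.0.1:8443")

def parse_stunnel(text):
    """Parse stunnel's ini-like syntax: [section] headers, key = value lines,
    ';' comments, repeated keys; global options are stored under key None."""
    sections, current = {None: defaultdict(list)}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = defaultdict(list)
            continue
        key, _, val = line.partition("=")
        sections[current][key.strip()].append(val.strip())
    return sections

def split_addr(addr):
    """'8443' -> ('', '8443'); ':::443' -> ('::', '443'); 'h:p' -> ('h', 'p')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    return host.startswith("127.") or host in ("::1", "localhost")

def exposed_inner_hops(text):
    """Return [(outer, inner, accept)] for each section `inner` that `outer`
    forwards to over loopback but that also accepts on a non-loopback address,
    so a client could reach `inner` directly and bypass the PSK hop."""
    sections, findings = parse_stunnel(text), []
    for outer, opts in sections.items():
        for target in (opts["connect"] if outer else []):
            t_host, t_port = split_addr(target)
            if not is_loopback(t_host):
                continue
            for inner, iopts in sections.items():
                for acc in (iopts["accept"] if inner not in (None, outer) else []):
                    a_host, a_port = split_addr(acc)
                    if a_port == t_port and not is_loopback(a_host):
                        findings.append((outer, inner, acc))
    return findings
```

Running it on the original config flags server_proxy's bare `accept = 8443`; on the corrected config it reports nothing.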