[stunnel-users] stunnel tls wrapper/proxy for xmpp

Brian Hatch bri at ifokr.org
Wed Feb 4 21:09:26 CET 2009


In the neighborhood of Wed, Feb 4, 2009 at 11:49 AM, C.J.
Adams-Collier <cjac at colliertech.org> mouthed:

> 19:39 < darkrain42> cj: Also, for the record, I think stunnel just isn't the
>                              thing you want to be using. What it seemed to be doing was
>                              opening a SSL connectoin to talk.google.com and then
>                              writing the raw data from your socket to the server (so
>                              Pidgin tries to open an SSL connection and the raw SSL
>                              handshake is written to talk.google.com)
>
> Is this correct?   I would have expected it to terminate the SSL
> connection with finch on one port and originate another SSL connection
> with talk.google.com on another.   If I read what he's writing
> correctly, he's saying that the connection from finch is not
> terminated, but instead passed through unaltered.



Stunnel does SSL on one side, and cleartext on the other.

If you want to be able to sniff cleartext, while both finch
and the jabber server are talking ssl, you need two stunnels:

finch ==ssl==> stunnel_server ==cleartext==> stunnel_client ==ssl==>
jabberserver

then sniff on that cleartext loopback port.

Effectively, that makes a no-op - finch talks SSL to the
jabber server.  You can do that without using Stunnel.
Stunnel is not a MITM attack vector.  ;-)

--
Brian Hatch                  A small town that cannot
   Systems and                support one lawyer can
   Security Engineer          always support two.
http://www.ifokr.org/bri/



More information about the stunnel-users mailing list