[stunnel-users] stunnel transparent mode

Julian D. Seifert spam at julian-seifert.de
Thu Aug 18 02:59:30 CEST 2011


Hi List,

I have a little issue trying to get stunnel running to encapsulate an
existing service with SSL. We are running a really old legacy ircd
service and would like to provide SSL for the users without having to
actually hack that into the really old code base. (Yes, we could just use
other, more modern software, but let's just say there are "political"
reasons why this is not an option.) For an ircd we need
transparency, as in "the ircd should think the connection is not coming
from localhost".
ANYWAY... so I am working with stunnel 4.39 right now.

First, a question about whether I understand correctly how stunnel works.
I have the ircd running on IP1:6667. I created a service section like this.

[ircd]
accept = 7000
connect = 6667
transparent = source

(And applied the iptables/routing related stuff mentioned in the
documentation)
Should this already work? Will stunnel "manipulate" packets so that the
ircd "sees" connections from the peers' IPs? And will the answers the
ircd sends to the peers get "intercepted" by stunnel so it can
"remanipulate" the answers into the SSL connection?
If I try it like this, stunnel logs "local_bind (original port): Cannot assign
requested address (99)" and clients get a connection abort.

Or is this what "transparent = both" is for? With 4.39 I had an issue
trying to use "transparent = both": stunnel always displayed an error
message saying "Each service must define two endpoints" (more or less).
I got it to compile by commenting out the one line in options.c causing
the error...
#### snip ####
    } else { /* standalone mode checks */
        if((unsigned int)section->option.accept
                + (unsigned int)section->option.program
                + (unsigned int)section->option.remote
                + (unsigned int)section->option.sni
#ifndef USE_WIN32
                + (unsigned int)section->option.transparent_dst
#endif /* USE_WIN32 */
                !=2) {
            section_error(last_line, section->servname,
                "Each service must define two endpoints");
            return 0;
        }
### snap ###
I commented out the line within the #ifndef.

Anyway... I hope somebody can clarify for me how stunnel works and which
transparent mode is the one I need. (I want to transparently provide the
ircd service with connections so that they seem to come directly from the
peers and not from stunnel (localhost).)

regards,

  Julian Seifert

-- I hate mondays...
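What stunnel's "transparent = source" does on the backend side on Linux 2.6.28 or later, shown as an added example (this is not code from the post above or from the stunnel project): before connecting to the backend, stunnel sets the IP_TRANSPARENT socket option on the outgoing socket and binds it to the TLS client's own address, so the ircd sees the peer's IP rather than 127.0.0.1. Setting that option needs CAP_NET_ADMIN (in practice, running stunnel as root without setuid), and without it the bind of a non-local address fails with EADDRNOTAVAIL, which is errno 99 on Linux, i.e. the "local_bind ...: Cannot assign requested address (99)" line quoted in the post. The peer address 192.0.2.10:51234 (TEST-NET-1, never local) and the backend address 127.0.0.1:6667 are constructed sample values; the script connects only to a throwaway listener on loopback.

```python
import errno
import os
import socket

# Linux-only socket option; 19 is its value in <linux/in.h>, used as a fallback
# when the Python build does not export the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
SOL_IP = getattr(socket, "SOL_IP", socket.IPPROTO_IP)

# Constructed sample values (not from the post): a TLS client's address and the ircd.
PEER_ADDR = ("192.0.2.10", 51234)
BACKEND_ADDR = ("127.0.0.1", 6667)


def plain_connect_source():
    """What the backend sees without transparent mode: a connection from 127.0.0.1.

    A throwaway listener on loopback stands in for the ircd; returns the peer IP
    that the listener's accept() reports for a plain local connection.
    """
    backend = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        backend.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
        backend.listen(1)
        client.connect(backend.getsockname())
        conn, peer = backend.accept()
        conn.close()
        return peer[0]
    finally:
        client.close()
        backend.close()


def transparent_bind(peer_addr, use_ip_transparent=True):
    """Reproduce the local_bind step of stunnel's 'transparent = source'.

    Returns a (step, errno_name) tuple describing how far the bind got:
      ("bound", None)           - socket is bound to the foreign peer address
      ("setsockopt", "EPERM")   - IP_TRANSPARENT refused (needs CAP_NET_ADMIN)
      ("bind", "EADDRNOTAVAIL") - kernel refuses a non-local source address
    The socket is closed before returning; nothing is connected.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if use_ip_transparent:
            try:
                s.setsockopt(SOL_IP, IP_TRANSPARENT, 1)
            except OSError as e:
                return ("setsockopt", errno.errorcode.get(e.errno, str(e.errno)))
        try:
            # stunnel binds to the client's IP (and, with "original port", its port)
            # so that the subsequent connect() to the backend carries that source.
            s.bind(peer_addr)
        except OSError as e:
            return ("bind", errno.errorcode.get(e.errno, str(e.errno)))
        return ("bound", None)
    finally:
        s.close()


if __name__ == "__main__":
    print("backend sees a plain local connection from:", plain_connect_source())
    print("bind to peer address without IP_TRANSPARENT:", transparent_bind(PEER_ADDR, False))
    print("bind to peer address with IP_TRANSPARENT:   ", transparent_bind(PEER_ADDR))
    if os.geteuid() != 0:
        print("not root: expect EPERM from setsockopt, as stunnel would get without CAP_NET_ADMIN")
```

Even when the bind succeeds, the bind alone is only half of the mechanism: the ircd's replies are addressed to 192.0.2.10, so unless the fwmark and policy-routing rules from the stunnel manual steer those packets back into the local socket, they leave towards the real peer and the handshake with the backend never completes. That is the "routing related stuff" the post mentions, and it is why the documentation ties source transparency to both root privileges and a routing setup.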


