[stunnel-users] RFC: purge use of keyword 'transparent'

oscaruser at programmer.net oscaruser at programmer.net
Fri Jan 7 22:34:35 CET 2011


Hi Mike,

Your response was in my spam folder, and I just realized it :-). It is good to hear that this configuration is ultimately possible -- but just not with out-of-the-box configurations, as far as my testing has shown. Therefore it is better if the documentation stated this.

> Could you please try to be a bit more specific (e.g. in terms of your stunnel and kernel versions, configuration, logs, packet captures, etc.)?


I am using the most current versions to date for each software stack. All use the same stunnel.conf file.



foreground = yes
cert = /etc/stunnel/stunnel.pem
sslVersion = all
setuid = root
setgid = root
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel.log


[http]
accept = 443
connect = 80
transparent = yes

FreeBSD 8.1: 

rpminit# stunnel -version
stunnel 4.33 on amd64-portbld-freebsd8.1 with OpenSSL 0.9.8n 24 Mar 2010

rpminit# uname -a
FreeBSD hostname 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Fri Jul 30 12:55:14 UTC 2010     root at hostname:/usr/obj/usr/src/sys/generic  amd64

This stunnel version has been patched to support non-local binding, see http://marc.info/?l=stunnel-users&m=129415990930730&w=2


CentOS : CentOS-5.5-x86_64-netinstall.iso:

[foo at localhost ~]$ uname -a
Linux localhost.localdomain 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root at localhost ~]# stunnel -version
stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
 
Global options
debug           = 5
pid             = /var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
 
Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key             = /etc/stunnel/stunnel.pem
session         = 300 seconds
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none
[root at localhost ~]# 

[root at localhost ~]# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables v1.3.5: Couldn't load match `socket':/lib64/iptables/libipt_socket.so: cannot open shared object file: No such file or directory


Try `iptables -h' or 'iptables --help' for more information.
[root at localhost ~]# 

Ubuntu : mini.iso Ubuntu 10.10 "Maverick Meerkat" Minimal CD 15.6MB (MD5: 3d9f096398991ed1eaa9ff32128e199a, SHA1: ea621a169b55d4c759f19600fea78e4ba7b83ba4) https://help.ubuntu.com/community/Installation/MinimalCD

foo at ubuntu:~$ uname -a
Linux ubuntu 2.6.35-24-generic #42-Ubuntu SMP Thu Dec 2 02:41:37 UTC 2010 x86_64 GNU/Linux
foo at ubuntu:~$ dpkg -s stunnel

Package: stunnel
Status: install ok installed
Priority: extra
Section: net
Installed-Size: 56
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Architecture: all
Source: stunnel4
Version: 3:4.29-1
Depends: stunnel4 (>= 3:4.20-3)
Description: dummy upgrade package
 stunnel version 3 has been removed from Debian. This is a dummy package
 to ease upgrading to stunnel4.
 .
 You may safely remove this package after the upgrade.
Original-Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo at debian.org>
Homepage: http://www.stunnel.org/

root at ubuntu:~# tcpdump -i any port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

13:29:34.794295 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 46696 ecr 0,nop,wscale 6], length 0
13:29:37.801619 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 46997 ecr 0,nop,wscale 6], length 0
13:29:43.811568 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 47598 ecr 0,nop,wscale 6], length 0
...

root at ubuntu:/etc/stunnel# iptables -t mangle -N DIVERT
root at ubuntu:/etc/stunnel# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
root at ubuntu:/etc/stunnel# iptables -t mangle -A DIVERT -j MARK --set-mark 1
root at ubuntu:/etc/stunnel# iptables -t mangle -A DIVERT -j ACCEPT
root at ubuntu:/etc/stunnel# ip rule add fwmark 1 lookup 100
root at ubuntu:/etc/stunnel# ip route add local 0.0.0.0/0 dev lo table 100
root at ubuntu:/etc/stunnel# echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
root at ubuntu:/etc/stunnel# /etc/init.d/stunnel4 start
2011.01.07 13:29:34 LOG7[990:140669015152384]: http accepted FD=14 from 192.168.103.69:40886
2011.01.07 13:29:34 LOG7[990:140669015144192]: http started
2011.01.07 13:29:34 LOG7[990:140669015144192]: FD 14 in non-blocking mode
2011.01.07 13:29:34 LOG7[990:140669015144192]: TCP_NODELAY option set on local socket
2011.01.07 13:29:34 LOG7[990:140669015144192]: Waiting for a libwrap process
2011.01.07 13:29:34 LOG7[990:140669015144192]: Acquired libwrap process #0
2011.01.07 13:29:34 LOG7[990:140669015144192]: Releasing libwrap process #0
2011.01.07 13:29:34 LOG7[990:140669015144192]: Released libwrap process #0
2011.01.07 13:29:34 LOG7[990:140669015144192]: http permitted by libwrap from 192.168.103.69:40886
2011.01.07 13:29:34 LOG5[990:140669015144192]: http accepted connection from 192.168.103.69:40886
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): before/accept initialization
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read client hello A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write server hello A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write certificate A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write server done A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 flush data
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read client key exchange A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read finished A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write change cipher spec A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write finished A
2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 flush data
2011.01.07 13:29:34 LOG7[990:140669015144192]:    2 items in the session cache
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 client connects (SSL_connect())
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 client connects that finished
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 client renegotiations requested
2011.01.07 13:29:34 LOG7[990:140669015144192]:    2 server connects (SSL_accept())
2011.01.07 13:29:34 LOG7[990:140669015144192]:    2 server connects that finished
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 server renegotiations requested
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 session cache hits
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 external session cache hits
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 session cache misses
2011.01.07 13:29:34 LOG7[990:140669015144192]:    0 session cache timeouts
2011.01.07 13:29:34 LOG6[990:140669015144192]: SSL accepted: new session negotiated
2011.01.07 13:29:34 LOG6[990:140669015144192]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2011.01.07 13:29:34 LOG7[990:140669015144192]: FD 15 in non-blocking mode
2011.01.07 13:29:34 LOG6[990:140669015144192]: local_bind succeeded on the original port
2011.01.07 13:29:34 LOG6[990:140669015144192]: connect_blocking: connecting 127.0.0.1:80
2011.01.07 13:29:34 LOG7[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: waiting 10 seconds
2011.01.07 13:29:44 LOG3[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: timeout
2011.01.07 13:29:44 LOG5[990:140669015144192]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.01.07 13:29:44 LOG7[990:140669015144192]: http finished (0 left)

> Did you use any of those 80 hours to RTFM at http://stunnel.mirt.net/static/stunnel.html ?


Yes. FYI as a test case, if it was as easy as reading the above document, there would be no RFC. In regards to, http://www.stunnel.org/faq/transparent.html


"References for 2.4 kernel that say it's not possible..."


"Reference for 2.4 kernel that say it is possible..."


Would it be of best use to update this document for only the current state of the art kernel versions, and therefore remove references to 2.4 kernels? The confusion led me to hope that I could possibly get it working.


If out-of-the-box transparent mode does not function, but requires non-portable modification, can you provide this code? One possible option is to upload a VM image that demonstrates it.


If it is non-trivial and out of scope, it would be better to update the document with this information or provide further clarification to this effect. Given that someone has accomplished the goal, a complete end-to-end solution is what really needs to be explained.


Best regards,
OSC
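As an added diagnostic aid (not code from this post or from stunnel), a small Python script that groups stunnel debug = 7 log lines by thread id and flags the pattern seen in the Ubuntu log above: the TLS handshake completes, local_bind succeeds (the source address has been rewritten to the client's), and then the connect to a loopback backend times out, which matches the unanswered SYNs in the tcpdump. The log lines are constructed from the ones quoted above, plus an invented healthy session for contrast; IPv4 host:port targets are assumed.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the debug = 7 log quoted above: thread ...192 is the
# failing loopback case from the post, thread ...193 an invented healthy session for contrast.
SAMPLE_LOG = """\
2011.01.07 13:29:34 LOG5[990:140669015144192]: http accepted connection from 192.168.103.69:40886
2011.01.07 13:29:34 LOG6[990:140669015144192]: local_bind succeeded on the original port
2011.01.07 13:29:34 LOG6[990:140669015144192]: connect_blocking: connecting 127.0.0.1:80
2011.01.07 13:29:44 LOG3[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: timeout
2011.01.07 13:30:01 LOG5[990:140669015144193]: http accepted connection from 192.168.103.70:51000
2011.01.07 13:30:01 LOG6[990:140669015144193]: local_bind succeeded on the original port
2011.01.07 13:30:01 LOG6[990:140669015144193]: connect_blocking: connecting 10.0.0.5:80
2011.01.07 13:30:02 LOG5[990:140669015144193]: Connection closed: 512 bytes sent to SSL, 310 bytes sent to socket
"""

LINE_RE = re.compile(r"^\S+ \S+ LOG(\d)\[(\d+):(\d+)\]: (.*)$")  # date time LOG<level>[pid:thread]: msg

def parse_sessions(log_text):
    """Group log lines by stunnel thread id and record the transparent-mode milestones."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m.group(3), m.group(4)
        s = sessions.setdefault(tid, {"client": None, "bound": False, "target": None, "outcome": None})
        if " accepted connection from " in msg:
            s["client"] = msg.rsplit(" ", 1)[1]
        elif msg == "local_bind succeeded on the original port":
            s["bound"] = True  # source address rewritten to the client's (transparent = yes)
        elif msg.startswith("connect_blocking: connecting "):
            s["target"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("connect_blocking:") and msg.endswith(": timeout"):
            s["outcome"] = "timeout"
        elif msg.startswith("Connection closed:"):
            s["outcome"] = "closed"
    return sessions

def diagnose(session):
    """Classify one session (IPv4 host:port targets assumed, as in the log above)."""
    if not session["target"]:
        return "no backend connect attempted"
    host = session["target"].rsplit(":", 1)[0]
    if session["bound"] and session["outcome"] == "timeout" and ip_address(host).is_loopback:
        # spoofed bind done, then silence on loopback: the backend's replies never come back
        return "transparent bind ok, loopback backend unreachable"
    if session["outcome"] == "timeout":
        return "backend connect timeout"
    return "ok"
```

Run it over the real /var/log/stunnel.log to see at a glance whether a failed session died before or after the transparent bind, which separates a firewall/routing problem from a stunnel one.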


-----Original Message-----
From: Michal Trojnara <Michal.Trojnara at mirt.net>
To: stunnel-users at mirt.net
Sent: Fri, Jan 7, 2011 3:41 am
Subject: Re: [stunnel-users] RFC: purge use of keyword 'transparent'

Dear Oscar,


"Oscar Usifer" <oscaruser at programmer.net> wrote:

> After searching, installing various (in the 2.6 family), e.g. CentOS, Ubuntu, and so on, I have not been able to get transparent proxy working at all.

LOL: http://catb.org/~esr/faqs/smart-questions.html#id479555


Could you please try to be a bit more specific (e.g. in terms of your stunnel and kernel versions, configuration, logs, packet captures, etc.)?

> As such, since the function does not work, and there is great debate as to whether it ever worked, I would like to propose that this keyword and reference to its function be discarded entirely. This will save many folks a great deal of time and effort attempting to try and get it to work, myself having spent over 80 hours (including my precious holiday time) trying to dig, scratch, and research old posts that say it works or someone has it working under such and such a configuration!

Did you use any of those 80 hours to RTFM at http://stunnel.mirt.net/static/stunnel.html ?

> The documentation itself has folks claiming that it works and does not, which is really a bad practice. Why did you perpetuate this option in the first place?!


> I hope you see the importance and reason with my request and act immediately.
> ... Unless someone really really does have it working.

LOL: http://catb.org/~esr/faqs/smart-questions.html#id478549

Please make sure to read the whole http://catb.org/~esr/faqs/smart-questions.html before sending another post to a mailing list.


Best regards,
 Mike