[stunnel-users] stunnel and TLS1.2 for IE

Peter Pentchev roam at ringlet.net
Fri Oct 20 13:04:44 CEST 2017

On Thu, Oct 19, 2017 at 08:58:17PM +0200, Thomas GMX wrote:
> Hello.
> I have successfully configured my email client (Outlook 2010) for my provider
> with TLS1.2 via stunnel running as a service.
> config:
[snip working secure POP3 and SMTP config]
> That was no problem.
> But at this point I am wondering if it is possible, and how I can configure
> stunnel so that "all" https traffic from Internet Explorer goes through
> stunnel and connects to the internet with the highest secure level supported.
> Not only to one specific server (connect = xyz.net) but to all servers given
> in the IE address bar.
> By now I guess that I have to set IE so that it uses an https-proxy at
> "localhost:xxx" with stunnel config "accept = localhost:xxx".
> But how is the stunnel config for "connect x.x.x.x:443" so that it connects to the
> right server on the internet that I specified in the IE address line?
> Can someone give me a hint?
> Or impossible?

You can't really do that for two reasons.  The first one is that stunnel
does not support it :)

The second one is that there's no way to do it; that's not how the HTTPS
protocol (or TLS itself) works.  One of the two major goals of TLS is
the certainty that you're talking to the right server (authentication) -
that's what the whole trouble with certificates (and the whole paid
certificate scam) is all about.  The other goal is data encryption, but
it is secondary for this discussion.

So let's talk about authentication.  The main idea here is that the
endpoint of the connection - your browser - talks directly to the other
endpoint of the connection - the webserver, so that the browser can see
the server's certificate, make sure that it is valid, make sure that it
is issued by a trusted certificate authority, and make sure that it is
actually issued to this server (by hostname).  If you want to use
stunnel to get "the highest secure level supported", you would need to
have it (stunnel) establish the TLS connection to the server.  So if you
try to get your browser to establish an HTTPS connection to stunnel and
then have stunnel establish a second, separate, HTTPS connection to the
server, your browser will never see the TLS handshake of stunnel's
connection to the server, so your browser cannot really be sure that
stunnel (and, by extension, your browser) is talking to the correct
server - and the whole point of TLS is rendered moot.

That's why HTTPS proxying is done in a different way: the browser
connects to the proxy and tells it "CONNECT address:port"; the proxy
verifies that the browser is allowed to go through it and then
establishes a normal TCP connection to the remote host and forwards
*everything* - it doesn't try to manage that connection in any way, it
lets the browser talk directly to the server.  (Yeah, yeah, I'm very
much and very painfully aware of the whole deep packet inspection
mess... let's not talk about it at all, mmkay?)  In this case, of
course, the TLS connection is fully managed by the browser and stunnel,
even if it did support some kind of dynamic proxying, would not be able
to choose encryption algorithms.

Hope that helps!


Peter Pentchev  roam at ringlet.net roam at FreeBSD.org pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
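The CONNECT-style proxying described in the reply above, as an added example that is not part of the original message and not stunnel's own code: a minimal HTTP CONNECT proxy that reads the request line, applies an access policy, opens a plain TCP connection to the origin and then relays bytes blindly in both directions, plus the client side that sends CONNECT and afterwards runs its own TLS handshake (so the certificate is checked by the endpoint against the requested hostname, not by the proxy). The port allowlist, the listening address 127.0.0.1:8443 and the constructed `relay_roundtrip` self-check are assumptions of this example.

```python
"""Minimal HTTP CONNECT proxy and matching client (example code, not stunnel's)."""
import select
import socket
import ssl
import threading

# Assumption: the proxy only lets clients tunnel to the standard HTTPS port.
ALLOWED_PORTS = {443}


def parse_connect(request: bytes):
    """Parse 'CONNECT host:port HTTP/1.x' and return (host, port); ValueError otherwise."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("not an HTTP/1.x CONNECT request")
    host, sep, port_text = parts[1].decode("ascii").rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError("authority must be host:port")
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        host = host[1:-1]
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port


def is_allowed(host: str, port: int) -> bool:
    """Access policy: the one decision the proxy makes before it stops looking."""
    return port in ALLOWED_PORTS


def relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes both ways until either side closes; the stream is never parsed."""
    peer = {a: b, b: a}
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for src in readable:
            data = src.recv(65536)
            if not data:
                return
            peer[src].sendall(data)


def handle_client(client: socket.socket) -> None:
    """Serve one proxy client: read CONNECT, apply policy, open TCP, relay."""
    try:
        request = b""
        while b"\r\n\r\n" not in request and len(request) < 8192:
            chunk = client.recv(4096)
            if not chunk:
                return
            request += chunk
        host, port = parse_connect(request)
        if not is_allowed(host, port):
            client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        with socket.create_connection((host, port), timeout=10) as upstream:
            upstream.settimeout(None)
            client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            relay(client, upstream)  # from here on it is the client's own TLS session
    except (ValueError, OSError):
        try:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        except OSError:
            pass
    finally:
        client.close()


def connect_through_proxy(proxy, host: str, port: int = 443) -> ssl.SSLSocket:
    """What the browser does: CONNECT via the proxy, then its own verified TLS handshake."""
    raw = socket.create_connection(proxy, timeout=10)
    raw.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = raw.recv(4096)
        if not chunk:
            raise OSError("proxy closed the connection")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or status[1] != b"200":
        raise OSError(f"proxy refused tunnel: {reply[:80]!r}")
    ctx = ssl.create_default_context()  # chain and hostname are verified by the endpoint
    return ctx.wrap_socket(raw, server_hostname=host)


def relay_roundtrip(payload: bytes):
    """Offline self-check (constructed): two socketpairs stand in for browser and server."""
    browser, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    worker = threading.Thread(target=relay, args=(proxy_in, proxy_out), daemon=True)
    worker.start()
    browser.sendall(payload)
    forwarded = b""
    while len(forwarded) < len(payload):
        chunk = server.recv(65536)
        if not chunk:
            break
        forwarded += chunk
    server.sendall(b"ServerHello")
    answer = b""
    while len(answer) < len(b"ServerHello"):
        chunk = browser.recv(65536)
        if not chunk:
            break
        answer += chunk
    browser.close()
    worker.join(5)
    for s in (proxy_in, proxy_out, server):
        s.close()
    return forwarded, answer


def serve(listen=("127.0.0.1", 8443)) -> None:
    """Accept proxy clients forever, one thread each (assumed listening address)."""
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Pointing a browser at 127.0.0.1:8443 as its HTTPS proxy makes it send exactly the CONNECT request `parse_connect` expects; note that `relay` copies opaque bytes and the proxy has no say in the TLS version or cipher suite, which is precisely why a stunnel "connect" to an arbitrary origin chosen from the address bar cannot be made to work the way the question asks.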