<html><head></head><body><div class="ydp20cae2ffyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div dir="ltr" data-setdir="false">[https client] --https-->[stunnel client a] --http-->[ stunnel client b]--https--> <whatever>-->[stunnel server b]--http--> [stunnel server a]--https--> [https server]<br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><div><div dir="ltr">Date: Tue, 9 Jul 2019 16:08:47 -0300<br></div><div dir="ltr">From: Hugo Marello <<a href="mailto:hugo.marello@gmail.com" style="color: rgb(25, 106, 212); text-decoration-line: underline;" rel="nofollow" target="_blank">hugo.marello@gmail.com</a>><br></div><div dir="ltr">To: <a href="mailto:stunnel-users@stunnel.org" style="color: rgb(25, 106, 212); text-decoration-line: underline;" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br></div><div dir="ltr"><br></div><div dir="ltr">I was thinking something more simple like the first scenario.<br></div><div dir="ltr">[HTTP?CLIENT] -->[STUNNEL CLIENT]--><whatever>-->[STUNNEL SERVER]-->[HTTP Server]</div><div dir="ltr"><br></div><div dir="ltr">But the end would be an HTTPS server, which would require a CONNECT to get things going.</div><div dir="ltr"><br></div><div dir="ltr">So:<br></div><div dir="ltr">[HTTP Client] -->[STUNNEL CLIENT]--> <whatever>-->[STUNNEL SERVER]-->[REVERSE-PROXY server]--> [HTTPS SERVER]</div><div dir="ltr"><br style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"></div></div><br></div><div><br></div>
</div><div id="yahoo_quoted_3464753794" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Monday, July 8, 2019, 12:42:39 p.m. EDT, Brent Kimberley <brent_kimberley@rogers.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="yiv0959899908"><div><div class="yiv0959899908ydpda87757byahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div dir="ltr"><div dir="ltr"><div><div dir="ltr" style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;">Which scenario did you have in mind?<br></div><div dir="ltr" style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;">[HTTP <span><span style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;">CLIENT</span></span>] -->[STUNNEL CLIENT]--><whatever>-->[STUNNEL SERVER]-->[HTTP <span><span style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;">Server</span></span>]</div></div><div dir="ltr"> OR</div><div><div dir="ltr" style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;">[HTTP Client] --><span><span style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;">[Forward-proxy client]-> </span></span>[STUNNEL CLIENT]--> <span><span style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><whatever></span></span>-->[STUNNEL SERVER]-->[REVERSE-PROXY server]--><span><span style="color:rgb(38, 40, 42);font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><whatever>--> [</span></span>HTTP SERVER ]</div></div></div></div></div><div id="yiv0959899908ydpc66cfac9yahoo_quoted_3062428253" class="yiv0959899908ydpc66cfac9yahoo_quoted"><div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;"><div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">From: Hugo Marello <<a rel="nofollow" ymailto="mailto:hugo.marello@gmail.com" target="_blank" href="mailto:hugo.marello@gmail.com">hugo.marello@gmail.com</a>><br></div><div dir="ltr">To: <a rel="nofollow" ymailto="mailto:stunnel-users@stunnel.org" target="_blank" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br></div><div dir="ltr"><br></div><div dir="ltr">Hello guys,<br></div><div dir="ltr">I'm new to using stunnel but I find it quite a powerful tool. I'm doing a<br></div><div dir="ltr">POC on how we can bypass our firewall even with DPI, and chose to use<br></div><div dir="ltr">stunnel for an extra layer of cryptography. You don't have to worry about<br></div><div dir="ltr">access to any VM mentioned here. Here is my scenario:<br></div><div dir="ltr"><br></div><div dir="ltr">[CLIENT BROWSER] -->[STUNNEL CLIENT]-->[FIREWALL]-->[STUNNEL<br></div><div dir="ltr">SERVER]-->[REVERSE PROXY]-->[FREE INTERNET]<br></div><div dir="ltr"><br></div><div dir="ltr">So far I succeeded in getting HTTP working using stunnel CONNECT protocol<br></div><div dir="ltr">to the firewall and going all the way through. The problem is when I try to<br></div><div dir="ltr">access HTTPS, the connection get set to the stunnel server but it keeps<br></div><div dir="ltr">waiting for something. Double checked all the logs, firewall can't discern,<br></div><div dir="ltr">stunnel server get the connection, reverse proxy also get the socket<br></div><div dir="ltr">connection. My hypothesis is that stunnel client gets the CONNECT from the<br></div><div dir="ltr">browser and discard it, it uses its own way to connect to the firewall,<br></div><div dir="ltr">instead of encrypting the CONNECT all the way through. As it may seems, I<br></div><div dir="ltr">need a way to send 2 CONNECT packages. Does anyone know how can I proceed?<br></div><div dir="ltr"><br></div><div dir="ltr">Follow my configs:<br></div><div dir="ltr">client = yes<br></div><div dir="ltr">output = /var/log/stunnel4/stunnel.log<br></div><div dir="ltr">debug = 7<br></div><div dir="ltr"><br></div><div dir="ltr">[bypassclient]<br></div><div dir="ltr">accept = 4000<br></div><div dir="ltr">connect = firewall.example:3128<br></div><div dir="ltr">protocolHost = destination.com:443<br></div><div dir="ltr">protocol = connect<br></div><div dir="ltr">requireCert = no<br></div><div dir="ltr">verifyChain = no<br></div><div dir="ltr">verifyPeer = no<br></div><div dir="ltr">--------------------------------------------------------------------------------------------------------------------<br></div><div dir="ltr">[bypassserver]<br></div><div dir="ltr">accept = 0.0.0.0:443<br></div><div dir="ltr">connect = reverseproxy.com:8888<br></div><div dir="ltr">cert = /etc/ssl/cert.pem<br></div><div dir="ltr">key = /etc/ssl/key.pem<br></div><div dir="ltr">-----------------------------------------------------------------------------------------------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">Thank you all in advance, already digging throw the source code (quite lost<br></div><div dir="ltr">tough),<br></div><div dir="ltr">Hugo</div></div>
</div>
</div></div></div></div>
</div>
</div></body></html>