Hello,

I was trying MITM on a windows application (which talks to a M$ server). Stunnel was running on my windows xp machine.

windows-client-app  -> stunnel server ---> stunnel client --> M$ Server

What I found is that stunnel server sends close notify alert to the windows client app which causes the client to suspend all further communication (busted windows-client of course!). I tried setting the TimeoutClose option to high values but I always saw the server sending close notify alert (is the timeout close only a client-side parameter?)

Is there a way to configure server to not send close notify?


stullen logs:

2012.11.28 18:32:12 LOG7[3908:5904]: SSL socket closed on SSL_read
2012.11.28 18:32:12 LOG7[3908:5904]: Sent socket write shutdown
2012.11.28 18:32:12 LOG7[3908:4232]: Socket closed on read
2012.11.28 18:32:12 LOG5[3908:5904]: Connection closed: 901 byte(s) sent to SSL, 38020 byte(s) sent to socket
2012.11.28 18:32:12 LOG7[3908:4232]: Sending close_notify alert
2012.11.28 18:32:12 LOG7[3908:4232]: SSL alert (write): warning: close notify
2012.11.28 18:32:12 LOG6[3908:4232]: SSL_shutdown successfully sent close_notify alert
2012.11.28 18:32:12 LOG7[3908:5904]: Remote socket (FD=356) closed


I finally ended up making this one line code-change to stop server from sending close alert that helped my MITM progress.

src/client.c:

        if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) && !sock_open_rd && !c->sock_ptr) {
            s_log(LOG_DEBUG, "BHAKTA - HACK -> Skip Sending close_notify alert");
!            if(0 && SSL_version(c->ssl)!=SSL2_VERSION) { /* SSLv3, TLSv1 */
                s_log(LOG_DEBUG, "Sending close_notify alert");
                shutdown_wants_write=1;
            } else { /* no alerts in SSLv2, including the close_notify alert */
                s_log(LOG_DEBUG, "Closing SSLv2 socket");
                if(c->ssl_rfd->is_socket)
                    shutdown(c->ssl_rfd->fd, SHUT_RD); /* notify the kernel */
                if(c->ssl_wfd->is_socket)
                    shutdown(c->ssl_wfd->fd, SHUT_WR); /* send TCP FIN */
                /* notify the OpenSSL library */
                SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
            }
        }


Is there a way to prevent server from sending close notify alert by means of stunel.conf parameters?


stunnel.conf:

debug = 7
output = stunnel.log

cert = fakecert.pem
key = fakecert.key

options = DONT_INSERT_EMPTY_FRAGMENTS

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
sslVersion = TLSv1
accept  = 0.0.0.0:443
connect = 127.0.0.1:446


[https-client]
client = yes
sslVersion = TLSv1
accept = 127.0.0.1:446
connect = 172.24.244.11:443


TIMEOUTclose = 300