[stunnel-users] Relaying OOB data [Was: A series of minor patchesfrom Debian]

Richard's Hotmail maher_rj at hotmail.com
Mon Sep 24 00:14:39 CEST 2007

Hi Luis,

Thanks for the detailed reply!

> Ok, been reading. The short answer is no.

Oh well :-( I guess that's what IPsec's for.

> The longer answer is SSL doesn't support OOB data, so that's why
> not. I did read your post saying you've read specs where it says it
> does, but I could find no such. Take a look at RFC4346, section 6.2
>  http://tools.ietf.org/html/rfc4346#page-14

> Take a look also at this thread:
>  http://www1.ietf.org/mail-archive/web/tls/current/msg01041.html

Doesn't that thread suggest that OOB functionality is part of the SSLv3
standard? Is version three one of those "yet to be" standards that is still
a long way off? Renamed TLS? (I found several RFCs dealing with this, anyone
know which is the relevant one? I couldn't find "Urgent", "OOB" or "band" in

My understanding (imagination maybe) is that the OOB character is to be
packaged up as a single byte record surrounded with the SSL wrapper with a
bit set that says it's the OOB character. I would now like stunnel just to
dequeue it from SSL and then set the MSG_OOB flag and replay it to the
application port. So it's sort of quasi-OOB to Stunnel and then true-OOB to
the receiving port.

> The argument (almost) in full:
> - SSL doesn't define anything like OOB data in its streams, so
> anything we did in stunnel would be an extension, and not
> interoperable. And, anyways, would have to be done in openssl and not
> in stunnel, I think.

I must be confused  about what's available (the only SSL code I've cut is
simple Java client stuff) 'cos I'm sure I've seen patch-comments that say
something like "make sure stunnel handles OOB data correctly" and isn't
there some sort of OOB INLINE configuration parameter. Is there really
northing available after the SSL_Read that identifies the data as an OOB

Anyway, thanks again for the reply.

Cheers Richard Maher

PS. Does anyone out there know of a lower-level version of Stunnel (or
something else) that spoofs the originating host-address when replaying the
connection on the local server? It sure would be useful for client
identification, and for reducing DoS attacks!

----- Original Message ----- 
From: "Luis Rodrigo Gallardo Cruz" <rodrigo at nul-unu.com>
To: <stunnel-users at mirt.net>
Sent: Tuesday, September 18, 2007 9:14 AM
Subject: [stunnel-users] Relaying OOB data [Was: A series of minor
patchesfrom Debian]

> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20070924/48eee84f/attachment.html>

More information about the stunnel-users mailing list