[stunnel-users] misconfiguration of transparent proxy

josealf at rocketmail.com josealf at rocketmail.com
Wed Jul 6 13:11:36 CEST 2011


Your configuration still requires an SSL enabled client. That's the reason you are getting the unknown protocol error. I think you might achieve what you want by configuring two stunnel services in the same machine for each appserv, one in server mode and the other in client mode linked together. No transparent should be needed. This could be considered an ugly hack :), like this:


[Appsrv01c]
; client mode: accepts plaintext from your client on 6776 and wraps it in SSL towards 5776
client = yes
accept = 6776
connect = 5776
verify = 0

[Appsrv01]
; server mode: terminates SSL on 5776 and hands plaintext to the app on 4776
client = no
accept = 5776
connect = 4776
cert = /etc/stunnel/stunnel.pem


This assumes your app listens on port 4776, that you connect from your client to port 6776, and that port 5776 links the two stunnel stanzas. Of course, you need a certificate and set verify=0.

Regards,

Jose
-----Original Message-----
From: Marco Strullato <marco.strullato at gmail.com>
Sender: stunnel-users-bounces at stunnel.org
Date: Wed, 6 Jul 2011 11:28:08 
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] misconfiguration of transparent proxy

Hi all,
is there any way to use stunnel to proxy a connection without using encryption?
I have an application that is listening on 0.0.0.0:port but which
refuses connection if not coming from localhost:port and that
application is reachable only with telnet, with no encryption.

I have found a possible configuration that is the following:

chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel.log
transparent=yes
[AppSrv01]
accept = 5776
connect = 4776
[AppSrv02]
accept = 5777
connect = 4777

but it does not seem to work; this is the log.

2011.07.06 11:08:20 LOG5[30375:47349987463360]: stunnel 4.15 on
x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
2011.07.06 11:08:20 LOG5[30375:47349987463360]: Threading:PTHREAD
SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.07.06 11:08:20 LOG6[30375:47349987463360]: file ulimit = 1024
(can be changed with 'ulimit -n')
2011.07.06 11:08:20 LOG6[30375:47349987463360]: poll() used - no
FD_SETSIZE limit for file descriptors
2011.07.06 11:08:20 LOG5[30375:47349987463360]: 500 clients allowed
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 4 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 5 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 6 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option
set on accept socket
2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv01 bound to 0.0.0.0:5776
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 7 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option
set on accept socket
2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv02 bound to 0.0.0.0:5777
2011.07.06 11:08:20 LOG7[30376:47349987463360]: Created pid file /stunnel.pid
2011.07.06 11:08:30 LOG7[30376:47349987463360]: AppSrv01 accepted FD=8
from 10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: AppSrv01 started
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 8 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:1094314304]: TCP_NODELAY option set on
local socket
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 9 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 10 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:47349987463360]: Cleaning up the signal pipe
2011.07.06 11:08:30 LOG6[30376:47349987463360]: Child process 30384
finished with code 0
2011.07.06 11:08:30 LOG7[30376:1094314304]: Connection from
10.0.1.11:41922 permitted by libwrap
2011.07.06 11:08:30 LOG5[30376:1094314304]: AppSrv01 connected from
10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: SSL state (accept):
before/accept initialization
2011.07.06 11:08:43 LOG3[30376:1094314304]: SSL_accept: 140760FC:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2011.07.06 11:08:43 LOG5[30376:1094314304]: Connection reset: 0 bytes
sent to SSL, 0 bytes sent to socket
2011.07.06 11:08:43 LOG7[30376:1094314304]: AppSrv01 finished (0 left)


and from the standard out I get:
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Snagged 64 random
bytes from /home/user/.rnd
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Wrote 1024 new random
bytes to /home/user/.rnd
2011.07.06 11:08:20 LOG7[30375:47349987463360]: RAND_status claims
sufficient entropy for the PRNG
2011.07.06 11:08:20 LOG6[30375:47349987463360]: PRNG seeded successfully
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate:
/etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file:
/etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context
initialized for service AppSrv01
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate:
/etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file:
/etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context
initialized for service AppSrv02


What happens connecting with telnet is:
Trying 10.0.2.140...
Connected to server.
Escape character is '^]'.

It seems the connection is successful, but with tcpdump I see nothing,
and I also see nothing in the application log. If I type
something, nothing happens.
It seems that the flow is not passed to the destination port.

Do you have any hint?


Thanks!

-- 
Marco
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
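The root cause in this thread is that every stunnel service without `client = yes` runs `SSL_accept` on its `accept` port, so the first bytes from a telnet session are parsed as a ClientHello and rejected with `SSL23_GET_CLIENT_HELLO:unknown protocol`; `transparent = yes` only affects the source address stunnel presents to the application and never turns TLS termination off. The following is an added example, not code from this thread or from the stunnel project: a small Python checker (hypothetical helpers `parse_stunnel_conf` and `check_plaintext_relay`) that reads a stunnel.conf and reports whether it can relay plaintext clients to a local application, encoding the three points raised above: a listener with no client-mode stanza cannot accept telnet, Jose's two stanzas must be chained port to port, and `verify=0` (assumed here to be the stunnel 4.x default when `verify` is absent) is only tolerable while the TLS hop stays on loopback. The two sample configurations are constructed from the messages above; the certificate path is the one Marco's log reports.

```python
"""Static checks for the stunnel layouts discussed in this thread.
Hypothetical helper written for this thread; not stunnel's own code."""
import configparser


def parse_stunnel_conf(text):
    """stunnel.conf puts global options before the first [section]; a
    synthetic [global] header lets configparser accept them. strict=False
    tolerates repeated keys such as the two 'socket' lines."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp


def _port(value):
    # stunnel accepts "port" or "host:port"; keep only the port part
    return int(value.strip().rsplit(":", 1)[-1])


def _host(value):
    # stunnel connects to localhost when no host is given
    value = value.strip()
    return value.rsplit(":", 1)[0] if ":" in value else "127.0.0.1"


def check_plaintext_relay(conf_text, app_port):
    """Return findings for a config meant to pass plaintext clients to the
    app on app_port; an empty list means the layout is consistent."""
    cp = parse_stunnel_conf(conf_text)
    glob = cp["global"]
    findings, servers, clients = [], {}, {}
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        # 'client' may be set globally and inherited by each service
        is_client = sec.get("client", glob.get("client", "no")).strip().lower() == "yes"
        entry = (_port(sec["accept"]), sec["connect"].strip())
        (clients if is_client else servers)[name] = entry

    # Rule 1: with no client-mode stanza, every listener runs SSL_accept,
    # so a telnet client is rejected; 'transparent' does not change that.
    if not clients:
        for name, (accept, _) in servers.items():
            findings.append(
                f"{name}: client=no, so port {accept} expects a TLS ClientHello; a "
                f"plaintext client gets SSL23_GET_CLIENT_HELLO:unknown protocol "
                f"(transparent=yes does not change this)")

    # Rules 2 and 3: each client-mode stanza must chain into a server-mode
    # stanza that reaches the app, and verify=0 is only acceptable on loopback.
    for name, (accept, connect) in clients.items():
        peers = [s for s, (s_accept, _) in servers.items() if s_accept == _port(connect)]
        if not peers:
            findings.append(f"{name}: connect={connect} but no server-mode stanza accepts that port")
            continue
        peer = peers[0]
        s_connect = servers[peer][1]
        if _port(s_connect) != app_port:
            findings.append(f"{peer}: connect={s_connect} but the app listens on port {app_port}")
        # assumption: absent 'verify' means no verification (stunnel 4.x default)
        verify = cp[name].get("verify", glob.get("verify", "0")).strip()
        if verify == "0" and _host(connect) not in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"{name}: verify=0 on a non-loopback link to {connect}; the TLS hop is unauthenticated")
    return findings


# Constructed from the thread: Marco's original layout ...
MARCO_CONF = """
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel.log
transparent=yes
[AppSrv01]
accept = 5776
connect = 4776
[AppSrv02]
accept = 5777
connect = 4777
"""

# ... and Jose's two-stanza hack, with the cert path taken from Marco's log
JOSE_CONF = """
cert = /etc/stunnel/stunnel.pem
[Appsrv01c]
client = yes
accept = 6776
connect = 5776
verify = 0
[Appsrv01]
client = no
accept = 5776
connect = 4776
"""

if __name__ == "__main__":
    for label, conf in (("Marco", MARCO_CONF), ("Jose", JOSE_CONF)):
        print(label, check_plaintext_relay(conf, 4776) or "OK")
```

Run against Marco's configuration the checker reports both services as TLS-only listeners, which is exactly what the `SSL_accept` line in his log shows; against Jose's pair it reports nothing, and it starts complaining as soon as the link between the two stanzas leaves loopback while `verify=0` is still set, since at that point the hop is encrypted but not authenticated.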