[stunnel-users] Question : prevent close-nofity alerts from stunnel-server

• Previous message (by thread): [stunnel-users] WinCE link errors
• Next message (by thread): [stunnel-users] Patch to fix: Wildcard SSL certificates + SNI broken on Firefox
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

I was trying MITM on a windows application (which talks to a M$ server). 
Stunnel was running on my windows xp machine.

windows-client-app  -> stunnel server ---> stunnel client --> M$ Server

What I found is that stunnel server sends close notify alert to the 
windows client app which causes the client to suspend all further 
communication (busted windows-client of course!). I tried setting the 
TimeoutClose option to high values but I always saw the server sending 
close notify alert (is the timeout close only a client-side parameter?)

Is there a way to configure server to not send close notify?


stullen logs:

2012.11.28 18:32:12 LOG7[3908:5904]: SSL socket closed on SSL_read
2012.11.28 18:32:12 LOG7[3908:5904]: Sent socket write shutdown
2012.11.28 18:32:12 LOG7[3908:4232]: Socket closed on read
2012.11.28 18:32:12 LOG5[3908:5904]: Connection closed: 901 byte(s) sent 
to SSL, 38020 byte(s) sent to socket
2012.11.28 18:32:12 LOG7[3908:4232]: Sending close_notify alert
2012.11.28 18:32:12 LOG7[3908:4232]: SSL alert (write): warning: close 
notify
2012.11.28 18:32:12 LOG6[3908:4232]: SSL_shutdown successfully sent 
close_notify alert
2012.11.28 18:32:12 LOG7[3908:5904]: Remote socket (FD=356) closed 
<mailto:stunnel-users at stunnel.org>


I finally ended up making this one line code-change to stop server from 
sending close alert that helped my MITM progress.

src/client.c:

         if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) && 
!sock_open_rd && !c->sock_ptr) {
             s_log(LOG_DEBUG, "BHAKTA - HACK -> Skip Sending 
close_notify alert");
*!            if(0 && SSL_version(c->ssl)!=SSL2_VERSION) { /* SSLv3, 
TLSv1 */*
                 s_log(LOG_DEBUG, "Sending close_notify alert");
                 shutdown_wants_write=1;
             } else { /* no alerts in SSLv2, including the close_notify 
alert */
                 s_log(LOG_DEBUG, "Closing SSLv2 socket");
                 if(c->ssl_rfd->is_socket)
                     shutdown(c->ssl_rfd->fd, SHUT_RD); /* notify the 
kernel */
                 if(c->ssl_wfd->is_socket)
                     shutdown(c->ssl_wfd->fd, SHUT_WR); /* send TCP FIN */
                 /* notify the OpenSSL library */
                 SSL_set_shutdown(c->ssl, 
SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
             }
         }


Is there a way to prevent server from sending close notify alert by 
means of stunel.conf parameters?


stunnel.conf:

debug = 7
output = stunnel.log

cert = fakecert.pem
key = fakecert.key

options = DONT_INSERT_EMPTY_FRAGMENTS

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
sslVersion = TLSv1
accept  = 0.0.0.0:443
connect = 127.0.0.1:446


[https-client]
client = yes
sslVersion = TLSv1
accept = 127.0.0.1:446
connect = 172.24.244.11:443


TIMEOUTclose = 300


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20121129/1688d32a/attachment.html>

• Previous message (by thread): [stunnel-users] WinCE link errors
• Next message (by thread): [stunnel-users] Patch to fix: Wildcard SSL certificates + SNI broken on Firefox
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]