[stunnel-users] Username and Password in Clear Text
Peter K. O'Connor
peter.k.oconnor at gmail.com
Thu Oct 24 07:22:39 CEST 2013
I am using stunnel 4.56 Windows verison.
I thought the username and password will *only* be sent to SERVER2, *after*
the SSL handshake, with each request.
However, the truth is that the Proxy-Authorization header is attached to
the request to SERVER1 "CONNECT SERVER2:433 HTTP/1.1", as well.
So SERVER1 can see username and password. It is not necessary and safe.
Am I missing anything here?
client = yes
accept = 127.0.0.1:8080
connect = SERVER1:3128
protocol = connect
protocolHost = SERVER2:443
protocolUsername = username
protocolPassword = password
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the stunnel-users