[stunnel-users] Access to Packet Content

Michael Carlino (RIT Student) mac9951 at rit.edu
Wed Mar 26 13:23:59 CET 2014

Hi Brian,
I am looking to have my two stunnels (client and server) work together to
determine if an SSL connection should be closed.  The client stunnel will
send some data to the server stunnel.  The server stunnel will make the
decision to close the session.  I want to send the extra data in an HTTP
GET method request, and I am thinking an additional HTTP request header
should do the trick.  If I had unlimited time I'd try to make these changes
to the SSL code in my browser (Firefox) and the web server (Tomcat) and not
use stunnel.  I chose to work with stunnel because it's easier than trying
to obtain and master the code used in Firefox and Tomcat.

The problem I am seeing is that stunnel is a "dumb" proxy, and as such
works quite well with a lot of protocols, because it does not care about
the protocol.  Getting it to do some protocol specific work is the key.


On Wed, Mar 26, 2014 at 8:13 AM, Brian Wilkins <bwilkins at gmail.com> wrote:

> I am a little confused by your question. If you control the
> unencrypted side, you should be able to use Wireshark to sniff the
> connection between your network application's unencrypted channel to
> stunnel. Nothing really fancy. Off the top of my head, you could
> replay captured packets after you have modified them.
> On Wed, Mar 26, 2014 at 8:05 AM, Michael Carlino (RIT Student)
> <mac9951 at rit.edu> wrote:
> > Hello stunnel users,
> > I am working with what seems to be the standard stunnel HTTPS
> > configuration.  I have two instances of stunnel, one as a client and one
> > as a server.  The client accepts connections from a browser.  The server
> > sits in front of tomcat.  It works like a charm (of course!).
> >
> > What I need to do seems simple, and I will try to keep my description of
> > it generic.  In the client stunnel I need to make a small change to the
> > HTTP packet.  I need to add some data to it.  At the server side I need
> > to access that added data.  The server stunnel may close the SSL session
> > based on that data.
> >
> > So, my question is: can I obtain access to the packet before it's
> > encrypted and sent out over SSL?  Can I get access to the decrypted
> > packet before it's sent on to tomcat?
> >
> > I know that as a proxy stunnel has to be and tries to be general in
> > nature.  I am not concerned (right now) with developing a feature that
> > will become available to others later.  I don't mind if my changes make
> > my development version of stunnel single-purpose.  My work is academic
> > and proof-of-concept in its nature.
> >
> > I have collected references and a text book (Network Security with
> > OpenSSL by Viega et al).  I will continue to walk through and explore the
> > code.  Are there any programmer resources I can obtain?  I see the
> > occasional URL in the stunnel source code.  I will have to check these
> > URLs.
> >
> > ---
> >
> > I just now pursued
> > http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt, and I see
> > that there is a patch that allows stunnel to do an initial modification
> > to the HTTP request to insert an X-Forwarded-For header.  This sounds
> > like what I need to do!  I am going to look for that patch.  I hope the
> > source code for the patch is available.
> >
> > Please, if anyone has any advice, war stories, criticism, whatever... I
> > would very much appreciate it.
> >
> > Regards.
> >

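As an added example (not stunnel's own code and not from this thread), the protocol-specific step discussed above done on the plaintext side of each tunnel in Python: the client-side hop inserts a header into the outgoing HTTP request, and the server-side hop extracts it and returns a forward-or-close decision before anything reaches tomcat. The header name X-Tunnel-Token, the token value and the sample request are constructed placeholders.

```python
"""Header insertion (client tunnel) and policy check (server tunnel).

stunnel itself copies bytes through unchanged, so this is the
protocol-aware logic that would have to live on the plaintext side of
each tunnel.  Header name and token are assumed placeholders.
"""
import hmac

HEADER = b"X-Tunnel-Token"
EXPECTED = b"example-token"  # constructed placeholder, not a real credential

# Constructed sample request, as a browser would hand it to the client stunnel.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request-line, header-lines, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def add_header(raw: bytes, name: bytes, value: bytes) -> bytes:
    """Client-side tunnel: insert one header directly after the request line."""
    request_line, headers, body = split_request(raw)
    new_head = b"\r\n".join([request_line, name + b": " + value, *headers])
    return new_head + b"\r\n\r\n" + body


def get_header(raw: bytes, name: bytes):
    """Return the first matching header value (case-insensitive) or None."""
    _, headers, _ = split_request(raw)
    for line in headers:
        field, colon, value = line.partition(b":")
        if colon and field.strip().lower() == name.lower():
            return value.strip()
    return None


def server_decision(raw: bytes) -> str:
    """Server-side tunnel: 'forward' only if the token is present and matches."""
    token = get_header(raw, HEADER)
    # Constant-time comparison; a missing or wrong token closes the session.
    if token is not None and hmac.compare_digest(token, EXPECTED):
        return "forward"
    return "close"


if __name__ == "__main__":
    tagged = add_header(SAMPLE_REQUEST, HEADER, EXPECTED)
    print(server_decision(SAMPLE_REQUEST), server_decision(tagged))
```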