[stunnel-users] Man in the middle attack possibility

Abhinav Srivastava absrivas at gmail.com
Tue Jul 19 12:37:30 CEST 2016

I'm trying to use stunnel to provide encryption for my application to
server communication. Server is already ssl aware. I configured my app to
talk to localhost:xyz, and configured stunnel in client mode to relay
traffic from localhost:<xyz> to actual service.  The stunnel to service ssl
protocol would use the server certificate, as server is already ssl aware.

For any reason if stunnel is not running it would become possible for a
non-elevated attacker/malware to spin up a tcp server listening to xyz,
essentially taking advantage of my re-configuration of app to talk to
localhost:xyz, and spoof the actual server.

Even if my app to server protocol had some anti-spoofing mechanism say
e.g., reverse CHAP, the malware can easily relay the challenge and response
by using the actual service.

In my case the actual app is iscsi initiator software that is not in my
control and cant be modified, while the server is an iscsi tcp server which
I am free to modify.

Are there any guidance/best practices around preventing this attack with

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20160719/ae22327b/attachment.html>

More information about the stunnel-users mailing list