[stunnel-users] Mixed cert/PSKsecrets & TLS/SSL before proxy

Thu Feb 2 13:16:40 CET 2017

Hello Gentlemen.

I need help with configuration, or negative clarifications, on two issues.

1) First question: is mixed use of cert/PSKsecrets auth possible?

The same method (either cert or PSKsecrets explicitly) server-side through the parent [TLS] and inherited services works properly. But mixed cert/PSKsecrets, like in the config snippet below, doesn't work.

client = no 
accept = 
connect = localhost:http 
cert = /etc/opt/stunnel/stunnel.pem 

client = no 
sni = TLS:ssh 
connect = localhost:ssh 

client = no
sni = TLS:socks
protocol = socks
PSKsecrets = /etc/opt/stunnel/auth/passwd

The idea is to pass insensibly all incorrect or non-SNI-aware requests to the main http server and hide the other multiplexed services, and at the same time to establish encryption and password access control for the [socks] service.

2) And the second question: is it possible to proxy CONNECT after establishing SSL/TLS encryption?

The configuration section: 

accept  = 22222 
protocol = connect 
protocolHost = server.tld:443 
protocolUsername = usernamehere 
protocolPassword = passwordhere 
connect = proxy.tld:8080 

Say, to establish an unencrypted connection with the proxy, pass the username and password, tell the proxy to establish CONNECT to target 443 and then transmit SSL/TLS to it.

The goal is, if I have an SSL/TLS termination server/proxy on port 443, that we first speak SSL/TLS with the proxy and only then proceed to the proxy requests phase.

Thanks for future explanations.

