[stunnel-users] HTTP to HTTPS

Peter Pentchev roam at ringlet.net
Wed Dec 26 16:40:21 CET 2018

On Wed, Dec 26, 2018 at 04:54:34PM +0300, Константин Кручинин wrote:
> Good day!
> Is it possible to realize the means of Stunnel, the following functionality?
> There is an application that is not able to SSL, I need to send data to the
> server over HTTPS.

As I noted in a recent message, stunnel may be used as a client for
an HTTPS service; the configuration is pretty much what you have shown
below, but there are several more details to configure.  See

First off, do you have control over the source code of your application -
the one that sends the HTTP query that actually needs to reach
an HTTPS server?  If you do, is it possible to modify the source so that
it establishes a TCP connection to a specified IP address and port and
*then* sends an HTTP request over that connection, with the actual server's
hostname in the HTTP request?  Some HTTP client libraries do give you
this opportunity, although it is rare.  If you can do that, then it may
not be necessary to do the hosts file trickery and chase the server's
IP address - specify the server by name in stunnel's configuration and
let the client connect to the address stunnel listens to and send
an HTTP request containing the real server's name.

If you cannot do that, or if it would be too much hassle, then there is
always the solution that I outlined in my message - specify a numeric IP
address in stunnel's configuration and put the server's name in your
system's hosts file (/etc/hosts on Unix, %WINDIR%\system32\drivers\etc\hosts
on Windows) entry for the IP address that stunnel listens on.

One more thing that I forgot to mention in my previous message: with HTTPS
it might be good to specify the "sni" option so that stunnel asks the server
for the correct virtual host to connect to.

> How can this be implemented without installing an instance of Stunnel on
> the server side?

If there is an HTTPS server on the server side, you should be able to
do this with stunnel as a client, with pretty much the configuration that
you have shown.

> Do I need to specify the certificate when implementing the above, if so,
> what kind of certificates are needed?

Stunnel will want - and for good reasons, it will really be a good idea -
to verify the certificate of the server that it is connecting to, so that
it (stunnel) does not mislead your application by saying "here, this is
a connection to the server you requested" and handing it a connection to
a man-in-the-middle server controlled by an attacker.  So you will need to
obtain the certificate of the HTTPS server and either point stunnel to it
directly or point stunnel to a directory containing the certificate of
the entity that issued the server's certificate (e.g. Let's Encrypt or
your organization's internal CA or something).

> At the moment I have the following config.
> sslVersion = all
> options = NO_SSLv2
> options = NO_SSLv3
> fips = no
> [https]
> client = yes
> connect = externalhost:9443
> accept = localhost:54321
> TIMEOUTclose = 0
> TIMEOUTconnect = 200
> TIMEOUTidle = 86400

If there is already an HTTPS server listening on externalhost:9443, then
this is very close to what you will need.  The modifications may need to
include specifying an IP address instead of a hostname in the "connect"
directive (see the discussion about the hosts file above), then adding
an "sni = serverhostname" line so that stunnel asks for the correct
virtual host to connect to, then adding a "checkHost = serverhostname"
line (or a similar line; in some cases the server that responds may
have a slightly different common name, but this should be rare), and
then adding some "verify" and "CAfile" or "CApath" lines to point stunnel
to the certificate of the server or the certificate of the CA that
issued the server's certificate.

If all of this is making your head spin, let me know and I may try to
explain it step by step in more detail :)  We've all been there, just
thrown into the deep by some "you have to learn how to do this *now*"
task that comes out of nowhere...

Hope at least some of this helps! :)


Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20181226/b4c0d247/attachment.sig>

More information about the stunnel-users mailing list