[stunnel-users] HTTP to HTTPS

Eric Eberhard flash at vicsmba.com
Wed Dec 26 21:00:14 CET 2018


There once was an open source libcsoap to do SOAP.  It appeared abandoned 5-10 years ago but was available online.

I downloaded that ages ago and made a fully functional libcsoap -- this includes "nanohttp" which will POST via HTTP, HTTPS, 1.0, 1.1, etc.  

I only use this on AIX -- and because of my inability to do the craziness that the open source community does so well to make it work on all platforms, and a lack of a real place to put it, it never really got out.

You are welcome to the code.  It is in C.  You can build nanohttp apart from libcsoap.  If it has a few gotchas because of your O/S, they should be easy to fix (I did make a couple of AIX changes).

The code is small and easy to link into C (or anything else that links to a .a or .so) -- and it can be set up as a server (never tried it).

It DOES require that OpenSSL be installed (for the HTTPS, I think).

If you want it, email me and I'll put it on my FTP site.

Eric

-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Peter Pentchev
Sent: Wednesday, December 26, 2018 8:40 AM
To: Константин Кручинин <kruchinin.c at gmail.com>
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] HTTP to HTTPS

On Wed, Dec 26, 2018 at 04:54:34PM +0300, Константин Кручинин wrote:
> Good day!
> Is it possible to realize the following functionality by means of stunnel?
> There is an application that is not able to do SSL, and I need to send data
> to the server over HTTPS.

As I noted in a recent message, stunnel may be used as a client for an HTTPS service; the configuration is pretty much what you have shown below, but there are several more details to configure.  See https://www.stunnel.org/pipermail/stunnel-users/2018-December/006233.html

First off, do you have control over the source code of your application - the one that sends the HTTP query that actually needs to reach an HTTPS server?  If you do, is it possible to modify the source so that it establishes a TCP connection to a specified IP address and port and
*then* sends an HTTP request over that connection, with the actual server's hostname in the HTTP request?  Some HTTP client libraries do give you this opportunity, although it is rare.  If you can do that, then it may not be necessary to do the hosts file trickery and chase the server's IP address - specify the server by name in stunnel's configuration and let the client connect to the address stunnel listens to and send an HTTP request containing the real server's name.

If you cannot do that, or if it would be too much hassle, then there is always the solution that I outlined in my message - specify a numeric IP address in stunnel's configuration and put the server's name in your system's hosts file (/etc/hosts on Unix, %WINDIR%\system32\drivers\etc\hosts on Windows) entry for the IP address that stunnel listens on.

One more thing that I forgot to mention in my previous message: with HTTPS it might be good to specify the "sni" option so that stunnel asks the server for the correct virtual host to connect to.

> How can this be implemented without installing an instance of stunnel
> on the server side?

If there is an HTTPS server on the server side, you should be able to do this with stunnel as a client, with pretty much the configuration that you have shown.

> Do I need to specify the certificate when implementing the above, if 
> so, what kind of certificates are needed?

Stunnel will want - and for good reasons, it will really be a good idea - to verify the certificate of the server that it is connecting to, so that it (stunnel) does not mislead your application by saying "here, this is a connection to the server you requested" and handing it a connection to a man-in-the-middle server controlled by an attacker.  So you will need to obtain the certificate of the HTTPS server and either point stunnel to it directly or point stunnel to a directory containing the certificate of the entity that issued the server's certificate (e.g. Let's Encrypt or your organization's internal CA or something).

> At the moment I have the following config.
> 
> sslVersion = all
> options = NO_SSLv2
> options = NO_SSLv3
> fips = no
> 
> [https]
> client = yes
> connect = externalhost:9443
> accept = localhost:54321
> TIMEOUTclose = 0
> TIMEOUTconnect = 200
> TIMEOUTidle = 86400

If there is already an HTTPS server listening on externalhost:9443, then this is very close to what you will need.  The modifications may need to include specifying an IP address instead of a hostname in the "connect" directive (see the discussion about the hosts file above), then adding an "sni = serverhostname" line so that stunnel asks for the correct virtual host to connect to, then adding a "checkHost = serverhostname" line (or a similar line; in some cases the server that responds may have a slightly different common name, but this should be rare), and then adding some "verify" and "CAfile" or "CApath" lines to point stunnel to the certificate of the server or the certificate of the CA that issued the server's certificate.

If all of this is making your head spin, let me know and I may try to explain it step by step in more detail :)  We've all been there, just thrown into the deep by some "you have to learn how to do this *now*" task that comes out of nowhere...

Hope at least some of this helps! :)

G'luck,
Peter

--
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
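The following stunnel.conf is an added example that is not part of either message in this thread; it puts together, in one file, the changes Peter walks through above (numeric connect address, sni, checkHost, verification and a trust anchor) next to the original, unverified service from the question. The hostname externalhost.example.com, the address 203.0.113.10 and the CA file path are placeholders, not values from the thread.

```ini
; Added example stunnel client configuration (not from the thread).
; Hostnames, the IP address and file paths are placeholders.

; ----- global section -----
foreground = no
debug = info
output = /var/log/stunnel-https.log

; Protocol settings from the original question: refuse SSLv2 and SSLv3.
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no

; ----- the original service, kept for comparison (disabled) -----
; This tunnels to the server over TLS but performs NO certificate
; verification, so a man-in-the-middle presenting any certificate is
; accepted and the application is handed that connection as if it
; were the real server.
;[https-unverified]
;client  = yes
;accept  = localhost:54321
;connect = externalhost:9443

; ----- hardened client service -----
[https]
client = yes
; Bind to loopback only, so other hosts cannot ride the tunnel.
accept = 127.0.0.1:54321

; Numeric address, not the hostname: once externalhost.example.com is
; pointed at 127.0.0.1 in the hosts file (so the legacy application
; reaches stunnel while still sending the real name in its HTTP
; request), a hostname here would resolve back to stunnel and loop.
connect = 203.0.113.10:9443

; TLS Server Name Indication: ask for the right virtual host so the
; server presents the certificate for that name.
sni = externalhost.example.com

; Require the server certificate to chain to a trusted CA
; (older stunnel releases spell this "verify = 2") ...
verifyChain = yes
; ... and require that its CN or subjectAltName matches the name we
; meant to reach. Without this, a valid certificate for some other
; name issued by the same CA would pass the chain check.
checkHost = externalhost.example.com

; Trust anchor: the issuing CA (or chain) as a single PEM file ...
CAfile = /etc/stunnel/externalhost-ca.pem
; ... or, alternatively, a hashed directory of CA certificates
; (prepared with "openssl rehash" or c_rehash):
;CApath = /etc/ssl/certs

; Timeouts from the original question.
TIMEOUTclose = 0
TIMEOUTconnect = 200
TIMEOUTidle = 86400
```

To complete the hosts-file trick from the message above, add a line such as "127.0.0.1 externalhost.example.com" to /etc/hosts (or the Windows equivalent) and point the application at externalhost.example.com:54321; it then talks plain HTTP to stunnel, and stunnel opens the verified TLS connection to 203.0.113.10:9443. If the server's certificate is not yet known, "openssl s_client -connect 203.0.113.10:9443 -servername externalhost.example.com -showcerts" prints the chain it presents, which is where the issuing CA for CAfile comes from; pin the leaf certificate itself (verifyPeer = yes) only if you are prepared to update the file whenever the server's certificate is renewed.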
