<html><head></head><body><div class="ydp5537b522yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div dir="ltr" data-setdir="false">>><span><span style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">there is no reason to connect to localhost with any security</span></span></div><div dir="ltr" data-setdir="false"><span><span style="color: rgb(0, 0, 0); font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 16px;"><br></span></span></div><div dir="ltr" data-setdir="false"><span><span style="color: rgb(0, 0, 0); font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 16px;">Should server/interface consolidation trigger functional/technical rework prior to go live?</span></span><br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><span style="color: rgb(38, 40, 42);">As per the diagram: </span></div><div dir="ltr" data-setdir="false"><span style="color: rgb(38, 40, 42);"> the </span><span style="color: rgb(38, 40, 42);">app server node x TLS engine node interface is wrapped in SSL </span></div><div dir="ltr" data-setdir="false"><span style="color: rgb(38, 40, 42);"><span><span style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 16px;"> the internal localhost x localhost interface is in the clear</span></span><br></span></div><div dir="ltr" data-setdir="false"><span style="color: rgb(38, 40, 42);"> the TLS engine node x punchout-vendor node is wrapped in TLSv1.2</span></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">>> SNI flag (RFC 3546)</div><div dir="ltr" data-setdir="false">Good catch. 
</div><div dir="ltr" data-setdir="false"><div><div><br></div></div></div><div dir="ltr" data-setdir="false"><br></div></div><div id="ydp8b198da9yahoo_quoted_6588234430" class="ydp8b198da9yahoo_quoted"><div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;"><div>----------------------------------------------------------------------<br></div><div><div dir="ltr"><br></div><div dir="ltr">Message: 1<br></div><div dir="ltr">Date: Wed, 21 Aug 2019 08:01:08 -0700<br></div><div dir="ltr">From: "Eric Eberhard" <<a href="mailto:flash@vicsmba.com" rel="nofollow" target="_blank">flash@vicsmba.com</a>><br></div><div dir="ltr">To: "'Brent Kimberley'" <<a href="mailto:brent_kimberley@rogers.com" rel="nofollow" target="_blank">brent_kimberley@rogers.com</a>>,<br></div><div dir="ltr"> <<a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a>><br></div><div dir="ltr"><br></div><div dir="ltr">Thank you -- what I had in mind but I am not that fancy with the setups as we use one. We go from our application in clear text to stunnel TLSv1.2 which is clearly easier. I did make this work for a short while a long time ago and did not save the files. Plus, to many people's horror, we use inetd. Of course we only transfer 4 million XML docs per day and handle 10 million Web calls and another million connections for credit cards, etc. I have been told that if I had serious volume inetd is slower -:) but I have not noticed enough of a slowdown to matter. And inetd (at least on an IBM AIX server) is dead reliable and easy.<br></div><div dir="ltr"><br></div><div dir="ltr">As a curiosity -- as I often see people coding unnecessarily -- there is no reason to connect to localhost with any security at all unless your app can only output SSLv3 which would imply a 3rd party vendor. 
The traffic never hits the network in any way -- not even the network card -- it goes directly to/from the TCP/IP stack which is why I mentioned just making the app send clear text to one stunnel that outputs TLSv1.2 ... if possible (may not be if it is something you don't have source to).<br></div><div dir="ltr"><br></div><div dir="ltr">Eric<br></div><div dir="ltr"><br></div><div dir="ltr">-----Original Message-----<br></div><div dir="ltr">From: Brent Kimberley [mailto:<a href="mailto:brent_kimberley@rogers.com" rel="nofollow" target="_blank">brent_kimberley@rogers.com</a>] <br></div><div dir="ltr">Sent: Tuesday, August 20, 2019 6:42 AM<br></div><div dir="ltr">To: <a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br></div><div dir="ltr">Cc: <a href="mailto:daniel.trickett@milliporesigma.com" rel="nofollow" target="_blank">daniel.trickett@milliporesigma.com</a>; <a href="mailto:flash@vicsmba.com" rel="nofollow" target="_blank">flash@vicsmba.com</a><br></div><div dir="ltr">Subject: Re: stunnel-users Digest, Vol 181, Issue 1<br></div><div dir="ltr"><br></div><div dir="ltr">Your mileage may vary.<br></div><div dir="ltr"><br></div><div dir="ltr">###############################################################################<br></div><div dir="ltr"># From internal application to external host<br></div><div dir="ltr">###############################################################################<br></div><div dir="ltr"># [Int_Init] -> [Int_Term] -> [Ext_Init] -> [Ext_Term]<br></div><div dir="ltr">###############################################################################<br></div><div dir="ltr"># [internal_initiator] ---ssl---> [Internal terminator]<br></div><div dir="ltr"># [Internal terminator] ---http---> [external Initiator]<br></div><div dir="ltr"># [external Initiator] ---tls---> [external terminator]<br></div><div dir="ltr">###############################################################################<br></div><div dir="ltr"># <a href="https://www.stunnel.org/static/stunnel.html " rel="nofollow" 
target="_blank">https://www.stunnel.org/static/stunnel.html </a><br></div><div dir="ltr">############################################################################### <br></div><div dir="ltr"><br></div><div dir="ltr">[Internal_Terminator]<br></div><div dir="ltr">sslVersion = SSLv3<br></div><div dir="ltr">client = no<br></div><div dir="ltr">accept = host_ip:443<br></div><div dir="ltr">connect = localhost:54321<br></div><div dir="ltr">CAfile = int_init_wallet.pem<br></div><div dir="ltr">cert = int_term_pub.pem<br></div><div dir="ltr">key = int_term_priv.pem<br></div><div dir="ltr"><br></div><div dir="ltr">[External_Initiator]<br></div><div dir="ltr">options = SINGLE_ECDH_USE<br></div><div dir="ltr">options = SINGLE_DH_USE<br></div><div dir="ltr">ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256<br></div><div dir="ltr">verify = 2<br></div><div dir="ltr">client = yes<br></div><div dir="ltr">sslVersion = TLSv1.2<br></div><div dir="ltr">accept = localhost:54321<br></div><div dir="ltr">connect = externalhostname:443<br></div><div dir="ltr">verifyChain = yes<br></div><div dir="ltr">renegotiation = no<br></div><div dir="ltr">CAfile = ext_term_wallet.pem<br></div><div dir="ltr">cert = ext_init_pub.pem<br></div><div dir="ltr">key = ext_init_priv.pem<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">----------------------------------------------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Date: Mon, 19 Aug 2019 18:21:18 +0000<br></div><div dir="ltr">From: Daniel Trickett <<a href="mailto:daniel.trickett@milliporesigma.com" rel="nofollow" target="_blank">daniel.trickett@milliporesigma.com</a>><br></div><div dir="ltr">To: "<a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a>" <<a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a>><br></div><div dir="ltr">Subject: [stunnel-users] https to https proxy<br></div><div dir="ltr"><br></div><div 
dir="ltr">Hi,<br></div><div dir="ltr"><br></div><div dir="ltr">Our punchout vendor switched their site to only accept TLS 1.2 over the weekend. Unfortunately our application will only support SSL.<br></div><div dir="ltr"><br></div><div dir="ltr">We are using stunnel with other vendors but can control the inbound host name. This recent one is one we can't manage as it is the software provider.<br></div><div dir="ltr"><br></div><div dir="ltr">I found a solution for doing https to https. I'm unclear how I get the first https traffic to route to stunnel, as the initial call from the application will be to the external host.<br></div><div dir="ltr">Any thoughts on whether this would work for my situation? Appreciate any thoughts.<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">[Tunnel_in]<br></div><div dir="ltr">client = yes<br></div><div dir="ltr">accept = host_ip:443<br></div><div dir="ltr">connect = localhost:54321<br></div><div dir="ltr"><br></div><div dir="ltr">[Tunnel_out]<br></div><div dir="ltr">client = no<br></div><div dir="ltr">accept = localhost:54321<br></div><div dir="ltr">connect = externalhostname:443<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">Best regards,<br></div><div dir="ltr"><br></div><div dir="ltr">Dan<br></div><div dir="ltr"><br></div></div>
</div>
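<div dir="ltr"><br></div><div dir="ltr">A complete stunnel.conf for the setup the thread is about (an application that only speaks legacy SSL on one side, a punchout vendor that only accepts TLSv1.2 on the other), added here as a worked example; it is not taken from any of the messages above or from the stunnel project. Hostnames, ports, file paths and service names are assumptions. The legacy SSL leg is bound to 127.0.0.1 so it stays on the loopback interface, which is the point Eric makes about localhost traffic, and the outbound leg sends Server Name Indication (RFC 3546) for the vendor name, which is the flag Brent asks about.</div>

```ini
; stunnel.conf -- added example, not from the mailing-list thread or the stunnel project.
; Every hostname, port and certificate path below is an assumption.

; Global options
pid = /var/run/stunnel-punchout.pid
foreground = no
debug = 5

; Leg 1: terminate the legacy application's SSL session on loopback.
; The application is pointed at 127.0.0.1:8443 instead of the vendor, so the
; old-protocol traffic never leaves the host.
[legacy_app_terminator]
client = no
accept = 127.0.0.1:8443
connect = 127.0.0.1:54321
; Only works with an OpenSSL build that still includes SSLv3.
sslVersion = SSLv3
cert = /etc/stunnel/legacy_term.crt
key = /etc/stunnel/legacy_term.key

; Leg 2: re-originate the request to the vendor as a TLSv1.2 client.
[vendor_initiator]
client = yes
accept = 127.0.0.1:54321
connect = punchout.vendor.example:443
; Server Name Indication (RFC 3546) so the vendor's front end serves the right virtual host.
sni = punchout.vendor.example
sslVersion = TLSv1.2
; Reject the vendor unless its chain anchors in CAfile and the certificate matches checkHost.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = punchout.vendor.example
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
renegotiation = no
```

<div dir="ltr">If the application's target URL cannot be changed (Dan's case), map the vendor hostname to 127.0.0.1 in the hosts file and change the first service to accept = 127.0.0.1:443; the legacy leg still never reaches a network card. Newer stunnel releases prefer sslVersionMin/sslVersionMax over sslVersion, and the outbound leg can be checked independently of the application with openssl s_client -connect punchout.vendor.example:443 -servername punchout.vendor.example -tls1_2, which should show a verified chain for that name.</div>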
</div></body></html>