Re: [stunnel-users] RFC: purge use of keyword 'transparent'

Hi Mike,

Your reponse was in my spam folder, and I just realized it :-). It is good to hear that this configuration is ultimately possible -- but just not with out of the box configurations as far as my testing has shown. Therefore it is better if the documentation stated this.

Could you please try to be a bit more specific (e.g. in terms of your stunnel and kernel versions, configuration, logs, packet captures, etc.)?

I am using the most current versions to date for each software stacks. All use the same stunnel.conf file.

foreground = yes cert = /etc/stunnel/stunnel.pem sslVersion = all setuid = root setgid = root pid = /tmp/stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel.log

[http] accept = 443 connect = 80 transparent = yes

FreeBSD 8.1:

rpminit# stunnel -version stunnel 4.33 on amd64-portbld-freebsd8.1 with OpenSSL 0.9.8n 24 Mar 2010

rpminit# uname -a FreeBSD hostname 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Fri Jul 30 12:55:14 UTC 2010 root@hostname:/usr/obj/usr/src/sys/generic amd64

This stunnel version has been patched to support 'non-local bind'ng, see http://marc.info/?l=stunnel-users&m=129415990930730&w=2

CentOS : CentOS-5.5-x86_64-netinstall.iso:

[foo@localhost ~]$ uname -a Linux localhost.localdomain 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux [root@localhost ~]# stunnel -version stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options debug = 5 pid = /var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes

Service-level options cert = /etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH key = /etc/stunnel/stunnel.pem session = 300 seconds TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none [root@localhost ~]#

[root@localhost ~]# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables v1.3.5: Couldn't load match `socket':/lib64/iptables/libipt_socket.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information. [root@localhost ~]#

Ubuntu : mini.iso Ubuntu 10.10 "Maverick Meerkat" Minimal CD 15.6MB (MD5: 3d9f096398991ed1eaa9ff32128e199a, SHA1: ea621a169b55d4c759f19600fea78e4ba7b83ba4) https://help.ubuntu.com/community/Installation/MinimalCD

foo@ubuntu:~$ uname -a Linux ubuntu 2.6.35-24-generic #42-Ubuntu SMP Thu Dec 2 02:41:37 UTC 2010 x86_64 GNU/Linux foo@ubuntu:~$ dpkg -s stunnel

Package: stunnel Status: install ok installed Priority: extra Section: net Installed-Size: 56 Maintainer: Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com Architecture: all Source: stunnel4 Version: 3:4.29-1 Depends: stunnel4 (>= 3:4.20-3) Description: dummy upgrade package stunnel version 3 has been removed from Debian. This is a dummy package to ease upgrading to stunnel4. . You may safely remove this package after the upgrade. Original-Maintainer: Luis Rodrigo Gallardo Cruz rodrigo@debian.org Homepage: http://www.stunnel.org/

root@ubuntu:~# tcpdump -i any port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

13:29:34.794295 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 46696 ecr 0,nop,wscale 6], length 0 13:29:37.801619 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 46997 ecr 0,nop,wscale 6], length 0 13:29:43.811568 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 47598 ecr 0,nop,wscale 6], length 0 ...

root@ubuntu:/etc/stunnel# iptables -t mangle -N DIVERT root@ubuntu:/etc/stunnel# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT root@ubuntu:/etc/stunnel# iptables -t mangle -A DIVERT -j MARK --set-mark 1 root@ubuntu:/etc/stunnel# iptables -t mangle -A DIVERT -j ACCEPT root@ubuntu:/etc/stunnel# ip rule add fwmark 1 lookup 100 root@ubuntu:/etc/stunnel# ip route add local 0.0.0.0/0 dev lo table 100 root@ubuntu:/etc/stunnel# echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter root@ubuntu:/etc/stunnel# /etc/init.d/stunnel4 start 2011.01.07 13:29:34 LOG7[990:140669015152384]: http accepted FD=14 from 192.168.103.69:40886

2011.01.07 13:29:34 LOG7[990:140669015144192]: http started 2011.01.07 13:29:34 LOG7[990:140669015144192]: FD 14 in non-blocking mode 2011.01.07 13:29:34 LOG7[990:140669015144192]: TCP_NODELAY option set on local socket 2011.01.07 13:29:34 LOG7[990:140669015144192]: Waiting for a libwrap process 2011.01.07 13:29:34 LOG7[990:140669015144192]: Acquired libwrap process #0 2011.01.07 13:29:34 LOG7[990:140669015144192]: Releasing libwrap process #0 2011.01.07 13:29:34 LOG7[990:140669015144192]: Released libwrap process #0 2011.01.07 13:29:34 LOG7[990:140669015144192]: http permitted by libwrap from 192.168.103.69:40886 2011.01.07 13:29:34 LOG5[990:140669015144192]: http accepted connection from 192.168.103.69:40886 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): before/accept initialization 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read client hello A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write server hello A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write certificate A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write server done A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 flush data 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read client key exchange A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read finished A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write change cipher spec A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write finished A 2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 flush data 2011.01.07 13:29:34 LOG7[990:140669015144192]: 2 items in the session cache 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 client connects (SSL_connect()) 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 client connects that finished 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 client renegotiations requested 2011.01.07 13:29:34 LOG7[990:140669015144192]: 2 server connects (SSL_accept()) 2011.01.07 13:29:34 LOG7[990:140669015144192]: 2 server connects that finished 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 server renegotiations requested 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 session cache hits 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 external session cache hits 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 session cache misses 2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 session cache timeouts 2011.01.07 13:29:34 LOG6[990:140669015144192]: SSL accepted: new session negotiated 2011.01.07 13:29:34 LOG6[990:140669015144192]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2011.01.07 13:29:34 LOG7[990:140669015144192]: FD 15 in non-blocking mode 2011.01.07 13:29:34 LOG6[990:140669015144192]: local_bind succeeded on the original port 2011.01.07 13:29:34 LOG6[990:140669015144192]: connect_blocking: connecting 127.0.0.1:80 2011.01.07 13:29:34 LOG7[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: waiting 10 seconds 2011.01.07 13:29:44 LOG3[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: timeout 2011.01.07 13:29:44 LOG5[990:140669015144192]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.01.07 13:29:44 LOG7[990:140669015144192]: http finished (0 left)

Did you use any of those 80 hours to RTFM at http://stunnel.mirt.net/static/stunnel.html ?

Yes. FYI as a test case, if it was as easy as reading the above document, there would be no RFC. In regards to, http://www.stunnel.org/faq/transparent.html

"References for 2.4 kernel that say it's not possible..."

"Reference for 2.4 kernel that say it is possible..."

Would it be of best use to update this document for only the current state of the art kernel versions, and therefore remove references to 2.4 kernels? The confusion led me to hope that I could possibly get it working.

If out of the box transparent mode does not function, but requires non - portable modification, can you provide this code? One possible option is to upload a VM image that demonstrates.

If it is non-trivial and out of scope, it would be better to update the document with this information or provide further clarification as to this effect. Given that someone has accomplished the goal, a complete end to end solution is what really needs to be explained.

Best regards, OSC

-----Original Message----- From: Michal Trojnara Michal.Trojnara@mirt.net To: stunnel-users@mirt.net Sent: Fri, Jan 7, 2011 3:41 am Subject: Re: [stunnel-users] RFC: purge use of keyword 'transparent'

Dear Oscar,

"Oscar Usifer" oscaruser@programmer.net wrote:

After searching, installing various (in the 2.6 family), e.g. CentOS, Ubuntu, and so on, I have not been able to get transparent proxy working at all.

LOL: http://catb.org/~esr/faqs/smart-questions.html#id479555

Could you please try to be a bit more specific (e.g. in terms of your stunnel and kernel versions, configuration, logs, packet captures, etc.)?

As such since it the function does not work, and there is great debate as to whether it ever worked, I would like to propose that this keyword and reference to its function be discarded entirely. This will save many folks a great deal of time and effort attempting to try and get it to work, myself having spent over 80 hours (including my precious holiday time) trying to dig, scratch, research up old posts that say it works or someone has it working under such and such a configuration!

Did you use any of those 80 hours to RTFM at http://stunnel.mirt.net/static/stunnel.html ?

The documentation itself has folks claiming that it works and does not, which is really a bad practice. Why did you perpetuate this option in the first place?!

I hope you see the importance and reason with my request and act immediately. ... Unless someone really really does have it working.

LOL: http://catb.org/~esr/faqs/smart-questions.html#id478549

Please make sure to read the whole http://catb.org/~esr/faqs/smart-questions.html before sending another post to a mailing list.

Best regards, Mike =

_______________________________________________

stunnel-users mailing list

stunnel-users@mirt.net

http://stunnel.mirt.net/mailman/listinfo/stunnel-users