I’m currently tunneling SSH over SSL using stunnel.

I thought that stunneled SSH data was safe. However, I recently read that when going through a sophisticated HTTP/HTTPS proxy, it's possible to be hacked by a "legitimate" MITM attack that fools an SSL client.

Is it still possible to configure stunnel so that the SSL can't be compromised between the two ends?

I'm going to take a wild guess here, which I'm sure is probably wrong. But could I just install stunnel, let it automatically create a self-signed certificate file (stunnel.pem), and then copy that file to the stunnel install on the other end? That way both sides would already know each other's public keys and wouldn't be vulnerable during the initial unencrypted handshake?

I'm sure I'm probably way off, and there's more I need to do in stunnel's configuration to further ensure the SSL won't be compromised, such as the stunnel "verify" setting. I'm not sure which value to set it to, or what it actually does.

I'm hoping someone could shed some light on this with simple suggested client → server configs that would keep the SSL as uncompromised as possible.

Thanks in advance!
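The following client and server stunnel.conf fragments are an added example of the approach the question describes (pinning the peer's own self-signed certificate); they are not part of the original post. All paths and the hostname `server.example.com` are placeholders. Each side generates its own key pair, and only the certificate half of the other side's stunnel.pem (never the private key it also contains) is copied across as that side's `CAfile`. With `verify = 3`, stunnel requires the peer to present a certificate and accepts it only if it is one of the certificates installed locally in `CAfile`, so a proxy presenting a substitute certificate for the same hostname is rejected even if that certificate chains to a public CA.

```ini
; ---- server side: /etc/stunnel/stunnel.conf (placeholder paths) ----
; This host's own key + certificate (the stunnel.pem the installer generated,
; renamed here for clarity). Never copy this file to the other side.
cert = /etc/stunnel/server.pem

; Level 3: require a client certificate and accept only certificates
; that are installed locally in CAfile, i.e. the client's pinned cert.
verify = 3
; Contains ONLY the certificate (-----BEGIN CERTIFICATE----- block)
; extracted from the client's stunnel.pem.
CAfile = /etc/stunnel/client-cert.pem

[ssh]
accept  = 443
connect = 127.0.0.1:22


; ---- client side: /etc/stunnel/stunnel.conf (placeholder paths) ----
client = yes
; This host's own key + certificate, presented to the server for level-3
; verification of the client.
cert = /etc/stunnel/client.pem

; Same pinning in the other direction: accept only the server's own cert.
verify = 3
CAfile = /etc/stunnel/server-cert.pem

[ssh]
; Point the ssh client at localhost:2222; stunnel carries it to the server.
accept  = 127.0.0.1:2222
connect = server.example.com:443
```

Two points worth checking after deploying this: first, because verification is mutual, a missing or mismatched certificate on either end shows up in the stunnel log as a handshake failure rather than a silently unprotected connection, which is the behaviour you want; second, if the traffic really does have to pass through an HTTP proxy, stunnel's `protocol = connect` option (with `protocolHost`) lets the client tunnel through it while the pinning above still applies to the end-to-end SSL session.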