Hi all, is there any way to use stunnel to proxy a connection without using encryption? I have an application that is listening on 0.0.0.0:port but which refuses connections that do not come from localhost:port, and that application is reachable only with telnet, with no encryption.
I have found a possible configuration, which is the following:

    chroot = /var/run/stunnel/
    setuid = nobody
    setgid = nobody
    pid = /stunnel.pid
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    debug = 7
    output = /var/log/stunnel.log
    transparent=yes

    [AppSrv01]
    accept = 5776
    connect = 4776

    [AppSrv02]
    accept = 5777
    connect = 4777

but it does not seem to be working; this is the log:
    2011.07.06 11:08:20 LOG5[30375:47349987463360]: stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    2011.07.06 11:08:20 LOG5[30375:47349987463360]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
    2011.07.06 11:08:20 LOG6[30375:47349987463360]: file ulimit = 1024 (can be changed with 'ulimit -n')
    2011.07.06 11:08:20 LOG6[30375:47349987463360]: poll() used - no FD_SETSIZE limit for file descriptors
    2011.07.06 11:08:20 LOG5[30375:47349987463360]: 500 clients allowed
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 4 in non-blocking mode
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 5 in non-blocking mode
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 6 in non-blocking mode
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv01 bound to 0.0.0.0:5776
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 7 in non-blocking mode
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv02 bound to 0.0.0.0:5777
    2011.07.06 11:08:20 LOG7[30376:47349987463360]: Created pid file /stunnel.pid
    2011.07.06 11:08:30 LOG7[30376:47349987463360]: AppSrv01 accepted FD=8 from 10.0.1.11:41922
    2011.07.06 11:08:30 LOG7[30376:1094314304]: AppSrv01 started
    2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 8 in non-blocking mode
    2011.07.06 11:08:30 LOG7[30376:1094314304]: TCP_NODELAY option set on local socket
    2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 9 in non-blocking mode
    2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 10 in non-blocking mode
    2011.07.06 11:08:30 LOG7[30376:47349987463360]: Cleaning up the signal pipe
    2011.07.06 11:08:30 LOG6[30376:47349987463360]: Child process 30384 finished with code 0
    2011.07.06 11:08:30 LOG7[30376:1094314304]: Connection from 10.0.1.11:41922 permitted by libwrap
    2011.07.06 11:08:30 LOG5[30376:1094314304]: AppSrv01 connected from 10.0.1.11:41922
    2011.07.06 11:08:30 LOG7[30376:1094314304]: SSL state (accept): before/accept initialization
    2011.07.06 11:08:43 LOG3[30376:1094314304]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2011.07.06 11:08:43 LOG5[30376:1094314304]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
    2011.07.06 11:08:43 LOG7[30376:1094314304]: AppSrv01 finished (0 left)
and on standard output I get:

    2011.07.06 11:08:20 LOG7[30375:47349987463360]: Snagged 64 random bytes from /home/user/.rnd
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: Wrote 1024 new random bytes to /home/user/.rnd
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: RAND_status claims sufficient entropy for the PRNG
    2011.07.06 11:08:20 LOG6[30375:47349987463360]: PRNG seeded successfully
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv01
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem
    2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv02

When connecting with telnet, this is what happens:

    Trying 10.0.2.140...
    Connected to server.
    Escape character is '^]'.
It seems the connection is successful, but with tcpdump I see nothing, and I also see nothing in the application log. If I type something, nothing happens. It seems that the flow is not passed to the destination port.
Do you have any hint?
Thanks!
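A small log-triage script for the stunnel output above, added here as an illustration and not part of the original post. It splits stunnel's `LOGn[pid:tid]` entries, ties each accepted connection to the worker thread that handles it, and classifies how the connection ended. Run over the per-connection lines from the post's log (plus a constructed successful TLS session on AppSrv02, which is not from the post), it reports that the AppSrv01 client never spoke TLS: the service is in accept mode, so stunnel runs `SSL_accept` on every inbound connection, and a plaintext telnet client fails that handshake with `SSL23_GET_CLIENT_HELLO:unknown protocol` before a single byte is relayed (`0 bytes sent to socket`), which is why tcpdump and the application log stay empty. The thread-binding rule (the `<service> started` line is the worker thread's first entry after `accepted` on the main thread) is an assumption taken from this log's layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the per-connection part of the stunnel 4.15 log from the post,
# one entry per line, plus a CONSTRUCTED successful TLS session (AppSrv02,
# peer 10.0.1.12) for contrast. The AppSrv02 lines are not from the post.
SAMPLE_LOG = """\
2011.07.06 11:08:30 LOG7[30376:47349987463360]: AppSrv01 accepted FD=8 from 10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: AppSrv01 started
2011.07.06 11:08:30 LOG7[30376:1094314304]: Connection from 10.0.1.11:41922 permitted by libwrap
2011.07.06 11:08:30 LOG5[30376:1094314304]: AppSrv01 connected from 10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: SSL state (accept): before/accept initialization
2011.07.06 11:08:43 LOG3[30376:1094314304]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2011.07.06 11:08:43 LOG5[30376:1094314304]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.07.06 11:08:43 LOG7[30376:1094314304]: AppSrv01 finished (0 left)
2011.07.06 11:09:00 LOG7[30376:47349987463360]: AppSrv02 accepted FD=11 from 10.0.1.12:50000
2011.07.06 11:09:00 LOG7[30376:1094318000]: AppSrv02 started
2011.07.06 11:09:00 LOG5[30376:1094318000]: AppSrv02 connected from 10.0.1.12:50000
2011.07.06 11:09:01 LOG6[30376:1094318000]: SSL accepted: new session negotiated
2011.07.06 11:09:05 LOG5[30376:1094318000]: Connection closed: 120 bytes sent to SSL, 48 bytes sent to socket
2011.07.06 11:09:05 LOG7[30376:1094318000]: AppSrv02 finished (0 left)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"^(?P<svc>\S+) accepted FD=\d+ from (?P<peer>\S+)$")
STARTED_RE = re.compile(r"^(?P<svc>\S+) started$")
END_RE = re.compile(
    r"^Connection (?P<how>closed|reset): (?P<to_ssl>\d+) bytes sent to SSL, "
    r"(?P<to_sock>\d+) bytes sent to socket$"
)


@dataclass
class Connection:
    service: str
    peer: str
    handshake_error: Optional[str] = None
    ended: Optional[str] = None            # "closed" or "reset"
    bytes_to_ssl: Optional[int] = None     # backend -> TLS peer
    bytes_to_socket: Optional[int] = None  # TLS peer -> backend

    @property
    def diagnosis(self) -> str:
        # The accept side always performs SSL_accept; a non-TLS client fails it.
        if self.handshake_error and "unknown protocol" in self.handshake_error:
            return "peer did not speak TLS to a TLS accept socket"
        if self.handshake_error:
            return "TLS handshake failed"
        if self.bytes_to_socket == 0 and self.bytes_to_ssl == 0:
            return "no payload relayed"
        return "ok"


def analyze(log_text: str) -> List[Connection]:
    """Group stunnel log entries into one record per accepted connection.

    Assumption (taken from the posted log): '<svc> accepted ...' appears on the
    main thread and '<svc> started' is the worker thread's first entry.
    """
    connections: List[Connection] = []
    pending: Dict[str, Connection] = {}    # service -> accepted, no worker yet
    by_thread: Dict[str, Connection] = {}  # worker tid -> connection
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a stunnel entry (or a wrapped line); skip
        tid, msg = m["tid"], m["msg"]
        acc = ACCEPT_RE.match(msg)
        if acc:
            conn = Connection(service=acc["svc"], peer=acc["peer"])
            connections.append(conn)
            pending[acc["svc"]] = conn
            continue
        started = STARTED_RE.match(msg)
        if started and started["svc"] in pending:
            by_thread[tid] = pending.pop(started["svc"])
            continue
        conn = by_thread.get(tid)
        if conn is None:
            continue  # main-thread housekeeping lines
        if msg.startswith("SSL_accept:"):
            conn.handshake_error = msg
        end = END_RE.match(msg)
        if end:
            conn.ended = end["how"]
            conn.bytes_to_ssl = int(end["to_ssl"])
            conn.bytes_to_socket = int(end["to_sock"])
            by_thread.pop(tid, None)  # thread ids get reused for later sessions
    return connections


if __name__ == "__main__":
    for c in analyze(SAMPLE_LOG):
        print(f"{c.service} from {c.peer}: {c.diagnosis} "
              f"({c.bytes_to_socket} bytes to backend, {c.bytes_to_ssl} bytes to peer)")
```

The two byte counters are the quickest check when a tunnel "connects but does nothing": a healthy session shows non-zero traffic in at least one direction, while a handshake failure on the accept side always ends with both at zero, because stunnel only opens the `connect` side after TLS is established.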