Dear patient users,
It seems that stunnel does not encrypt outward traffic from my PC. I was able to get stunnel to work in the first place by having different proxies for each protocol. However, to test if my 8196-bit + x509 certificate keys actually encrypted my traffic I decided to do a test. I had sniffed my own computer using Cain & Abel while logging in to my home router. To my disappointment, the sniffer picked up my username and password in plain text through the HTTP protocol several times. Either that or Abel can crack 256-bit level encryption (256 x 32 = 8196) rather quickly.
My stunnel.conf file:
; Sample stunnel configuration file by Michal Trojnara 2002-2005
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
cert = C:\Program Files\stunnel\stunnel.pem
key = C:\Program Files\stunnel\stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath; CApath is located inside chroot jail:
;CApath = certs
; It's often easier to use CAfile:
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath; CRLpath is located inside chroot jail:
;CRLpath = crls
; Alternatively you can use CRLfile:
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = C:\Program Files\stunnel\stunnel.log

; Use it for client mode
client = yes

; Service-level configuration
client = yes
verify = 0

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

[ssmtp]
accept  = 127.0.0.1:465
connect = httpsupportingproxy4:3124
TIMEOUTclose = 0

[http]
accept  = 127.0.0.1:444
connect = httpsupportingproxy3:6588
TIMEOUTclose = 0

[https]
accept  = 127.0.0.1:443
connect = httpsupportingproxy2:6588
TIMEOUTclose = 0

[ftps]
accept  = 127.0.0.1:21
connect = httpsupportingproxy1:6588
TIMEOUTclose = 0

; vim:ft=dosini
And my bat file used to generate keys:
openssl req -new -x509 -days 365 -nodes -config C:\OpenSSL\bin\openssl.cnf -out stunnel.pem -keyout stunnel.pem

;requirements:
;OpenSSL.exe in C:\windows directory
;Installation of Win32OpenSSL-v0.9.8.mis to C:\
;Edit C:\OpenSSL\bin\openssl.cnf strings
;[ req ]
;default_bits = 8196
;default_keyfile = stunnel.pem
;distinguished_name = req_distinguished_name
;attributes = req_attributes
;x509_extensions = v3_ca # The extentions to add to the self signed cert
Cain Log:
==================================================================
= Cain's MAC Scanner/Promiscuous-mode Detector =
==================================================================
IP Address: (Router)
MAC Address: (RouterMAC)
OUI Fingerprint: Cisco-Linksys, LLC
Hostname:
ARP Test (Broadcast 31-bit): *
ARP Test (Broadcast 16-bit): *
ARP Test (Broadcast 8-bit): *
ARP Test (Group bit): *
ARP Test (Multicast group 0): *
ARP Test (Multicast group 1): *
ARP Test (Multicast group 3): *
Am I doing something wrong here?
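An added check, not from the original post and not part of stunnel: a Python audit that reads a client-mode stunnel.conf shaped like the one above plus a few constructed connection records, and reports which connections actually reached an stunnel accept listener (so stunnel could wrap them in TLS on the way out), which went out as TLS directly, and which left the PC as plaintext HTTP with credentials inside. The config excerpt, the flows, the router address and the Basic-auth value are all constructed for the example.

```python
import configparser
# Constructed client-mode stunnel.conf in the shape of the post (proxy hostnames are placeholders).
STUNNEL_CONF = """
client = yes
[http]
accept = 127.0.0.1:444
connect = httpsupportingproxy3:6588
[https]
accept = 127.0.0.1:443
connect = httpsupportingproxy2:6588
"""
def accept_endpoints(conf_text):
    """Map each stunnel service to the (host, port) where it accepts plaintext from local apps."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[global]\n" + conf_text)  # stunnel's top-level keys have no section header
    endpoints = {}
    for name in cp.sections():
        if cp.has_option(name, "accept"):
            host, _, port = cp[name]["accept"].rpartition(":")
            endpoints[name] = (host or "0.0.0.0", int(port))
    return endpoints
def looks_like_tls(first_bytes):
    """A TLS stream opens with a handshake record: content type 0x16, version 0x03 0x0X."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
def carries_cleartext_credentials(first_bytes):
    """Flag HTTP requests that send Basic auth or a password form field unencrypted."""
    text = first_bytes.decode("latin-1").lower()
    return "authorization: basic " in text or "password=" in text
def audit(conf_text, flows):
    """One verdict per (dst_host, dst_port, first_bytes) flow seen leaving the PC."""
    listeners = set(accept_endpoints(conf_text).values())
    verdicts = []
    for host, port, data in flows:
        if (host, port) in listeners:
            verdicts.append("tunnelled")  # handed to stunnel, which wraps it in TLS outbound
        elif looks_like_tls(data):
            verdicts.append("tls-direct")
        elif carries_cleartext_credentials(data):
            verdicts.append("credentials-in-clear")
        else:
            verdicts.append("plaintext-bypass")  # never touched stunnel and not TLS
    return verdicts

# Constructed flows like the sniffer run in the post; the router address and login are made up.
SAMPLE_FLOWS = [
    ("127.0.0.1", 444, b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("httpsupportingproxy3", 6588, bytes.fromhex("160301")),  # TLS handshake record header
    ("192.168.1.1", 80, b"GET / HTTP/1.1\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
]
```

Only connections whose destination is one of the accept addresses ever pass through stunnel; a browser that is not pointed at 127.0.0.1:444 as its proxy talks to the router directly, which is the third flow above.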