Dear patient users,

It seems that stunnel does not encrypt outward traffic from my PC. I was able to get stunnel to work in the first place by having different proxies for each protocol. However, to test if my 8196 bit + x509 certificate keys actually encrypted my traffic I decided to do a test. I had sniffed my own computer using Cain and Abel while logging in to my home router. To my disappointment, the sniffer picked up my username and password in plain text through HTTP protocol several times. Either that or Abel can crack 256-bit level encryption (256 x 32 = 8196) rather quickly.

My stunnel.conf file:

; Sample stunnel configuration file by Michal Trojnara 2002-2005
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
cert = C:\Program Files\stunnel\stunnel.pem
key = C:\Program Files\stunnel\stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath;  CApath is located inside chroot jail:
;CApath = certs
; It's often easier to use CAfile:
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath;  CRLpath is located inside chroot jail:
;CRLpath = crls
; Alternatively you can use CRLfile:
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = C:\Program Files\stunnel\stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

client = yes
verify = 0

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

[ssmtp]
accept  = 127.0.0.1:465
connect = httpsupportingproxy4:3124
TIMEOUTclose = 0

[http]
accept  = 127.0.0.1:444
connect = httpsupportingproxy3:6588
TIMEOUTclose = 0

[https]
accept  = 127.0.0.1:443
connect = httpsupportingproxy2:6588
TIMEOUTclose = 0

[ftps]
accept  = 127.0.0.1:21
connect = httpsupportingproxy1:6588
TIMEOUTclose = 0

; vim:ft=dosini

And my bat file used to generate keys:

openssl req -new -x509 -days 365 -nodes -config C:\OpenSSL\bin\openssl.cnf -out stunnel.pem -keyout stunnel.pem

REM requirements (batch files have no ';' comment syntax, so these notes use REM):
REM OpenSSL.exe in C:\windows directory
REM Installation of Win32OpenSSL-v0.9.8.mis to C:\
REM Edit C:\OpenSSL\bin\openssl.cnf strings
REM [ req ]
REM default_bits       = 8196
REM default_keyfile    = stunnel.pem
REM distinguished_name = req_distinguished_name
REM attributes         = req_attributes
REM x509_extensions    = v3_ca      # The extensions to add to the self signed cert

Cain Log:

==================================================================
= Cain's MAC Scanner/Promiscuous-mode Detector                   =
==================================================================
IP Address: (Router)
MAC Address: (RouterMAC)
OUI Fingerprint: Cisco-Linksys, LLC
Hostname:
ARP Test (Broadcast 31-bit): *
ARP Test (Broadcast 16-bit): *
ARP Test (Broadcast 8-bit): *
ARP Test (Group bit): *
ARP Test (Multicast group 0): *
ARP Test (Multicast group 1): *
ARP Test (Multicast group 3): *

Am I doing something wrong here?
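As an added illustration (not code from the original post or from the stunnel project), the Python below parses a configuration laid out like the posted one and shows which connections actually pass through stunnel. In client mode each [service] only wraps in TLS the traffic an application deliberately sends to that service's accept socket (127.0.0.1:444 and so on) and forwards it to the connect host; a browser that talks straight to the router on port 80 never touches stunnel, which is consistent with what the sniffer recorded. The audit also flags the global verify = 0, which in client mode means the remote certificate is requested but not checked (per the stunnel manual's description of verify levels), and the repeated client = yes line. The configuration excerpt, the observed-connection list and the proxy host names are constructed placeholders.

```python
# Added example (not from the original post): parse a stunnel.conf laid out like the
# posted one, list what each service actually tunnels, and classify observed outbound
# connections as "tunneled" (sent to an stunnel accept socket) or "DIRECT".
from typing import Dict, List, Tuple

# Constructed excerpt of the posted configuration; the proxy host names are the
# placeholders quoted in the post, not real hosts.
SAMPLE_CONF = """
; global options come before the first [section]
client = yes
client = yes
verify = 0

[http]
accept  = 127.0.0.1:444
connect = httpsupportingproxy3:6588
TIMEOUTclose = 0

[https]
accept  = 127.0.0.1:443
connect = httpsupportingproxy2:6588
"""

Globals = List[Tuple[str, str]]
Services = Dict[str, Dict[str, str]]


def parse_stunnel_conf(text: str) -> Tuple[Globals, Services]:
    """Return (global options, {service: {option: value}}).

    Global options are kept as an ordered list because stunnel legitimately
    repeats some keys (e.g. two 'socket' lines) and other repeats are worth reporting.
    """
    globals_: Globals = []
    services: Services = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment, as in the post
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if current is None:
            globals_.append((key, value))
        else:
            services[current][key] = value
    return globals_, services


def split_host_port(endpoint: str) -> Tuple[str, int]:
    """'127.0.0.1:444' -> ('127.0.0.1', 444); a bare port means all interfaces."""
    host, _, port = endpoint.rpartition(":")
    return (host or "0.0.0.0", int(port))


def classify_connection(dst_ip: str, dst_port: int, services: Services) -> str:
    """Name of the service whose accept socket this connection hits, else 'DIRECT'.

    Only connections that land on an accept socket are wrapped in TLS by stunnel;
    everything else (e.g. a browser talking to the router on port 80) leaves as-is.
    """
    for name, svc in services.items():
        host, port = split_host_port(svc["accept"])
        if port == dst_port and host in ("0.0.0.0", dst_ip):
            return name
    return "DIRECT"


def audit(globals_: Globals, services: Services) -> List[str]:
    """Findings a reviewer would raise about a configuration like the posted one."""
    findings: List[str] = []
    keys = [k for k, _ in globals_]
    for key in sorted(set(keys)):
        if keys.count(key) > 1 and key != "socket":
            findings.append(f"global option '{key}' is repeated {keys.count(key)} times")
    opts = dict(globals_)  # later duplicates override earlier ones here
    if opts.get("client") == "yes" and int(opts.get("verify", "0")) < 2:
        findings.append("client mode with verify < 2: the remote certificate is not "
                        "checked, so the TLS leg does not authenticate the proxy")
    for name, svc in services.items():
        findings.append(f"[{name}] only traffic sent to {svc['accept']} is encrypted "
                        f"and forwarded to {svc['connect']}")
    return findings


if __name__ == "__main__":
    glob, svcs = parse_stunnel_conf(SAMPLE_CONF)
    for line in audit(glob, svcs):
        print("-", line)
    # Constructed connections as a sniffer on the host might see them.
    for ip, port in [("127.0.0.1", 444), ("192.168.1.1", 80)]:
        print(f"{ip}:{port} -> {classify_connection(ip, port, svcs)}")
```

Running it against the excerpt reports the router login (192.168.1.1:80) as DIRECT: the browser has to be pointed at the loopback accept ports (for example as an HTTP proxy at 127.0.0.1:444) before any of its traffic is encrypted, and even then the proxy's certificate is not verified while verify stays at 0.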