Dear patient users,
It seems that stunnel does not encrypt outbound traffic from my PC. I was able to get stunnel to work in the first place by having different proxies for each protocol. However, to test whether my 8196-bit + x509 certificate keys actually encrypted my traffic, I decided to do a test. I sniffed my own computer using Cain & Abel while logging in to my home router. To my disappointment, the sniffer picked up my username and password in plain text over HTTP several times. Either that, or Abel can crack 256-bit level encryption (256 x 32 = 8196) rather quickly.
My stunnel.conf file:
; Sample stunnel configuration file by Michal Trojnara 2002-2005
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
cert = C:\Program Files\stunnel\stunnel.pem
key = C:\Program Files\stunnel\stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath; CApath is located inside chroot jail:
;CApath = certs
; It's often easier to use CAfile:
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath; CRLpath is located inside chroot jail:
;CRLpath = crls
; Alternatively you can use CRLfile:
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
;output = C:\Program Files\stunnel\stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
client = yes
verify = 0
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
[ssmtp]
accept = 127.0.0.1:465
connect = httpsupportingproxy4:3124
TIMEOUTclose = 0
[http]
accept = 127.0.0.1:444
connect = httpsupportingproxy3:6588
TIMEOUTclose = 0
[https]
accept = 127.0.0.1:443
connect = httpsupportingproxy2:6588
TIMEOUTclose = 0
[ftps]
accept = 127.0.0.1:21
connect = httpsupportingproxy1:6588
TIMEOUTclose = 0
; vim:ft=dosini
And my bat file used to generate keys:
openssl req -new -x509 -days 365 -nodes -config C:\OpenSSL\bin\openssl.cnf -out stunnel.pem -keyout stunnel.pem
;requirements:
;OpenSSL.exe in C:\windows directory
;Installation of Win32OpenSSL-v0.9.8.mis to C:\
;Edit C:\OpenSSL\bin\openssl.cnf strings
;[ req ]
;default_bits = 8196
;default_keyfile = stunnel.pem
;distinguished_name = req_distinguished_name
;attributes = req_attributes
;x509_extensions = v3_ca # The extensions to add to the self signed cert
Cain Log:
==================================================================
= Cain's MAC Scanner/Promiscuous-mode Detector =
==================================================================
IP Address: (Router)
MAC Address: (RouterMAC)
OUI Fingerprint: Cisco-Linksys, LLC
Hostname:
ARP Test (Broadcast 31-bit): *
ARP Test (Broadcast 16-bit): *
ARP Test (Broadcast 8-bit): *
ARP Test (Group bit): *
ARP Test (Multicast group 0): *
ARP Test (Multicast group 1): *
ARP Test (Multicast group 3): *
Am I doing something wrong here?
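As an added example (not from the original post, and not stunnel's own code), a small Python checker that parses a stunnel.conf in the format shown above and reports three things a defender looks at in a client-mode setup: which local accept addresses are the only ones stunnel wraps in TLS, whether the peer certificate is verified at all, and which global keys repeat. The embedded config is constructed from the posted one, with the proxy host names kept as the placeholders that appear in the post.

```python
import re

# Constructed from the stunnel.conf in the post above (proxy names are the
# placeholders as posted); added example, not stunnel's own code.
SAMPLE_CONF = """
; Use it for client mode
client = yes
client = yes
verify = 0
;[pop3s]
;accept = 995
[http]
accept = 127.0.0.1:444
connect = httpsupportingproxy3:6588
[https]
accept = 127.0.0.1:443
connect = httpsupportingproxy2:6588
"""

def parse_stunnel_conf(text):
    """Return (global_opts, services); values are lists since keys may repeat."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services

def lint(global_opts, services):
    """Defender-side findings about a client-mode stunnel configuration."""
    client = global_opts.get("client", ["no"])[-1] == "yes"
    verify = int(global_opts.get("verify", ["0"])[-1])
    return {
        # verify = 0 is "request and ignore peer certificate": the client cannot
        # tell the real proxy from anything else answering on that port.
        "peer_unverified": client and verify == 0,
        "repeated_keys": sorted(k for k, v in global_opts.items() if len(v) > 1),
        # Only connections made to these accept addresses are wrapped in TLS; a
        # browser talking straight to a LAN router never passes through stunnel.
        "tunneled_endpoints": {n: o.get("accept", [""])[-1] for n, o in services.items()},
    }
```

Run `lint(*parse_stunnel_conf(SAMPLE_CONF))` to get the findings as a dict; commented-out services such as `;[pop3s]` are correctly left out, matching what stunnel itself would load.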