Hi Luis,

Thanks for the detailed reply!

> Ok, been reading. The short answer is no.

Oh well :-( I guess that's what IPsec's for.

> The longer answer is SSL doesn't support OOB data, so that's why
> not. I did read your post saying you've read specs where it says it
> does, but I could find no such. Take a look at RFC4346, section 6.2
> http://tools.ietf.org/html/rfc4346#page-14
> Take a look also at this thread:
> http://www1.ietf.org/mail-archive/web/tls/current/msg01041.html

Doesn't that thread suggest that OOB functionality is part of the SSLv3
standard? Is version three one of those "yet to be" standards that is still
a long way off? Renamed TLS? (I found several RFCs dealing with this; anyone
know which is the relevant one? I couldn't find "Urgent", "OOB" or "band" in
4346.)

My understanding (imagination maybe) is that the OOB character is to be
packaged up as a single-byte record surrounded with the SSL wrapper, with a
bit set that says it's the OOB character. I would now like stunnel just to
dequeue it from SSL and then set the MSG_OOB flag and replay it to the
application port. So it's sort of quasi-OOB to Stunnel and then true-OOB to
the receiving port.

> The argument (almost) in full:
> - SSL doesn't define anything like OOB data in its streams, so
> anything we did in stunnel would be an extension, and not
> interoperable. And, anyways, would have to be done in openssl and not
> in stunnel, I think.

I must be confused about what's available (the only SSL code I've cut is
simple Java client stuff) 'cos I'm sure I've seen patch comments that say
something like "make sure stunnel handles OOB data correctly", and isn't
there some sort of OOB INLINE configuration parameter? Is there really
nothing available after the SSL_read that identifies the data as an OOB
character?

Anyway, thanks again for the reply.

Cheers, Richard Maher

PS. Does anyone out there know of a lower-level version of Stunnel (or
something else) that spoofs the originating host address when replaying the
connection on the local server? It sure would be useful for client
identification, and for reducing DoS attacks!
----- Original Message -----
From: "Luis Rodrigo Gallardo Cruz" <rodrigo@nul-unu.com>
To: <stunnel-users@mirt.net>
Sent: Tuesday, September 18, 2007 9:14 AM
Subject: [stunnel-users] Relaying OOB data [Was: A series of minor patches from Debian]

> _______________________________________________
> stunnel-users mailing list
> stunnel-users@mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
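Added example, not code from this thread or from the stunnel project: what TCP urgent ("out-of-band") data actually looks like to the receiving socket, which is the behaviour a relay that re-sends the byte with MSG_OOB, as proposed in the message above, would have to reproduce, and what the SO_OOBINLINE option changes. A TLS record carries only a content type, version and length (RFC 4346 section 6.2), so nothing crossing stunnel keeps the urgent mark; this shows what is lost. It assumes Linux TCP on 127.0.0.1 with a kernel-chosen port, a constructed payload of "abc", an urgent "!" and "def", and the helper names (loopback_pair, recv_n, oob_roundtrip) are mine.

```c
/* Added example (not from the stunnel list or project): TCP urgent data as
 * seen by the receiver, with and without SO_OOBINLINE.  Assumes Linux TCP on
 * 127.0.0.1 (BSD-style urgent pointer) and a kernel-chosen ephemeral port. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the receiving side observed for one stream. */
struct oob_result {
    char before[8];   /* bytes read before the urgent mark          */
    int  at_mark;     /* sockatmark() once those bytes were read     */
    int  oob_rc;      /* recv(MSG_OOB) return value (1 = got a byte) */
    char oob[2];      /* the urgent byte, when recv(MSG_OOB) worked  */
    char after[8];    /* bytes read once past the mark               */
};

/* Connected TCP pair over loopback, kernel-chosen port: *cli -> *srv. */
static int loopback_pair(int *cli, int *srv, int inline_oob)
{
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int lst = socket(AF_INET, SOCK_STREAM, 0);
    if (lst < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                              /* let the kernel pick */
    if (bind(lst, (struct sockaddr *)&a, alen) < 0 || listen(lst, 1) < 0 ||
        getsockname(lst, (struct sockaddr *)&a, &alen) < 0) {
        close(lst);
        return -1;
    }
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0 || connect(*cli, (struct sockaddr *)&a, alen) < 0) {
        close(lst);
        return -1;
    }
    *srv = accept(lst, NULL, NULL);
    close(lst);
    if (*srv < 0) return -1;
    if (inline_oob) {
        /* Must be set before the urgent byte arrives to take effect. */
        int one = 1;
        if (setsockopt(*srv, SOL_SOCKET, SO_OOBINLINE, &one, sizeof one) < 0)
            return -1;
    }
    return 0;
}

/* Loopback may split or coalesce segments: keep reading until n bytes. */
static int recv_n(int fd, char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = recv(fd, buf + got, n - got, 0);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    buf[n] = '\0';
    return 0;
}

/* Send "abc", an urgent "!", then "def" (constructed sample payload) and
 * record how the receiver sees them.  Returns 0 on success, -1 on a socket
 * error or if no urgent data shows up within two seconds. */
int oob_roundtrip(int inline_oob, struct oob_result *r)
{
    int cli, srv, rc = -1;
    struct pollfd pfd;
    memset(r, 0, sizeof *r);
    if (loopback_pair(&cli, &srv, inline_oob) < 0) return -1;

    if (send(cli, "abc", 3, 0) != 3 ||
        send(cli, "!", 1, MSG_OOB) != 1 ||   /* URG flag + urgent pointer */
        send(cli, "def", 3, 0) != 3)
        goto out;

    /* POLLPRI fires once the kernel has seen the urgent pointer, so the
     * normal read below is guaranteed to stop at the mark. */
    pfd.fd = srv;
    pfd.events = POLLPRI;
    if (poll(&pfd, 1, 2000) != 1 || !(pfd.revents & POLLPRI)) goto out;

    /* A normal read never crosses the urgent mark: "abc" and nothing more. */
    if (recv_n(srv, r->before, 3) < 0) goto out;
    r->at_mark = sockatmark(srv);

    /* Default (out-of-line): the urgent byte is reachable only via MSG_OOB
     * and is dropped from the in-band stream.  With SO_OOBINLINE: MSG_OOB
     * fails with EINVAL and the byte is simply the next in-band byte. */
    r->oob_rc = (int)recv(srv, r->oob, 1, MSG_OOB);
    if (r->oob_rc != 1) r->oob[0] = '\0';

    if (recv_n(srv, r->after, inline_oob ? 4 : 3) < 0) goto out;
    rc = 0;
out:
    close(cli);
    close(srv);
    return rc;
}

int main(void)
{
    struct oob_result r;
    int mode;
    for (mode = 0; mode < 2; mode++) {
        if (oob_roundtrip(mode, &r) < 0) { perror("oob_roundtrip"); return 1; }
        printf("%s: before=\"%s\" at_mark=%d oob_rc=%d oob=\"%s\" after=\"%s\"\n",
               mode ? "SO_OOBINLINE" : "default", r.before, r.at_mark,
               r.oob_rc, r.oob, r.after);
    }
    return 0;
}
```

The point for a relay: the receiver learns where the mark is from the TCP header (URG flag and urgent pointer), and sockatmark()/POLLPRI are the only signals it gets. Once the bytes have been read with SSL_read and re-sent as ordinary data, that header information is gone, so a relay can only recreate the mark if the protocol it carries signals it in-band.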