Hi List,
I have a little issue trying to get stunnel running to encapsulate an existing service with SSL. We are running a really old legacy ircd service and would like to provide SSL for the users without having to actually hack that into the really old code base. (Yes, we could just use other, more modern software, but let's just say there are "political" reasons why this is not an option.) For an ircd we need transparency, as in "the ircd should think the connection is not coming from localhost". ANYWAY... so I am working with stunnel 4.39 right now.
First a question, to check whether I understand correctly how stunnel will work. I have the ircd running on IP1:6667. I created a service section like this:
    [ircd]
    accept = 7000
    connect = 6667
    transparent = source
(And I applied the iptables/routing-related stuff mentioned in the documentation.) Should this already work? Will stunnel "manipulate" packets so that the ircd "sees" connections from the peers' IPs? And will the answers the ircd sends to the peers get "intercepted" by stunnel so it can "remanipulate" the answers into the SSL connection? If I try it like this I get "local_bind (original port): Cannot assign requested address (99) stunnel" and clients get a connection abort.
Or is this what "transparent = both" is for? With 4.39 I had an issue trying to use "transparent = both". stunnel always displayed an error message saying "Each service must define two endpoints" (more or less). I got it to compile by commenting out the one line in options.c causing the error...

#### snip ####
    } else { /* standalone mode checks */
        if((unsigned int)section->option.accept
                + (unsigned int)section->option.program
                + (unsigned int)section->option.remote
                + (unsigned int)section->option.sni
#ifndef USE_WIN32
                + (unsigned int)section->option.transparent_dst
#endif /* USE_WIN32 */
                !=2) {
            section_error(last_line, section->servname,
                "Each service must define two endpoints");
            return 0;
        }
### snap ###

I commented out the line within the ifndef.
Anyway... I hope somebody can clarify for me how stunnel works and which transparent mode is the one I need. (I want to transparently provide the ircd service with connections so that they seem to come directly from the peers and not from stunnel (localhost).)
regards,
Julian Seifert
-- I hate mondays...
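As an added example, not part of Julian's post and not stunnel's own code: a setup script that pulls together what the stunnel manual requires for "transparent = source" on Linux (a 2.6.28 or newer kernel, stunnel started as root and without the setuid option, and the mangle-table/policy-routing rules that the manual lists for this mode) together with the checks worth running before starting stunnel. The ircd listening on 127.0.0.1:6667, the config path /etc/stunnel/ircd.conf, the mark/table numbers and all function names are assumptions of the example, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not stunnel's own code): prepare a
# Linux host for stunnel "transparent = source" in front of a plaintext
# ircd on the same box.  Assumptions: kernel >= 2.6.28 (IP_TRANSPARENT),
# iptables and iproute2 installed, ircd on 127.0.0.1:6667, config at the
# hypothetical path /etc/stunnel/ircd.conf.

STUNNEL_CONF=${STUNNEL_CONF:-/etc/stunnel/ircd.conf}
FWMARK=1        # mark put on packets that belong to a local socket
RT_TABLE=100    # policy-routing table that delivers them via lo

# ver_num "3.2.0-4-amd64" -> 3002000: the non-numeric suffix is dropped,
# missing components count as 0, so versions compare as plain integers.
ver_num() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//' |
        awk -F. '{ print $1 * 1000000 + $2 * 1000 + $3 }'
}

# kernel_at_least RUNNING WANTED: 0 when RUNNING is WANTED or newer.
kernel_at_least() {
    [ "$(ver_num "$1")" -ge "$(ver_num "$2")" ]
}

# Service section for the wrapper.  "accept" and "connect" are the two
# endpoints stunnel's option check counts; "transparent" only modifies them.
ircd_service_section() {
    printf '[ircd]\naccept = %s\nconnect = %s\ntransparent = source\n' "$1" "$2"
}

# 0 when config $1 asks for transparent source mode and keeps root:
# binding the client's address needs IP_TRANSPARENT, which needs
# CAP_NET_ADMIN, so a global "setuid =" line defeats this mode.
conf_transparent_ok() {
    grep -Eq '^[[:space:]]*transparent[[:space:]]*=[[:space:]]*(source|both)' "$1" &&
        ! grep -Eq '^[[:space:]]*setuid[[:space:]]*=' "$1"
}

# Rule set the stunnel manual gives for this mode on Linux >= 2.6.28:
# TCP packets that match an existing local socket (stunnel's, bound to
# the client's address) are marked and policy-routed to lo so they are
# delivered to that socket instead of being forwarded or dropped.
# Meant to run once at boot; re-running it appends duplicate rules.
apply_tproxy_rules() {
    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    iptables -t mangle -A DIVERT -j ACCEPT
    ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE"
}

# Only act when invoked as "sh setup-transparent.sh apply".
if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] ||
        { echo 'run as root: IP_TRANSPARENT needs CAP_NET_ADMIN' >&2; exit 1; }
    kernel_at_least "$(uname -r)" 2.6.28 ||
        { echo 'kernel older than 2.6.28, no transparent source mode' >&2; exit 1; }
    [ -f "$STUNNEL_CONF" ] ||
        { echo "$STUNNEL_CONF missing; service section to add:" >&2
          ircd_service_section 7000 127.0.0.1:6667 >&2; exit 1; }
    conf_transparent_ok "$STUNNEL_CONF" ||
        { echo "$STUNNEL_CONF: needs transparent = source and no setuid" >&2; exit 1; }
    apply_tproxy_rules
    echo "rules installed; start stunnel as root: stunnel $STUNNEL_CONF"
fi
```

Two things worth knowing when reading the error in the post: errno 99 on Linux is EADDRNOTAVAIL, which is what bind() returns for an address the host does not own unless the socket has IP_TRANSPARENT set, and setting that option needs CAP_NET_ADMIN, which is why the manual insists on root without setuid (a real cost, since this is the SSL-facing process). And because the backend here sits on the same machine, confirm with `tcpdump -ni lo port 6667` that the ircd's replies addressed to the client IP come back over lo into stunnel's socket rather than leaving through the real interface; if they do not, the policy route above is not catching them and the ircd should be moved to a separate host.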