Hello,
I was trying MITM on a windows application (which talks to a M$ server). Stunnel was running on my windows xp machine.
windows-client-app -> stunnel server ---> stunnel client --> M$ Server
What I found is that the stunnel server sends a close notify alert to the windows client app, which causes the client to suspend all further communication (busted windows client, of course!). I tried setting the TimeoutClose option to high values, but I always saw the server sending the close notify alert (is the timeout close only a client-side parameter?)
Is there a way to configure the server to not send close notify?
stunnel logs:
2012.11.28 18:32:12 LOG7[3908:5904]: SSL socket closed on SSL_read
2012.11.28 18:32:12 LOG7[3908:5904]: Sent socket write shutdown
2012.11.28 18:32:12 LOG7[3908:4232]: Socket closed on read
2012.11.28 18:32:12 LOG5[3908:5904]: Connection closed: 901 byte(s) sent to SSL, 38020 byte(s) sent to socket
2012.11.28 18:32:12 LOG7[3908:4232]: Sending close_notify alert
2012.11.28 18:32:12 LOG7[3908:4232]: SSL alert (write): warning: close notify
2012.11.28 18:32:12 LOG6[3908:4232]: SSL_shutdown successfully sent close_notify alert
2012.11.28 18:32:12 LOG7[3908:5904]: Remote socket (FD=356) closed
I finally ended up making this one-line code change to stop the server from sending the close alert, which helped my MITM progress.
src/client.c:
if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) && !sock_open_rd && !c->sock_ptr) {
    s_log(LOG_DEBUG, "BHAKTA - HACK -> Skip Sending close_notify alert");
    /* the "0 &&" forces the SSLv2-style branch below: TCP FIN, no close_notify */
    if(0 && SSL_version(c->ssl)!=SSL2_VERSION) { /* SSLv3, TLSv1 */
        s_log(LOG_DEBUG, "Sending close_notify alert");
        shutdown_wants_write=1;
    } else { /* no alerts in SSLv2, including the close_notify alert */
        s_log(LOG_DEBUG, "Closing SSLv2 socket");
        if(c->ssl_rfd->is_socket)
            shutdown(c->ssl_rfd->fd, SHUT_RD); /* notify the kernel */
        if(c->ssl_wfd->is_socket)
            shutdown(c->ssl_wfd->fd, SHUT_WR); /* send TCP FIN */
        /* notify the OpenSSL library */
        SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
    }
}
Is there a way to prevent the server from sending the close notify alert by means of stunnel.conf parameters?
stunnel.conf:
debug = 7
output = stunnel.log
cert = fakecert.pem
key = fakecert.key
options = DONT_INSERT_EMPTY_FRAGMENTS
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
sslVersion = TLSv1
accept = 0.0.0.0:443
connect = 127.0.0.1:446

[https-client]
client = yes
sslVersion = TLSv1
accept = 127.0.0.1:446
connect = 172.24.244.11:443
TIMEOUTclose = 300
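As an added example (not part of the post and not stunnel's own code), a small Python parser that groups stunnel's debug log records by their [pid:tid] thread, so that each proxied connection's shutdown sequence, byte counts and any close_notify it sent can be read separately; it assumes the "date time LOGn[pid:tid]: message" layout shown in the post and uses the quoted log lines as its sample input.

```python
import re
from collections import defaultdict

# Sample input: the debug-level log lines quoted in the post, one record per line.
SAMPLE_LOG = """\
2012.11.28 18:32:12 LOG7[3908:5904]: SSL socket closed on SSL_read
2012.11.28 18:32:12 LOG7[3908:5904]: Sent socket write shutdown
2012.11.28 18:32:12 LOG7[3908:4232]: Socket closed on read
2012.11.28 18:32:12 LOG5[3908:5904]: Connection closed: 901 byte(s) sent to SSL, 38020 byte(s) sent to socket
2012.11.28 18:32:12 LOG7[3908:4232]: Sending close_notify alert
2012.11.28 18:32:12 LOG7[3908:4232]: SSL alert (write): warning: close notify
2012.11.28 18:32:12 LOG6[3908:4232]: SSL_shutdown successfully sent close_notify alert
2012.11.28 18:32:12 LOG7[3908:5904]: Remote socket (FD=356) closed
"""

# Assumed record layout (as in the post): "<date> <time> LOG<level>[<pid>:<tid>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
STATS_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")

def _new_thread():
    return {"events": [], "sent_close_notify": False, "tls_peer_closed": False,
            "plain_peer_closed": False, "bytes_to_ssl": None, "bytes_to_socket": None}

def parse_stunnel_log(text):
    """Group records by [pid:tid] (one stunnel thread per proxied connection) and
    flag, per thread, which side closed first and whether stunnel sent close_notify."""
    threads = defaultdict(_new_thread)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a stunnel record; skip it
        _ts, _level, pid, tid, msg = m.groups()
        t = threads[(pid, tid)]
        t["events"].append(msg)
        if msg.startswith("SSL socket closed on SSL_read"):
            t["tls_peer_closed"] = True    # the TLS-side peer went away first
        elif msg.startswith("Socket closed on read"):
            t["plain_peer_closed"] = True  # the plaintext-side peer went away first
        elif "successfully sent close_notify" in msg:
            t["sent_close_notify"] = True  # this thread emitted the TLS alert
        s = STATS_RE.search(msg)
        if s:
            t["bytes_to_ssl"], t["bytes_to_socket"] = int(s[1]), int(s[2])
    return dict(threads)

def close_notify_senders(text):
    """Return the sorted (pid, tid) pairs of threads that sent a close_notify alert."""
    return sorted(k for k, t in parse_stunnel_log(text).items() if t["sent_close_notify"])

if __name__ == "__main__":
    for key, t in sorted(parse_stunnel_log(SAMPLE_LOG).items()):
        print(key, {k: v for k, v in t.items() if k != "events"})
```

On the quoted lines this separates the thread that lost its plaintext peer and then sent close_notify (4232) from the thread whose TLS peer closed first and that only reported the byte counts (5904).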