Hi, Brian.
 
You know, I probably did not ask this question clearly enough. I understood that the purpose of "starttls" is to negotiate a (higher-level) encrypted connection on the same port. No problem with this much. What I am really trying to get at is this: how does stunnel go about requesting the negotiation from the server? I am wanting to make a connection to a remote SMTP server using stunnel on port 587. So, if I use this setting
 
[my SMTP connection]
Accept = 127.0.0.1:<some port>
Connect = <SMTP server IP>:587
 
I am assuming that with this my connection would start out SSL, but where is the part that makes it begin to negotiate from SSL to TLS? Based on my impression of what I read, I was expecting also to see something along these lines
 
protocol = starttls 
 
This assumption may very well be a misconception, but how so? Thanks.
 
Or is my understanding of this process faulty, incomplete, all of the above?  :(
 
 
John 
 
 
Knowledge counts.  
 
On 12/05/12, Brian Wilkins <bwilkins@gmail.com> wrote:
 
From protocol.c in the stunnel source:

static const struct {
    char *name;
    struct {
        PROTOCOL_PHASE type;
        FUNCTION func;
    } handlers[2];
} protocols[]={
    {"proxy",   {{PROTOCOL_PRE_SSL,     proxy_server},      {PROTOCOL_PRE_SSL, NULL}}},
    {"cifs",    {{PROTOCOL_PRE_CONNECT, cifs_server},       {PROTOCOL_PRE_SSL, cifs_client}}},
    {"pgsql",   {{PROTOCOL_PRE_CONNECT, pgsql_server},      {PROTOCOL_PRE_SSL, pgsql_client}}},
    {"smtp",    {{PROTOCOL_PRE_SSL,     smtp_server},       {PROTOCOL_PRE_SSL, smtp_client}}},
    {"pop3",    {{PROTOCOL_PRE_SSL,     pop3_server},       {PROTOCOL_PRE_SSL, pop3_client}}},
    {"imap",    {{PROTOCOL_PRE_SSL,     imap_server},       {PROTOCOL_PRE_SSL, imap_client}}},
    {"nntp",    {{PROTOCOL_NONE,        NULL},              {PROTOCOL_PRE_SSL, nntp_client}}},
    {"connect", {{PROTOCOL_PRE_CONNECT, connect_server},    {PROTOCOL_PRE_SSL, connect_client}}},
    {NULL,      {{PROTOCOL_NONE,        NULL},              {PROTOCOL_NONE,    NULL}}}
};

STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.

stunnel will use one port to communicate the encrypted information. That's what it is telling you. No need to initiate a separate port when STARTTLS is sent.
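What the "smtp" entry in that table means in practice, as an added example that is not stunnel's code: with "client = yes" and "protocol = smtp", stunnel first talks plaintext SMTP on the port 587 connection (220 greeting, EHLO, STARTTLS, 220) and only then starts the TLS handshake on the same socket. The Python below reproduces that plaintext phase against a constructed mock server; mock_server, run and the banner text are invented here.

```python
# Added example, not stunnel's code: the plaintext SMTP phase that stunnel's
# "protocol = smtp" client mode runs before its TLS handshake; mock server constructed.
import socket, threading

CRLF = b"\r\n"

def read_reply(f):
    """Read one SMTP reply; "250-" lines continue it, "250 " (or a bare code) ends it."""
    lines = []
    while line := f.readline().rstrip(b"\r\n").decode("ascii", "replace"):
        lines.append(line[4:])
        if len(line) < 4 or line[3] == " ":
            return int(line[:3]), lines
    raise ConnectionError("peer closed before completing its reply")

def negotiate_starttls(sock, helo_name="localhost"):
    """Speak plaintext SMTP until STARTTLS is accepted; True means the TLS handshake may start."""
    with sock.makefile("rb") as f:
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError(f"unexpected greeting {code}")
        sock.sendall(b"EHLO " + helo_name.encode("ascii") + CRLF)
        code, caps = read_reply(f)
        # No STARTTLS in the capability list (unsupported, or stripped in transit): stay out of the clear.
        if code != 250 or "STARTTLS" not in (c.upper() for c in caps):
            raise RuntimeError("STARTTLS not offered; refusing plaintext session")
        sock.sendall(b"STARTTLS" + CRLF)
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with {code}")
    return True  # caller now wraps sock with ssl.SSLContext.wrap_socket()

def mock_server(sock, advertise):
    # Constructed server that speaks only the plaintext phase; no real TLS follows.
    with sock.makefile("rb") as f:
        sock.sendall(b"220 mx.example ESMTP" + CRLF)
        f.readline()  # consume EHLO
        caps = [b"250-mx.example"] + ([b"250-STARTTLS"] if advertise else []) + [b"250 8BITMIME"]
        sock.sendall(CRLF.join(caps) + CRLF)
        if f.readline().strip().upper() == b"STARTTLS":
            sock.sendall(b"220 Ready to start TLS" + CRLF)

def run(advertise=True):
    # Drive the client against the mock server over a socketpair; False on refusal.
    a, b = socket.socketpair()
    t = threading.Thread(target=mock_server, args=(b, advertise)); t.start()
    try:
        return negotiate_starttls(a)
    except RuntimeError:
        return False
    finally:
        a.close(); t.join()
```

The second case (advertise=False) is the one worth watching in logs: a server, or something in the path, that offers no STARTTLS should end the session rather than let it continue in plaintext.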



On Wed, Dec 5, 2012 at 1:27 PM, John A. Wallace <jw72253@verizon.net> wrote:

The Service Level Options of the manual includes the following points:

protocol = proto

      application protocol to negotiate SSL (e.g. starttls or stls)

      protocol option should not be used with SSL encryption on a separate port.

      Currently supported protocols:

CIFS

Connect

Etc..

However, in the listed protocols supported neither starttls nor stls appears, even though they appear to be options as far as I can see from the above explanation.  Am I missing something here, or should they be among those in the list, and can one use this setting:

Protocol=starttls


Also, I don't really understand what this statement is telling me: protocol option should not be used with SSL encryption on a separate port.

John A. Wallace


_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users