Hi all,
I was able to set up stunnel between two hosts successfully, but the only problem I am facing is that the SSL connection between the two hosts is not persistent. For every connection I make to the stunnel client, a new SSL connection is established by the stunnel client to the stunnel server.
Is there a configuration variable in stunnel which can make the SSL connection between stunnel client and server persistent?
Thanks,
-Dorai.
On Fri, Mar 13, 2009 at 01:28:56PM -0700, Dorai Ashok wrote:
Hi all,
I was able to set up stunnel between two hosts successfully, but the only problem I am facing is that the SSL connection between the two hosts is not persistent. For every connection I make to the stunnel client, a new SSL connection is established by the stunnel client to the stunnel server.
Is there a configuration variable in stunnel which can make the SSL connection between stunnel client and server persistent?
I don't think there's a way to do that. SSL *is* a connection-oriented protocol: it is meant to authenticate and/or encrypt a single session between a client and a server. I don't think that the protocol allows both the "client" and "server" instances of stunnel (or, for that matter, any other program that speaks SSL) to negotiate and maintain a multiplexed connection and differentiate between messages from different sessions that are to be sent to different clients.
Of course, I could be wrong :)
G'luck, Peter
Dorai Ashok wrote: [Fri Mar 13 2009, 04:28:56PM EDT]
I was able to set up stunnel between two hosts successfully, but the only problem I am facing is that the SSL connection between the two hosts is not persistent. For every connection I make to the stunnel client, a new SSL connection is established by the stunnel client to the stunnel server.
Is there a configuration variable in stunnel which can make the SSL connection between stunnel client and server persistent?
stunnel always builds a new SSL connection for every connection it accepts on the client side. This is normally the right thing because the server might be an SSL application rather than another instance of stunnel.
It would be possible for stunnel to build a persistent SSL connection to the server if the server is known to be another stunnel instance, in which case every connection accepted on the client side would spawn a new "exec" or "connect" on the server, and the connections would be multiplexed over the single SSL connection. That would be a very nice feature to add to stunnel, but AFAIK it's not there right now.
It is, however, in OpenSSH. This is what ssh -L port:remote:port does. That is probably where you need to look if you depend on this feature.
Regards, Aron
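As an added illustration of the behaviour Aron describes (this is not configuration from the thread; the hostnames, ports and certificate paths are assumed), a minimal stunnel client/server pair: every connection accepted on 127.0.0.1:1234 causes its own TLS handshake to the server, and the server makes a fresh connect (or exec) for that single connection.

```ini
; --- /etc/stunnel/stunnel.conf on the CLIENT host (assumed path) ---
; Each TCP connection accepted here becomes one new TLS connection
; to the server; there is no directive to pool or multiplex them.
[app-tunnel]
client = yes
; plaintext from the local application
accept = 127.0.0.1:1234
; TLS to the remote stunnel (one handshake per accepted connection)
connect = server.example.com:4433
; verify the server's certificate chain on every one of those handshakes
CAfile = /etc/stunnel/ca.pem
verify = 2

; --- /etc/stunnel/stunnel.conf on the SERVER host (assumed path) ---
[app-tunnel]
accept = 0.0.0.0:4433
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
; one plaintext connect (or one exec of a program) per TLS connection
connect = 127.0.0.1:80
```

The OpenSSH alternative Aron points to, `ssh -N -L 1234:127.0.0.1:80 user@server.example.com`, carries every forwarded connection as a channel inside one authenticated SSH session, which is the multiplexing the original question asks for.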
Pierre, Peter, Aron,
Thanks for all the responses.
I now have a better understanding of the main use case for stunnel. In our particular case, we need the connection multiplexing since we cannot maintain a persistent connection to the stunnel client and we cannot afford to create a new SSL connection for every new connection to the stunnel client.
So, we will probably go with SSH tunneling.
-Dorai
PS: My emails to the mailing list get blocked by a spam blocker so you might not see this message in the mailing list archives.
On Mon, Mar 16, 2009 at 8:27 AM, Aron Griffis aron@hp.com wrote:
Dorai Ashok wrote: [Fri Mar 13 2009, 04:28:56PM EDT]
I was able to set up stunnel between two hosts successfully, but the only problem I am facing is that the SSL connection between the two hosts is not persistent. For every connection I make to the stunnel client, a new SSL connection is established by the stunnel client to the stunnel server.
Is there a configuration variable in stunnel which can make the SSL connection between stunnel client and server persistent?
stunnel always builds a new SSL connection for every connection it accepts on the client side. This is normally the right thing because the server might be an SSL application rather than another instance of stunnel.
It would be possible for stunnel to build a persistent SSL connection to the server if the server is known to be another stunnel instance, in which case every connection accepted on the client side would spawn a new "exec" or "connect" on the server, and the connections would be multiplexed over the single SSL connection. That would be a very nice feature to add to stunnel, but AFAIK it's not there right now.
It is, however, in OpenSSH. This is what ssh -L port:remote:port does. That is probably where you need to look if you depend on this feature.
Regards, Aron