Everyone,
It goes to show that even after having used stunnel forever there is more to learn.
I have a weird problem. A remote site that has always used SSLv3 wants to use TLSv1.2 - normally that takes 5 seconds in the config file.
However, the remote site supplied the software that sends to them … and does not supply a version we can use unless we upgrade O/S and JAVA and who knows what else for hundreds of customers. In four days.
Normally stunnel takes in clear text and sends it out in whatever you like (TLSv1.2 in this case). And the reverse.
Can it take in SSLv3 and convert to TLSv1.2? Of course conceptually this is easy and just a logical extension of stunnel - in practice, if not there, it would be a job. Which I might tackle - but I first wanted to get community input.
And if anyone wants to get paid to do this for me, we can talk :)
Thanks All,
Eric
Eric S Eberhard
VICS (Vertical Integrated Computer Systems)
Voice: 928 567 3529
Cell : 928 301 7537 (not reliable except for text or if not home)
2933 W Middle Verde Rd
Camp Verde, AZ 86322
Oh - help me out and please join this group. I need to get large numbers of members to take to the politicians. https://www.facebook.com/groups/286143052248115/
Eric,
On 6/7/19 13:53, Eric Eberhard wrote:
I have a weird problem. A remote site that has always used SSLv3 wants to use TLSv1.2 – normally that takes 5 seconds in the config file.
However, the remote site supplied the software that sends to them … and does not supply a version we can use unless we upgrade O/S and JAVA and who knows what else for hundreds of customers. In four days.
If this is Java, then the problem is likely with the JVM only and they might be able to get away with just upgrading the version of Java. They are probably using Java 6. If they move up to Java 8 (which is just about to be relegated to the digital dustbin!), then they get TLS 1.2 and, most likely, they won't see any compatibility issues.
Most outfits won't upgrade their Java version because they are scared, ignorant, and/or don't have a good testing process. I've never had a problem upgrading Java. Not even to the later weirdo "modular" ones.
Normally stunnel takes in clear text and sends it out in whatever you like (TLSv1.2 in this case). And the reverse.
Can it take in SSLv3 and convert to TLSv1.2?
I do not believe you can do this with a single stunnel. stunnel connects cleartext to encrypted or vice-versa, depending on the value of the "client" setting.
But, the solution is simple: use two stunnels.
So, let's say that you need to "proxy" a connection incoming on port 443 out to another server on port 8443. The 443 traffic requires TLSv1.2 and the 8443 traffic can only handle SSLv3. Do something like this:
[incoming]
protocol=TLSv1.2
accept=localhost:443
connect=localhost:444
client=false

[outgoing]
protocol=SSLv3
accept=localhost:444
connect=remote:8443
client=true
(The above are obviously not exact. You can't specify a protocol for a specific service, you can't specify both client=true and client=false in the same file, etc. Finally, you probably don't want to LIMIT the outgoing connection to SSLv3. You want it to handshake whatever it can get its hands on.)
Of course conceptually this is easy and just a logical extension of stunnel – in practice, if not there, it would be a job. Which I might tackle – but I first wanted to get community input.
I think configuring two tunnels gets the job done without writing any new software.
-chris
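For readers wanting something they can actually drop into stunnel.conf, here is an added example (not from either poster) of the two-service layout Chris describes, written for Eric's direction of travel: the legacy local sender speaks SSLv3, the remote site now requires TLSv1.2. With stunnel 5.x both `client` and `sslVersion` are service-level options, so one process and one config file do it; the TLS version option is `sslVersion` (stunnel's `protocol` option selects an application protocol such as smtp, not a TLS version). Hostnames, ports and certificate paths are assumptions.

```ini
; Added example, not the thread's own config. Hostnames, ports and paths are assumed.
foreground = yes
debug = 5

; Leg 1: terminate the legacy SSLv3 session from the old Java sender.
; Bind to loopback only: an SSLv3 listener (POODLE) must never be reachable
; from the network, and this leg exists solely to catch the old client.
[legacy-in]
client = no
accept = 127.0.0.1:8443
connect = 127.0.0.1:8444
cert = /etc/stunnel/local.pem
key = /etc/stunnel/local.pem
; Requires an OpenSSL build with SSLv3 compiled in; most OpenSSL >= 1.1.0
; packages are built with no-ssl3 and stunnel will refuse this line.
sslVersion = SSLv3

; Leg 2: re-encrypt toward the remote site with TLSv1.2 and verify its
; certificate chain and hostname, since this hop crosses the network.
[remote-out]
client = yes
accept = 127.0.0.1:8444
connect = remote.example.net:443
sslVersion = TLSv1.2
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = remote.example.net
```

Point the legacy sender at 127.0.0.1:8443 instead of the remote host (or override the remote's name in /etc/hosts). If the old Java client verifies the server certificate, the certificate served on leg 1 must carry the name the client expects and be trusted by that JVM's truststore; that, not stunnel, is usually where the remaining work is. The cleartext hop on port 8444 never leaves loopback, which is why both services must run on the same machine.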