I am using stunnel4 to build a secure connection between two ubuntu hosts. One of the hosts (sender) will send "hello world" to another host (receiver).
When I am using tcpdump in receiver to capture the packets sending from sender, I find out that one of the packets contains "hello world" in plaintext. From my understanding, stunnel will encrypt the content of "hello world" if everything is correct, so I shouldn't be able to see "hello world" in plaintext among any incoming packets. Any ideas about what is going wrong here?
Here I will put my stunnel.config for your reference:
cert = /home/ubuntu/client_server/stunnel.pem
key = /home/ubuntu/client_server/stunnel.key
debug = 7
output = /home/ubuntu/client_server/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = ALL

[services]
accept = 6667
connect = some_ip_address:6666
TIMEOUTclose = 0
1. Are you sure you are getting plain text on port 6666 of the server with IP some_ip_address?
2. Are you sure you are injecting the plain text on port 6667 of the sending IP?
Also, your sending stanza [services] should have client=yes and your receiving side should have client=no.
Regards, Jose
On Apr 22, 2021, at 3:08 PM, yfmao@seas.upenn.edu wrote:
I am using stunnel4 to build a secure connection between two ubuntu hosts. One of the hosts (sender) will send "hello world" to another host (receiver).
When I am using tcpdump in receiver to capture the packets sending from sender, I find out that one of the packets contains "hello world" in plaintext. From my understanding, stunnel will encrypt the content of "hello world" if everything is correct, so I shouldn't be able to see "hello world" in plaintext among any incoming packets. Any ideas about what is going wrong here?
Here I will put my stunnel.config for your reference:
cert = /home/ubuntu/client_server/stunnel.pem
key = /home/ubuntu/client_server/stunnel.key
debug = 7
output = /home/ubuntu/client_server/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = ALL

[services]
accept = 6667
connect = some_ip_address:6666
TIMEOUTclose = 0
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org
Thanks for your reply Jose.
As for your first question, I receive the plaintext packets on port 6666 on the server side. I print it out with tcpdump -A. About the second question, I think adding client=yes to the sender's config file and client=no to the receiver's config file is not helpful. I tried this before and nothing changes.
Also, I am kind of confused how to run stunnel between server and client. Currently what I am doing is run the command "sudo stunnel stunnel.config" on my server side, and run another "sudo stunnel stunnel.config" with a slight difference in the configuration file. Is that correct?
See comments below:
On Thursday, April 22, 2021, 06:15:33 PM GMT-5, yfmao@seas.upenn.edu wrote:
Thanks for your reply Jose.
As for your first question, I receive the plaintext packets on port 6666 on the server side. I print it out with tcpdump -A. About the second question, I think adding client=yes to the sender's config file and client=no to the receiver's config file is not helpful. I tried this before and nothing changes.
JAD: Of course it has an effect. To create a TLS tunnel you need a TLS client and a TLS server.
Also, I am kind of confused how to run stunnel between server and client. Currently what I am doing is run the command "sudo stunnel stunnel.config" on my server side, and run another "sudo stunnel stunnel.config" with a slight difference in the configuration file. Is that correct?
JAD: You may have running instances of stunnel. Your configuration changes or command line invocations may not be executing. You need to take a look at the location you define for your logs, to see what's happening. Check your active processes and the active TCP binds. Examples:
ps -ef | egrep [s]tunnel
netstat -an | grep :6666
netstat -an | grep :6667
If you get nothing from these commands, you're good to go. Otherwise, you have to kill the running process first. Also check your logs:
less /home/ubuntu/client_server/stunnel.log
Also, check the file permissions of your keys and certificate files. Insecure permissions for a private key will not work. Also, if you don't find your logs or there's no information in them, the user you are running as may not have permissions to write. You can do a trace running stunnel under strace, like this:
strace /usr/bin/stunnel /etc/stunnel.conf
You'll get a lot of output on your screen, but if you know how to read it, it will show what's wrong.
And finally, how are you pushing the clear text into the tunnel? I think I gave you all the information to put you on track to solving your problems.
Regards, Jose
On Thu, 22 Apr 2021 23:15:19 -0000 yfmao@seas.upenn.edu wrote:
Also, I am kind of confused how to run stunnel between server and client.
Hi,
App connects to port 123
 ---> plain text --->
Stunnel *client* *accepts* on port 123 ---> *connects* to port 456
 ---> encrypted traffic --->
Stunnel *server* *accepts* on 456 ---> Stunnel *connects* to port 789
 ---> plain text --->
App listening on port 789
If there is a reply from the server, it is "the same" backwards (opened socket ports from clients will differ, of course, but that is nothing you should care about).
Regards.
Thanks for your help Javier. Your instructions really helped me build the simple stunnel.
I am wondering whether it is possible to build a bi-directional stunnel. Here I have two applications running on two separate hosts. One of the applications uses port 10 to send and receive packets, while the other application uses port 11.
Until now, I have tried to modify the configuration like this:
Host 1:
[services]
client = no
accept = 100
connect = 10 (sending to app using port 10)
TIMEOUTclose = 0
[services]
client = yes
accept = 10 (receiving from app using port 10)
connect = ip_of_another_host_:100
TIMEOUTclose = 0
Host 2:
[services]
client = no
accept = 100
connect = 11 (sending to app using port 11)
TIMEOUTclose = 0
[services]
client = yes
accept = 11 (receiving from app using port 11)
connect = ip_of_another_host_:100
TIMEOUTclose = 0
Are those the correct config settings?
On Sat, 24 Apr 2021 03:08:48 -0000 yfmao@seas.upenn.edu wrote:
Thanks for your help Javier. Your instructions really helped me build the simple stunnel.
I am wondering whether it is possible to build a bi-directional stunnel.
Hi,
In every connection there is already a bi-directional connection, and, talking about stunnel, it is already encrypted.
Unless you mean that the app on host 1 connects independently to the app on host 2 and vice versa: when host 1 establishes a connection to host 2, host 2 can already reply back without opening a new connection to reply (that is what I tried to say in the previous mail in parentheses).
So, with the config example you show us, you are actually creating a loop.
Here I have two applications running on two separate hosts. One of the applications uses port 10 to send and receive packets, while the other application uses port 11.
Until now, I have tried to modify the configuration like this:
Host 1:
[services]
client = no
accept = 100
connect = 10 (sending to app using port 10)
TIMEOUTclose = 0
[services]
client = yes
accept = 10 (receiving from app using port 10)
connect = ip_of_another_host_:100
TIMEOUTclose = 0
Host 2:
[services]
client = no
accept = 100
connect = 11 (sending to app using port 11)
TIMEOUTclose = 0
[services]
client = yes
accept = 11 (receiving from app using port 11)
connect = ip_of_another_host_:100
TIMEOUTclose = 0
Are those the correct config settings?
Some app on host 1 connects to stunnel client on host 1 port 10, then connects to host 2 stunnel server port 100 (encrypted traffic), which connects to listening stunnel client on host 2 on port 11 (decrypted), that then connects to stunnel server on host 1 port 100 (encrypted), that, again, connects to stunnel client listening on port 10 (decrypted). And start over and over and over.
Note that the same port means nothing, but as you have stunnel listening on all addresses (you only specified a port, so it means 0.0.0.0, or all addresses on the interface) you are actually creating a loop. There is no other app listening on ports 10 and 11 but the stunnel clients.
To have a bi-directional communication, and by bi-directional I mean that one or the other can start the connection, the apps on both hosts must be a client and a server. Or in other words an initiator and a receiver. On one port it listens, and on another it talks (that one is given by the system).
Stunnel is just the secure tunnel. In client mode it helps a non-secure app to establish a secure channel. In server mode it helps a non-secure app to listen on a secure channel.
An example of bi-directional encrypted talk that needs only a server and a client is a mail client and the mail server. The mail server has the stunnel server. The mail client uses the stunnel client.
The server doesn't need to connect to the client. So there isn't the need of a server on the client.
An example of bi-directional app could be a LAN chat program.
It listens on port 10 for other people's messages. It connects to other people to send messages to their port 10.
Stunnel acts as servers on both sides at the port 10 (but different address than the app), as each program will establish an independent connection when needed.
Stunnel clients will help to connect to the other people stunnel servers to encrypt the connection.
Here you'll have 4 stunnel services, as you intend. Two on each side (client+server).
Regards.
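Two things in this thread come down to following the accept/connect chain from one stunnel service to the next: Jose's point that the sending side needs client=yes (without it stunnel forwards the plaintext to port 6666, which is exactly what tcpdump showed), and Javier's walk-through of how the two-stanza configs on host 1 and host 2 chase each other in a circle. The script below is an added example, not stunnel's own code and not something anyone in the thread posted. It parses service stanzas in stunnel's key = value style and traces the path an application connection would take across hosts, reporting plaintext that leaves a host, TLS aimed at something that is not a stunnel server, and a listener that is reached twice. The host labels (sender, receiver, host1, host2), the receiver's application port 6668 and the config strings are all constructed.

```python
"""Trace an application connection through stunnel services on several hosts.

Added example for this thread, not stunnel's own code. It parses the service
stanzas of each host's stunnel config and walks the chain
app -> accept -> connect -> accept ... across hosts, labelling each wire
segment TLS (client = yes) or plaintext (client = no, the default), and
reports the three problems the thread discusses. Host labels, ports and
configs below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Service:
    host: str          # label of the host running this stunnel instance
    name: str          # section name, e.g. [services]
    client: bool       # client = yes: TLS initiator; client = no: TLS acceptor
    accept: int        # accept = [addr:]port; the address is ignored here
    connect_host: str  # connect = [host:]port; a bare port means the local host
    connect_port: int


def parse_endpoint(value, local_host):
    """'host:port' -> (host, port); a bare 'port' -> (local_host, port)."""
    if ":" in value:
        host, port = value.rsplit(":", 1)
        return host, int(port)
    return local_host, int(value)


def parse_services(host, text):
    """Parse 'key = value' stanzas of an stunnel config. Global options before
    the first [section] are skipped; repeated section names are kept as given."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1]}
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    services = []
    for s in stanzas:
        c_host, c_port = parse_endpoint(s["connect"], host)
        services.append(Service(host, s["name"], s.get("client", "no").lower() == "yes",
                                parse_endpoint(s["accept"], host)[1], c_host, c_port))
    return services


def trace(services, start_host, start_port, max_hops=16):
    """Follow a connection made by an application to start_host:start_port.
    Returns (path, findings); findings is drawn from 'plaintext-on-wire',
    'tls-to-non-server' and 'loop'."""
    listeners = {(s.host, s.accept): s for s in services}
    path, findings, seen = [], [], set()
    target = (start_host, start_port)
    for _ in range(max_hops):
        svc = listeners.get(target)
        if svc is None:                      # nothing from stunnel listens here
            path.append(f"application on {target[0]}:{target[1]}")
            return path, findings
        if target in seen:                   # same listener reached twice
            path.append(f"stunnel on {target[0]}:{target[1]} again")
            findings.append("loop")
            return path, findings
        seen.add(target)
        role, wire = ("client", "TLS") if svc.client else ("server", "plaintext")
        path.append(f"stunnel {role} on {svc.host}:{svc.accept} -> {wire} -> "
                    f"{svc.connect_host}:{svc.connect_port}")
        nxt = listeners.get((svc.connect_host, svc.connect_port))
        if not svc.client and svc.connect_host != svc.host:
            findings.append("plaintext-on-wire")   # server-mode stunnel forwards in the clear
        if svc.client and (nxt is None or nxt.client):
            findings.append("tls-to-non-server")   # nothing there will answer the handshake
        target = (svc.connect_host, svc.connect_port)
    findings.append("loop")                  # exceeded max_hops without reaching an app
    return path, findings


def check(hosts, start_host, start_port):
    """hosts: {host label: config text}. Parses every host, then traces."""
    services = [s for name, text in hosts.items() for s in parse_services(name, text)]
    return trace(services, start_host, start_port)


# Constructed configs: global options (cert, key, debug, ...) are omitted since only
# the service stanzas matter for the path. Port 6668 on the receiver is an assumed app port.
BROKEN_SENDER = "[services]\naccept = 6667\nconnect = receiver:6666\n"  # no client = yes
FIXED_SENDER = "[services]\nclient = yes\naccept = 6667\nconnect = receiver:6666\n"
RECEIVER = "[services]\nclient = no\naccept = 6666\nconnect = 6668\n"
HOST1 = ("[services]\nclient = no\naccept = 100\nconnect = 10\n"
         "[services]\nclient = yes\naccept = 10\nconnect = host2:100\n")
HOST2 = ("[services]\nclient = no\naccept = 100\nconnect = 11\n"
         "[services]\nclient = yes\naccept = 11\nconnect = host1:100\n")

if __name__ == "__main__":
    cases = [
        ("original post, no client = yes", {"sender": BROKEN_SENDER, "receiver": RECEIVER}, "sender", 6667),
        ("corrected pair", {"sender": FIXED_SENDER, "receiver": RECEIVER}, "sender", 6667),
        ("bi-directional attempt", {"host1": HOST1, "host2": HOST2}, "host1", 10),
    ]
    for label, hosts, host, port in cases:
        path, findings = check(hosts, host, port)
        print(f"== {label}: {findings or 'ok'}")
        for hop in path:
            print("   ", hop)
```

Run as is and the first case shows the server-mode sender pushing plaintext to receiver:6666 (what tcpdump -A saw), the second case shows the clean client -> TLS -> server -> plaintext -> app path from Javier's diagram, and the third case ends with "stunnel on host1:10 again", the loop. The checker only looks at ports, so it treats every accept as bound to all addresses, which matches Javier's remark that a bare port means 0.0.0.0.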