Which scenario did you have in mind? [HTTP CLIENT] -->[STUNNEL CLIENT]--><whatever>-->[STUNNEL SERVER]-->[HTTP Server] OR[HTTP Client] -->[Forward-proxy client]-> [STUNNEL CLIENT]--> <whatever>-->[STUNNEL SERVER]-->[REVERSE-PROXY server]--><whatever>--> [HTTP SERVER ]
From: Hugo Marello hugo.marello@gmail.com To: stunnel-users@stunnel.org
Hello guys, I'm new to using stunnel but I find it quite a powerful tool. I'm doing a POC on how we can bypass our firewall even with DPI, and chose to use stunnel for an extra layer of cryptography. You don't have to worry about access to any VM mentioned here. Here is my scenario:
[CLIENT BROWSER] -->[STUNNEL CLIENT]-->[FIREWALL]-->[STUNNEL SERVER]-->[REVERSE PROXY]-->[FREE INTERNET]
So far I succeeded in getting HTTP working using stunnel CONNECT protocol to the firewall and going all the way through. The problem is when I try to access HTTPS, the connection get set to the stunnel server but it keeps waiting for something. Double checked all the logs, firewall can't discern, stunnel server get the connection, reverse proxy also get the socket connection. My hypothesis is that stunnel client gets the CONNECT from the browser and discard it, it uses its own way to connect to the firewall, instead of encrypting the CONNECT all the way through. As it may seems, I need a way to send 2 CONNECT packages. Does anyone know how can I proceed?
Follow my configs: client = yes output = /var/log/stunnel4/stunnel.log debug = 7
[bypassclient] accept = 4000 connect = firewall.example:3128 protocolHost = destination.com:443 protocol = connect requireCert = no verifyChain = no verifyPeer = no -------------------------------------------------------------------------------------------------------------------- [bypassserver] accept = 0.0.0.0:443 connect = reverseproxy.com:8888 cert = /etc/ssl/cert.pem key = /etc/ssl/key.pem -----------------------------------------------------------------------------------------------------------------------
Thank you all in advance, already digging throw the source code (quite lost tough), Hugo
[https client] --https-->[stunnel client a] --http-->[ stunnel client b]--https--> <whatever>-->[stunnel server b]--http--> [stunnel server a]--https--> [https server]
Date: Tue, 9 Jul 2019 16:08:47 -0300 From: Hugo Marello hugo.marello@gmail.com To: stunnel-users@stunnel.org
I was thinking something more simple like the first scenario. [HTTP?CLIENT] -->[STUNNEL CLIENT]--><whatever>-->[STUNNEL SERVER]-->[HTTP Server] But the end would be an HTTPS server, which would require a CONNECT to get things going. So: [HTTP Client] -->[STUNNEL CLIENT]--> <whatever>-->[STUNNEL SERVER]-->[REVERSE-PROXY server]--> [HTTPS SERVER]
On Monday, July 8, 2019, 12:42:39 p.m. EDT, Brent Kimberley brent_kimberley@rogers.com wrote:
Which scenario did you have in mind? [HTTP CLIENT] -->[STUNNEL CLIENT]--><whatever>-->[STUNNEL SERVER]-->[HTTP Server] OR[HTTP Client] -->[Forward-proxy client]-> [STUNNEL CLIENT]--> <whatever>-->[STUNNEL SERVER]-->[REVERSE-PROXY server]--><whatever>--> [HTTP SERVER ]
From: Hugo Marello hugo.marello@gmail.com To: stunnel-users@stunnel.org
Hello guys, I'm new to using stunnel but I find it quite a powerful tool. I'm doing a POC on how we can bypass our firewall even with DPI, and chose to use stunnel for an extra layer of cryptography. You don't have to worry about access to any VM mentioned here. Here is my scenario:
[CLIENT BROWSER] -->[STUNNEL CLIENT]-->[FIREWALL]-->[STUNNEL SERVER]-->[REVERSE PROXY]-->[FREE INTERNET]
So far I succeeded in getting HTTP working using stunnel CONNECT protocol to the firewall and going all the way through. The problem is when I try to access HTTPS, the connection get set to the stunnel server but it keeps waiting for something. Double checked all the logs, firewall can't discern, stunnel server get the connection, reverse proxy also get the socket connection. My hypothesis is that stunnel client gets the CONNECT from the browser and discard it, it uses its own way to connect to the firewall, instead of encrypting the CONNECT all the way through. As it may seems, I need a way to send 2 CONNECT packages. Does anyone know how can I proceed?
Follow my configs: client = yes output = /var/log/stunnel4/stunnel.log debug = 7
[bypassclient] accept = 4000 connect = firewall.example:3128 protocolHost = destination.com:443 protocol = connect requireCert = no verifyChain = no verifyPeer = no -------------------------------------------------------------------------------------------------------------------- [bypassserver] accept = 0.0.0.0:443 connect = reverseproxy.com:8888 cert = /etc/ssl/cert.pem key = /etc/ssl/key.pem -----------------------------------------------------------------------------------------------------------------------
Thank you all in advance, already digging throw the source code (quite lost tough), Hugo
-
Brent Kimberley