Is there something missing?
Can you please elaborate? https://www.stunnel.org/auth.html
Subject: Using STunnel4 with both SSL/TLS proxy AND PSK authentication
Hi, all.
We've got a specific use case where we need to implement an stunnel4 'tunnel' in the following format:
Client <---> client-side stunnel4 <---> server-side stunnel4 <---> server
The specific case for this is because of a server that does NOT support SSL on the remote side nor client side, and we need to use two stunnel4 instances to establish the "secure" tunnel.
We can get it working with straight SSL/TLS certificates for a secure connection between the two but can't seem to add authentication to this; we want to get the stunnel4 on the client side and the stunnel4 on the server side to have to have some kind of authentication/exchange between them.
Whenever we add the PSK options or client certs to the thing, we immediately get SSL/TLS problems, as it doesn't seem to support SSL/TLS handshakes properly at that point.
Is there something I'm missing within the STunnel4 documentation about establishing the SSL/TLS tunnel AND adding an authentication component, or is this not possible?? It doesn't currently seem possible based on my testing...
Thomas
Looks like the problem I'm seeing is it doesn't like the PSK protocol for some reason and TLS1.3 breaks this because of how PSK is now in TLS1.3. Doing more testing...
On 6/15/19 3:48 PM, Brent Kimberley wrote:
Is there something missing?
Can you please elaborate? https://www.stunnel.org/auth.html
Please let me know what you discover. The code base looks fairly accessible. :-)
https://github.com/mtrojnar/stunnel/tree/stunnel-5.55/src
On Saturday, June 15, 2019, 10:29:25 p.m. EDT, Thomas Ward teward@thomas-ward.net wrote:
Looks like the problem I'm seeing is it doesn't like the PSK protocol for some reason and TLS1.3 breaks this because of how PSK is now in TLS1.3. Doing more testing...
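For reference, a minimal two-instance layout for the topology described in the original question, using the PSK options documented in the stunnel manual. This is an added example, not a configuration posted by anyone in the thread; the service name, addresses, ports, file paths and identity are assumptions.

```ini
; ===== server-side stunnel (sits in front of the plaintext server) =====
[psk-tunnel]
; TLS listener reached by the client-side stunnel (assumed port)
accept = 0.0.0.0:8443
; plaintext backend that does not speak TLS (assumed address)
connect = 127.0.0.1:8080
; allow only PSK key exchange, so no certificate is configured and a
; peer that lacks the shared key cannot complete the handshake
ciphers = PSK
; one IDENTITY:KEY pair per line, key at least 16 bytes long
PSKsecrets = /etc/stunnel/psk-server.txt
; Assumption, to test the TLS 1.3 suspicion raised in the thread (not a
; confirmed fix): cap the protocol at TLS 1.2 on both sides while debugging.
; Requires an stunnel build that supports sslVersionMax.
;sslVersionMax = TLSv1.2

; ===== client-side stunnel (the plaintext client connects here) =====
[psk-tunnel]
client = yes
; local plaintext listener for the application (assumed port)
accept = 127.0.0.1:8080
; the server-side stunnel listener (placeholder host name)
connect = server.example.net:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk-client.txt
; which identity from the secrets file to present; defaults to the first one
PSKidentity = client1
;sslVersionMax = TLSv1.2

; ===== contents of both PSKsecrets files (same line on each host) =====
; client1:REPLACE_WITH_A_RANDOM_KEY_OF_AT_LEAST_16_BYTES
; Keep both files readable only by the stunnel user (for example mode 0600),
; because anyone who can read the key can authenticate as client1.
```

The two sections live in separate configuration files on separate hosts; they are shown in one block only to make the matching options easy to compare.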