Hi all, is there any way to use stunnel to proxy a connection without using encryption? I have an application that listens on 0.0.0.0:port but refuses connections that do not come from localhost:port, and that application is reachable only with telnet, with no encryption.
I have found a possible configuration, which is the following:
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel.log
transparent = yes

[AppSrv01]
accept = 5776
connect = 4776

[AppSrv02]
accept = 5777
connect = 4777
but it does not seem to work; this is the log:

2011.07.06 11:08:20 LOG5[30375:47349987463360]: stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
2011.07.06 11:08:20 LOG5[30375:47349987463360]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.07.06 11:08:20 LOG6[30375:47349987463360]: file ulimit = 1024 (can be changed with 'ulimit -n')
2011.07.06 11:08:20 LOG6[30375:47349987463360]: poll() used - no FD_SETSIZE limit for file descriptors
2011.07.06 11:08:20 LOG5[30375:47349987463360]: 500 clients allowed
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 4 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 5 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 6 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket
2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv01 bound to 0.0.0.0:5776
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 7 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket
2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv02 bound to 0.0.0.0:5777
2011.07.06 11:08:20 LOG7[30376:47349987463360]: Created pid file /stunnel.pid
2011.07.06 11:08:30 LOG7[30376:47349987463360]: AppSrv01 accepted FD=8 from 10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: AppSrv01 started
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 8 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:1094314304]: TCP_NODELAY option set on local socket
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 9 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 10 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:47349987463360]: Cleaning up the signal pipe
2011.07.06 11:08:30 LOG6[30376:47349987463360]: Child process 30384 finished with code 0
2011.07.06 11:08:30 LOG7[30376:1094314304]: Connection from 10.0.1.11:41922 permitted by libwrap
2011.07.06 11:08:30 LOG5[30376:1094314304]: AppSrv01 connected from 10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: SSL state (accept): before/accept initialization
2011.07.06 11:08:43 LOG3[30376:1094314304]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2011.07.06 11:08:43 LOG5[30376:1094314304]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.07.06 11:08:43 LOG7[30376:1094314304]: AppSrv01 finished (0 left)

and on standard output I get:

2011.07.06 11:08:20 LOG7[30375:47349987463360]: Snagged 64 random bytes from /home/user/.rnd
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Wrote 1024 new random bytes to /home/user/.rnd
2011.07.06 11:08:20 LOG7[30375:47349987463360]: RAND_status claims sufficient entropy for the PRNG
2011.07.06 11:08:20 LOG6[30375:47349987463360]: PRNG seeded successfully
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv01
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv02

What happens when connecting with telnet is:

Trying 10.0.2.140...
Connected to server.
Escape character is '^]'.

The connection seems successful, but with tcpdump I see nothing, and I see nothing in the application log either. If I type something, nothing happens. It seems that the flow is not passed to the destination port.
Do you have any hint?
Thanks!
Your configuration still requires an SSL-enabled client. That's the reason you are getting the unknown protocol error. I think you might achieve what you want by configuring two stunnel services on the same machine for each appserv, one in server mode and the other in client mode, linked together. No transparent should be needed. This could be considered an ugly hack :), like this:
[Appsrv01c]
client = yes
accept = 6776
connect = 5776

[Appsrv01]
client = no
accept = 5776
connect = 4776
This assumes your app listens on port 4776, you connect from your client to port 6776, and port 5776 links the two stunnel stanzas. Of course, you need a certificate and to set verify=0.
Regards,
Jose

-----Original Message-----
From: Marco Strullato marco.strullato@gmail.com
Sender: stunnel-users-bounces@stunnel.org
Date: Wed, 6 Jul 2011 11:28:08
To: stunnel-users@stunnel.org
Subject: [stunnel-users] misconfiguration of transparent proxy
I think what Jose said will work ... but I don't know, seems like an "I have a stunnel hammer so everything looks like a nail" thing to me. I mean, encrypt then decrypt just to change the source IP to localhost? Wouldn't the following work -- add iptables rules on the server box (10.2.0.140) as follows:
iptables -t nat -A PREROUTING --dst 10.2.0.140 -p tcp --dport 6776 -j DNAT \
    --to-destination 10.2.0.140:4776
iptables -t nat -A POSTROUTING -p tcp --dst 10.2.0.140 --dport 4776 -j SNAT \
    --to-source 127.0.0.1
That makes port 6776 on that box act as a proxy to 4776, with all packets that arrive at port 4776 appearing to come from localhost. I'm pretty sure that'd work, SNATing the packets to 127.0.0.1, no? I mean, it's not like you're on a Windows box, where you don't have control of your own network stack :-P
(I didn't add an OUTPUT rule, because if you're already on the same box as your server process, I assume you'd just do a "telnet 127.0.0.1 4776")
But maybe you have a reason why you want to use stunnel for this.
-----Original Message-----
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of josealf@rocketmail.com
Sent: Wednesday, July 06, 2011 7:12 AM
To: Marco Strullato; stunnel-users-bounces@stunnel.org; stunnel-users@stunnel.org
Subject: EXTERNAL: Re: [stunnel-users] misconfiguration of transparent proxy
Does anyone have version 4.39 RPM inst package or knows where to download it? Thank you!
Jack,
I sent you my RPMs (source and binaries) for CentOS 5 and the like (RHES, Scientific, Oracle Linux 5 or later). Note that you should not blindly accept software from untrusted sources. You could plant a Trojan horse in your network. Anyway, my RPMs should work as drop-in replacements for the official Red Hat RPMs, as they follow the same conventions:
a) By default, logs are sent to the authpriv facility instead of daemon.
b) The sample stunnel config file is changed so that the certificate files are in the preferred locations for the distribution.
In addition, I add an init script to /etc/init.d/stunnel.
You can install the source RPM, verify that the pristine stunnel-4.39.tar.gz is used and that the patches do only what I described above, and then rebuild the binary RPM.
Regards, Jose
________________________________
From: Jack Liu jackliu92@hotmail.com
To: stunnel-users@stunnel.org
Sent: Wednesday, July 13, 2011 3:14 AM
Subject: [stunnel-users] 4.39 RPM
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
David,
I completely agree. That's why I said it would be considered an ugly hack. Your solution using iptables is probably the most efficient on Linux. On other platforms, or if we want something portable, we could use one of several small daemons that can handle this task, like rinetd or redir, or, if we want to get into trouble, a Swiss army knife like netcat or socat :)
http://www.boutell.com/rinetd/ http://www.bigsoft.co.uk/blog/index.php/2010/06/22/building-redir-redir-c-fr...
"Bucci, David G" david.g.bucci@lmco.com wrote:
I think what Jose said will work ... but I don't know, seems like an "I have a stunnel hammer so everything looks like a nail" thing to me.
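Jose's two-stanza trick and his rinetd/redir suggestion come down to the same mechanism: a process on the server accepts the client's plaintext connection and opens a new connection to the application from 127.0.0.1, so the application's peer-address check passes. The following is an added example written for this page, not code from the list, from stunnel or from rinetd/redir, that does exactly that in Python with no TLS involved, which is why a plain telnet client works against it. One caveat that every variant in this thread shares (the stunnel double hop, the NAT rules, a relay daemon): it turns "localhost only" into "anyone who can reach the relay port", so the relay below enforces its own allow-list of client networks and the listening port should still be firewalled. The port numbers, the 10.0.1.0/24 allow-list, the LocalOnlyEchoApp stand-in for the real application and the demo() harness are assumptions made up for the example.

```python
"""Plaintext TCP relay: the application sees every client as 127.0.0.1.
Added example for this thread (not stunnel's code); ports, the allow-list and
the echo "application" are assumptions made up for the example."""
import ipaddress
import socket
import threading

# The relay defeats the application's "localhost only" check, so it must
# bring its own access control: an assumed allow-list of client networks.
ALLOWED_SOURCES = (ipaddress.ip_network("10.0.1.0/24"),
                   ipaddress.ip_network("127.0.0.0/8"))

def source_allowed(addr, allowed=ALLOWED_SOURCES):
    """True if the client address lies inside one of the allowed networks."""
    return any(ipaddress.ip_address(addr) in net for net in allowed)

def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so its peer sees EOF."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class _Listener:                                # accept loop shared below
    def __init__(self, host, port):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)               # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]  # real port when bound to 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return                          # socket closed by stop()
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def stop(self):
        self.sock.close()

class Relay(_Listener):
    """Listen on host:port; forward allowed clients to target via loopback."""
    def __init__(self, host="0.0.0.0", port=6776, target=("127.0.0.1", 4776),
                 allowed=ALLOWED_SOURCES):
        self.target, self.allowed = target, allowed   # set before accepting
        super().__init__(host, port)

    def handle(self, client, peer):
        if not source_allowed(peer[0], self.allowed):
            client.close()                      # refused: not on the list
            return
        try:
            upstream = socket.create_connection(self.target)  # app sees 127.0.0.1
        except OSError:
            client.close()
            return
        back = threading.Thread(target=pump, args=(upstream, client))
        back.start()
        pump(client, upstream)                  # this thread carries client -> app
        back.join()
        client.close()
        upstream.close()

class LocalOnlyEchoApp(_Listener):
    """Stand-in for the application: echoes for 127.0.0.1 peers, drops others."""
    def handle(self, conn, peer):
        with conn:
            if peer[0] == "127.0.0.1":
                pump(conn, conn)

def demo(allowed=ALLOWED_SOURCES, payload=b"hello\r\n"):
    """Push payload through app + relay on loopback; b"" means we were refused."""
    app = LocalOnlyEchoApp("127.0.0.1", 0)
    relay = Relay("127.0.0.1", 0, ("127.0.0.1", app.port), allowed)
    chunks = []
    try:
        with socket.create_connection(("127.0.0.1", relay.port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while data := c.recv(4096):
                chunks.append(data)
    except OSError:
        pass                                    # relay reset/closed on us
    finally:
        relay.stop()
        app.stop()
    return b"".join(chunks)
```

demo() sends the payload through the relay and gets the echo back because the application only ever sees a 127.0.0.1 peer; demo(allowed=()) gets b"" back because the relay refuses the client before the application is touched at all. For real use, instantiate Relay("0.0.0.0", 6776, ("127.0.0.1", 4776)) and keep the main thread alive; the application keeps listening on 0.0.0.0, and the relay connects to it over loopback, which is what its check requires.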