Hi Luis,
Thanks for the detailed reply!
Ok, been reading. The short answer is no.
Oh well :-( I guess that's what IPsec's for.
The longer answer is SSL doesn't support OOB data, so that's why not. I did read your post saying you've read specs where it says it does, but I could find no such. Take a look at RFC4346, section 6.2 http://tools.ietf.org/html/rfc4346#page-14
Take a look also at this thread: http://www1.ietf.org/mail-archive/web/tls/current/msg01041.html
Doesn't that thread suggest that OOB functionality is part of the SSLv3 standard? Is version three one of those "yet to be" standards that is still a long way off? Renamed TLS? (I found several RFCs dealing with this, anyone know which is the relevant one? I couldn't find "Urgent", "OOB" or "band" in 4346)
My understanding (imagination maybe) is that the OOB character is to be packaged up as a single byte record surrounded with the SSL wrapper with a bit set that says it's the OOB character. I would now like stunnel just to dequeue it from SSL and then set the MSG_OOB flag and replay it to the application port. So it's sort of quasi-OOB to Stunnel and then true-OOB to the receiving port.
The argument (almost) in full:
- SSL doesn't define anything like OOB data in its streams, so anything we did in stunnel would be an extension, and not interoperable. And, anyways, would have to be done in openssl and not in stunnel, I think.
I must be confused about what's available (the only SSL code I've cut is simple Java client stuff) 'cos I'm sure I've seen patch-comments that say something like "make sure stunnel handles OOB data correctly", and isn't there some sort of OOB INLINE configuration parameter? Is there really nothing available after the SSL_read that identifies the data as an OOB character?
Anyway, thanks again for the reply.
Cheers,
Richard Maher
PS. Does anyone out there know of a lower-level version of Stunnel (or something else) that spoofs the originating host-address when replaying the connection on the local server? It sure would be useful for client identification, and for reducing DoS attacks!
----- Original Message ----- From: "Luis Rodrigo Gallardo Cruz" rodrigo@nul-unu.com To: stunnel-users@mirt.net Sent: Tuesday, September 18, 2007 9:14 AM Subject: [stunnel-users] Relaying OOB data [Was: A series of minor patches from Debian]
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
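To make concrete what the thread is arguing about, here is an added example (not code from stunnel, OpenSSL or either poster) that frames and parses TLSPlaintext records exactly as RFC 4346 section 6.2 lays them out: a one-byte content type, a two-byte protocol version, a two-byte length, and the fragment. That header has no flag, urgent pointer or "out-of-band" bit, which is the whole of Luis's point. The "single-byte OOB record with a bit set" that Richard describes can only be expressed as a content type no TLS version defines; the value 0xF0 used below for that purpose is a hypothetical assumption for illustration, and RFC 4346 section 6 says a peer receiving a record type it does not understand SHOULD just ignore it, so such a record would silently vanish at any standard implementation. It also shows why nothing is "available after SSL_read": the library consumes the record header and hands the application only the bytes of the application_data fragments. The sample byte stream is constructed inline.

```python
import struct

# TLSPlaintext record header per RFC 4346 section 6.2:
#   ContentType type (1 byte), ProtocolVersion version (2 bytes),
#   uint16 length, opaque fragment[length].
# Nothing in this header can mark a byte as urgent / out-of-band.
HEADER = struct.Struct("!BHH")

# Content types defined by RFC 4346.
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# Hypothetical private content type standing in for the "single-byte OOB
# record" idea from the thread. ASSUMPTION for illustration only: no TLS
# version defines it, and an RFC 4346 peer SHOULD simply ignore the record.
HYPOTHETICAL_OOB_TYPE = 0xF0

MAX_PLAINTEXT_FRAGMENT = 2 ** 14  # RFC 4346 section 6.2.1

TLS_1_1 = (3, 2)  # RFC 4346 is TLS 1.1, on the wire {3, 2}


def build_record(content_type, payload, version=TLS_1_1):
    """Frame payload as one TLSPlaintext record."""
    if not 0 <= content_type <= 255:
        raise ValueError("content type must fit in one byte")
    if len(payload) > MAX_PLAINTEXT_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes")
    major, minor = version
    return HEADER.pack(content_type, (major << 8) | minor, len(payload)) + payload


def parse_records(stream):
    """Split a byte string into TLSPlaintext records.

    Returns a list of dicts; raises ValueError on a truncated or oversized
    record instead of guessing at the remainder.
    """
    records = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = HEADER.unpack_from(stream, offset)
        offset += HEADER.size
        if length > MAX_PLAINTEXT_FRAGMENT:
            raise ValueError("record length %d exceeds 2^14" % length)
        if len(stream) - offset < length:
            raise ValueError("truncated fragment at offset %d" % offset)
        fragment = stream[offset:offset + length]
        offset += length
        records.append({
            "type": ctype,
            "type_name": CONTENT_TYPES.get(ctype, "unknown"),
            "version": (version >> 8, version & 0xFF),
            "fragment": fragment,
            "standard": ctype in CONTENT_TYPES,
        })
    return records


def application_data(stream):
    """What an SSL_read-style API hands the application: only the fragments
    of application_data records, with the record headers already stripped."""
    return b"".join(r["fragment"] for r in parse_records(stream)
                    if r["type"] == 23)


def demo():
    # Constructed sample stream: ordinary application data, then the
    # hypothetical one-byte "OOB" record, then more application data.
    stream = (build_record(23, b"hello")
              + build_record(HYPOTHETICAL_OOB_TYPE, b"!")
              + build_record(23, b"world"))
    return stream


if __name__ == "__main__":
    for r in parse_records(demo()):
        print(r["type"], r["type_name"], r["version"], r["fragment"],
              "standard" if r["standard"] else "NON-STANDARD")
    print("delivered to application:", application_data(demo()))
```

Running it prints three records, the middle one flagged NON-STANDARD, and then `hello` + `world` as the only bytes an application would ever see; the `!` never reaches it through a standard record layer, which is why relaying it with `MSG_OOB` on the far side would need an extension on both ends.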