Hi, this may be a slightly unusual request, but I was curious if stunnel could be used for securing clients that do not support TLS, to connect to services that optionally support TLS.
So, really, stunnel already does almost everything that would be needed; except that in this use case, it would be listening for incoming unencrypted connections, and then serve as a proxy to an encrypted connection to the actual service. While it might be nice to offer certificate-based authentication options in this scenario, it wouldn't be necessary for my intended use case, so stunnel wouldn't need access to any private certificates. However, certificate pinning would be pretty essential to what I have in mind.
Best, Leon.
On Wed, 2015-01-07 09:12:39 -0500, Leon Smith wrote:
Hi, this may be a slightly unusual request, but I was curious if stunnel could be used for securing clients that do not support TLS, to connect to services that optionally support TLS.
So, really, stunnel already does almost everything that would be needed; except that in this use case, it would be listening for incoming unencrypted connections, and then serve as a proxy to an encrypted connection to the actual service. While it might be nice to offer certificate-based authentication options in this scenario, it wouldn't be necessary for my intended use case, so stunnel wouldn't need access to any private certificates. However, certificate pinning would be pretty essential to what I have in mind.
Leon,
I'm not sure I understood your request, but isn't 'client = yes' what you are looking for?
Ludolf
Actually, that may be it, thank you. I definitely overlooked this option when I browsed the man page. I'll pass on this information to some interested parties and give them a chance to make it work. And I'll probably try this myself at some point soon.
(Incidentally, it's an HTTP client that doesn't support HTTPS, even though the server does, so it appears I'll need protocol=connect and CAfile=... for certificate pinning as well.)
Best, Leon
On Wed, Jan 7, 2015 at 9:31 AM, Ludolf Holzheid <lholzheid@bihl-wiedemann.de
wrote:
On Wed, 2015-01-07 09:12:39 -0500, Leon Smith wrote:
Hi, this may be a slightly unusual request, but I was curious if
stunnel
could be used for securing clients that do not support TLS, to connect
to
services that optionally support TLS.
So, really, stunnel already does almost everything that would be
needed;
except that in this use case, it would be listening for incoming unencrypted connections, and then serve as a proxy to an encrypted connection to the actual service. While it might be nice to offer certificate-based authentication options in this scenario, it wouldn't
be
necessary for my intended use case, so stunnel wouldn't need access to
any
private certificates. However, certificate pinning would be pretty essential to what I have in mind.
Leon,
I'm not sure I understood your request, but isn't 'client = yes' what you are looking for?
Ludolf
--
Bihl+Wiedemann GmbH Floßwörthstraße 41 68199 Mannheim, Germany
Tel: +49 621 33996-0 Fax: +49 621 3392239
mailto:lholzheid@bihl-wiedemann.de http://www.bihl-wiedemann.de
Sitz der Gesellschaft: Mannheim Geschäftsführer: Jochen Bihl, Bernhard Wiedemann Amtsgericht Mannheim, HRB 5796 _______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On Wed, 2015-01-07 10:11:39 -0500, Leon Smith wrote:
Actually, that may be it, thank you. I definitely overlooked this option when I browsed the man page. I'll pass on this information to some interested parties and give them a chance to make it work. And I'll probably try this myself at some point soon.
(Incidentally, it's an HTTP client that doesn't support HTTPS, even though the server does, so it appears I'll need protocol=connect and CAfile=... for certificate pinning as well.)
I don't know your setup, but if there is no proxy involved, you don't need the 'protocol=...' option. For certificate pinning, you'll certainly need 'CAfile=...' or 'CApath=...', and 'verify=LEVEL' with LEVEL not below 2.
HTH,
Ludolf
On Wed, Jan 7, 2015 at 11:01 AM, Ludolf Holzheid < lholzheid@bihl-wiedemann.de> wrote:
I don't know your setup, but if there is no proxy involved, you don't
need the 'protocol=...' option. For certificate pinning, you'll certainly need 'CAfile=...' or 'CApath=...', and 'verify=LEVEL' with LEVEL not below 2
Hmm, what do you mean by "no proxy involved?" Unless I'm modifying the source, wouldn't using stunnel essentially always be proxy?
To be even more explicit, the HTTP client is cabal-install, which is a program that downloads and compiles code from the Hackage public source code repository for Haskell. cabal-install is HTTP only, whereas Hackage supports both HTTP and HTTPS. I _could_ modify cabal-install, as it is free, libre, and open source software, but for reasons both good and bad, getting the changes pushed upstream is problematic. So I was curious about finding a quick workaround for those concerned about possible MITM attacks injecting malicious code into the packages, and came up with the idea of a stunnel or nginx proxy. (Some of the people who run Hackage are working on code signing, but who knows when that'll finally be available...)
Perhaps the man page would make a little bit more sense to me on this count if I had a better understanding of the TLS protocol and how it relates to https, but that's not something I honestly know all that much about. As it stands the man page is a bit opaque to me on this topic...
Best, Leon
On Wed, 2015-01-07 12:41:20 -0500, Leon Smith wrote:
[..]
Hmm, what do you mean by "no proxy involved?" Unless I'm modifying the source, wouldn't using stunnel essentially always be proxy?
No. Stunnel does not mimic an HTTP proxy. It's rather something like an TCP port forwarder, with the addition of encrypting/decrypting while forwarding.
To be even more explicit, the HTTP client is cabal-install, which is a program that downloads and compiles code from the Hackage public source code repository for Haskell. cabal-install is HTTP only, whereas Hackage supports both HTTP and HTTPS.
This will be easy to set up if hackage.haskell.org uses relative URLs (this seems to be the case)¹ and you can tell cabal-install to use 'http://localhost:<stunnel port>' instead of 'http://hackage.haskell.org'.
HTH,
Ludolf
¹ That is, hackage.haskell.org links to e.g. clckwrks-0.22.4.tar.gz as <a href="/package/clckwrks-0.22.4/clckwrks-0.22.4.tar.gz"> instead of <a href="http://hackage.haskell.org/package/clckwrks-0.22.4/clckwrks-0.22.4.tar.gz">.
-
Leon Smith -
Ludolf Holzheid