Fwd: [stunnel-users] stunnel 'options' section of config file
 
I understand the security concerns... I was just trying different protocols because I was receiving weird error messages with some https proxies (using the mathias wald patch) about wrong version numbers, etc. Googling it seemed to indicate that enabling/disabling ssl2/ssl3/tls1 could do the trick. However, I can't even get 'openssl s_client...' to yield a successful connection with some of these proxies.

Can stunnel handle incoming http or socks proxy requests/connections? If not, will you ever support that? For instance I want stunnel listening on a local port 8080 and connect to a remote https proxy, and I set the HTTP proxy server in gaim to localhost:8080.

-Justin

On Tue, 21 Dec 2004 15:20:19 +0100, Michal Trojnara <Michal.Trojnara@mobi-com.net> wrote:
Justin Miller wrote:
So all looks well and good... But then when it sends the client hello message, one would expect an ssl2 message, but we get the following
Stunnel is not supposed to act as SSLv2 client. It uses SSLv3_client_method() in src/ssl.c file. If you really need SSLv2 - change it to SSLv2_client_method() and recompile stunnel. It's not recommended for security, anyway.
See SSL_CTX_new(3) manual for details.
Best regards, Mike
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
 
            Justin,
Can stunnel handle incoming http or socks proxy requests/connections?
No.
If not, will you ever support that?
I can support socks (it's on my TODO aka waiting-for-a-sponsor list). I prefer NOT to support HTTP protocol (unless someone convinces me with a huge amount of money).
For instance I want stunnel listening on a local port 8080 and connect to a remote https proxy, and I set the HTTP proxy server in gaim to localhost:8080.
Would it be enough to add a CONNECT (RFC 2817 section 5.2) command to a constant IP and port?

BTW: Here is the list: http://stunnel.mirt.net/todo_sdf.html

Best regards, Mike
 
            I can support socks (it's on my TODO aka waiting-for-a-sponsor list).
Gotcha.
Would it be enough to add a CONNECT (RFC 2817 section 5.2) command to a constant IP and port?
Not to be selfish ;) but for my purposes, yes, I think adding support for the CONNECT command would be perfect. As far as I can tell from looking at the debug output of gaim when I use their regular http proxy setting, it appears to be sending a CONNECT command. So yes, if you added support for that then I think it would work - adding some nice encryption capabilities to gaim. -Justin
BTW: Here is the list: http://stunnel.mirt.net/todo_sdf.html
Best regards, Mike
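The CONNECT step discussed in this thread (RFC 2817 section 5.2, to a constant IP and port), sketched as an added example that is not stunnel's code and not part of the original messages: it builds the request for a fixed target and accepts only a complete 2xx reply before the TLS handshake may begin. The function names, `MAX_REPLY`, and the 192.0.2.10 address are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_REPLY 4096  /* assumed cap on the proxy's reply header */

/* Build the CONNECT request for a fixed target. Returns its length, or -1
 * if the host holds anything but [A-Za-z0-9.-] (blocks CR/LF header
 * injection; IPv6 literals are out of scope) or the buffer is too small. */
int build_connect(char *buf, size_t len, const char *host, unsigned port) {
    const char *p;
    int n;
    if (!*host || port == 0 || port > 65535) return -1;
    for (p = host; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return -1;
    n = snprintf(buf, len, "CONNECT %s:%u HTTP/1.1\r\nHost: %s:%u\r\n\r\n",
                 host, port, host, port);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Check the bytes read from the proxy so far. Returns 0 if the header is
 * incomplete, -1 if the reply is malformed, oversized or not 2xx, else the
 * header length: the TLS handshake may only start at resp + that offset. */
int parse_connect_reply(const char *resp, size_t len) {
    size_t i, end = 0;
    for (i = 0; i + 4 <= len && !end; i++)
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0) end = i + 4;
    if (!end) return len >= MAX_REPLY ? -1 : 0;
    if (end > MAX_REPLY || end < 16 || memcmp(resp, "HTTP/1.", 7) != 0 ||
        !isdigit((unsigned char)resp[7]) || resp[8] != ' ' ||
        resp[9] != '2' || !isdigit((unsigned char)resp[10]) ||
        !isdigit((unsigned char)resp[11]) ||
        (resp[12] != ' ' && resp[12] != '\r'))
        return -1;
    return (int)end;
}

int main(void) {
    /* Constructed sample data: documentation address, made-up replies. */
    const char *ok = "HTTP/1.0 200 Connection established\r\n\r\n";
    const char *no = "HTTP/1.1 403 Forbidden\r\n\r\n";
    char req[128];
    int n = build_connect(req, sizeof req, "192.0.2.10", 443);
    printf("%d request bytes\n%s", n, req);
    printf("ok=%d refused=%d partial=%d\n",
           parse_connect_reply(ok, strlen(ok)),
           parse_connect_reply(no, strlen(no)),
           parse_connect_reply(ok, 10));
    return 0;
}
```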
participants (2)
- Justin Miller
- Michal Trojnara