Hi,
I am a newbie in the stunnel world, so sorry for my question if it was already answered earlier.
I have the following task to solve somehow:
We have 1 server with 2 stunnel connections (any kind). We have e.g. http communication via tunnels. Is there any support in stunnel to connect them somehow? Probably we do not need bidirectional communication.
[client1]----- stunnel 1---> [server]------stunnel2 ----->[client2]
So [client1] --> [client2]
If there is no support in stunnel, do you have any idea how to do it?
Kind regards, Gabor
On Wed, 2016-03-30 10:54:29 +0000, Juhasz Gabor wrote:
Hi,
I am a newbie in the stunnel world, so sorry for my question if it was already answered earlier.
I have the following task to solve somehow:
We have 1 server with 2 stunnel connections (any kind). We have e.g. http communication via tunnels. Is there any support in stunnel to connect them somehow? Probably we do not need bidirectional communication.
[client1]----- stunnel 1---> [server]------stunnel2 ----->[client2]
So [client1] --> [client2]
If there is no support in stunnel, do you have any idea how to do it?
Gabor,
I'm not sure I understand what you are trying to accomplish.
Let's start with nomenclature:
o A server is a unit (hardware or software) that provides services, e.g. e-mail distribution.
o A client is a unit that uses services a server provides.
A client connects to a server if it wants to use a service. For that, the server listens on an address (e.g. IP host address and TCP port number) known to the client.
For instance, a mail client establishes a TCP connection to TCP port 25 on a host running an SMTP mail server if it wants to send an e-mail.
A server does not establish any connections to clients. It just listens on a known address and waits for clients to connect.
If, in your example, 'client2' is a server according to my definition and 'client1' is a real client, then yes, stunnel could be used to e.g. encrypt the traffic between 'client1' and 'client2'.
Ludolf
Hi Ludolf,
Thanks for your reply.
Yes, I mean what you wrote.
Could you write the name of this feature or a doc to understand how it works?
Thanks & Kind regards, Gabor

________________________________________
From: stunnel-users [stunnel-users-bounces@stunnel.org] on behalf of Ludolf Holzheid [lholzheid@bihl-wiedemann.de]
Sent: Wednesday, March 30, 2016 3:34 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Connecting stunnels
--
Ludolf Holzheid
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
Tel: +49 621 33996-0
Fax: +49 621 3392239
mailto:lholzheid@bihl-wiedemann.de
http://www.bihl-wiedemann.de
Registered office: Mannheim
Managing directors: Jochen Bihl, Bernhard Wiedemann
Commercial register: Amtsgericht Mannheim, HRB 5796
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On Wed, 2016-03-30 12:45:25 +0000, Juhasz Gabor wrote:
Hi Ludolf,
Thanks for your reply.
Yes, I mean what you wrote.
Could you write the name of this feature or a doc to understand how it works?
Hi Gabor,
I don't have a link to post, but you don't need any special feature of stunnel.
The idea is to have two instances of stunnel, one of them on the client's host and the other on the server's host.
The client connects to the local stunnel instance (which is to be run in client mode, 'client = yes'). This stunnel instance establishes an encrypted connection to the instance on the server's host, which in turn sets up a clear-text connection to the server (which is to be run in server mode, 'client = no').
For instance, to encrypt a telnet connection:
     client's host              server's host
   +---------------+          +----------------+
   |               |          |                |
   | telnet client |          | telnet server  |
   | 127.0.0.1:x   |          | 127.0.0.23     |
   |      :        |          |       ^        |
   |      :        |          |       :        |
   |      V        |          |       :        |
   | 127.0.0.1:23  |          | 127.0.0.1:z    |
   |   stunnel     |          |   stunnel      |
   | 1.2.3.4:y ===============> 5.6.7.8:992    |
   |               |          |                |
   +---------------+          +----------------+
The vertical connections (with colons) are clear-text, the horizontal connection (with equal signs) is encrypted.
Ludolf
Hi Ludolf,
Thanks for your reply.
Sorry, my first explanation was a bit fuzzy.
I modified your picture a bit to explain what I want:
 stunnel client             stunnel server             stunnel client
+---------------+        +------------------+        +---------------+
|               |        |                  |        |               |
| telnet client |        |   5.6.7.8:993 <======== 4.5.6.7:y        |
| 127.0.0.1:x   |        |     stunnel      |        |   stunnel     |
|      :        |        |   127.0.0.1:q    |        | 127.0.0.1:p   |
|      :        |        |        :         |        |      :        |
|      V        |        |        :         |        |      :        |
| 127.0.0.1:23  |        |   127.0.0.1:z    |        |      V        |
|   stunnel     |        |     stunnel      |        | 127.0.0.1:23  |
| 1.2.3.4:y ===============> 5.6.7.8:992   |        | telnetserver  |
|               |        |                  |        |               |
+---------------+        +------------------+        +---------------+
In the stunnel server I'd like to connect the 2 tunnels in order that telnet client can connect to telnet server.
Does stunnel have some solution for it? Or do you know some standard, stable and easy solution for it in Linux?
Thanks & Kind regards, Gabor
________________________________________
From: stunnel-users [stunnel-users-bounces@stunnel.org] on behalf of Ludolf Holzheid [lholzheid@bihl-wiedemann.de]
Sent: Wednesday, March 30, 2016 4:49 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Connecting stunnels
On Thu, 2016-03-31 06:16:24 +0000, Juhasz Gabor wrote:
Hi Ludolf,
Thanks for your reply.
Sorry, my first explanation was a bit fuzzy.
I modified your picture a bit to explain what I want:
 stunnel client             stunnel server             stunnel client
+---------------+        +------------------+        +---------------+
|               |        |                  |        |               |
| telnet client |        |   5.6.7.8:993 <======== 4.5.6.7:y        |
| 127.0.0.1:x   |        |     stunnel      |        |   stunnel     |
|      :        |        |   127.0.0.1:q    |        | 127.0.0.1:p   |
|      :        |        |        :         |        |      :        |
|      V        |        |        :         |        |      :        |
| 127.0.0.1:23  |        |   127.0.0.1:z    |        |      V        |
|   stunnel     |        |     stunnel      |        | 127.0.0.1:23  |
| 1.2.3.4:y ===============> 5.6.7.8:992   |        | telnetserver  |
|               |        |                  |        |               |
+---------------+        +------------------+        +---------------+
Hi Gabor,
In your picture above, I don't understand who is supposed to establish the connection (i.e. who is to act as a client) and who is supposed to wait for connections (i.e. who is to act as a server).
An IP connection is similar to a telephone connection. The caller (acting as the client) is supposed to dial the number of the callee's phone and the callee (acting as the server) is supposed to sit next to this very phone, waiting for incoming connections.
In my picture, I tried to depict this by giving the connections 'a direction': The unit at the arrow head is the server, the unit at the arrow tail is the client.
/Maybe/ you are thinking of running the stunnel instance in server mode on a different host than the telnet server:
 telnet client's host      intermediate host       telnet server's host
+---------------+        +------------------+        +----------------+
|               |        |                  |        |                |
| telnet client |        |                  |        |                |
| 127.0.0.1:x   |        |                  |        |                |
|      :        |        |                  |        |                |
|      :        |        |                  |        |                |
|      V        |        |                  |        |                |
| 127.0.0.1:23  |        |   5.6.7.8:z ............> 4.5.6.7:23      |
|   stunnel     |        |     stunnel      |        |    telnet      |
| 1.2.3.4:y ===============> 5.6.7.8:992   |        |    server      |
|               |        |                  |        |                |
+---------------+        +------------------+        +----------------+
This is essentially the same as my first picture except for the 'connect' statement in the configuration file of the stunnel in server mode.
Ludolf
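The two-instance setup Ludolf describes in his telnet picture (a client-mode stunnel on the telnet client's host, a server-mode stunnel on the server's host) and the 'intermediate host' variant, which differs only in the 'connect' line, written out as stunnel configuration files. This is an added example and not part of the thread or of the stunnel project's documentation; the addresses 1.2.3.4, 5.6.7.8 and 4.5.6.7 are the placeholders from the pictures, and the certificate and CA file paths are assumed.

```ini
; Added example, not from the thread. Addresses are the placeholders from
; Ludolf's pictures; certificate paths are assumed.

; ---------------------------------------------------------------
; /etc/stunnel/stunnel.conf on the telnet client's host (1.2.3.4)
; ---------------------------------------------------------------
; Run this instance in client mode: it accepts clear text locally and
; opens the TLS connection towards the server-mode instance.
client = yes

; Have the client-mode instance verify the server's certificate against
; a trusted CA (verify level 2). Without this the tunnel is encrypted but
; the peer is not authenticated, so any host could answer on 5.6.7.8:992.
verify = 2
CAfile = /etc/stunnel/ca.pem

[telnet]
; The telnet client connects in clear text to 127.0.0.1:23 ...
accept = 127.0.0.1:23
; ... and stunnel forwards that connection inside TLS to 5.6.7.8:992
; (the '===>' line in the picture; source port y is chosen by the OS).
connect = 5.6.7.8:992

; ---------------------------------------------------------------
; /etc/stunnel/stunnel.conf on the server's host (5.6.7.8)
; ---------------------------------------------------------------
; No 'client' line here: stunnel defaults to server mode ('client = no').
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

[telnet]
; Wait for the encrypted connection from the client-mode instance ...
accept = 5.6.7.8:992
; ... and hand it over in clear text to the telnet server on this host
; (the ':' line in the first picture; source port z is chosen by the OS).
connect = 127.0.0.1:23

; 'Intermediate host' variant from the second picture: the server-mode
; stunnel still runs on 5.6.7.8, but the telnet server lives on 4.5.6.7.
; Only the 'connect' line changes. Note that this second hop
; (the '....>' line) is plain clear text on the network between the
; intermediate host and the telnet server's host.
; connect = 4.5.6.7:23
```

Start each instance with 'stunnel /etc/stunnel/stunnel.conf' on its host; the telnet client then simply connects to 127.0.0.1 on port 23 on its own host and the two stunnel instances relay the session, encrypted only on the hop between 1.2.3.4 and 5.6.7.8.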
Hi Ludolf,
Thanks for your reply.
In your picture above, I don't understand who is supposed to establish the connection (i.e. who is to act as a client) and who is supposed to wait for connections (i.e. who is to act as a server).
There are 2 clients (left and right side) and the middle is the server.
[host1] ------------- [host2] ------------ [host3]
[stunnel client] ---> [stunnel server] <-- [stunnel client]
[telnet client] ----> [tunnelserver] ----> [telnet server]
These arrows are on my original pictures.
The server has 2 instances of stunnel and I'd like to connect them somehow.
/Maybe/ you are thinking of running the stunnel instance in server mode on a different host than the telnet server:
No, I do not think it.
Kind regards, Gabor
________________________________________
From: stunnel-users [stunnel-users-bounces@stunnel.org] on behalf of Ludolf Holzheid [lholzheid@bihl-wiedemann.de]
Sent: Thursday, March 31, 2016 11:19 AM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Connecting stunnels
On Thu, 2016-03-31 09:20:11 +0000, Juhasz Gabor wrote:
Hi Ludolf,
Thanks for your reply.
In your picture above, I don't understand who is supposed to establish the connection (i.e. who is to act as a client) and who is supposed to wait for connections (i.e. who is to act as a server).
There are 2 clients (left and right side) and the middle is the server.
[host1] ------------- [host2] ------------ [host3]
[stunnel client] ---> [stunnel server] <-- [stunnel client]
[telnet client] ----> [tunnelserver] ----> [telnet server]
These arrows are on my original pictures.
Gabor,
I still don't understand which unit you want to act as a server and which as a client for each connection.
The telnet client is a client in any case. On request of a user, the telnet client establishes a connection to e.g. the stunnel instance on host1.
The telnet server is a server in any case. A server doesn't establish connections, but waits for incoming connections. So who is supposed to establish the connection between the stunnel instance on host3 and the telnet server, and on whose request?
The server has 2 instances of stunnel and I'd like to connect them somehow.
What does the term 'server' refer to in this sentence?
Maybe it helps if you explain the application you are trying to set up. In a previous mail, you mentioned HTTP, so I think there is a web browser (e.g. Firefox) and a www server (e.g. Apache) you want to connect. Is that correct?
Ludolf
Hi Ludolf,
It's again:
3 hosts: [host1]----[host2]---[host3]
1) stunnel : host1 -> host2
2) stunnel : host3 -> host2
3) telnet : host1 -> host3 via stunnel and via host2
Kind regards, Gabor
________________________________________
From: stunnel-users [stunnel-users-bounces@stunnel.org] on behalf of Ludolf Holzheid [lholzheid@bihl-wiedemann.de]
Sent: Thursday, March 31, 2016 2:09 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Connecting stunnels
On Thu, 2016-03-31 11:39:55 +0000, Juhasz Gabor wrote:
Hi Ludolf,
It's again:
3 hosts: [host1]----[host2]---[host3]
- stunnel : host1 -> host2
- stunnel : host3 -> host2
- telnet : host1 -> host3 via stunnel and via host2
And again:
Who is supposed to establish the connection between the stunnel instance on host3 and the telnet server, and on whose request?
How would the setup look if there was no encryption needed and thus no stunnel involved?
Sorry for being that lamebrained.
Ludolf