First time user of Stunnel and I just wanted to check what I'm doing wrong.
I have two processes running: a TCP Listener that listens on port 13000 and a TCP client that sends it a message.
I'm running Stunnel on Windows 10 with the following config:
[myapp]
client = yes
accept = 13001
connect = 13000
cert = stunnel.pem
TIMEOUTclose=0
I updated the TCP client to send the message to port 13001 but when I check Wireshark I can still see the contents of the message in plaintext. Shouldn't I no longer be able to see the unencrypted contents of this message?
Here are the relevant logs:
2021.01.27 20:57:26 LOG7[main]: Found 1 ready file descriptor(s)
2021.01.27 20:57:26 LOG7[main]: FD=588 ifds=r-x ofds=r--
2021.01.27 20:57:26 LOG7[main]: FD=596 ifds=r-x ofds=---
2021.01.27 20:57:26 LOG7[main]: Service [myapp] accepted (FD=924) from 127.0.0.1:9322
2021.01.27 20:57:26 LOG7[main]: Creating a new thread
2021.01.27 20:57:26 LOG7[main]: New thread created
2021.01.27 20:57:26 LOG7[2]: Service [myapp] started
2021.01.27 20:57:26 LOG7[2]: Setting local socket options (FD=924)
2021.01.27 20:57:26 LOG7[2]: Option TCP_NODELAY set on local socket
2021.01.27 20:57:26 LOG5[2]: Service [myapp] accepted connection from 127.0.0.1:9322
2021.01.27 20:57:26 LOG6[2]: s_connect: connecting 127.0.0.1:13000
2021.01.27 20:57:26 LOG7[2]: s_connect: s_poll_wait 127.0.0.1:13000: waiting 10 seconds
2021.01.27 20:57:26 LOG7[2]: FD=940 ifds=rwx ofds=---
2021.01.27 20:57:26 LOG5[2]: s_connect: connected 127.0.0.1:13000
2021.01.27 20:57:26 LOG5[2]: Service [myapp] connected remote server from 127.0.0.1:9323
2021.01.27 20:57:26 LOG7[2]: Setting remote socket options (FD=940)
2021.01.27 20:57:26 LOG7[2]: Option TCP_NODELAY set on remote socket
2021.01.27 20:57:26 LOG7[2]: Remote descriptor (FD=940) initialized
2021.01.27 20:57:26 LOG6[2]: SNI: sending servername: localhost
2021.01.27 20:57:26 LOG6[2]: Peer certificate not required
2021.01.27 20:57:26 LOG7[2]: TLS state (connect): before SSL initialization
2021.01.27 20:57:26 LOG7[2]: Initializing application specific data for session authenticated
2021.01.27 20:57:26 LOG7[2]: TLS state (connect): SSLv3/TLS write client hello
Sorry, I replied to your address instead, my mistake :S
On Wed, 27 Jan 2021 21:11:53 +0000 David Brower davidbrower@hotmail.com wrote:
> I updated the TCP client to send the message to port 13001 but when I check Wireshark I can still see the contents of the message in plaintext. Shouldn't I no longer be able to see the unencrypted contents of this message?
Hi,
That is perfectly normal. Between the program and Stunnel, all is sent in plain text. Then Stunnel sends it to a server, already encrypted. Consider it as a road tunnel: you see the cars entering and exiting, but not in transit. S-tunnel. Secure-Tunnel.
Unless you have malware locally capable of sniffing loopback/assigned addresses, or you are sending unencrypted to a Stunnel instance on another machine (sent to that machine in plain text until it reaches the Stunnel instance) in a vulnerable network, that shouldn't worry you.
Regards.
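As an added check, not part of the thread, the following Python (stdlib only) applies the reply's point to the first bytes captured on each leg: it tells a TLS ClientHello (stunnel toward its connect= port) from application plaintext (the program toward the accept= port, which is what the poster sees on 13001), and pulls out the SNI that the log mentions. The sample capture bytes, the "hello from the TCP client" line and the single cipher suite are constructed here, not taken from the poster's setup.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SNI = 0x16, 0x01, 0x0000

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello with one SNI extension (stands in for stunnel's connect= leg)."""
    host = sni.encode()
    name = struct.pack("!BH", 0, len(host)) + host                  # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", EXT_SNI, len(name) + 2, len(name)) + name
    body = (b"\x03\x03" + bytes(32)                                  # client_version, random
            + b"\x00"                                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite (sample value)
            + b"\x01\x00"                                            # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs

def classify_first_bytes(data: bytes) -> dict:
    """Tell a TLS ClientHello (stunnel -> server) from plaintext (app -> stunnel accept= port)."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE or data[1] != 3 or data[2] > 4:
        return {"tls": False, "preview": data[:32].decode("latin-1")}
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return {"tls": True, "handshake": f"type {hs[0] if hs else None}", "sni": None}
    try:
        sni = _extract_sni(hs[4:])
    except (IndexError, struct.error):                               # truncated or malformed hello
        sni = None
    return {"tls": True, "handshake": "ClientHello", "sni": sni}

def _extract_sni(body: bytes):
    pos = 34                                                         # skip client_version + random
    pos += 1 + body[pos]                                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]             # cipher_suites
    pos += 1 + body[pos]                                             # compression_methods
    if pos + 2 > len(body):
        return None                                                  # no extensions present
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == EXT_SNI:                                         # list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", body[pos + 7:pos + 9])[0]
            return body[pos + 9:pos + 9 + name_len].decode()
        pos += 4 + elen
    return None

APP_TO_STUNNEL = b"hello from the TCP client\n"       # constructed: plaintext seen on the accept= port (13001)
STUNNEL_TO_SERVER = build_client_hello("localhost")   # constructed: what stunnel sends toward connect= (13000)
```

Run the two samples through classify_first_bytes to see the split the reply describes: the accept= leg comes back as plaintext with the message readable, the connect= leg as a ClientHello for localhost.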
Dear All,
I found the root cause for the email IP address. Thank you for all the suggestions.
Thanks, Alfred
From: David Brower davidbrower@hotmail.com
Sent: Thursday, January 28, 2021 5:12 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Seeing Message in Plain Text in Wireshark