[stunnel-users] some thoughts of add ftp server proxy support to stunnel4. comments required
ZHUANG YUYAO
zhuangyy at netease.com
Thu Jul 28 07:10:04 CEST 2005
Hi,
I am thinking about adding ftp protocol support to stunnel4. first, some
restrictions to simplify the implimentation:
1) only support for stunnel running in server mode, users can use ftp
clients which support ssl connection (ie. FlashFXP) to connect to the
real ftp server through stunnel daemon;
2) only support standalone service mode of stunnel. (inted support may
be added later, I've just read the source code related to standalone
service, and have not got any clue about how to support inetd.)
3) only support FTP implicit SSL and PASSIVE mode;
the code may look like this: (the real ftp server is at 192.168.10.254,
listening on port 21.)
1) start a stunnel daemon nonmally with accept = 990, remote =
192.168.10.254:21, protocol = ftp;
2) when a connection come in, parse the ftp server response, search for
"227 Entering Passive Mode (192,168,10,254,133,22)", then got the data
connection IP: 192.168.10.254 PORT: 34070;
3) plus 1 to the data connction port 34070, then we got 34071 which will
be used as stunnel accept port;
4) create a LOCAL_OPTIONS
structure instance opt (prototypes.h) dynamically, set opt->accept=1,
opt->local_addr same to the parent stunnel, change its port to 34071,
opt->remote_addr = real data connection (IP: 192.168.10.254 PORT:
34070); opt->fd = socket(), bind();
5) set local_option->next = opt;
6) s_poll_add (&fds, opt->fd, 1, 0); (stunnel.c) (the local variable fds
needs to be changed to a global variable, by the way, I think it is also
required if stunnel want real SIGHUP configuration-on-the-fly support)
7) changed server response to "227 Entering Passive Mode
(STUNNEL_LOCAL_HOST,133,23)", then send back to client.
8) the client will then connect to STUNNEL_LOCAL_HOST port = 34071,
negotiate SSL session and send/receive data;
9) after ftp session finished (How to know a ftp session is finished?),
free the dynamic LOCAL_OPTIONS opt, remove opt->fd from fds, close the
data sessoin.
There are only two source file (stunnel.c, protocol.c) need to be
modified to implement these functions.
Any suggestions will be appreciated.
Thank you.
Zhuang Yuyao
2005/7/28
More information about the stunnel-users
mailing list