[stunnel-users] No encryption?

Revelancefound at aol.com Revelancefound at aol.com
Tue Sep 27 03:06:43 CEST 2005


Dear patient users,
            
            It seems that stunnel does not encrypt outward traffic from my 
PC. I was able to get stunnel to work in the first place by having different 
proxies for each protocol. However, to test if my 8196 bit + x509 certificate 
keys actually encrypted my traffic, I decided to do a test. I sniffed my own 
computer using Cain and Abel while logging in to my home router. To my 
disappointment, the sniffer picked up my username and password in plain text through 
the HTTP protocol several times. Either that or Abel can crack 256bit level 
encryption (256 x 32 = 8196) rather quickly. 
 
My stunnel.conf file:
 
; Sample stunnel configuration file by Michal Trojnara 2002-2005
; Some options used here may not be adequate for your particular configuration
 
; Certificate/key is needed in server mode and optional in client mode
cert = C:\Program Files\stunnel\stunnel.pem
key = C:\Program Files\stunnel\stunnel.pem
 
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
 
; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
 
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath;  CApath is located inside chroot jail:
;CApath = certs
; It's often easier to use CAfile:
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath;  CRLpath is located inside chroot jail:
;CRLpath = crls
; Alternatively you can use CRLfile:
;CRLfile = crls.pem
 
; Some debugging stuff useful for troubleshooting
;debug = 7
;output = C:\Program Files\stunnel\stunnel.log
 
; Use it for client mode
client = yes
 
; Service-level configuration
 
client = yes
verify = 0
 
;[pop3s]
;accept  = 995
;connect = 110
 
;[imaps]
;accept  = 993
;connect = 143

[ssmtp]
accept  = 127.0.0.1:465
connect = httpsupportingproxy4:3124
TIMEOUTclose = 0
 
[http]
accept  = 127.0.0.1:444
connect = httpsupportingproxy3:6588
TIMEOUTclose = 0
 
[https]
accept  = 127.0.0.1:443
connect = httpsupportingproxy2:6588
TIMEOUTclose = 0
 
[ftps]
accept  = 127.0.0.1:21
connect = httpsupportingproxy1:6588
TIMEOUTclose = 0
 
; vim:ft=dosini
 
 
 
 
And my bat file used to generate keys:
 
openssl req -new -x509 -days 365 -nodes -config C:\OpenSSL\bin\openssl.cnf -out stunnel.pem -keyout stunnel.pem
 
;requirements:
;OpenSSL.exe in C:\windows directory
;Installation of Win32OpenSSL-v0.9.8.mis to C:\
;Edit C:\OpenSSL\bin\openssl.cnf strings
;[ req ]
;default_bits       = 8196
;default_keyfile    = stunnel.pem
;distinguished_name = req_distinguished_name
;attributes         = req_attributes
;x509_extensions    = v3_ca      # The extentions to add to the self signed cert
 
Cain Log:
 
==================================================================
= Cain's MAC Scanner/Promiscuous-mode Detector                   =
==================================================================
IP Address: (Router)
MAC Address: (RouterMAC)
OUI Fingerprint: Cisco-Linksys, LLC
Hostname: 
ARP Test (Broadcast 31-bit): *
ARP Test (Broadcast 16-bit): *
ARP Test (Broadcast 8-bit): *
ARP Test (Group bit): *
ARP Test (Multicast group 0): *
ARP Test (Multicast group 1): *
ARP Test (Multicast group 3): *
 
Am I doing something wrong here?
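
An added example, not part of the original post or of the stunnel project's code: a small Python audit that reads a stunnel configuration like the one above and reports, per service, which leg is plaintext, which leg is TLS, and whether the peer certificate is verified. It assumes stunnel 4.x semantics (in client mode the accept side is plaintext and the connect side is TLS; `verify` levels 2 and above require a valid peer certificate); the function names and the trimmed sample are constructed here.

```python
# Added example: audit a stunnel configuration (assumes stunnel 4.x option semantics).
# SAMPLE_CONF is constructed by trimming the configuration posted above.
SAMPLE_CONF = """\
client = yes
verify = 0

[http]
accept  = 127.0.0.1:444
connect = httpsupportingproxy3:6588
TIMEOUTclose = 0

[https]
accept  = 127.0.0.1:443
connect = httpsupportingproxy2:6588
"""


def parse_stunnel_conf(text):
    """Return (global_options, {service: options}); lines starting with ';' are comments."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def audit(text):
    """Per service: which leg stunnel leaves in plaintext, which it wraps in TLS,
    and whether the verify level requires a valid peer certificate."""
    global_opts, services = parse_stunnel_conf(text)
    report = []
    for name, opts in services.items():
        merged = {**global_opts, **opts}  # service options override global defaults
        client = merged.get("client", "no").lower() == "yes"
        verify = merged.get("verify")
        report.append({
            "service": name,
            "plaintext_leg": merged.get("accept") if client else merged.get("connect"),
            "tls_leg": merged.get("connect") if client else merged.get("accept"),
            "peer_verified": verify is not None and int(verify) >= 2,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print(row)
```

Only connections that enter through a listed accept address are wrapped by stunnel; the report shows where each wrapped connection goes and whether its peer is authenticated.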