[stunnel-users] HTTPS hardcoded redirects

Ezio Ostorero ezio.ostorero at gmail.com
Mon Dec 10 16:22:35 CET 2007 

All,

  I have a problem similar to the one described in
http://mirt.net/pipermail/stunnel-users/2006-October/001324.html i.e. I
***wish*** to use the recording functionalities of JMeter while accessing an
apache-SSL-secured Tomcat web server.

  JMeter does not allow recording on SSL so I have to ... un-cipher my HTTPS
sessions, stunnel looks like the right choice.

  Being an stunnel newbie, I started here:
http://www.stunnel.org/examples/https_client.html , this HOWTO looks quite
close to my configuration.

  We have a plain-vanilla tomcat server behind an apache/SSL, and I want to
access this web application from an HTTP-only browser.

  So, I configure stunnel as a "client", I run it on my PC, with the
following configuration:

[psuedo-https]
accept  = 8080
connect = <server>:443
TIMEOUTclose = 0

I read it as follows: stunnel talk cleartext HTTP on the local 8080 port and
forwards in crypted HTTPS on the <server> port 443

I set the URL in my browser to  http://localhost:8080/oi/ and this happens:

1) Ethereal sez that my PC and <server> start an SSLv3 conversation, good,
we're on track

2) I have an HTTP analyzer plugged in my browser that shows me the content
of the first GET
    that is a redirect to an SSO server (on the same <server>:443 port) for
user authentication

         https://<server>/ssoserver/login?service=......

3) My browser then issue a GET to
https://<server>/ssoserver/login?service=......
    and is GAME OVER, my beloved stunnel is cleanly bypassed by the
    hardcoded https://<server>/ string

Any suggestion? Is it a dead end?
Any dirty trick I could play with? Such as running multiple stunnel
instances, setting <server> = localhost in my hosts file etc.?

Thanks,

                  Ezio

-- 
Ezio Ostorero, Catania
Seltz e limone col sale. Arriminatu, non annacatu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20071210/ac9ff10e/attachment.html>

More information about the stunnel-users mailing list