[stunnel-users] How is it working?

Craig Retief stunnel at rsw.co.za
Wed Nov 7 08:32:17 CET 2007


Algol has explained it quite nicely for you.

I would like to add that Stunnel will hide the service running behind the
stunnel port if you use the certificate for authentication in the verify 3
mode (verify = 3) as stunnel verifies the certificate before allowing the
remote host to connect. If the certificate is invalid, stunnel will drop the
connection before any further information is revealed.

So if you want the connection as secure as possible, use mode 3.

>From the manual:
verify = level
    verify peer certificate 

        level 1 - verify peer certificate if present
        level 2 - verify peer certificate
        level 3 - verify peer with locally installed certificate
        default - no verify


My 2 ped :)

Cheers

Craig  

> -----Original Message-----
> From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-
> bounces at mirt.net] On Behalf Of Algol Tradent
> Sent: 06 November 2007 04:29 AM
> To: stunnel-users at mirt.net
> Subject: Re: [stunnel-users] How is it working?
> 
> 
> Hello,
> 
> If I remember correctly the VNC server will listen for
> connections on _all_ available interfaces on the
> server. You might want to make sure that port 5900 is
> not accessible from the internet, and maybe use the
> "Loopback Only" connections options on the VNC server
> to ensure that no connections are going directly
> without the tunnel.
> 
> You might want to take a look at this document for the
> nmap documentation
> http://insecure.org/nmap/vscan/vscan-post-processors.html
> It describes how nmap tries to identify services that
> use SSL as well.
> 
> Other user metioned before of the use of certificates
> for client-server authentication... You should
> consider this option. Basically, the server and client
> will check if the connection should be allowed based
> on the certificate presented by each peer. In this
> way, the only way people can connect is to have an
> authorized certificate.
> 
> :)
> 
> 
> --- fuzzy_4711 <fuzzy_4711 at gmx.de> wrote:
> 
> > Hello list.
> >
> > After a few tries, my stunnel configuration is
> > working well. I am using
> > it to tunnel my vnc connections to my winXP box.
> >
> > Now I have a question about how the software is
> > working.
> >
> > In the past, when I was using VNC at port 5900 and I
> > did a telnet to
> > that box with port 5900, VNC was answering with
> > something like 003005
> > which was the VNC protocol version the server was
> > able to communicate.
> >
> > Now because of the tunneling effect, my vnc server
> > still listens at
> > 127.0.0.1:5900 but is expecting ssled connections at
> > xxx.xxx.xxx.xxx:9999.
> >
> > When I do a telnet at xxx.xxx.xxx.xxx at port 9999
> > my box is answering
> > something like: Connected to xxx.xxx.xxx.xxx Escape
> > character is ...
> >
> > Now if enter something like "test" the telnet window
> > shows me that the
> > connection is closed by foreign host (means: my xp
> > box).
> >
> > Lets assume, someone is trying to hack my computer
> > and doing a port
> > scan. She/he will find out for sure, that my port
> > 9999 is opened.
> > Usually the server listening behind the port is
> > sending something the
> > attacker could use to point to the software running
> > behind the port. In
> > this case, as far as I can see nothing is sent to
> > give a hint that
> > stunnel is waiting there to route my connection
> > attempt to 127.0.0.1:5900.
> >
> > Is it right, that this is the magic - for sure
> > besides encryption and
> > all the algorithms necessary to do the port
> > forwarding - stunnel
> > provides? I mean as long as an attacker doesnt know
> > what is hiding
> > behind the port he/she also doesnt know how to
> > attack or how to get
> > through. Is that conclusion right?
> >
> > Please tell me, if my conclusions are wrong or if I
> > got something wrong.
> >
> > Stefan
> >
> >
> > _______________________________________________
> > stunnel-users mailing list
> > stunnel-users at mirt.net
> >
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
> >
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users




More information about the stunnel-users mailing list