[stunnel-users] Relaying OOB data [Was: A series of minor patches from Debian]
Richard's Hotmail
maher_rj at hotmail.com
Mon Sep 24 00:14:39 CEST 2007
Hi Luis,
Thanks for the detailed reply!
> Ok, been reading. The short answer is no.
Oh well :-( I guess that's what IPsec's for.
> The longer answer is SSL doesn't support OOB data, so that's why
> not. I did read your post saying you've read specs where it says it
> does, but I could find no such. Take a look at RFC4346, section 6.2
> http://tools.ietf.org/html/rfc4346#page-14
> Take a look also at this thread:
> http://www1.ietf.org/mail-archive/web/tls/current/msg01041.html
Doesn't that thread suggest that OOB functionality is part of the SSLv3
standard? Is version three one of those "yet to be" standards that is still
a long way off? Renamed TLS? (I found several RFCs dealing with this, anyone
know which is the relevant one? I couldn't find "Urgent", "OOB" or "band" in
4346)
My understanding (imagination maybe) is that the OOB character is to be
packaged up as a single byte record surrounded with the SSL wrapper with a
bit set that says it's the OOB character. I would now like stunnel just to
dequeue it from SSL and then set the MSG_OOB flag and replay it to the
application port. So it's sort of quasi-OOB to Stunnel and then true-OOB to
the receiving port.
> The argument (almost) in full:
> - SSL doesn't define anything like OOB data in its streams, so
> anything we did in stunnel would be an extension, and not
> interoperable. And, anyways, would have to be done in openssl and not
> in stunnel, I think.
I must be confused about what's available (the only SSL code I've cut is
simple Java client stuff) 'cos I'm sure I've seen patch-comments that say
something like "make sure stunnel handles OOB data correctly" and isn't
there some sort of OOB INLINE configuration parameter. Is there really
nothing available after the SSL_Read that identifies the data as an OOB
character?
Anyway, thanks again for the reply.
Cheers Richard Maher
PS. Does anyone out there know of a lower-level version of Stunnel (or
something else) that spoofs the originating host-address when replaying the
connection on the local server? It sure would be useful for client
identification, and for reducing DoS attacks!
----- Original Message -----
From: "Luis Rodrigo Gallardo Cruz" <rodrigo at nul-unu.com>
To: <stunnel-users at mirt.net>
Sent: Tuesday, September 18, 2007 9:14 AM
Subject: [stunnel-users] Relaying OOB data [Was: A series of minor patches from Debian]