[stunnel-users] Safest suggested client/server stunnel configurations to prevent MITM attacks

Brian Wilkins bwilkins at gmail.com
Sat Oct 20 13:04:37 CEST 2012


How do you plan on copying it to the other end?

On Friday, October 19, 2012, Michael K. Avanessian wrote:

> I’m currently tunneling SSH over SSL using stunnel.
>
> I thought that stunneled ssh data was safe.  However, recently I’ve read
> that if going through a sophisticated http/https proxy, it’s possible to be
> hacked by a “legitimate” mitm attack to fool an SSL client.
>
> Is it still possible to configure stunnel so that ssl can’t be compromised
> between both ends?
>
> I’m going to take a wild guess here; which I’m sure I’m probably wrong.
> But, could I just install stunnel; and, let it create automatically a
> self-signed (stunnel.pem) certificate file… then just copy that file to the
> stunnel install on the other end?  That way both sides are already aware of
> each other’s public keys; and, wouldn’t be vulnerable during the initial
> unencrypted handshake?
>
> I’m sure I’m probably way off; and, there’s more I need to do in stunnel’s
> configuration to further ensure the SSL won’t be compromised.. such as the
> stunnel “verify” setting.  I’m not sure which setting to have it; and, what
> it actually does.
>
> I’m hoping someone could shed some light on this with simple suggested
> client → server configs that would keep ssl uncompromised as much as
> possible.
>
> Thanks in advance!