[stunnel-users] Stunnel as an "HTTPS to HTTPS" proxy
Javier
meresponde2001-stn at yahoo.es
Tue Mar 5 17:26:48 CET 2013
On Tue, 05 Mar 2013 09:04:41 +0200
"jmwb at webmail.co.za" <jmwb at webmail.co.za> wrote:
> Thank you for your response Javier.
>
> I now understand how to phrase what I am looking for. What I am looking for is
> effectively an SSL Man-in-The-Middle (but please be assured that I am not
> looking to build malware). However, I am still not certain from your response
> that Stunnel can do this. Can the client-side handle SSL or does it only
> support clear-text on the client side?
>
> jmwb
Hi, the example I gave you is like this.
I hope this helps you understand how stunnel works in such a
scenario.
1. Web browser without SSL support.
2. It sends clear text to the IP:port where the stunnel client is listening.
3. Stunnel on the client machine sends ciphered text to the machine with stunnel acting as server.
4. Stunnel on the server machine sends clear text to the web server.
5. The web server doesn't have SSL support.
6. The communication is reversed to reply to the client side.
With a diagram:
Browser <> clear text <> stunnel <> ciphered <> stunnel <> clear text <> web server
Of course, it is possible to make a MiTM attack between browser and
stunnel and between stunnel and web server at both sides, but not in
between. To accomplish such an attack you'll first need to access one
of the machines and find such a scenario. If both sides support SSL
you don't need stunnel (unless one of the sides doesn't support SSL)
and, therefore, all communications are ciphered P2P. No clear text.
Except keyboard/mouse loggers on the client side.
As said, it is a secure tunnel, an SSL proxy. As you wish.
Regards.
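
Added example, not part of the original message or of the stunnel project's own documentation: a pair of stunnel configurations for the chain in steps 1-5, with both clear-text legs bound to loopback and the client verifying the server certificate. The host name, ports, service names and file paths are assumptions; `verifyChain` and `checkHost` are stunnel 5.x options.

```ini
; ---- stunnel.conf on the client machine (steps 1-3) ----
; Service name, addresses and paths below are hypothetical.
[http-out]
client = yes
; Clear-text leg: accept on loopback only, so the unencrypted hop
; between browser and stunnel never leaves this host.
accept = 127.0.0.1:8080
; Ciphered leg: TLS connection to the stunnel server.
connect = tunnel.example.com:443
; Authenticate the far end. Without these checks the tunnel is
; encrypted but the client cannot tell which server it reached.
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = tunnel.example.com

; ---- stunnel.conf on the server machine (steps 4-5) ----
[http-in]
; Ciphered leg: terminate TLS from the stunnel client.
accept = 443
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
; Clear-text leg: hand the decrypted traffic to a web server on the
; same host, again over loopback only.
connect = 127.0.0.1:80
```

The browser is pointed at 127.0.0.1:8080 on the client machine. If either clear-text leg has to cross a network instead of loopback, that hop is the exposed part of the chain described above.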