[stunnel-users] Username and Password in Clear Text

Peter K. O'Connor peter.k.oconnor at gmail.com
Thu Oct 24 07:22:39 CEST 2013


Hi,

I am using stunnel 4.56 Windows version.

I thought the username and password will *only* be sent to SERVER2, *after*
the SSL handshake, with each request.

However, the truth is that the Proxy-Authorization header is attached to
the request to SERVER1 "CONNECT SERVER2:433 HTTP/1.1", as well.

So SERVER1 can see username and password. It is not necessary and safe.

Am I missing anything here?

Regards,
Peter


[stunnel]
client = yes
accept  = 127.0.0.1:8080
connect = SERVER1:3128
protocol = connect
protocolHost = SERVER2:443
protocolUsername = username
protocolPassword = password
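
What SERVER1 receives on the wire in the setup described above, shown as an added example (not part of the original post and not stunnel's code). It assumes HTTP Basic proxy authentication; the function names and the Host header are illustrative assumptions, and the sample values are the placeholders from the posted config.

```python
import base64

def build_connect_request(target, username, password):
    """Plaintext CONNECT request sent to the proxy before any TLS (Basic assumed)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        f"Proxy-Authorization: Basic {token}\r\n"
        "\r\n"
    ).encode("ascii")

def visible_to_proxy(raw):
    """Parse the request head as SERVER1 receives it and report what it exposes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    seen = {"target": target, "scheme": None, "username": None, "password": None}
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        seen["scheme"] = scheme
        if scheme.lower() == "basic":
            # Basic is base64("user:password"): an encoding, not encryption.
            user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
            seen["username"], seen["password"] = user, pw
    return seen

if __name__ == "__main__":
    # Constructed sample using the placeholder values from the posted config.
    request = build_connect_request("SERVER2:443", "username", "password")
    print(request.decode("ascii"), end="")
    print(visible_to_proxy(request))
```

Proxy-Authorization is defined by HTTP as the client's credentials for the proxy itself, and the CONNECT request travels over the unencrypted TCP connection to SERVER1. Anything on that path can therefore read a Basic header as well.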