[stunnel-users] Username and Password in Clear Text

Michal Trojnara Michal.Trojnara at mirt.net
Thu Oct 24 20:30:15 CEST 2013


On 2013-10-24 07:22, Peter K. O'Connor wrote:
> I thought the username and password will *only* be sent to SERVER2,
> *after* the SSL handshake, with each request.
If the password for authentication on your proxy was sent *after* the
handshake, then SSL would have to be terminated on the proxy rather than
on your final server.  Your proxy could then eavesdrop on all your data,
and the transfer between your proxy and your final server would be
unencrypted.  Is that really what you'd expect?

The usual scenario is that the connection from your client to your proxy
is generally performed over a trusted network, while the connection
between your proxy and the final server is performed over a hostile
network (usually the Internet).

> Am I missing anything here?
Not really.  This is precisely how the CONNECT protocol is designed.

Mike
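
The ordering described in this message, as an added example that is not part of the original post or of stunnel's code: it splits a constructed client-to-proxy byte stream into the cleartext CONNECT preamble and the tunneled bytes, showing that the proxy credentials precede the first TLS record. The host name, the credentials and the use of the Basic scheme are assumptions made for illustration.

```python
import base64

# Constructed sample: bytes a client sends to an HTTP proxy on one TCP
# connection. Host name and credentials are made up; Basic is assumed.
CREDS = base64.b64encode(b"alice:s3cret").decode()
CLIENT_TO_PROXY = (
    "CONNECT server2.example:443 HTTP/1.1\r\n"
    "Host: server2.example:443\r\n"
    f"Proxy-Authorization: Basic {CREDS}\r\n"
    "\r\n"
).encode() + bytes.fromhex("16030100020100")  # truncated TLS handshake record


def analyze_client_stream(data: bytes) -> dict:
    """Split a client-to-proxy stream into the cleartext CONNECT
    preamble and the tunneled payload that follows it."""
    head, sep, tunneled = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT request")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    user = password = None
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() == "basic":
        # Basic auth is base64: an encoding, not encryption.
        user, _, password = base64.b64decode(token).decode().partition(":")
    return {
        "target": target,
        "proxy_user": user,
        "proxy_password": password,
        # Offset of the first byte the proxy relays to the final server.
        "tls_offset": len(head) + len(sep),
        # TLS record type 0x16 is a handshake: encryption starts only here.
        "tunnel_starts_with_tls_handshake": tunneled[:1] == b"\x16",
    }


if __name__ == "__main__":
    for key, value in analyze_client_stream(CLIENT_TO_PROXY).items():
        print(f"{key}: {value}")
```

Everything before `tls_offset` is readable by anyone on the client-to-proxy path, which is why that leg is expected to be a trusted network.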
