[stunnel-users] Some troubles with PROXY protocol
Michal Trojnara
Michal.Trojnara at mirt.net
Thu Apr 10 18:28:29 CEST 2014
Hi Alexey,
For protocols that require interaction with unencrypted SSL this would
boil down to a classic chicken-and-egg problem. Fortunately, the PROXY
protocol is not one of them. The following patch should fix your problem:
--- protocol.c.orig 2014-04-10 18:20:17.000000000 +0200
+++ protocol.c 2014-04-10 18:20:52.000000000 +0200
@@ -75,7 +75,7 @@
FUNCTION func;
} handlers[2];
} protocols[]={
- {"proxy", {{PROTOCOL_PRE_SSL, proxy_server},
{PROTOCOL_PRE_SSL, NULL}}},
+ {"proxy", {{PROTOCOL_POST_SSL, proxy_server},
{PROTOCOL_PRE_SSL, NULL}}},
{"cifs", {{PROTOCOL_PRE_CONNECT, cifs_server},
{PROTOCOL_PRE_SSL, cifs_client}}},
{"pgsql", {{PROTOCOL_PRE_CONNECT, pgsql_server},
{PROTOCOL_PRE_SSL, pgsql_client}}},
{"smtp", {{PROTOCOL_PRE_SSL, smtp_server},
{PROTOCOL_PRE_SSL, smtp_client}}},
Mike
On 2014-04-09 00:48, Alexey V. Drozdov wrote:
> Hi, Mike!
>
> I have analyzed your fix and found a mistake :(
> We will switch to the target SNI section only after init_ssl(c), thereby init_remote(c) will connect to the wrong destination.
>
> if(!c->opt->option.client && c->opt->protocol<0
> #ifndef OPENSSL_NO_TLSEXT
> && !c->opt->servername_list_head
> #endif
> ) {
> /* server mode and no protocol negotiation needed */
> init_ssl(c);
> init_remote(c);
> } else { /* client mode or protocol negotiation enabled */
> protocol(c, PROTOCOL_PRE_CONNECT);
> init_remote(c); <<<<<<<<<< Incorrect destination
> protocol(c, PROTOCOL_PRE_SSL);
> init_ssl(c); <<<<<<<<<<< switch to target SNI config section only there
> protocol(c, PROTOCOL_POST_SSL);
> }
>
>
> /Alexey V. Drozdov
> e-mail: anyquist at yandex.ru
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140410/0cd4cc68/attachment.sig>
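As an added example, not stunnel's code and not posted by either participant in this thread, here is what the PROXY protocol exchange behind the patch looks like at the byte level: the sender builds the v1 line that a proxy-mode handler writes to the backend as the very first bytes of the connection (this is why it can be deferred past the TLS handshake without a chicken-and-egg problem), and the backend parses and validates it. The function and type names (proxy_v1_build, proxy_v1_parse, proxy_v1_t) and the documentation-range addresses in the demo are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PROXY_V1_MAX 107 /* spec limit for a v1 line, CRLF included */

typedef struct {
    int family;                 /* AF_INET, AF_INET6, or AF_UNSPEC for UNKNOWN */
    char src[INET6_ADDRSTRLEN]; /* original client address */
    char dst[INET6_ADDRSTRLEN]; /* address the client connected to */
    unsigned src_port, dst_port;
} proxy_v1_t;

/* Sender side: the line a proxy-mode server handler writes to the backend
 * before any payload. Returns the line length (no NUL) or -1 on error. */
int proxy_v1_build(char *buf, size_t len,
        const struct sockaddr *src, const struct sockaddr *dst) {
    char s[INET6_ADDRSTRLEN], d[INET6_ADDRSTRLEN];
    int n;
    if(src->sa_family==AF_INET && dst->sa_family==AF_INET) {
        const struct sockaddr_in *a=(const struct sockaddr_in *)src;
        const struct sockaddr_in *b=(const struct sockaddr_in *)dst;
        if(!inet_ntop(AF_INET, &a->sin_addr, s, sizeof s) ||
                !inet_ntop(AF_INET, &b->sin_addr, d, sizeof d))
            return -1;
        n=snprintf(buf, len, "PROXY TCP4 %s %s %u %u\r\n", s, d,
            (unsigned)ntohs(a->sin_port), (unsigned)ntohs(b->sin_port));
    } else if(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) {
        const struct sockaddr_in6 *a=(const struct sockaddr_in6 *)src;
        const struct sockaddr_in6 *b=(const struct sockaddr_in6 *)dst;
        if(!inet_ntop(AF_INET6, &a->sin6_addr, s, sizeof s) ||
                !inet_ntop(AF_INET6, &b->sin6_addr, d, sizeof d))
            return -1;
        n=snprintf(buf, len, "PROXY TCP6 %s %s %u %u\r\n", s, d,
            (unsigned)ntohs(a->sin6_port), (unsigned)ntohs(b->sin6_port));
    } else { /* mixed or unsupported families: the spec's fallback */
        n=snprintf(buf, len, "PROXY UNKNOWN\r\n");
    }
    if(n<0 || (size_t)n>=len || n>PROXY_V1_MAX)
        return -1;
    return n;
}

/* Receiver side. Returns bytes consumed, 0 if the line is incomplete,
 * -1 if invalid. On -1 the backend must drop the connection rather than
 * fall back to the TCP peer address, which is the proxy, not the client. */
int proxy_v1_parse(const char *buf, size_t len, proxy_v1_t *out) {
    size_t scan=len<PROXY_V1_MAX ? len : PROXY_V1_MAX;
    const char *cr=memchr(buf, '\r', scan);
    char line[PROXY_V1_MAX+1], proto[8];
    unsigned char addr[16];
    size_t linelen;
    int used=0;

    if(!cr)
        return len>=PROXY_V1_MAX ? -1 : 0; /* too long, or need more data */
    linelen=(size_t)(cr-buf);
    if(linelen+2>len)
        return 0;                          /* LF not received yet */
    if(cr[1]!='\n' || linelen<6 || memcmp(buf, "PROXY ", 6))
        return -1;
    memcpy(line, buf, linelen);
    line[linelen]='\0';
    memset(out, 0, sizeof *out);
    if(sscanf(line+6, "%7s", proto)!=1)
        return -1;
    if(!strcmp(proto, "UNKNOWN")) {        /* sender has no client address */
        out->family=AF_UNSPEC;
        return (int)(linelen+2);
    }
    if(!strcmp(proto, "TCP4"))
        out->family=AF_INET;
    else if(!strcmp(proto, "TCP6"))
        out->family=AF_INET6;
    else
        return -1;
    if(sscanf(line+6, "%*s %45s %45s %u %u%n", out->src, out->dst,
            &out->src_port, &out->dst_port, &used)!=4 || line[6+used]!='\0')
        return -1;                         /* missing fields or trailing junk */
    if(inet_pton(out->family, out->src, addr)!=1 ||
            inet_pton(out->family, out->dst, addr)!=1 ||
            out->src_port>65535 || out->dst_port>65535)
        return -1;                         /* address does not match family */
    return (int)(linelen+2);
}

/* Stand-alone demo with constructed documentation-range addresses. */
int main(void) {
    struct sockaddr_in a, b;
    char buf[128];
    proxy_v1_t p;
    int n;
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    a.sin_family=b.sin_family=AF_INET;
    inet_pton(AF_INET, "192.0.2.10", &a.sin_addr);   a.sin_port=htons(54321);
    inet_pton(AF_INET, "198.51.100.7", &b.sin_addr); b.sin_port=htons(443);
    n=proxy_v1_build(buf, sizeof buf, (struct sockaddr *)&a, (struct sockaddr *)&b);
    if(n<0 || proxy_v1_parse(buf, (size_t)n, &p)!=n)
        return 1;
    printf("%.*s-> client %s:%u\n", n, buf, p.src, p.src_port);
    return 0;
}
```

Returning 0 for an incomplete line lets a non-blocking backend keep accumulating bytes up to the 107-byte limit; anything past that without a CR is rejected, as is any line whose addresses do not parse under the declared family or that carries trailing data. The header carries no authentication of its own, so a backend should accept it only on listeners reached from the proxy's address.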