[stunnel-users] Using Chrome directly as an STunnel Client to connect to an STunnel Server

Dipen Doshi dbdoshi at outlook.com
Wed Oct 4 19:19:03 CEST 2017


Manuele--


Yes, SSL over SSL was more of an academic exercise, rather than a practical concern. But, thanks for the explanation. Chrome encrypts the connection, sends it to the STunnel server, which then decrypts. This means that any traffic flowing out of STunnel server past this point is non-SSL. The STunnel server then makes a connection to my router's HTTPS port 443. This fails because the HTTPS server expects SSL traffic over 443, but the actual traffic it gets is not SSL and hence, rejects the connection. I think I am understanding it correctly.


I followed your suggestion to run an STunnel client on my computer and Chrome going via it and it works. Alternatively, inserting an instance of STunnel client between the STunnel server and HTTPS server (all 3 running on the router) also works.


On a related note, while reading the documentation, I came across the "protocol" configuration parameter. One of the values it can take is "connect". I haven't had the chance to test it, but it is intriguing. I am wondering if putting "protocol = connect" in my STunnel server's service options will force STunnel to make an HTTPS connection to the HTTPS server... Any idea?


Thanks,

Dipen Doshi


________________________________
From: Manuele Trimarchi <info at trimarchimanuele.it>
Sent: Monday, October 2, 2017 12:32 AM
To: Dipen Doshi; stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Using Chrome directly as an STunnel Client to connect to an STunnel Server

Hi,

Chrome is not able to know that behind the SSL connection there will be another SSL connection and not plain HTTP, that's your problem.

In order to achieve your goal for point 2 (btw I don't think that this kind of configuration has any sense honestly) you need to run an instance of stunnel in client mode on your computer that connects to the 443 endpoint of stunnel server. Then it will listen on a port that you decide (i.e. 8443). At this point you have to point chrome to https://localhost:8443 and all will work *but* with some problems about certificate. This time chrome will get a handshake with the webserver and not with stunnel server.

I hope that you understand that this is not a normal configuration and there is no need to double encrypt the HTTP connection.

Kind regards.
--
Manuele Trimarchi
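An added configuration example, not taken from this thread or from the stunnel project, for the second layout Dipen reports as working (all three pieces on the router): a server-mode service terminates Chrome's TLS, hands the plaintext across loopback to a client-mode service, and that service re-encrypts towards the real HTTPS listener on 443. The hostnames, ports, certificate paths and service names are assumptions chosen for illustration.

```ini
; Added example (not from the thread): one stunnel.conf on the router.
; All names, ports and paths below are assumptions for illustration.
;
;  Chrome --TLS--> [https-in] stunnel, server mode, :8443
;                       |  plaintext, loopback only
;                  [https-out] stunnel, client mode, :8444 --TLS--> HTTPS :443

; global options
pid        = /var/run/stunnel.pid
setuid     = nobody
setgid     = nogroup
foreground = no
debug      = notice
output     = /var/log/stunnel.log

[https-in]
; server mode (the default): terminate TLS coming from the browser.
; This is the certificate Chrome is shown, so its name must match what
; the browser typed (assumed: router.example.internal).
accept  = 0.0.0.0:8443
connect = 127.0.0.1:8444
cert    = /etc/stunnel/router.pem
key     = /etc/stunnel/router.key
options = NO_SSLv3

[https-out]
; client mode: wrap the loopback plaintext in TLS again before it
; reaches the HTTPS listener, which would otherwise reject it.
client  = yes
; bind to loopback only, so the cleartext hop is never reachable from the LAN
accept  = 127.0.0.1:8444
connect = 127.0.0.1:443
; verify the back-end certificate rather than accepting anything
verifyChain = yes
CAfile      = /etc/stunnel/backend-ca.pem
checkHost   = router.example.internal
```

Two points worth checking in such a setup: the loopback hop between the two services is cleartext, so it should bind to 127.0.0.1 as above and not to a LAN address, and the client-mode service should verify the back-end's certificate (`verifyChain` plus `CAfile` and `checkHost`) or the inner leg is encrypted but not authenticated. Manuele's layout moves the client-mode service onto the computer instead (`accept = 127.0.0.1:8443`, `connect` pointing at the router's stunnel port); Chrome then completes its handshake with the web server behind the tunnel and sees that server's certificate, which will not match the `localhost` name in the address bar, which is the certificate problem he describes. As for `protocol = connect`: the stunnel manual lists it as a client-mode-only protocol negotiation that sends an HTTP CONNECT request to an intermediate proxy (given by `connect`) for the destination named in `protocolHost`; it changes what stunnel says before TLS starts, not whether the outbound side is encrypted, so a second client-mode service like `[https-out]` remains the way to get TLS to the back-end.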