Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2013/09/10 16:05:46 UTC

Re: [OT] Tunneling an arbitrary protocol via SSL/TLS [resolved]


All,

On 9/9/13 2:50 PM, Christopher Schultz wrote:
> Somewhat off-topic, but I was wondering if anyone knew of any
> package or technique that could be used to tunnel an arbitrary
> protocol via TLS?
> 
> In this particular case, I need to wrap HTTP in TLS (to make HTTPS
> :) without modifying the source of the client -- and the client
> does not support HTTPS. :(
> 
> So far, I've come up with the following possibilities:
> 
> 1. Use stunnel.

Oddly enough, my experience with stunnel is limited to tunneling AJP
and MySQL. After re-reading the man page (someone suggested it after I
claimed that stunnel required stunnel processes at both ends), it
appears that it's trivial to configure stunnel at one end as long as
the other end already speaks TLS -- like the case where I need to
connect to an HTTPS server but my client can't do HTTPS (at least not
yet).

I like this better than using httpd for a few reasons:

1. I don't need httpd for anything else, and would prefer not to
install something so big for such a small job.

2. I already have stunnel running for other reasons.

3. Configuration is simpler (but not much).

Anyhow, if anyone is interested, I've been able to set this up quite
trivially using stunnel /on the client end/ of the connection with
this configuration:

====
sslVersion = TLSv1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /testing.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes

[testing]
accept=localhost:1234
connect=www.remote-server.com:443
====

Most of that is stock configuration from Debian (e.g. chroot, socket
options, etc.). Plus, I haven't configured client certs yet, but it
should be as easy as:

cert=/path/to/my/private-key-and-certificate.pem

Now that I know stunnel doesn't need to be running on both sides of a
connection, I might be able to simplify some of my MySQL configurations.

(For those who aren't familiar, Linux distributions tend not to build
their package-managed MySQLs with SSL support due to some odd
licensing issues. That means that, even though MySQL "supports"
encrypted connections, it basically can't actually do them in
practice. If I can use stunnel locally, I can have stunnel act as my
"server" and proxy to MySQL. I have this set up this way now, but I
also have a mirror stunnel process running on the client as well.
Given the above, I should be able to connect to the remote stunnel
process directly from the JDBC driver and not have to do
loopback/stunnel connections on both sides).

- -chris

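Added example, not code from the post or from stunnel: the job the `client = yes` configuration above does, written as a small Python forwarder that accepts plaintext on localhost:1234 and opens a TLS connection to the HTTPS server on port 443. Note that the posted stunnel config sets no `verify` or `CAfile`, so stunnel accepts whatever certificate the server presents; this forwarder verifies the server's chain and hostname, which is what `verify = 2` plus `CAfile` would give you in stunnel. Host and port names are taken from the config; the `cafile` parameter and the TLS 1.2 floor are my additions.

```python
import socket
import ssl
import threading

def make_tls_context(cafile=None):
    # Counterpart of stunnel 'client = yes' with 'verify = 2' and 'CAfile':
    # the default context checks the server's chain and hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the post pinned TLSv1; use 1.2+
    return ctx

def pump(src, dst, half_close=False):
    # Copy src -> dst until src reports EOF or either socket errors. half_close
    # forwards the EOF to dst's peer (plain TCP only; SSLSocket cannot half-close).
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
        if half_close:
            dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(plain, remote_host, remote_port, ctx):
    # One tunnelled connection: plaintext on 'plain', TLS towards the server.
    raw = socket.create_connection((remote_host, remote_port))
    tls = ctx.wrap_socket(raw, server_hostname=remote_host)  # handshake + verify
    # server -> client; once the server closes, half-close the plain side so the
    # HTTP client sees end-of-response and closes, which ends the other pump.
    reader = threading.Thread(target=pump, args=(tls, plain, True), daemon=True)
    reader.start()
    pump(plain, tls)  # client -> server; returns once the client is done
    for s in (tls, plain):  # shutdown() also wakes the reader if still blocked
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        s.close()
    reader.join()

def serve(accept_host, accept_port, remote_host, remote_port, cafile=None):
    # The [testing] section's job (accept localhost:1234, connect remote:443).
    ctx = make_tls_context(cafile)
    with socket.create_server((accept_host, accept_port)) as srv:
        while True:
            conn, _ = srv.accept()
            args = (conn, remote_host, remote_port, ctx)
            threading.Thread(target=handle, args=args, daemon=True).start()
```

Run `serve("localhost", 1234, "www.remote-server.com", 443)` and point the HTTP-only client at http://localhost:1234/, exactly as with the stunnel setup.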