
I am working with an application that consists of Windows Services on the same server sending messages to each other over TCP. Each service is assigned a port on which it listens for messages.

I should like to encrypt this traffic to prevent it from being read (for example, with a tool such as Wireshark) and was wondering whether Stunnel would enable us to encrypt this traffic without needing to change any of the code in the product.

If we have Service B that is listening on port 17900 and Service A expects Service B to be listening on that port, is it possible to ensure that the traffic from Service A to Service B is encrypted by Stunnel? Is it even a good idea?

David Brower

1 Answer


If all services are running on the same server, the traffic between them will never appear on the network at all.

The server's networking stack will just move packets across processes without even involving the network adapter.


Network sniffers such as Wireshark have quite some trouble capturing traffic between processes running on the same system, since that traffic doesn't actually reach the network:

https://stackoverflow.com/questions/5847168/wireshark-localhost-traffic-capture
Is there a way to get wireshark to capture packets sent from/to localhost on Windows?

I don't know if as of 2021 this is even possible at all, and if this changes depending on what destination IP address the connection uses (127.0.0.1 or the actual server's IP address).

Regardless, please note that running a network sniffer on the server would require administrative rights, which would anyway allow an intruder total control over the server and all processes running on it.

If you have admin rights, you don't need to sniff network traffic; you can do everything, including reading a process' memory. Also, if you just want to stay at the networking level, you can get hold of any certificate the process is using to encrypt traffic and decrypt it.

Massimo
  • Thanks for your response, Massimo. The threat I was thinking of was from someone being able to run Wireshark on the server and read the contents of the packets being sent between the services. – David Brower Jan 27 '21 at 21:17
  • @DavidBrower see edit. – Massimo Jan 27 '21 at 22:04