
So say I have an arbitrary TCP port 12345, it's non-SSL, and I want to put stunnel in front of it to secure traffic to it.

When stunnel is in front of it, does it mean that this port is now TLS/SSL only? Or can you still connect to it unencrypted?

Basically I want to make sure that this port can only be accessed through SSL/TLS and stunnel and no other way.

Clarification: I want to make sure only the stunnel port is open. This is answered in the comments: the unsecured port should be firewalled, but preferably bound to localhost.

user432024

1 Answer

When stunnel is in front of it, does it mean that this port is now TLS/SSL only?

Yes, that is correct. A successful TLS negotiation is required before it will pass traffic upstream.

EEAA
  • Ok, but I mean to ask: if my non-SSL port is 12345 and the stunnel port is 12346, can I still connect to 12345 unencrypted? Are both ports open and available? I'm thinking I have to bind 12345 to 127.0.0.1 (localhost) and only allow external connections to 12346 to force SSL. – user432024 Aug 21 '14 at 02:00
  • Yes, you could. Which is why that port should be blocked in your firewall, or ideally, your application should only bind to `localhost`, which would make it impossible for anything outside of your machine to connect to without going through stunnel. – EEAA Aug 21 '14 at 02:01
  • Ok that works for me! :) Now if only I could accept the answer right away and not have to wait lol! – user432024 Aug 21 '14 at 02:02
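The answer and comments boil down to one deployment rule: stunnel owns the network-facing port (12346 here), and the plaintext application port (12345) must be reachable only on the loopback interface or be firewalled. The script below is an added example, not code from the thread or from the stunnel project. It reads the `accept` and `connect` lines of an assumed single-service stunnel configuration, then audits constructed sample output of `ss -Htln` to confirm that the plaintext port is bound only to loopback and that the TLS port is actually listening. The config values and the `ss` lines are illustrative and constructed for this example.

```python
"""Check that only the stunnel TLS port faces the network, not the plaintext app port."""
import re

# Assumed stunnel service definition (example values): TLS is terminated on
# 12346 and plaintext is forwarded to the application listening on 12345.
STUNNEL_CONF = """
[app]
accept  = 12346
connect = 127.0.0.1:12345
cert    = /etc/stunnel/app.pem
"""

# Constructed sample of `ss -Htln` output (no header). The first three lines
# show a correct deployment: the app is bound to 127.0.0.1 only.
SS_OUTPUT_GOOD = """\
LISTEN 0 128 0.0.0.0:12346 0.0.0.0:*
LISTEN 0 128 127.0.0.1:12345 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""
# The misconfiguration the comments warn about: the app also listens on all
# interfaces, so it can be reached unencrypted without going through stunnel.
SS_OUTPUT_BAD = SS_OUTPUT_GOOD + "LISTEN 0 128 0.0.0.0:12345 0.0.0.0:*\n"

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_stunnel(conf):
    """Return (accept_port, connect_host, connect_port) from a one-service config."""
    accept = re.search(r"^\s*accept\s*=\s*(?:\S*:)?(\d+)\s*$", conf, re.M)
    connect = re.search(r"^\s*connect\s*=\s*(?:(\S+):)?(\d+)\s*$", conf, re.M)
    if not accept or not connect:
        raise ValueError("accept/connect lines not found")
    host = connect.group(1) or "127.0.0.1"  # stunnel connects to localhost by default
    return int(accept.group(1)), host, int(connect.group(2))


def parse_listeners(ss_text):
    """Return [(local_address, port), ...] for each LISTEN line of `ss -Htln`."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the 4th column; rpartition keeps IPv6 brackets intact.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def audit(conf, ss_text):
    """Return findings as strings; an empty list means the deployment matches the rule."""
    tls_port, _, app_port = parse_stunnel(conf)
    listeners = parse_listeners(ss_text)
    findings = []
    for addr, port in listeners:
        if port == app_port and addr not in LOOPBACK:
            findings.append(f"plaintext app port {port} reachable on {addr}")
    if not any(port == tls_port for _, port in listeners):
        findings.append(f"stunnel port {tls_port} is not listening")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SS_OUTPUT_GOOD), ("bad", SS_OUTPUT_BAD)):
        print(label, audit(STUNNEL_CONF, sample) or ["ok"])
```

On a real host, replace the constructed sample with the output of `ss -Htln`; the audit only looks at the listening socket table, so a plaintext port that is bound to all interfaces but blocked by a host firewall will still be reported, which is the conservative result the comments recommend acting on (bind to loopback rather than rely on the firewall alone).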