
I am familiar with the stunnel.conf and I know how to specify which unencrypted ports it listens to and to which encrypted ports it redirects, but I would like to understand how it gets the power to "snatch" the packets from a server listening on the same unencrypted ports.

That is, suppose I have a database client wishing to communicate over unencrypted port 777 and a database server normally listening on that port and communicating with the client. Now I want stunnel to take over, so I run stunnel on both the client side and the server side, listening on port 777 and redirecting traffic to encrypted port 8888. Now the client does not know about stunnel; it keeps communicating over port 777, but both stunnel and the database server are listening on port 777... so how does stunnel snatch the client's packets before they arrive at the database server?

Jim B
Bill The Ape

1 Answer

It doesn't; the application needs to be configured to point to the tunnel endpoint.

In the case you're referring to, the client would need to be reconfigured to point to the local stunnel listener, which will wrap the connection data and send it to the server according to the stunnel configuration.

There's also "transparent proxy" mode, which involves explicitly sending the traffic to the stunnel process with iptables, but isn't often used.

Shane Madden
  • First, thank you very much (+1) for your quick answer. Now... "the application needs to be configured to point to the tunnel endpoint" comes as a big surprise to me, since my understanding is that the entire point of stunnel is to provide SSL/TLS to applications that don't have this capability (e.g. `telnet`?) and **without having to modify** those applications. Are you saying that configuring the client to point to the local stunnel listener isn't considered modification? For example, if I want to stunnel `telnet`, I just need to `telnet 8888` instead of `telnet 23`? – Bill The Ape Sep 20 '15 at 05:12
  • Yes. Specifying the connection port is not a modification one needs to make at the source code level. It is possible to change most of the time via CLI/GUI. – m1keil Sep 20 '15 at 05:27
    @BillTheApe Exactly - the database client software can (unless it is very bad) have a different port specified - but in the case of a local stunnel wrapping the traffic to send to the server, you'd really only need to change the host to localhost, if you set the local stunnel to listen on the DB's normal port. – Shane Madden Sep 20 '15 at 07:28
  • Thank you again & accepting. Is it possible for you to provide a brief example, a snippet from stunnel.conf exemplifying a *"case of a local stunnel wrapping the traffic to send to the server, you'd really only need to change the host to localhost, if you set the local stunnel to listen on the DB's normal port"*? Apologies upfront for not fully understanding the terminology (I am not an expert in this field). – Bill The Ape Sep 20 '15 at 14:32
  • @BillTheApe See [this question](http://serverfault.com/questions/537161/stunnel-config-loads-succefully-but-it-does-not-connect) for a good example - in that case for the client config, it's going to listen for local connections on port 1337, then wrap those connections in SSL connections outbound to the `192.208.*.*:80` server. – Shane Madden Sep 21 '15 at 16:09
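As an added illustration of the setup described in the answer and comments (not part of the original post or of any stunnel documentation), here are client-side and server-side stunnel.conf fragments for the port 777 / port 8888 scenario from the question. The host name `db.example.com` and the certificate paths are assumed placeholders; on the client host the database client is simply pointed at `localhost:777`, so nothing about the client software itself changes.

```ini
; ---- client host: stunnel.conf ----
; Run stunnel in client mode next to the database client.
client = yes

[db-client]
; Listen on the DB's normal port, but only on the loopback interface,
; so only local processes can reach the unencrypted side of the tunnel.
accept = 127.0.0.1:777
; Wrap each accepted connection in TLS and forward it to the server's
; stunnel listener on the encrypted port.
connect = db.example.com:8888
; Verify the server's certificate chain and host name so the tunnel
; cannot be silently redirected to an impostor (assumed CA file path).
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = db.example.com

; ---- server host: stunnel.conf ----
; Run stunnel in server mode next to the database server.
[db-server]
; Accept TLS connections from clients on the encrypted port.
accept = 8888
; Unwrap them and hand the plaintext to the database server, which
; should itself be bound to 127.0.0.1:777 only, so that the unencrypted
; port is never reachable from the network.
connect = 127.0.0.1:777
; Server certificate and private key (assumed paths).
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
```

The two fragments belong in separate files on separate hosts; the `client = yes` line applies only to the client side. Checking with `ss -ltnp` (or `netstat -ltnp`) on each host confirms that the database server and the client-side stunnel are bound to the loopback address only and that nothing else is listening on port 777.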