stunnel interview questions
Top stunnel frequently asked interview questions
I'm terminating SSL with Stud and forwarding the request to HAProxy which determines if it's a WebSocket connection and either forwards the request to Node.js or to nginx. The problem I'm having is that I cannot seem to get the X-forwarded-for from Stud. When I set write-ip in the stud conf my requests fail.
Is this possible with such a stack?
Source: (StackOverflow)
I have a new aws EC2 instance, everything worked fine from home. Now the ssh access is blocked in university! I wanted to know how I can bypass that and ssh into my ec2 instance. What ways i can do it? Also, How can I use stunnel to do this? A short explanation is appreciated along with the solution.
Source: (StackOverflow)
I've created a conf file for a connection to an address and port for stunnel whose location is in /usr/local/etc/stunnel/ and started the stunnel service.
I've binded the address to my local ip address 127.0.0.1:60005
To test the connection, I've tried to connect the address via telnet with:
telnet 127.0.0.1 60005
Turns:
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'.
Connection closed by foreign host.
I know that connection is not closed by foreign host as I tried telnet with the original ip address, there is no problem.
So,
how can I test my stunnel connection except using telnet?
Thanks.
Source: (StackOverflow)
We are investigating if it is possible to use HAProxy to load balance across multiple tomcat servers. We would like to use HTTPs for all requests and use sessions via the JSESSIONID cookie. HAProxy doesn't support SSL natively but we can use stunnel in front of it.
With this setup in mind:
1) Do we have to use sticky sessions (subsequent request always go to the same tomcat instance) ?
2) If we do have to use sticky sessions then how could we solve updating our tomcat instance with a new webapp deployment without having to force the users to log out (losing their sessions) ?
Source: (StackOverflow)
For some of my site visitors, the SSL certificate is failing. Whatever tests I do on various browsers for me the SSL certificate is valid.
I can't think of how to test this on client side, and to identify the problem.
How would you do this?
One client gets: fatal certificate unknown
Source: (StackOverflow)
I have recently set up a Node.js based web socket server that has been tested to handle around 2,000 new connection requests per second on a small EC2 instance (m1.small). Considering the cost of a m1.small instance, and the ability to put multiple instances behind a WebSocket capable proxy server such as HAProxy, we are very happy with the results.
However, we realised we had not done any testing using SSL yet, so looked into a number of SSL options. It became apparent that terminating SSL connections at the proxy server is ideal because then the proxy server can inspect the traffic and insert headers such as X-Forward-For so that the server knows which IP the request came from.
So I looked into a number of solutions such as Pound, stunnel and stud, all of which allowed incoming connections on 443 to be terminated, and then passed onto HAProxy on port 80, which in turn passes the connection onto the web servers. Unfortunately however, I found that sending traffic to the SSL termination proxy server on a c1.medium (High CPU) instance very quickly consumed all CPU resources, and only at a rate of 50 or so requests per second. I tried using all three of the solution listed above, and all of them performed roughly the same as I assume under the hood they all rely on OpenSSL anyway. I tried using a 64 bit very large High CPU instance (c1.xlarge) and found that performance only scale linearly with cost. So based on EC2 pricing, I'd need to pay roughly $600p/m for 200 SSL requests per second, as opposed to $60p/m for 2,000 non SSL requests per second. The former price becomes economically unviable very quickly when we start planning to accept 1,000s or 10,000s of requests per second.
I also tried terminating the SSL using Node.js' https server, and the performance was very similar to Pound, stunnel and stud, so no clear advantage to that approach.
So what I am hoping someone can help with is advising how I can get around this ridiculous cost we have to absorb to provide SSL connections. I have heard that SSL hardware accelerators provide much better performance as the hardware is designed for SSL encryption and decryption, but as we are currently using Amazon EC2 for all of our servers, using SSL hardware accelerators is not an option unless we have a separate data centre with physical servers. I am just struggling to see how the likes of Amazon, Google, Facebook can provide all their traffic over SSL when the cost of this is so high. There must be a better solution out there.
Any advice or ideas would be greatly appreciated.
Thanks
Matt
Source: (StackOverflow)
I have a working WebSocket non secure application. But my website uses https and I need a Secure WebSocket connection to avoid Firefox to complain about the fact that the connection is insecure.
I am using php-websocket-server for my WebSocket server with PhP 5.2.9, so when i use WebSocket secure i can't decrypt packets with the openssl_decrypt function.
That's why i used stunnel in order to decrypt packets sent by the client using wss, to do that i binded client WebSocket to 12345 port an server WebSocket to 54321 port, then i added a stunnel in server mode :
[wsServer]
accept = 12345
connect = 192.168.1.227:54321
With this configuration my application works fine on Chrome through https + wss. But on Firefox there's a problem during the handshake, it seems that Sec-WebSocket-Version and Sec-WebSocket-Key are missing in the header. I don't understand because it works on Firefox through http + ws.
Thanks in advance for your help.
Edit : i added an exception for the certificate on the port 12345, now the handshake is going well because i think Firefox now have the Sec-WebSocket-Key.
Here the working header request with Firefox (bigger than Chrome request):
GET / HTTP/1.1
Host: 192.168.1.227:12345
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive, Upgrade
Sec-WebSocket-Version: 13
Origin: https://192.168.1.227
Sec-WebSocket-Protocol: HyBi-00
Sec-WebSocket-Key: 65nHN33M6drIPjQHcGK8pA==
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Source: (StackOverflow)
I have ratchet webSocket server running and it works well.
the problem is that some of the connections are closing right after the handshake.
after searching stackOverflow and google I found out that I should use wss, because using ssl will prevent the connections from being closed. after some more reading I found that wss is not implemented yet in ratchet, and that the solution is to warp ratchet with stunnel. I searched again for help on how to implement this but found non .
how do I warp ratchet with stunnel? is there a better way to solve this problem?
I'm really a newbie will all the ssl issue.
thanks!
Source: (StackOverflow)
I want to learn about the nuts-and-bolts of using SSL to secure client/server communication. Is there any documentation, anywhere, regarding how to do this with OpenSSL?
The best I've been able to find so far is the source code for stunnel (http://www.stunnel.org/)...
To be more precise, I want the client to be able to connect with the server, do the secure handshake, verify that the the server's certificate is valid (eg, signed by a trusted CA, not expired, etc) then send some data.
Source: (StackOverflow)
I know that STunnel can be set up as either server or client with the "client = no" or "client = yes" lines in the config file. Is there a way for a machine to be BOTH a server and client?
Source: (StackOverflow)
we have a node.js/express application sitting behind stunnel for ssl termination. I cannot figure out how to force secure session cookies. looking at the session middleware source:
// only send secure session cookies when there is a secure connection.
// proxySecure is a custom attribute to allow for a reverse proxy
// to handle SSL connections and to communicate to connect over HTTP that
// the incoming connection is secure.
var secured = cookie.secure && (req.connection.encrypted || req.connection.proxySecure);
if (secured || !cookie.secure) {
res.setHeader('Set-Cookie', cookie.serialize(key, req.sessionID));
}
I apparently have to set req.connection.proxySecure to true, but I don't know how to do that. It appears stunnel is supposed to communicate this "over HTTP", but stunnel can't set headers. So I am at a loss. Should I instead try to set it locally by a custom bit of middleware before the session middleware, or in a connect config variable somewhere?
Thanks for any help
Source: (StackOverflow)
I would like to use Cap'n Proto RPC to communicate with a server in the cloud from a desktop box in an office. Cap'n Proto doesn't provide secure network connections through a firewall. I would prefer c++ since I have other components which require this.
I see some people have been looking at nanomsg and other transports which link directly into the application, but I was wondering whether stunnel or something similar might be satisfactory.
The stunnel application, as most know, can provide HTTPS encapsulation of TCP/IP traffic under certain conditions, as per the FAQ:
- The protocol is TCP, not UDP.
- The protocol doesn't use multiple connections, like ftp.
- The protocol doesn't depend on Out Of Band (OOB) data,
- Remote site can't use an application-specific protocol, like ssltelnet, where SSL is a negotiated option, save for those protocols already supported by the protocol argument to stunnel.
It seems like Cap'n Proto RPC might satisfy these conditions. I don't think the customer will object to installing stunnel in this case. Has anyone tried this or something similar? If so, your experiences would be appreciated. If someone knows of a faster/lighter alternative it would also be helpful.
thanks!
Source: (StackOverflow)
I have a form that users can fill out, and the data will be stored into a MySQL database using PHP. The connection to the Apache server is encrypted through HTTPS, and I would like to encrypt the connection to the MySQL database. Both Apache and MySQL are on the same server machine.
I digged around the Interweb and Stunnel seems to be what I need. OpenSSL and SSL are supported and activated on the server, since the we are given the option of using the standard port and a stunnel port to connect to the MySQL server. However, all the articles I found online deal with using Stunnel to connect a MySQL client to an external MySQL Server, but not how to use PHP to connect to a local MySQL server. Am I right to assume that just because the form is transmitted through https, it doesn't mean that the connection to the database is also encrypted?
The PHP code I use to connect to MySQL is like this:
$mysqli = new mysqli("ip","user", "password", "database", "standardport");
This works fine using the standardport. However, if I change it to a Stunnel Port, I get a connection time-out error. Clearly I'm missing something; any help and advice is appreciated! Thanks!
Source: (StackOverflow)
Can stunnel server work without stunnel client? I mean can I write my own http server with only HTTP and add SSL support via Stunnel server? and clients will connect to stunnel server with they own client program using ssl? thanks.
Source: (StackOverflow)
1 question about Stunnel. I would like to use Stunnel as a FIX (Financial Information eXchange) gateway for internet, to support both SSL and non-SSL connection. Is Stunnel able to do without any encryption? I just had a try with plain socket but it looked Stunnel rejected the connection saying 'invalid protocol' or something.
Source: (StackOverflow)