Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the "socks_ssl" protocol, it secures the remote connection instead of the local connection #8

wants to merge 2 commits into
base: master


Copy link

commented Jul 12, 2019

Right now stunnel can't be used as a socks server to reach TLS-only endpoints. For example, using this config file:

protocol = socks
accept = 1081
PSKsecrets = stunnel.secrets

client = yes
accept = 1080
connect =  localhost:1081
PSKSecrets = stunnel.secrets

and simulating a non-TLS capable system as follows:

curl --proxy "socks4://localhost:1080" ""

then I would expect to receive the home page of the site, but what I get instead is 400 The plain HTTP request was sent to HTTPS port. That's because when runing as a socks server stunnel uses TLS to secure the local connection, but the connection to the target endpoint is made in plain TCP.

This defeats the whole purpose of stunnel, which is "to add TLS encryption functionality to existing clients and servers without any changes in the programs' code", for the cases where we need to run it in socks server mode.

The proper fix for this would be to secure both the local and the remote connection, but this would require to manage two ssl endpoints where the application is currently designed for only one. Instead, I decided to implement a simpler workaround: using plain TCP for the socks negotiation and TLS for connecting to the target hosts, thus "reversing" the current behavior.

I have done this by adding a new protocol, named socks_ssl (suggestions for a better name welcome), so that you can use this configuration:

protocol = socks_ssl
accept = 1080
PSKsecrets = stunnel.secrets

...and then the curl example above will work as expected, retrieving the contents of the page.

Some context on why this is needed

I'm a big fan of MSX computers. Many years ago another enthusiast of the platform developed ObsoNET, a network card for these computers; and I developed InterNestor, the TCP/IP stack to make the most of it.


Implementing TLS in InterNestor is out of the question because a Z80 can't handle the required encryption algorithms, so running stunnel on another computer (or even a Raspberry Pi) in the same network is a great alternative for connecting to TLS-only services. However, having to configure a client endpoint for each service is somewhat cumbersome, so my plan is to add socks client capabilities to InterNestor and then use stunnel as a socks server... but for that to work I need stunnel to TLS-ify the remote connection when running as such.


This comment has been minimized.

Copy link

commented Oct 9, 2019

Error reporting after arm-linux-gcc cross-compilation

[!] error queue: ec_curve.c:3179: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
[!] error queue: ec_curve.c:3126: error:100AF010:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:EC lib
[!] EC_KEY_new_by_curve_name: bn_gcd.c:525: error:0306E06C:bignum routines:BN_mod_inverse:no inverse
[.] Configuration successful
[ ] Binding service [rtsp]
[ ] Listening file descriptor created (FD=9)
[ ] Setting accept socket options (FD=9)
[ ] Option SO_REUSEADDR set on accept socket
[ ] Service [rtsp] (FD=9) bound to
[!] Cannot open log file: /var/log/stunnel.log
[ ] Deallocating section defaults

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.