List: stunnel-users
Subject: [stunnel-users] Question : prevent close-notify alerts from stunnel-server
From: bhakta79 <bhakta79 () gmail ! com>
Date: 2012-11-29 4:15:23
Message-ID: 50B6DE8B.5040302 () gmail ! com
Hello,

I was trying MITM on a Windows application (which talks to a M$ server).
Stunnel was running on my Windows XP machine.

windows-client-app -> stunnel server ---> stunnel client --> M$ Server

What I found is that the stunnel server sends a close notify alert to the
Windows client app, which causes the client to suspend all further
communication (busted Windows client, of course!). I tried setting the
TimeoutClose option to high values, but I always saw the server sending
the close notify alert (is the timeout close only a client-side parameter?)
Is there a way to configure the server to not send close notify?
stunnel logs:

2012.11.28 18:32:12 LOG7[3908:5904]: SSL socket closed on SSL_read
2012.11.28 18:32:12 LOG7[3908:5904]: Sent socket write shutdown
2012.11.28 18:32:12 LOG7[3908:4232]: Socket closed on read
2012.11.28 18:32:12 LOG5[3908:5904]: Connection closed: 901 byte(s) sent to SSL, 38020 byte(s) sent to socket
2012.11.28 18:32:12 LOG7[3908:4232]: Sending close_notify alert
2012.11.28 18:32:12 LOG7[3908:4232]: SSL alert (write): warning: close notify
2012.11.28 18:32:12 LOG6[3908:4232]: SSL_shutdown successfully sent close_notify alert
2012.11.28 18:32:12 LOG7[3908:5904]: Remote socket (FD=356) closed
I finally ended up making this one-line code change to stop the server
from sending the close alert, which helped my MITM progress.
src/client.c:

    if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) &&
            !sock_open_rd && !c->sock_ptr) {
        s_log(LOG_DEBUG, "BHAKTA - HACK -> Skip Sending close_notify alert");
        /* ! changed line: the added "0 &&" makes the condition always false,
           so the SSLv2-style else branch runs and no close_notify is sent */
        if(0 && SSL_version(c->ssl)!=SSL2_VERSION) { /* SSLv3, TLSv1 */
            s_log(LOG_DEBUG, "Sending close_notify alert");
            shutdown_wants_write=1;
        } else { /* no alerts in SSLv2, including the close_notify alert */
            s_log(LOG_DEBUG, "Closing SSLv2 socket");
            if(c->ssl_rfd->is_socket)
                shutdown(c->ssl_rfd->fd, SHUT_RD); /* notify the kernel */
            if(c->ssl_wfd->is_socket)
                shutdown(c->ssl_wfd->fd, SHUT_WR); /* send TCP FIN */
            /* notify the OpenSSL library */
            SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
        }
    }
Is there a way to prevent the server from sending the close notify alert by
means of stunnel.conf parameters?
stunnel.conf:
debug = 7
output = stunnel.log
cert = fakecert.pem
key = fakecert.key
options = DONT_INSERT_EMPTY_FRAGMENTS
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[https]
sslVersion = TLSv1
accept = 0.0.0.0:443
connect = 127.0.0.1:446
[https-client]
client = yes
sslVersion = TLSv1
accept = 127.0.0.1:446
connect = 172.24.244.11:443
TIMEOUTclose = 300
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
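The log excerpt above already contains the answer to "why does the server side send close_notify": thread 5904 (the [https-client] service) reports "SSL socket closed on SSL_read", i.e. its TLS peer, the upstream server, ended the session first; thread 4232 (the [https] service) then sees "Socket closed on read" on its plaintext side and sends close_notify to the Windows client. The following is an added example, mine rather than code from the post or from stunnel, that parses stunnel debug lines of the form "YYYY.MM.DD HH:MM:SS LOGn[pid:tid]: message" per thread and reports, for each thread, which peer initiated the teardown and whether a close_notify was sent. The message strings it matches are exactly the ones in the post's excerpt; the sample input is that excerpt, and any other stunnel message is simply carried along without interpretation.

```python
"""Per-thread close analysis for stunnel debug (LOG7) output.

Added example, not part of the mailing-list post or of stunnel itself.
Assumes stunnel's log layout 'YYYY.MM.DD HH:MM:SS LOGn[pid:tid]: message'
and the message texts seen in the post's excerpt.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# Messages from the post's excerpt and what each tells us about the thread.
TLS_PEER_CLOSED = "SSL socket closed on SSL_read"       # TLS peer ended the session
PLAIN_PEER_CLOSED = "Socket closed on read"             # plaintext peer closed its socket
SENT_CLOSE_NOTIFY = "SSL_shutdown successfully sent close_notify alert"

# Sample input: the log lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
2012.11.28 18:32:12 LOG7[3908:5904]: SSL socket closed on SSL_read
2012.11.28 18:32:12 LOG7[3908:5904]: Sent socket write shutdown
2012.11.28 18:32:12 LOG7[3908:4232]: Socket closed on read
2012.11.28 18:32:12 LOG5[3908:5904]: Connection closed: 901 byte(s) sent to SSL, 38020 byte(s) sent to socket
2012.11.28 18:32:12 LOG7[3908:4232]: Sending close_notify alert
2012.11.28 18:32:12 LOG7[3908:4232]: SSL alert (write): warning: close notify
2012.11.28 18:32:12 LOG6[3908:4232]: SSL_shutdown successfully sent close_notify alert
2012.11.28 18:32:12 LOG7[3908:5904]: Remote socket (FD=356) closed
"""


@dataclass
class ThreadTrace:
    tid: str
    events: list = field(default_factory=list)  # (timestamp, message) in log order

    def first(self, msg):
        """Index of the first event with exactly this message, or None."""
        for idx, (_, m) in enumerate(self.events):
            if m == msg:
                return idx
        return None

    def classify(self):
        """Which peer of this thread closed first, and did we send close_notify."""
        tls_idx = self.first(TLS_PEER_CLOSED)
        plain_idx = self.first(PLAIN_PEER_CLOSED)
        sent = self.first(SENT_CLOSE_NOTIFY) is not None
        if tls_idx is None and plain_idx is None:
            initiator = "unknown"
        elif plain_idx is None or (tls_idx is not None and tls_idx < plain_idx):
            initiator = "tls-peer"
        else:
            initiator = "plaintext-peer"
        return {"tid": self.tid, "initiator": initiator, "sent_close_notify": sent}


def parse_log(text):
    """Group parseable stunnel lines by thread id, preserving order of first appearance."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e-mail-wrapped continuations or unrelated output
        trace = traces.setdefault(m.group("tid"), ThreadTrace(m.group("tid")))
        trace.events.append((m.group("ts"), m.group("msg")))
    return traces


def explain_close_notify(text):
    """One classification dict per thread, in order of first appearance."""
    return [trace.classify() for trace in parse_log(text).values()]


if __name__ == "__main__":
    for row in explain_close_notify(SAMPLE_LOG):
        print(row)
```

Run against the post's excerpt this yields "tls-peer" for thread 5904 with no close_notify sent, and "plaintext-peer" for thread 4232 with close_notify sent: the alert the Windows client receives is stunnel relaying an upstream close, which is also why a TIMEOUTclose setting, which stunnel's manual describes as the time to wait for the peer's close_notify, does not stop it from being sent.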