>
> I'm not sure, but to get you going you can tell socat to not verify
> certificates:
>
> socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443,verify=0
>
Yep, that works. But that somewhat defeats the purpose of the secure
connection - meaning I couldn't use it in production.
> Another way to do this is with xinetd and the stunnel program.
>
Oooh, I like this even more. This looks like a more production-ready
solution and I like that it launches when accessed rather than being
connected all of the time.
> For example, here's an xinetd file for doing a plaintext localhost imap
> that connects to gmail's secure imap:
> service imap
> {
> disable = no
> socket_type = stream
> wait = no
> user = root
> server = /usr/bin/stunnel
> server_args = /etc/stunnel/gmail-imap.conf
> log_on_success += USERID
> log_on_failure += USERID
> }
>
>
> And the /etc/stunnel/gmail-imap.conf:
> client = yes
> connect = imap.gmail.com:993
> ; verify = 0 accepts any certificate the server presents (no verification)
> verify = 0
> fips = no
>
Very cool example.
Apparently I had trouble with stunnel verifying certificates also...
>
Yeah... I need to get that fixed, for sure.
I need to run OpenVPN over https so that it will work even in places where
the firewall is fairly advanced - such as the Provo City Library.
Currently I'm using autossh and haproxy, but I'd like to pare it down to
just haproxy and then remove the OpenVPN encryption so that it's OpenVPN
through TLS instead of TLS wrapped by OpenVPN through TLS.
This unwrapping is particularly important because I also have a use case
of running OpenVPN over OpenVPN (once to make a publicly accessible
connection from inside of a private location, the next to make the public
connection actually private as if it were in the private location) and I
don't want 4-6 layers of encryption.
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
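The stunnel client config quoted in the thread uses verify = 0, so it encrypts the hop but would accept any certificate a man in the middle presented. The following is an added example, not code from the thread or from the stunnel project: it writes that weak config beside a version that verifies the chain against a CA bundle and pins the expected hostname, and includes a small lint that flags the weak settings. It assumes stunnel 5.x option names (verifyChain, checkHost) and the Debian/Ubuntu CA bundle path; the lint function, config filenames and the accept port are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list thread): weak vs. verifying
# stunnel client configs for plaintext localhost IMAP -> imap.gmail.com:993,
# plus a lint that flags a config that does not verify the server.
set -euo pipefail

# Assumption: Debian/Ubuntu location of the system CA bundle.
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Constructed copy of the config quoted in the thread: no verification at all.
weak_conf() {
cat <<'EOF'
client = yes
connect = imap.gmail.com:993
verify = 0
fips = no
EOF
}

# Hardened client config for the same job. Uses daemon mode (accept=) so it
# runs stand-alone; drop accept= to keep launching it from xinetd instead.
# Option names are stunnel 5.x (assumption).
strong_conf() {
cat <<EOF
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CAfile = $CA_BUNDLE
checkHost = imap.gmail.com
fips = no
EOF
}

# lint_stunnel_conf FILE
# Returns 0 if FILE verifies the peer chain against a CA store and pins a
# hostname, 1 otherwise, listing each problem on stderr.
lint_stunnel_conf() {
  local f=$1 rc=0
  if grep -Eq '^[[:space:]]*verify[[:space:]]*=[[:space:]]*0' "$f"; then
    echo "$f: verify = 0 disables certificate verification" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*(verifyChain[[:space:]]*=[[:space:]]*yes|verify[[:space:]]*=[[:space:]]*[2-4])' "$f"; then
    echo "$f: no chain verification (verifyChain = yes, or verify = 2 on stunnel 4)" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*CA(file|path)[[:space:]]*=' "$f"; then
    echo "$f: no CAfile/CApath, so there is nothing to verify against" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*checkHost[[:space:]]*=' "$f"; then
    echo "$f: no checkHost, so any cert from a trusted CA is accepted" >&2; rc=1
  fi
  return $rc
}

# Usage: write both configs and lint them (the weak one fails the lint).
if [ "${1-}" = "demo" ]; then
  weak_conf > /tmp/gmail-imap-weak.conf
  strong_conf > /tmp/gmail-imap.conf
  lint_stunnel_conf /tmp/gmail-imap-weak.conf || true
  lint_stunnel_conf /tmp/gmail-imap.conf && echo "/tmp/gmail-imap.conf: ok"
fi
```

Run it with `bash script.sh demo`. The socat command in the thread has the same weakness; the equivalent fix there is to replace `verify=0` with `verify=1,cafile=/etc/ssl/certs/ca-certificates.crt` (path is again an assumption), and, on socat releases that support it, let the peer's certificate name be checked against the connect host. Without the hostname check, any certificate signed by a CA in the bundle would satisfy the client, which is why checkHost is part of the hardened config rather than an extra.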