All,

On 9/9/13 2:50 PM, Christopher Schultz wrote:
> Somewhat off-topic, but I was wondering if anyone knew of any
> package or technique that could be used to tunnel an arbitrary
> protocol via TLS?
>
> In this particular case, I need to wrap HTTP in TLS (to make HTTPS
> :) without modifying the source of the client -- and the client
> does not support HTTPS. :(
>
> So far, I've come up with the following possibilities:
>
> 1. Use stunnel.

Oddly enough, my experience with stunnel is limited to tunneling AJP and MySQL. After re-reading the man page (someone suggested it after I claimed that stunnel required stunnel processes at both ends), it appears that it's trivial to configure stunnel at one end as long as the other end already speaks TLS -- like the case where I need to connect to an HTTPS server but my client can't do HTTPS (at least not yet).

I like this better than using httpd for a few reasons:

1. I don't need httpd for anything else, and would prefer not to install something so big for such a small job.
2. I already have stunnel running for other reasons.
3. Configuration is simpler (but not much).

Anyhow, if anyone is interested, I've been able to set this up quite trivially using stunnel /on the client end/ of the connection with this configuration:

====
sslVersion = TLSv1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /testing.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes

[testing]
accept=localhost:1234
connect=www.remote-server.com:443
====

Most of that is stock configuration from Debian (e.g. chroot, socket options, etc.). Plus, I haven't configured client certs yet, but it should be as easy as:

cert=/path/to/my/private-key-and-certificate.pem

Now that I know stunnel doesn't need to be running on both sides of a connection, I might be able to simplify some of my MySQL configurations.
(For those who aren't familiar, Linux distributions tend not to build their package-managed MySQLs with SSL support due to some odd licensing issues. That means that, even though MySQL "supports" encrypted connections, it basically can't actually do them in practice. If I can use stunnel locally, I can have stunnel act as my "server" and proxy to MySQL. I have this set up this way now, but I also have a mirror stunnel process running on the client as well. Given the above, I should be able to connect to the remote stunnel process directly from the JDBC driver and not have to do loopback/stunnel connections on both sides.)

-chris
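Editor's added example (not from Chris's post or from the stunnel project): the two one-sided setups the message describes, written out as complete stunnel configurations. The first puts a client-mode stunnel in front of a plaintext HTTP client so it can reach an HTTPS server; the second puts a server-mode stunnel in front of a plaintext MySQL so a remote JDBC client can connect with TLS and no stunnel of its own. Host names, file paths, ports and the CA bundle location are assumptions. The one thing a practitioner should not copy from the post's snippet is the absence of `verify`/`CAfile`: a client-mode stunnel with the default `verify = 0` accepts any server certificate, so the "TLS" it provides is encryption without authentication.

```ini
; Added example, not code from the original post. Hosts, paths and ports
; are assumptions; adjust to the local layout.

; ---- Client side: plaintext HTTP in, TLS out to an HTTPS server ----
; /etc/stunnel/http-client.conf
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; pid path is relative to the chroot directory
pid = /http-client.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
; The post's "sslVersion = TLSv1" pins TLS 1.0 only. Let stunnel negotiate
; the newest version and just switch off the legacy protocols instead.
options = NO_SSLv2
options = NO_SSLv3
; verify = 2 makes stunnel check the server's chain against CAfile and
; refuse to connect without a valid certificate. CAfile is read at startup,
; before chroot, so an absolute system path is fine.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
; Optional client certificate, as in the post: private key + cert in one
; unencrypted PEM, read as root before privileges are dropped.
; cert = /etc/stunnel/client-key-and-cert.pem

[http-to-https]
accept = 127.0.0.1:1234
connect = www.remote-server.com:443
; Hostname check against the server certificate (stunnel 5.06 or newer).
; On older stunnel, pin the expected certificate via verify = 3 / CApath
; or use a private CAfile that contains only the issuer you expect.
checkHost = www.remote-server.com

; ---- Server side: TLS in from the JDBC driver, plaintext to local MySQL ----
; /etc/stunnel/mysql-server.conf
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /mysql-server.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = no
options = NO_SSLv2
options = NO_SSLv3
; Server key + certificate presented to connecting JDBC clients.
cert = /etc/stunnel/mysql-server-key-and-cert.pem
; Require a client certificate issued by our own CA: the exposed port is
; then not only encrypted but limited to holders of an issued certificate.
verify = 2
CAfile = /etc/stunnel/mysql-client-ca.pem

[mysql]
accept = 0.0.0.0:3307
; MySQL itself keeps listening on loopback only; stunnel is its TLS front.
connect = 127.0.0.1:3306
```

With the first file, the legacy client is pointed at `http://127.0.0.1:1234/` and never learns TLS exists; with the second, the JDBC driver is pointed at `<stunnel-host>:3307` and the only TLS-speaking component on the client machine is the driver's own TLS support (or a client-mode stunnel, if the driver has none). Reload each with `stunnel <file>` after checking it with `stunnel -test <file>` on stunnel 5, and confirm the server side is doing what you think with `openssl s_client -connect <stunnel-host>:3307`, which should show the server certificate and, with `verify = 2` in force, fail the handshake when no client certificate is supplied.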