[stunnel-users] Connecting stunnels
Juhasz Gabor
2016-03-30 10:54:29 UTC
Hi,

I am a newbie in the stunnel world, so sorry for my question
if it was already answered earlier.

I have the following task to solve somehow :

We have 1 server with 2 stunnel connections (any kind).
We have e.g. HTTP communication via the tunnels.
Is there any support in stunnel to connect them somehow?
Probably we do not need bidirectional communication.

[client1]----- stunnel 1---> [server]------stunnel2 ----->[client2]

So [client1] --> [client2]

If there is no support in stunnel do you have any idea how to do it?

Kind regards,
Gabor
Ludolf Holzheid
2016-03-30 12:34:54 UTC
Post by Juhasz Gabor
Hi,
I am a newbie in the stunnel world, so sorry for my question
if it was already answered earlier.
We have 1 server with 2 stunnel connections (any kind).
We have e.g. HTTP communication via the tunnels.
Is there any support in stunnel to connect them somehow?
Probably we do not need bidirectional communication.
[client1]----- stunnel 1---> [server]------stunnel2 ----->[client2]
So [client1] --> [client2]
If there is no support in stunnel do you have any idea how to do it?
Gabor,

I'm not sure I understand what you are trying to accomplish.

Let's start with nomenclature:

o A server is a unit (hardware or software) that provides services,
e.g. e-mail distribution.

o A client is a unit that uses services a server provides.

A client connects to a server if it wants to use a service. For that,
the server listens on an address (e.g. IP host address and TCP port
number) known to the client.

For instance, a mail client establishes a TCP connection to TCP port
25 on a host running an SMTP mail server if it wants to send an
e-mail.

A server does not establish any connections to clients. It just
listens on a known address and waits for clients to connect.


If, in your example, 'client2' is a server according to my definition
and 'client1' is a real client, then yes, stunnel could be used to
e.g. encrypt the traffic between 'client1' and 'client2'.


Ludolf
--
Ludolf Holzheid
 
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
 
Tel: +49 621 33996-0
Fax: +49 621 3392239
 
mailto:***@bihl-wiedemann.de
http://www.bihl-wiedemann.de
 
Sitz der Gesellschaft: Mannheim
Geschäftsführer: Jochen Bihl, Bernhard Wiedemann
Amtsgericht Mannheim, HRB 5796
Juhasz Gabor
2016-03-30 12:45:25 UTC
Hi Ludolf,

Thanks for your reply.

Yes, I mean what you wrote.

Could you write the name of this feature or the doc, so I can understand how it works?

Thanks & Kind regards,
Gabor
Ludolf Holzheid
2016-03-30 13:49:35 UTC
Post by Juhasz Gabor
Hi Ludolf,
Thanks for your reply.
Yes, I mean what you wrote.
Could you write the name of this feature or the doc, so I can understand how it works?
Hi Gabor,

I don't have a link to post, but you don't need any special feature of
stunnel.


The idea is to have two instances of stunnel, one of them on the
client's host and the other on the server's host.

The client connects to the local stunnel instance (which is to be run
in client mode, 'client = yes'). This stunnel instance establishes an
encrypted connection to the instance on the server's host, which in
turn sets up a clear-text connection to the server (which is to be run
in server mode, 'client = no').

For instance, to encrypt a telnet connection:

  client's host             server's host
+---------------+          +----------------+
|               |          |                |
| telnet client |          | telnet server  |
| 127.0.0.1:x   |          | 127.0.0.23     |
|      :        |          |      ^         |
|      :        |          |      :         |
|      V        |          |      :         |
| 127.0.0.1:23  |          | 127.0.0.1:z    |
|    stunnel    |          |    stunnel     |
| 1.2.3.4:y ===============> 5.6.7.8:992    |
|               |          |                |
+---------------+          +----------------+

The vertical connections (with colons) are clear-text, the horizontal
connection (with equal signs) is encrypted.


Ludolf
Juhasz Gabor
2016-03-31 06:16:24 UTC
Hi Ludolf,

Thanks for your reply.

Sorry, my first explanation was a bit fuzzy.

I modified your picture a bit to explain what I want:

  stunnel client            stunnel server              stunnel client
+---------------+          +------------------+          +---------------+
|               |          |                  |          |               |
| telnet client |          | 5.6.7.8:993 <================ 4.5.6.7:y     |
| 127.0.0.1:x   |          |      stunnel     |          |    stunnel    |
|      :        |          | 127.0.0.1:q      |          | 127.0.0.1:p   |
|      :        |          |      :           |          |      :        |
|      V        |          |      :           |          |      :        |
| 127.0.0.1:23  |          | 127.0.0.1:z      |          |      V        |
|    stunnel    |          |      stunnel     |          | 127.0.0.1:23  |
| 1.2.3.4:y ===============> 5.6.7.8:992      |          | telnetserver  |
|               |          |                  |          |               |
+---------------+          +------------------+          +---------------+

In the stunnel server I'd like to connect the 2 tunnels
in order that telnet client can connect to telnet server.

Does stunnel have some solution for it? Or do you know some standard, stable and easy solution for it in Linux?

Thanks & Kind regards,
Gabor

Ludolf Holzheid
2016-03-31 08:19:23 UTC
Post by Juhasz Gabor
Hi Ludolf,
Thanks for you reply.
Sorry, my first explanation was a bit fuzzy.
  stunnel client            stunnel server              stunnel client
+---------------+          +------------------+          +---------------+
|               |          |                  |          |               |
| telnet client |          | 5.6.7.8:993 <================ 4.5.6.7:y     |
| 127.0.0.1:x   |          |      stunnel     |          |    stunnel    |
|      :        |          | 127.0.0.1:q      |          | 127.0.0.1:p   |
|      :        |          |      :           |          |      :        |
|      V        |          |      :           |          |      :        |
| 127.0.0.1:23  |          | 127.0.0.1:z      |          |      V        |
|    stunnel    |          |      stunnel     |          | 127.0.0.1:23  |
| 1.2.3.4:y ===============> 5.6.7.8:992      |          | telnetserver  |
|               |          |                  |          |               |
+---------------+          +------------------+          +---------------+
Hi Gabor,

in your picture above, I don't understand who is supposed to establish
the connection (i.e. who is to act as a client) and who is supposed
to wait for connections (i.e. who is to act as a server).

An IP connection is similar to a telephone connection. The caller
(acting as the client) is supposed to dial the number of the callee's
phone and the callee (acting as the server) is supposed to sit next to
this very phone, waiting for incoming connections.

In my picture, I tried to depict this by giving the connections 'a
direction': The unit at the arrow head is the server, the unit at the
arrow tail is the client.


/Maybe/ you are thinking of running the stunnel instance in server
mode on a different host than the telnet server:

  telnet client's host      intermediate host           telnet server's host
+---------------+          +------------------+          +----------------+
|               |          |                  |          |                |
| telnet client |          |                  |          |                |
| 127.0.0.1:x   |          |                  |          |                |
|      :        |          |                  |          |                |
|      :        |          |                  |          |                |
|      V        |          |                  |          |                |
| 127.0.0.1:23  |          | 5.6.7.8:z ..................> 4.5.6.7:23     |
|    stunnel    |          |      stunnel     |          |     telnet     |
| 1.2.3.4:y ===============> 5.6.7.8:992      |          |     server     |
|               |          |                  |          |                |
+---------------+          +------------------+          +----------------+

This is essentially the same as my first picture except for the
'connect' statement in the configuration file of the stunnel in server
mode.

Ludolf
Juhasz Gabor
2016-03-31 09:20:11 UTC
Hi Ludolf,

Thanks for your reply.
Post by Ludolf Holzheid
in your picture above, I don't understand who is supposed to establish
the connection (i.e. who is to act as a client) and who is supposed
to wait for connections (i.e. who is to act as a server).
There are 2 clients (left and right side) and the middle is the server.

[host1] ------------- [host2] ------------ [host3]
[stunnel client] ---> [stunnel server] <-- [stunnel client]
[telnet client] ----> [tunnelserver] ----> [telnet server]

These arrows are on my original pictures.

The server has 2 instances of stunnel and I'd like to connect them somehow.
Post by Ludolf Holzheid
/Maybe/ you are thinking of running the stunnel instance in server
No, I do not think so.

Kind regards,
Gabor

Ludolf Holzheid
2016-03-31 11:09:12 UTC
Post by Juhasz Gabor
Hi Ludolf,
Thanks for your reply.
Post by Ludolf Holzheid
in your picture above, I don't understand who is supposed to establish
the connection (i.e. who is to act as a client) and who is supposed
to wait for connections (i.e. who is to act as a server).
There are 2 clients (left and right side) and the middle is the server
[host1] ------------- [host2] ------------ [host3]
[stunnel client] ---> [stunnel server] <-- [stunnel client]
[telnet client] ----> [tunnelserver] ----> [telnet server]
These arrows are on my original pictures.
Gabor,

I still don't understand which unit you want to act as a server and
which as a client for each connection.

The telnet client is a client in any case. On request of a user, the
telnet client establishes a connection to e.g. the stunnel instance on
host1.

The telnet server is a server in any case. A server doesn't establish
connections, but waits for incoming connections. So who is supposed
to establish the connection between the stunnel instance on host3 and
the telnet server, and on whose request?
Post by Juhasz Gabor
The server has 2 instances of stunnel and I'd like to connect them somehow.
What does the term 'server' refer to in this sentence?


Maybe it helps if you explain the application you are trying to set
up. In a previous mail, you mentioned HTTP, so I think there is a web
browser (e.g. Firefox) and a www server (e.g. Apache) you want to
connect. Is that correct?

Ludolf
Juhasz Gabor
2016-03-31 11:39:55 UTC
Hi Ludolf,

Here it is again:

3 hosts:
[host1]----[host2]---[host3]

1) stunnel: host1 -> host2
2) stunnel: host3 -> host2
3) telnet: host1 -> host3 via stunnel and via host2

Kind regards,
Gabor

Ludolf Holzheid
2016-03-31 11:50:53 UTC
Post by Juhasz Gabor
Hi Ludolf,
[host1]----[host2]---[host3]
1) stunnel: host1 -> host2
2) stunnel: host3 -> host2
3) telnet: host1 -> host3 via stunnel and via host2
And again:

Who is supposed to establish the connection between the stunnel
instance on host3 and the telnet server, and on whose request?

What would the setup look like if there was no encryption needed and
thus no stunnel involved?

Sorry for being that lamebrained.

Ludolf
Ludolf Holzheid
2016-03-31 14:26:02 UTC
Post by Carter Browne
A single instance of stunnel can be a server or a client depending on
the settings. For this configuration, you would want host3 to be a
server not a client.
Thus, you need the intermediate port on server2 to server as both a

[secure_telnet]
accept = local:23
connect = host2:host2port1
client = yes

[incoming_telnet_relay]
accept = host2:host2port1
connect = local:host2port2
client = no

[outgoing_telnet_relay]
accept = local:host2port2
connect = host3:host3port1
client = yes

[incoming_telnet]
accept = host3:host3port1
connect = local:23
Carter,

What's the advantage of this setup over a direct connection from Host1
to Host3?

Host1:

[secure_telnet]
accept = local:23
connect = host3:host3port1
client = yes

Host3:

[incoming_telnet]
accept = host3:host3port1
connect = local:23
client = no

If e.g. Host3 isn't directly reachable from Host1, a simple port
forwarding (without decryption and re-encryption) on Host2 would
suffice.

Ludolf
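Ludolf's alternative of plain port forwarding on Host2 (no decryption and re-encryption), as an added example that is not code from the thread or from the stunnel project: a minimal asyncio TCP relay that copies bytes unmodified, so the TLS session stays end-to-end between Host1's and Host3's stunnel instances. The listen and target addresses and the loopback self-test (an echo server standing in for Host3) are constructed here, not taken from the thread.

```python
"""Opaque TCP port forwarder for an intermediate host: the TLS records from
host1 are copied to host3 unmodified, so the relay never holds the session
keys and never sees the telnet traffic in cleartext."""
import asyncio


async def _pipe(reader, writer):
    """Copy one direction until EOF, then half-close so the peer sees EOF."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        if writer.can_write_eof():
            writer.write_eof()


async def _relay(target_host, target_port, reader, writer):
    """Per-connection handler: dial the target and pump both directions."""
    try:
        r2, w2 = await asyncio.open_connection(target_host, target_port)
    except OSError:
        writer.close()          # target unreachable: drop the client connection
        return
    try:
        await asyncio.gather(_pipe(reader, w2), _pipe(r2, writer),
                             return_exceptions=True)
    finally:
        writer.close()
        w2.close()


async def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port and forward to target_host:target_port."""
    return await asyncio.start_server(
        lambda r, w: _relay(target_host, target_port, r, w),
        listen_host, listen_port)


async def _roundtrip(payload):
    # Constructed loopback self-test: client -> forwarder -> echo server -> back.
    async def echo(r, w):
        while data := await r.read(65536):
            w.write(data)
            await w.drain()
        w.close()
    echo_srv = await asyncio.start_server(echo, "127.0.0.1", 0)
    echo_port = echo_srv.sockets[0].getsockname()[1]
    fwd = await start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    fwd_port = fwd.sockets[0].getsockname()[1]
    r, w = await asyncio.open_connection("127.0.0.1", fwd_port)
    w.write(payload)
    await w.drain()
    w.write_eof()                 # tell the forwarder we are done sending
    got = await r.read()          # read until the forwarder half-closes
    w.close()
    fwd.close()
    echo_srv.close()
    return got


def forward_roundtrip(payload: bytes) -> bytes:
    """Run the loopback self-test and return the bytes that came back."""
    return asyncio.run(_roundtrip(payload))


if __name__ == "__main__":
    print(forward_roundtrip(b"hello through host2"))
```

The relay is protocol-agnostic: with stunnel on Host1 pointed at it and its target set to Host3's stunnel, Host2 forwards the TLS handshake and records without being able to read them.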
Carter Browne
2016-03-31 14:39:03 UTC
Post by Ludolf Holzheid
A single instance of stunnel can be a server or a client depending on
the settings. For this configuration, you would want host3 to be a
server not a client.
Thus, you need the intermediate port on server2 to server as both a
[secure_telnet]
accept = local:23
connect = host2:host2port1
client = yes
[incoming_telnet_relay]
accept = host2:host2port1
connect = local:host2port2
client = no
[outgoing_telnet_relay]
accept = local:host2port2
connect = host3:host3port1
client = yes
[incoming_telnet]
accept = host3:host3port1
connect = local:23
Carter,
What's the advantage of this setup over a direct connection from Host1
to Host3?
[secure_telnet]
accept = local:23
connect = host3:host3port1
client = yes
[incoming_telnet]
accept = host3:host3port1
connect = local:23
client = no
If e.g. Host3 isn't directly reachable from Host1, a simple port
forwarding (without decryption and re-encryption) on Host2 would
suffice.
Ludolf
Ludolf,

I didn't ask the reason why in this case - I have had instances where I
wanted the communication to be encrypted, but I could not go directly
from Host1 to Host3. If he can go directly from Host1 to Host3, then
your configuration is correct. However, in these days of firewalls,
network segmentation, etc., the direct path may not be available or desired.

Carter
--
Carter Browne
***@cbcs-usa.com
Ludolf Holzheid
2016-03-31 15:21:47 UTC
Post by Carter Browne
[..]
I didn't ask the reason why in this case - I have had instances where I
wanted the communication to be encrypted, but I could not go directly
from Host1 to Host3. If he can go directly from Host1 to Host3, then
your configuration is correct. However, in these days of firewalls,
network segmentation, etc., the direct path may not be available or
desired.
Carter,

I was wondering if there is a reason for the two separately encrypted
connections. I had the impression that end-to-end encryption and a
port forwarder on Host2 were easier to set up (and more resource
conserving), but this may be a matter of taste ...

Ludolf
Carter Browne
2016-03-31 15:44:25 UTC
Post by Ludolf Holzheid
Post by Carter Browne
[..]
I didn't ask the reason why in this case - I have had instances where I
wanted the communication to be encrypted, but I could not go directly
from Host1 to Host3. If he can go directly from Host1 to Host3, then
your configuration is correct. However, in these days of firewalls,
network segmentation, etc., the direct path may not be available or
desired.
Carter,
I was wondering if there is a reason for the two separately encrypted
connections. I had the impression that end-to-end encryption and a
port forwarder on Host2 were easier to set up (and more resource
conserving), but this may be a matter of taste ...
Ludolf
Ludolf,

You are correct, a simple port forwarder would work just as well. In my
case, I have stunnel running for other reasons, so it was easier to use
it rather than install another package to do the port forwarding. Using
stunnel can provide more security by validating the individual
point-to-point connections, at the cost of the additional overhead of
decrypting and re-encrypting the data.

Carter
--
Carter Browne
***@cbcs-usa.com
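To make the trade-off Carter and Ludolf discuss concrete, here is an added example (not code from the thread or from stunnel) that parses per-host stunnel sections, follows a telnet connection through the accept/connect chain and reports on which hosts the bytes exist in cleartext. The per-host configs are constructed from Carter's relay and Ludolf's direct layout using the thread's placeholder host and port names; the check that a TLS hop must land on a `client = no` section and a cleartext hop on a `client = yes` section is the author's addition.

```python
import configparser
from dataclasses import dataclass, field

# Constructed per-host configs modelled on the thread's two proposals:
# Carter's decrypt-and-re-encrypt relay on host2 and Ludolf's direct tunnel.
RELAY = {
    "host1": "[secure_telnet]\naccept = local:23\n"
             "connect = host2:host2port1\nclient = yes\n",
    "host2": "[incoming_telnet_relay]\naccept = host2:host2port1\n"
             "connect = local:host2port2\nclient = no\n"
             "[outgoing_telnet_relay]\naccept = local:host2port2\n"
             "connect = host3:host3port1\nclient = yes\n",
    "host3": "[incoming_telnet]\naccept = host3:host3port1\n"
             "connect = local:23\n",          # stunnel's default is client = no
}
DIRECT = {
    "host1": "[secure_telnet]\naccept = local:23\n"
             "connect = host3:host3port1\nclient = yes\n",
    "host3": "[incoming_telnet]\naccept = host3:host3port1\n"
             "connect = local:23\nclient = no\n",
}

@dataclass(frozen=True)
class Service:
    host: str
    name: str
    accept: tuple    # (host, port) the section listens on
    connect: tuple   # (host, port) it forwards to
    client: bool     # client = yes: accepts cleartext, emits TLS

@dataclass
class Trace:
    hops: list = field(default_factory=list)  # (host, section, kind, target)
    endpoint: tuple = None                    # where the last connect lands

    def cleartext_hosts(self):
        """Hosts on which the telnet bytes exist unencrypted."""
        hosts = {self.hops[0][0], self.endpoint[0]}
        hosts.update(h for h, _, kind, _ in self.hops if kind == "clear")
        return hosts

def _addr(host, spec):
    """Resolve 'local:port' / 'hostX:port' relative to the host running it."""
    h, port = spec.split(":", 1)
    return (host if h in ("local", "127.0.0.1") else h, port)

def parse(configs):
    services = []
    for host, text in configs.items():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        for name in cp.sections():
            sec = cp[name]
            services.append(Service(host, name, _addr(host, sec["accept"]),
                                    _addr(host, sec["connect"]),
                                    sec.get("client", "no").lower() == "yes"))
    return services

def trace(configs, start, max_hops=16):
    """Follow the connection from the address the telnet client dials."""
    services = {s.accept: s for s in parse(configs)}
    t, incoming, cur = Trace(), "clear", start   # telnet speaks plain TCP
    while cur in services:
        svc = services[cur]
        # TLS must land on client = no, cleartext on client = yes; else misconfig
        if (incoming == "tls") == svc.client:
            raise ValueError(f"{svc.host}/{svc.name} receives {incoming} but "
                             f"has client = {'yes' if svc.client else 'no'}")
        incoming = "tls" if svc.client else "clear"
        t.hops.append((svc.host, svc.name, incoming, svc.connect))
        if len(t.hops) > max_hops:
            raise ValueError("loop in stunnel chain")
        cur = svc.connect
    t.endpoint = cur
    return t
```

For the relay layout the trace shows two TLS terminations and cleartext on all three hosts; for the direct layout only host1 and host3 ever hold the telnet bytes unencrypted.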