[sslh] URL to sslh 1.13 for Windows package (with Cygwin)

Michael K. Avanessian michael at mka.net
Wed Oct 24 17:17:21 CEST 2012


Yves, thanks again for producing a compiled version for Windows.  I have correctly configured SSLH and stunnel using the command lines below:
stunnel -f -p mycert.pem  -d thelonious:443 -l /usr/local/sbin/sslh -- 
sslh -i  --ssl localhost:80 --ssh localhost:22

I can successfully do this now:
Web browser --------http/ssl------> stunnel ---http---> sslh --> http:80

However, I can't figure out how to correctly configure my client PC to use an SSH client with "proxytunnel -e" to reach my SSH server.  In order to reach my SSH server, the SSH client needs to go through a local proxy, then reach my stunnel server, which decapsulates the contents and sends them to SSLH; SSLH then finally routes them to the SSH server on port 22.

I have seen several examples on the Internet for configuring SSH putty with proxytunnel.  However, those examples presume I am using Apache mod_proxy with SSL virtual host (port 443) instead of stunnel + sslh.

Could you please provide a real "working" example config file for OpenSSH (using ProxyCommand proxytunnel -e) to reach my SSH server through stunnel and sslh?  The example below is only specific for people who have a newer version of Apache server mod_proxy SSL (used to have a bug in older versions) virtual port 443.  I tried to do exactly the same as below, except for removing the -R parameter, but it still doesn't work.

Host *.example.com *.someotherdomain.com
    ProxyCommand proxytunnel -q -p my.local.proxy:8080 -P localproxyuserid:localproxypass -r www.example.com:443 -R extapacheuserid:extapachepass -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\nHost: www.example.com\nContent-Length: 0\nPragma: no-cache"
    DynamicForward 1080
    ServerAliveInterval 60


-----Original Message-----
From: Yves Rutschle [mailto:yves at naryves.com] 
Sent: Sunday, October 21, 2012 1:58 PM
To: Michael K. Avanessian
Cc: Michael Avanessian; sslh at rutschle.net
Subject: Re: [sslh] URL to sslh 1.13 for Windows package (with Cygwin)

On Sun, Oct 21, 2012 at 08:02:37PM +0000, Michael K. Avanessian wrote:
> Thanks so much Yves!!!
> 
> The reason I asked for an example command line (to work with a 
> proxytunnel -e + SSH client) is because linux and windows have some 
> differences.  For example Windows doesn't even have  inetd. So, 
> unfortunately the command line you gave me doesn't work with a normal 
> default-setting stunnel installation on windows.

You shouldn't need inetd to use sslh's inetd mode -- it's really just a different way to interact with its environment.

> 
> All I did was install stunnel with all default settings (which creates 
> a self-signed cert stunnel.pem).  I also copied 
> "sslh-select-1.13b.exe" and "cygwin1.dll" in the stunnel directory.  
> Running the below command does NOT work; and produces an error 
> "Stunnel server is down due to an error".  It pops up a window 
> showing (invalid stunnel.conf).  I have tried with and without -I 
> parameter.
> 
> stunnel -f -p stunnel.pem  -d mkanetpc:443 -l sslh -- sslh -i  --http 
> localhost:80 --ssh localhost:22

I would suspect that you have stunnel 4 installed, which IIRC only uses a configuration file and doesn't accept many command line parameters. You'll need to look up how to configure your stunnel.conf to do what you want it to do. I can't help much there as I haven't really used stunnel 4.

Note that instead of using sslh's inetd mode as above, you can run sslh listening on one port and get stunnel to forward to that port:

stunnel -f -p stunnel.pem -d mkanetpc:443 -r 5000
sslh -p mkanetpc:5000 --http localhost:80 --ssh localhost:22

The good thing about this method is that it lets you test both sides independently to help find what is not working.

Y.
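
Testing both sides independently, as suggested in the reply above, can be scripted. The following is an added example, not code from this thread or from the sslh project. It assumes sslh hands a client that sends nothing to its --ssh target once its probe timeout expires; the function names and the certificate file name are hypothetical.

```python
import socket
import ssl

def first_bytes(host, port, tls=False, cafile=None, wait=5.0):
    """Connect, send nothing, and return whatever the far end sends first.

    An SSH server speaks first. Assumption: sslh passes a silent client to
    its --ssh target once its probe timeout expires, so `wait` must be
    longer than that timeout.
    """
    sock = socket.create_connection((host, port), timeout=wait)
    try:
        if tls:
            # Trust only the certificate in `cafile` (the server's self-signed
            # certificate) instead of switching verification off.
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.check_hostname = False  # name may not match; cert is still verified
            sock = ctx.wrap_socket(sock)
        return sock.recv(64)
    except socket.timeout:
        return b""
    finally:
        sock.close()

def classify(data):
    """Name the service from its opening bytes."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"HTTP/"):
        return "http"
    return "unknown" if data else "silent"

def check_chain(sslh_addr, stunnel_addr, cafile):
    """Probe sslh directly, then through stunnel's TLS listener.

    "ssh" on sslh but not on stunnel (or a TLS error) points at stunnel or
    its certificate; anything else on sslh points at sslh or the SSH server.
    """
    direct = classify(first_bytes(*sslh_addr))
    wrapped = classify(first_bytes(*stunnel_addr, tls=True, cafile=cafile))
    return {"sslh": direct, "stunnel": wrapped}

if __name__ == "__main__":
    # Host and ports from the thread; the certificate file name is hypothetical.
    print(check_chain(("mkanetpc", 5000), ("mkanetpc", 443), "stunnel-cert.pem"))
```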


