[sslh] URL to sslh 1.13 for Windows package (with Cygwin)

Michael K. Avanessian michael at mka.net
Thu Oct 25 03:41:31 CEST 2012


No matter what I do, Putty immediately produces an error: "Server unexpectedly closed network connection" on client PC.  I am not even sure if Putty is talking to proxytunnel correctly.

Proxytunnel standalone (without putty) is able to go through local proxy and even create successful SSL connection with stunnel on server (see below command line for standalone and respective output):

proxytunnel.exe -e -p localhttpproxy:80 -P userid:password -r websiteURL:443 -d websiteURL:22 -H "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; MS-RTC LM 8; .NET4.0E)\nHost: mka.net\nContent-Length: 0\nPragma: no-cache"

Via localhttpproxy:80 -> websiteURL:443 -> websiteURL:22
error: Socket read error: [104] Connection reset by peer  <----this error is only because I am not sending SSH in above standalone example.


There is nothing in the putty log when I try to use proxytunnel command.  I really wish that configuring Putty with proxytunnel was easier on Windows :(  There is absolutely no information in the putty log.  I have no idea if putty is even using proxytunnel or not.  I believe the problem is something is preventing putty from using proxytunnel.  My client workstation is just regular Windows 32bit.

I am pretty sure the server-side is configured correctly since I have a fully working https website using stunnel+sslh.  I just need help to somehow use Putty+proxytunnel -e (or equivalent).  I am very frustrated.  It shouldn't be that hard to configure client!

------------------------------------------------------------------------------------------------------------------------------------



Yves, thanks again for producing a compiled version for Windows.  I have correctly configured SSLH and stunnel using the below commandlines:
stunnel -f -p mycert.pem  -d thelonious:443 -l /usr/local/sbin/sslh -- 
sslh -i  --ssl localhost:80 --ssh localhost:22

I can successfully do this now:
Web browser --------http/ssl------> stunnel ---http---> sslh --> http:80

However, I can't figure out how to correctly configure my client PC to use SSH client with "proxytunnel -e" to reach my SSH server.  In order to reach my SSH server, the SSH client needs to go through a local proxy, then reach my stunnel server, decapsulate contents, then send to SSLH, then SSLH routes it to SSH server on port 22 finally.

I have seen several examples on the Internet for configuring SSH putty with proxytunnel.  However, those examples presume I am using Apache mod_proxy with SSL virtual host (port 443) instead of stunnel + sslh.

Could you please provide a real "working" example config file for OpenSSH (using ProxyCommand proxytunnel -e) to reach my SSH server through stunnel and sslh?  Below example is only specific for people who have a newer version of apache server mod_proxy SSL (used to have a bug in older versions) virtual port 443.  I tried to do exactly the same as below; except remove -R parameter.  But, it still doesn't work.

Host *.example.com *.someotherdomain.com
    ProxyCommand proxytunnel -q -p my.local.proxy:8080 -P localproxyuserid:localproxypass -r www.example.com:443 -R extapacheuserid:extapachepass -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\nHost: www.example.com\nContent-Length: 0\nPragma: no-cache"
    DynamicForward 1080
    ServerAliveInterval 60


-----Original Message-----
From: Yves Rutschle [mailto:yves at naryves.com]
Sent: Sunday, October 21, 2012 1:58 PM
To: Michael K. Avanessian
Cc: Michael Avanessian; sslh at rutschle.net
Subject: Re: [sslh] URL to sslh 1.13 for Windows package (with Cygwin)

On Sun, Oct 21, 2012 at 08:02:37PM +0000, Michael K. Avanessian wrote:
> Thanks so much Yves!!!
> 
> The reason I asked for an example command line (to work with a 
> proxytunnel -e + SSH client) is because linux and windows have some 
> differences.  For example Windows doesn't even have  inetd. So, 
> unfortunately the command line you gave me doesn't work with a normal 
> default-setting stunnel installation on windows.

You shouldn't need inetd to use sslh's inetd mode -- it's really just a different way to interact with its environment.

> 
> All I did was install stunnel with all default settings (which creates 
> a self-signed cert stunnel.pem).  I also copied 
> "sslh-select-1.13b.exe" and "cygwin1.dll" in the stunnel directory.  
> Running the below command does NOT work; and produces an error 
> "Stunnel server is down due to an error".  It pops up a window 
> showing (invalid stunnel.conf).  I have tried with and without -I 
> parameter.
> 
> stunnel -f -p stunnel.pem  -d mkanetpc:443 -l sslh -- sslh -i  --http 
> localhost:80 --ssh localhost:22

I would suspect that you have stunnel 4 installed, which IIRC only uses a configuration file and doesn't accept many command line parameters. You'll need to look up how to configure your stunnel.conf to do what you want it to do. I can't help much there as I haven't really used stunnel 4.

Note that instead of using sslh's inetd mode as above, you can run sslh listening on one port and get stunnel to forward to that port:

stunnel -f -p stunnel.pem -d mkanetpc:443 -r 5000
sslh -p mkanetpc:5000 --http localhost:80 --ssh localhost:22

The good thing about this method is that it lets you test both sides independently to help find what is not working.

Y.
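
The advice above to test both sides independently can be scripted when sslh runs on its own port. The following Python probe is an added example, not part of the original thread or of sslh: it asks each hop (sshd, sslh, stunnel) for an SSH banner on its own. Host names and ports are the ones used in the thread; the function names, the probe's identification string and the use of stunnel.pem as the trusted certificate are assumptions.

```python
import socket
import ssl


def read_ssh_banner(host, port, use_tls=False, cafile=None, timeout=5.0):
    """Return the SSH identification line served at host:port. use_tls=True
    does a TLS handshake first, as a client of stunnel would; cafile is the
    PEM certificate to trust (assumed: stunnel's self-signed one)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.check_hostname = False  # trust is pinned to cafile instead
            sock = ctx.wrap_socket(sock)
        # Identify ourselves first so a demultiplexer in front of sshd sees
        # SSH traffic right away instead of waiting for its timeout.
        sock.sendall(b"SSH-2.0-hopcheck\r\n")
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    finally:
        sock.close()
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if not line.startswith("SSH-"):
        raise ValueError("no SSH banner, got %r" % line)
    return line


def check_hops(hops):
    """Probe each (label, host, port, use_tls, cafile) hop independently."""
    results = {}
    for label, host, port, use_tls, cafile in hops:
        try:
            results[label] = read_ssh_banner(host, port, use_tls, cafile)
        except (OSError, ValueError) as exc:
            results[label] = "FAILED: %s" % exc
    return results


if __name__ == "__main__":
    # Hosts and ports as used in the thread; adjust to the real deployment.
    chain = [("sshd", "localhost", 22, False, None),
             ("sslh", "mkanetpc", 5000, False, None),
             ("stunnel", "mkanetpc", 443, True, "stunnel.pem")]
    for label, outcome in check_hops(chain).items():
        print("%-8s %s" % (label, outcome))
```

The first hop that reports FAILED while the hop behind it returns a banner is the one whose configuration needs attention.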


