[sslh] sslh for windows broken?
Yves Rutschle
yves at naryves.com
Fri Oct 26 08:26:32 CEST 2012
Ah. Ok, forget my previous mail then. I need to test that on
my side.
On Thu, Oct 25, 2012 at 07:13:22PM -0700, Michael Avanessian wrote:
> Okay, after several hours of testing, I finally just connected Putty directly to
> sslh listening port (both on same local network interface; making it as simple
> as possible).
>
> Below, you can see that sslh incorrectly routes SSH2 traffic to the http:80
> server. The same thing happens with Tunnelier as well.
>
> C:\Program Files (x86)\stunnel>sslh -v -p 192.168.1.2:7777 --ssl 192.168.1.2:80
> --ssh 192.168.1.2:22
> ssl addr: Horizon:http. libwrap service: (null) family 2 2
> ssh addr: Horizon:ssh. libwrap service: sshd family 2 2
> listening on:
> Horizon:7777
> timeout to ssh: 2
> listening to 1 addresses
>
> C:\Program Files (x86)\stunnel>selecting... max_fd=4 num_probing=0
> accepted fd 4 on slot 0
> selecting... max_fd=5 num_probing=1
> processing fd0 slot 0
> **** writing defered on fd -1
> connecting to Horizon:http family 2 len 16
> flushing defered data to fd 5
> selecting... max_fd=6 num_probing=0
> processing fd1 slot 0
> activity on fd5
> selecting... max_fd=6 num_probing=0
> processing fd1 slot 0
> activity on fd5
> closing fd 4
> closing fd 5
> selecting... max_fd=6 num_probing=0
>
>
> See screenshot:
> http://i67.photobucket.com/albums/h283/mkanet/sslh-broken.jpg
>
> Changing the timeout value doesn't help. Is there a very special way I need to
> configure the SSH clients? Default config for PuTTY and Tunnelier don't work.
> Maybe the compiled Windows build of sslh is broken? I don't know anything else
> to try. :(
>
> ----- Forwarded Message ----
> From: Michael Avanessian <mkanet at yahoo.com>
> To: yves at naryves.com
> Cc: sslh at rutschle.net
> Sent: Thu, October 25, 2012 1:37:08 PM
> Subject: Fw:
>
>
> I figured out the problem! It is SSLH standalone causing the problem!
>
> The below sslh commandline is able to pass http (decapsulated by stunnel4)
> traffic to port 80 successfully. However, sslh commandline FAILS to pass SSH
> (decapsulated by stunnel4) to SSH server.
>
> sslh -p localhost:7777 --ssl localhost:80 --ssh localhost:22
>
>
> stunnel4 simply decapsulates the SSL wrapper successfully and forwards all traffic
> to sslh. sslh can only handle incoming http traffic. It can't accept incoming
> SSH traffic for some reason. Does sslh require an extra parameter?
>
> I can prove this by changing stunnel to send SSH directly to SSH. It's fine that
> way.
>
> So, how can I get sslh to send SSH to port 22?
>
> Thanks!
>
>
>
> ----- Forwarded Message ----
> From: Michael Avanessian <mkanet at yahoo.com>
> To: yves at naryves.com
> Cc: sslh at rutschle.net
> Sent: Thu, October 25, 2012 10:36:07 AM
> Subject:
>
>
> Since I am not able to get PuTTY to use proxytunnel, I thought I would try an
> alternate method:
>
> On client:
> puttyssh-->stunnel-client-->proxytunnel -a (standalone
> mode)-------------------------->
>
> proxytunnel -a 7000 -e -p localHTTPproxy:80 -P userID:password -d MYServerIP:443
> -H "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET
> CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR
> 3.5.30729; .NET4.0C; MS-RTC LM 8; .NET4.0E)\nHost:
> MYServerIP.com\nContent-Length: 0\nPragma: no-cache"
>
>
>
> On Server:
> Stunnel-server-->sslh-->SSHServer
>
> Stunnel is able to establish the SSL connection. However, there is a problem with
> handling the decapsulated SSH connection. Below is the stunnel server log.
> Stunnel on the server forwards to sslh on port 7777; sslh is then supposed to forward
> SSH connections to port 22.
>
>
> 2012.10.25 10:15:32 LOG7[4100:9232]: Service [stunnel-sslh] accepted (FD=248)
> from 137.200.0.103:21424
> 2012.10.25 10:15:32 LOG7[4100:9232]: Creating a new thread
> 2012.10.25 10:15:32 LOG7[4100:9232]: New thread created
> 2012.10.25 10:15:32 LOG7[4100:10964]: Service [stunnel-sslh] started
> 2012.10.25 10:15:32 LOG5[4100:10964]: Service [stunnel-sslh] accepted connection
> from 137.200.0.103:21424
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): before/accept
> initialization
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 read client
> hello A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write server
> hello A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write
> certificate A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write key
> exchange A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write server
> done A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 flush data
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 read client key
> exchange A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 read finished A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 write change
> cipher spec A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 write finished A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 flush data
> 2012.10.25 10:15:33 LOG7[4100:10964]: 6 items in the session cache
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 client connects (SSL_connect())
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 client connects that finished
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 client renegotiations requested
> 2012.10.25 10:15:33 LOG7[4100:10964]: 6 server connects (SSL_accept())
> 2012.10.25 10:15:33 LOG7[4100:10964]: 6 server connects that finished
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 server renegotiations requested
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 session cache hits
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 external session cache hits
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 session cache misses
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 session cache timeouts
> 2012.10.25 10:15:33 LOG6[4100:10964]: No peer certificate received
> 2012.10.25 10:15:33 LOG6[4100:10964]: SSL accepted: new session negotiated
> 2012.10.25 10:15:33 LOG6[4100:10964]: Negotiated TLSv1/SSLv3 ciphersuite:
> DHE-RSA-AES256-SHA (256-bit encryption)
> 2012.10.25 10:15:33 LOG6[4100:10964]: Compression: null, expansion: null
> 2012.10.25 10:15:33 LOG6[4100:10964]: connect_blocking: connecting
> 127.0.0.1:7777
> 2012.10.25 10:15:33 LOG7[4100:10964]: connect_blocking: s_poll_wait
> 127.0.0.1:7777: waiting 10 seconds
> 2012.10.25 10:15:33 LOG5[4100:10964]: connect_blocking: connected 127.0.0.1:7777
> 2012.10.25 10:15:33 LOG5[4100:10964]: Service [stunnel-sslh] connected remote
> server from 127.0.0.1:65475
> 2012.10.25 10:15:33 LOG7[4100:10964]: Remote socket (FD=468) initialized
> 2012.10.25 10:15:33 LOG7[4100:10964]: Socket closed on read
> 2012.10.25 10:15:33 LOG7[4100:10964]: Sending close_notify alert
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL alert (write): warning: close notify
> 2012.10.25 10:15:33 LOG6[4100:10964]: SSL_shutdown successfully sent
> close_notify alert
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL alert (read): warning: close notify
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL closed on SSL_read
> 2012.10.25 10:15:33 LOG7[4100:10964]: Sent socket write shutdown
> 2012.10.25 10:15:33 LOG5[4100:10964]: Connection closed: 505 byte(s) sent to
> SSL, 315 byte(s) sent to socket
> 2012.10.25 10:15:33 LOG7[4100:10964]: Remote socket (FD=468) closed
> 2012.10.25 10:15:33 LOG7[4100:10964]: Local socket (FD=248) closed
> 2012.10.25 10:15:33 LOG7[4100:10964]: Service [stunnel-sslh] finished (0 left)
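The thread turns on how sslh decides where a connection goes: it reads the first bytes the client sends, matches them against per-protocol probes, and, if nothing arrives before the timeout ("timeout to ssh: 2" in the debug output), assumes SSH. The following is an added example written for this page, not sslh's own code: a toy demultiplexer with simplified SSH, TLS and HTTP probes, the timeout fallback, and a socketpair harness so it runs offline. The backend addresses are copied from the command line quoted above; the sample inputs are constructed; and the rule that anything not recognised as SSH goes to the ssl backend is this toy's choice, not a statement of what sslh does with unmatched data.

```python
"""Toy sslh-style protocol demultiplexer (added example, not sslh's own code).

sslh picks a backend from the first bytes a client sends: "SSH-2.0-..." for SSH,
a TLS handshake record carrying a ClientHello, or an HTTP request line. A client
that sends nothing before the timeout ("timeout to ssh: 2" in the log above) is
assumed to be SSH: RFC 4253 lets either side send its identification string
first, and some SSH clients wait for the server's banner.
"""
import re
import select
import socket
import time
from typing import Optional, Tuple

# Constructed sample inputs for the demonstration (not captured traffic).
SAMPLE_SSH = b"SSH-2.0-PuTTY_Release_0.62\r\n"
# TLS record: type 0x16 (handshake), version 3.1, length 0x2e; then handshake
# type 0x01 (ClientHello), 3-byte length 0x2a, ClientHello version 3.3, random.
SAMPLE_TLS = bytes.fromhex("16 03 01 00 2e 01 00 00 2a 03 03") + b"\x00" * 32
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_UNKNOWN = b"\x00\x01\x02\x03\x04\x05\x06\x07"

# Backends as on the thread's command line:
# sslh -p 192.168.1.2:7777 --ssl 192.168.1.2:80 --ssh 192.168.1.2:22
BACKENDS = {"ssh": ("192.168.1.2", 22), "ssl": ("192.168.1.2", 80)}

_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/\d\.\d\r?\n")


def probe_ssh(data: bytes) -> Optional[bool]:
    """SSH identification string (RFC 4253 section 4.2); None = need more bytes."""
    if len(data) < 4:
        return None if b"SSH-".startswith(data) else False
    return data.startswith(b"SSH-")


def probe_tls(data: bytes) -> Optional[bool]:
    """TLS record header (RFC 5246 section 6.2.1) whose first message is a ClientHello."""
    if len(data) < 6:
        return None
    return (data[0] == 0x16             # content type: handshake
            and data[1] == 0x03         # major version 3 (SSLv3 and TLS 1.x)
            and data[2] <= 0x03
            and data[5] == 0x01)        # handshake type: ClientHello


def probe_http(data: bytes) -> Optional[bool]:
    """HTTP/1.x request line; undecided while a printable line is still incomplete."""
    if _HTTP_REQUEST_LINE.match(data):
        return True
    if b"\n" not in data and len(data) < 256 and all(0x20 <= c <= 0x7E for c in data):
        return None
    return False


def classify(data: bytes) -> Optional[str]:
    """First definite match in probe order; None while any probe still wants more bytes."""
    undecided = False
    for name, probe in (("ssh", probe_ssh), ("ssl", probe_tls), ("http", probe_http)):
        verdict = probe(data)
        if verdict:
            return name
        undecided = undecided or verdict is None
    return None if undecided else "unknown"


def demux(conn: socket.socket, timeout: float) -> Tuple[str, bytes]:
    """Read from an accepted connection until the probes decide or the timeout expires."""
    deadline = time.monotonic() + timeout
    buf = b""
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        readable, _, _ = select.select([conn], [], [], remaining)
        if not readable:
            break
        chunk = conn.recv(1024)
        if not chunk:
            break                       # peer closed without a decisive prefix
        buf += chunk
        verdict = classify(buf)
        if verdict is not None:
            return verdict, buf
    # Silent client: assume SSH, as sslh's "timeout to ssh" does; bytes that
    # matched no probe are reported as "unknown" for choose_backend to handle.
    return ("ssh" if not buf else "unknown"), buf


def choose_backend(verdict: str) -> Tuple[str, int]:
    """Toy policy: SSH to the ssh backend, everything else (TLS, plain HTTP, unknown)
    to the ssl backend, mirroring the two targets on the thread's command line."""
    return BACKENDS["ssh"] if verdict == "ssh" else BACKENDS["ssl"]


def run_demo(client_bytes: Optional[bytes], timeout: float = 0.2) -> str:
    """One accepted connection on a socketpair; None models a client that waits
    for the server's banner and so sends nothing first."""
    server_side, client_side = socket.socketpair()
    try:
        if client_bytes is not None:
            client_side.sendall(client_bytes)
        return demux(server_side, timeout)[0]
    finally:
        server_side.close()
        client_side.close()
```

`run_demo(SAMPLE_SSH)` returns "ssh", `run_demo(None)` returns "ssh" once the timeout expires, and `run_demo(SAMPLE_TLS)` returns "ssl", which `choose_backend` maps to 192.168.1.2:80, the target the log above prints as "Horizon:http". When chasing a misrouting like the one reported here, the useful check is exactly what `demux` captures: whether the client spoke first at all, and what its first bytes were, since a banner that does not begin with "SSH-" or a client that stays silent past the timeout each land on a different branch of the decision.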