[sslh] sslh for windows broken?

Yves Rutschle yves at naryves.com
Fri Oct 26 08:26:32 CEST 2012


Ah. Ok, forget my previous mail then. I need to test that on
my side.

On Thu, Oct 25, 2012 at 07:13:22PM -0700, Michael Avanessian wrote:
> Okay, after several hours of testing, I finally just connected Putty directly to 
> the sslh listening port (both on the same local network interface, making it as 
> simple as possible).
> 
> Below, you can see that sslh incorrectly routes SSH2 traffic to the http:80 
> server. The same thing happens with Tunnelier as well.
> 
> C:\Program Files (x86)\stunnel>sslh -v -p 192.168.1.2:7777 --ssl 192.168.1.2:80 
> --ssh 192.168.1.2:22
> ssl addr: Horizon:http. libwrap service: (null) family 2 2
> ssh addr: Horizon:ssh. libwrap service: sshd family 2 2
> listening on:
>         Horizon:7777
> timeout to ssh: 2
> listening to 1 addresses
> 
> C:\Program Files (x86)\stunnel>selecting... max_fd=4 num_probing=0
> accepted fd 4 on slot 0
> selecting... max_fd=5 num_probing=1
> processing fd0 slot 0
> **** writing defered on fd -1
> connecting to Horizon:http family 2 len 16
> flushing defered data to fd 5
> selecting... max_fd=6 num_probing=0
> processing fd1 slot 0
> activity on fd5
> selecting... max_fd=6 num_probing=0
> processing fd1 slot 0
> activity on fd5
> closing fd 4
> closing fd 5
> selecting... max_fd=6 num_probing=0
> 
> 
> See screenshot:
> http://i67.photobucket.com/albums/h283/mkanet/sslh-broken.jpg
> 
> Changing the timeout value doesn't help. Is there a very special way I need to 
> configure the SSH clients? The default config for Putty and Tunnelier doesn't 
> work. Maybe the compiled Windows build of sslh is broken? I don't know anything 
> else to try. :(
> 
> ----- Forwarded Message ----
> From: Michael Avanessian <mkanet at yahoo.com>
> To: yves at naryves.com
> Cc: sslh at rutschle.net
> Sent: Thu, October 25, 2012 1:37:08 PM
> Subject: Fw:
> 
> 
> I figured out the problem!  It is SSLH standalone causing the problem!
> 
> The sslh command line below is able to pass http traffic (decapsulated by 
> stunnel4) to port 80 successfully. However, sslh FAILS to pass SSH 
> (decapsulated by stunnel4) to the SSH server.
> 
> sslh -p localhost:7777 --ssl localhost:80 --ssh localhost:22
> 
> 
> stunnel4 simply decapsulates the SSL wrapper successfully and forwards all 
> traffic to sslh. SSLH can only handle incoming http traffic. It can't accept 
> incoming SSH traffic for some reason. Does SSLH require an extra parameter?
> 
> I can prove this by changing stunnel to send SSH directly to SSH. It's fine 
> that way.
> 
> So, how can I get sslh to send SSH to port 22?
> 
> Thanks!
> 
> 
> 
> ----- Forwarded Message ----
> From: Michael Avanessian <mkanet at yahoo.com>
> To: yves at naryves.com
> Cc: sslh at rutschle.net
> Sent: Thu, October 25, 2012 10:36:07 AM
> Subject: 
> 
> 
> Since I am not able to get putty to use proxytunnel, I thought I would try an 
> alternate method:
> 
> On client:
> puttyssh-->stunnel-client-->proxytunnel -a (standalone 
> mode)-------------------------->
> 
> proxytunnel -a 7000 -e -p localHTTPproxy:80 -P userID:password -d MYServerIP:443 
> -H "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET 
> CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR 
> 3.5.30729; .NET4.0C; MS-RTC LM 8; .NET4.0E)\nHost: 
> MYServerIP.com\nContent-Length: 0\nPragma: no-cache"
> 
> 
> 
> On Server:
> Stunnel-server-->sslh-->SSHServer
> 
> Stunnel is able to establish the SSL connection. However, there is a problem 
> with handling the decapsulated SSH connection. Below is the stunnel server log.
> Stunnel on the server forwards to SSLH on port 7777; sslh is then supposed to 
> forward SSH connections to port 22.
> 
> 
> 2012.10.25 10:15:32 LOG7[4100:9232]: Service [stunnel-sslh] accepted (FD=248) 
> from 137.200.0.103:21424
> 2012.10.25 10:15:32 LOG7[4100:9232]: Creating a new thread
> 2012.10.25 10:15:32 LOG7[4100:9232]: New thread created
> 2012.10.25 10:15:32 LOG7[4100:10964]: Service [stunnel-sslh] started
> 2012.10.25 10:15:32 LOG5[4100:10964]: Service [stunnel-sslh] accepted connection 
> from 137.200.0.103:21424
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): before/accept 
> initialization
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 read client 
> hello A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write server 
> hello A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write 
> certificate A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write key 
> exchange A
> 2012.10.25  10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write server 
> done A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 flush data
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 read client key 
> exchange A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 read finished A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 write change 
> cipher spec A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 write finished A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 flush data
> 2012.10.25 10:15:33 LOG7[4100:10964]:    6 items in the session cache
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 client connects (SSL_connect())
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 client connects that finished
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 client renegotiations requested
> 2012.10.25  10:15:33 LOG7[4100:10964]:    6 server connects (SSL_accept())
> 2012.10.25 10:15:33 LOG7[4100:10964]:    6 server connects that finished
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 server renegotiations requested
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 session cache hits
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 external session cache hits
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 session cache misses
> 2012.10.25 10:15:33 LOG7[4100:10964]:    0 session cache timeouts
> 2012.10.25 10:15:33 LOG6[4100:10964]: No peer certificate received
> 2012.10.25 10:15:33 LOG6[4100:10964]: SSL accepted: new session negotiated
> 2012.10.25 10:15:33 LOG6[4100:10964]: Negotiated TLSv1/SSLv3 ciphersuite: 
> DHE-RSA-AES256-SHA (256-bit encryption)
> 2012.10.25 10:15:33 LOG6[4100:10964]: Compression: null, expansion: null
> 2012.10.25 10:15:33  LOG6[4100:10964]: connect_blocking: connecting 
> 127.0.0.1:7777
> 2012.10.25 10:15:33 LOG7[4100:10964]: connect_blocking: s_poll_wait 
> 127.0.0.1:7777: waiting 10 seconds
> 2012.10.25 10:15:33 LOG5[4100:10964]: connect_blocking: connected 127.0.0.1:7777
> 2012.10.25 10:15:33 LOG5[4100:10964]: Service [stunnel-sslh] connected remote 
> server from 127.0.0.1:65475
> 2012.10.25 10:15:33 LOG7[4100:10964]: Remote socket (FD=468) initialized
> 2012.10.25 10:15:33 LOG7[4100:10964]: Socket closed on read
> 2012.10.25 10:15:33 LOG7[4100:10964]: Sending close_notify alert
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL alert (write): warning: close notify
> 2012.10.25 10:15:33 LOG6[4100:10964]: SSL_shutdown successfully sent 
> close_notify alert
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL alert (read): warning: close notify
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL closed on SSL_read
> 2012.10.25 10:15:33 LOG7[4100:10964]: Sent socket write shutdown
> 2012.10.25  10:15:33 LOG5[4100:10964]: Connection closed: 505 byte(s) sent to 
> SSL, 315 byte(s) sent to socket
> 2012.10.25 10:15:33 LOG7[4100:10964]: Remote socket (FD=468) closed
> 2012.10.25 10:15:33 LOG7[4100:10964]: Local socket (FD=248) closed
> 2012.10.25 10:15:33 LOG7[4100:10964]: Service [stunnel-sslh] finished (0 left)
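The misroute in the quoted -v output (an SSH client handed to the http backend) is the kind of thing a first-bytes probe decides in the opening milliseconds of a connection. The script below is an added example, not sslh's own code and not part of this thread: it models how such a probe classifies the first bytes a client sends (standard signatures: an RFC 4253 `SSH-` banner, a TLS handshake record starting with 0x16, an HTTP request line), routes a silent client to ssh after the probe timeout as the "timeout to ssh: 2" line above describes, and adds a small client-side check that connects to a port, speaks the SSH client side first, and reports which backend actually answered. The backend names, the `FALLBACK` catch-all, the HTTP method list and the `route_check` banner string are this example's own choices.

```python
"""Added example (not sslh's code, not part of this thread): a model of the
first-bytes probing that a protocol multiplexer like sslh performs, plus a
small client-side check that shows which backend actually answered.

Assumptions: the byte signatures are the standard ones (RFC 4253 SSH banner,
TLS handshake record type 0x16, HTTP request-line methods); the 'ssh on
timeout' rule mirrors the 'timeout to ssh: 2' line in the -v output above;
the catch-all FALLBACK backend is this example's own choice.
"""
import socket
import sys

SSH_BANNER_PREFIX = b"SSH-"      # RFC 4253 identification string
TLS_HANDSHAKE_RECORD = 0x16      # first byte of a TLS ClientHello record
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")
FALLBACK = "ssl"                 # assumed catch-all when nothing matches


def probe(first_bytes: bytes, timed_out: bool = False) -> str:
    """Return the backend a probing multiplexer would choose for a new client.

    timed_out=True models a client that sent nothing within the probe
    timeout; some SSH clients wait for the server banner before speaking,
    which is why silence is routed to ssh rather than to the fallback.
    """
    if not first_bytes:
        return "ssh" if timed_out else FALLBACK
    if first_bytes.startswith(SSH_BANNER_PREFIX):
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE_RECORD
            and first_bytes[1] == 0x03):   # SSL3/TLS record version major byte
        return "ssl"
    if any(first_bytes.startswith(m) for m in HTTP_METHODS):
        return "http"
    return FALLBACK


def classify_reply(reply: bytes) -> str:
    """Classify the first bytes a backend sent back, so a misroute is visible."""
    if reply.startswith(SSH_BANNER_PREFIX):
        return "ssh"
    if reply.startswith(b"HTTP/"):
        return "http"           # e.g. 'HTTP/1.1 400 Bad Request' from a web server
    if reply[:1] == bytes([TLS_HANDSHAKE_RECORD]):
        return "tls"
    return "silence" if not reply else "unknown"


def check_route(host: str, port: int, timeout: float = 5.0):
    """Open one connection, speak the SSH client side first, read the answer.

    Returns (classification, raw_reply). A correctly routed port answers
    'ssh'; 'http' means the connection was handed to the web server.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-route_check\r\n")   # minimal client banner (constructed)
        try:
            reply = s.recv(256)
        except socket.timeout:
            reply = b""
    return classify_reply(reply), reply


if __name__ == "__main__":
    # Constructed sample first-bytes, one per protocol, plus the timeout case.
    samples = {
        "putty banner": b"SSH-2.0-PuTTY_Release_0.62\r\n",
        "tls client hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",
        "http request": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
        "silent client": b"",
    }
    for name, data in samples.items():
        print(f"{name:18} -> {probe(data, timed_out=(data == b''))}")
    if len(sys.argv) == 3:          # optional live check: host port
        print(check_route(sys.argv[1], int(sys.argv[2])))
```

Run it with no arguments to see the offline classification of the constructed samples; run it as `python probe_model.py 192.168.1.2 7777` against a multiplexer port you administer to see whether an SSH-first client gets an `SSH-` banner back or an `HTTP/` error line, which is the observation the screenshot in the thread is making by hand. A client that waits for the server banner sends nothing, so for it the probe timeout, not the byte signatures, decides the route.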