[sslh] Fw: sslh for windows broken? ***ISSUE RESOLVED***
Michael Avanessian
mkanet at yahoo.com
Fri Oct 26 20:58:28 CEST 2012
***ISSUE RESOLVED***
The problem is because of something so silly!
sslh -p listeningport--ssl localhost:80 --ssh localhost:22
Will only work for SSL, not SSH!!
sslh -p listeningport--ssh localhost:22 --ssl localhost:80
Will work for both SSL and SSH!!
So...Yves, you may consider putting a small note for Windows users to always put
ssh parameter BEFORE ssl parameter. Otherwise, they may try using the example
mentioned in the README; which wont work (at least in standalone mode with -p
parameter). Or, maybe you can fix the issue so it is consistent with all other
versions.
Anyway, thank you so much for this great tool! If you do fix this issue, maybe
you would consider replacing the Window binary you posted with a newer one that
works exactly like the other builds.
----- Forwarded Message ----
From: Michael Avanessian <mkanet at yahoo.com>
To: yves at naryves.com
Cc: sslh at rutschle.net
Sent: Fri, October 26, 2012 10:25:07 AM
Subject: Fw: sslh for windows broken?
I just tested with OpenSSH Server. Same problem. It doesnt seem to matter what
kind of SSH server is used, the problem is still there. I dont know what else
to try.
----- Forwarded Message ----
From: Michael Avanessian <mkanet at yahoo.com>
To: yves at naryves.com
Cc: sslh at rutschle.net
Sent: Fri, October 26, 2012 9:39:53 AM
Subject: Fw: sslh for windows broken?
Thank you very much!
Remember, sslh is able to correctly forward http to http server correctly. The
only problem is sslh also tries to forward SSH to http as well.
sslh readme says, "sslh considers that any protocol it doesn't recognise is
SSL".
This means that sslh is not recognizing ssh. I know that sslh uses the method
to look for ssh server banner because ssh server is not "shy".
I am using Bitvise SSH Server; upgrading to the latest version doesnt make any
difference. I haven't tested with any other SSH servers. But, generally,
prefer Bitvise SSH server since its very popular on Windows and optimized for
Tunnelier client, which I also prefer. Is there a specific setting I need to
use on the SSH server for sslh to work?
Thanks for all your help to get this working!
-----------------------------------------------------------------------------------------------------
Ah. Ok, forget my previous mail then. I need to test that on my side.
On Thu, Oct 25, 2012 at 07:13:22PM -0700, Michael Avanessian wrote:
> Okay, after several hours of testing, I finally just connected Putty
> directly to sslh listening port (both on same local network interface;
> making it as simple as possible).
>
> Below, you can see that sslh incorrectly routes SSH2 traffic to
> http:80 server.. Same thing happens with tunnelier as well.
>
>
>
> C:\Program Files (x86)\stunnel>sslh -v -p 192.168.1.2:7777 --ssl
> 192.168.1.2:80 --ssh 192.168.1.2:22 ssl addr: Horizon:http. libwrap
> service: (null) family 2 2 ssh addr: Horizon:ssh. libwrap service:
> sshd family 2 2 listening on:
> Horizon:7777
> timeout to ssh: 2
> listening to 1 addresses
>
> C:\Program Files (x86)\stunnel>selecting... max_fd=4 num_probing=0
> accepted fd 4 on slot 0 selecting... max_fd=5 num_probing=1 processing
> fd0 slot 0
> **** writing defered on fd -1
> connecting to Horizon:http family 2 len 16 flushing defered data to fd
> 5 selecting... max_fd=6 num_probing=0 processing fd1 slot 0 activity
> on fd5 selecting... max_fd=6 num_probing=0 processing fd1 slot 0
> activity on fd5 closing fd 4 closing fd 5 selecting... max_fd=6
> num_probing=0
>
>
> See screenshot:
> http://i67.photobucket.com/albums/h283/mkanet/sslh-broken.jpg
>
> Changing timeout value doesnt help. Is there a very special way I
> need to configure the SSH clients? Default config for Putty and Tunnelier
>don't work.
> Maybe the compiled Windows build of sslh is broken? I dont know
> anything else to try. :(
>
>
>
>
>
>
>
>
> ----- Forwarded Message ----
> From: Michael Avanessian <mkanet at yahoo.com>
> To: yves at naryves.com
> Cc: sslh at rutschle.net
> Sent: Thu, October 25, 2012 1:37:08 PM
> Subject: Fw:
>
>
> I figured out the problem! It is SSLH standalone causing the problem!
>
> The below sslh commandline is able to pass http (decapsulated by stunnel4)
> traffic to port 80 successfully. However, sslh commandline FAILS to pass SSH
> (decapsulated by stunnel4) to SSH server.
>
> sslh -p localhost:7777 --ssl localhost:80 --ssh localhost:22
>
>
> stunnel4 simply decapsulates successfully SSL wrapper and forwards all traffic
> to sslh. SSLH can only handle incoming http traffic. It can't accept incoming
>
> SSH traffic for some reason. Does SSLH require an extra parameter?
>
> I can prove this by changing stunnel to send SSH directly to SSH. Its fine
>that
>
> way.
>
> So, how can I get sslh to send SSH to port 22?
>
> Thanks!
>
>
>
> ----- Forwarded Message ----
> From: Michael Avanessian <mkanet at yahoo.com>
> To: yves at naryves.com
> Cc: sslh at rutschle.net
> Sent: Thu, October 25, 2012 10:36:07 AM
> Subject:
>
>
> Since I am not able to get putty to use proxytunnel, I thought I would try do
> alternate method:
>
> On client:
> puttyssh-->stunnel-client-->proxytunnel -a (standalone
> mode)-------------------------->
>
> proxytunnel -a 7000 -e -p localHTTPproxy:80 -P userID:password -d
>MYServerIP:443
>
> -H "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET
> CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR
> 3.5.30729; .NET4.0C; MS-RTC LM 8; .NET4.0E)\nHost:
> MYServerIP.com\nContent-Length: 0\nPragma: no-cache"
>
>
>
> On Server:
> Stunnel-server-->sslh-->SSHServer
>
> Stunnel is able to establish SSL connection. However, there is a problem with
> handling decapsulated SSH connection. Below is stunnel server log.
> Stunnel on server forwards to SSLH on port 7777, sslh then supposed to forward
>
> SSH connections to port 22.
>
>
> 2012.10.25 10:15:32 LOG7[4100:9232]: Service [stunnel-sslh] accepted (FD=248)
> from 137.200.0.103:21424
> 2012.10.25 10:15:32 LOG7[4100:9232]: Creating a new thread
> 2012.10.25 10:15:32 LOG7[4100:9232]: New thread created
> 2012.10.25 10:15:32 LOG7[4100:10964]: Service [stunnel-sslh] started
> 2012.10.25 10:15:32 LOG5[4100:10964]: Service [stunnel-sslh] accepted
>connection
>
> from 137.200.0.103:21424
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): before/accept
> initialization
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 read client
> hello A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write server
> hello A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write
> certificate A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write key
> exchange A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 write server
> done A
> 2012.10.25 10:15:32 LOG7[4100:10964]: SSL state (accept): SSLv3 flush data
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 read client key
>
> exchange A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 read finished
A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 write change
> cipher spec A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 write finished
>A
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL state (accept): SSLv3 flush data
> 2012.10.25 10:15:33 LOG7[4100:10964]: 6 items in the session cache
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 client connects (SSL_connect())
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 client connects that finished
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 client renegotiations requested
> 2012.10.25 10:15:33 LOG7[4100:10964]: 6 server connects (SSL_accept())
> 2012.10.25 10:15:33 LOG7[4100:10964]: 6 server connects that finished
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 server renegotiations requested
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 session cache hits
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 external session cache hits
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 session cache misses
> 2012.10.25 10:15:33 LOG7[4100:10964]: 0 session cache timeouts
> 2012.10.25 10:15:33 LOG6[4100:10964]: No peer certificate received
> 2012.10.25 10:15:33 LOG6[4100:10964]: SSL accepted: new session negotiated
> 2012.10.25 10:15:33 LOG6[4100:10964]: Negotiated TLSv1/SSLv3 ciphersuite:
> DHE-RSA-AES256-SHA (256-bit encryption)
> 2012.10.25 10:15:33 LOG6[4100:10964]: Compression: null, expansion: null
> 2012.10.25 10:15:33 LOG6[4100:10964]: connect_blocking: connecting
> 127.0.0.1:7777
> 2012.10.25 10:15:33 LOG7[4100:10964]: connect_blocking: s_poll_wait
> 127.0.0.1:7777: waiting 10 seconds
> 2012.10.25 10:15:33 LOG5[4100:10964]: connect_blocking: connected
>127.0.0.1:7777
> 2012.10.25 10:15:33 LOG5[4100:10964]: Service [stunnel-sslh] connected remote
> server from 127.0.0.1:65475
> 2012.10.25 10:15:33 LOG7[4100:10964]: Remote socket (FD=468) initialized
> 2012.10.25 10:15:33 LOG7[4100:10964]: Socket closed on read
> 2012.10.25 10:15:33 LOG7[4100:10964]: Sending close_notify alert
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL alert (write): warning: close notify
> 2012.10.25 10:15:33 LOG6[4100:10964]: SSL_shutdown successfully sent
> close_notify alert
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL alert (read): warning: close notify
> 2012.10.25 10:15:33 LOG7[4100:10964]: SSL closed on SSL_read
> 2012.10.25 10:15:33 LOG7[4100:10964]: Sent socket write shutdown
> 2012.10.25 10:15:33 LOG5[4100:10964]: Connection closed: 505 byte(s) sent to
> SSL, 315 byte(s) sent to socket
> 2012.10.25 10:15:33 LOG7[4100:10964]: Remote socket (FD=468) closed
> 2012.10.25 10:15:33 LOG7[4100:10964]: Local socket (FD=248) closed
> 2012.10.25 10:15:33 LOG7[4100:10964]: Service [stunnel-sslh] finished (0 left)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rutschle.net/pipermail/sslh/attachments/20121026/a7ec522e/attachment-0001.html>
More information about the sslh
mailing list