[sslh] Running sslh with stunnel

Sean Warner plica2006 at gmail.com
Sun Apr 29 16:47:36 UTC 2018


Hello,

I've got sslh running on my Pi. I can ssh into port 443 and also use that
port for https web traffic to a personal web server... great stuff.

But now I would like to encapsulate the ssh traffic so it looks like ssl. I
was following the hint from
https://github.com/yrutschle/sslh#using-proxytunnel-with-sslh. I installed
Proxytunnel and figured out how to link it with Putty. My client is a
Windows 7 machine and I installed stunnel as a server on the Pi. But with
Proxytunnel, Putty never establishes an SSH session and the website stops
working too.

I have forwarded external port 443 on my router to internal port 4433.

-- stunnel.conf server config:

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
socket = l:SO_LINGER=1:1
socket = r:SO_LINGER=1:1

# Debugging stuff (may be useful for troubleshooting)
foreground = yes
debug = 7
output = /var/log/stunnel4/stunnel.log
pid = /var/run/stunnel4/stunnel.pid
fips = no

cert = /etc/letsencrypt/live/example.com/fullchain.pem
key = /etc/letsencrypt/live/example.com/privkey.pem

[ssh]
accept = 192.168.1.124:4433
connect = 192.168.1.124:4480
TIMEOUTclose  = 0

-- /etc/sslh/sslh.cfg
verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";
chroot: "/var/empty";

# Change hostname with your external address name.
listen:
(
	{ host: "192.168.1.124"; port: "4480"; }
);

# this solution was recommended from: wiki.techunit.org/SSLH
protocols:
(
        { name: "ssh"; service: "ssh"; host: "127.0.0.2"; port: "1022";
log_level: 1; },
        { name: "ssl"; host: "127.0.0.2"; port: "444"; log_level: 1; }

);

Testing Proxytunnel from windows command line:

-- This displays "SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3" then gives a
protocol mismatch error:
>> proxytunnel -v -E -p example.com:443 -d 192.168.1.124:4433

-- Both of these commands just give "Socket read error: [104] Connection
reset by peer":
>> proxytunnel -v -e -p mrtosho.com:443 -d 192.168.1.124:4433
>> proxytunnel -v -p mrtosho.com:443 -d 192.168.1.124:4433

I try to configure proxytunnel with Putty by pasting the command: e.g:
proxytunnel -q -E -p example.com:443 -d 192.168.1.124:4433 into the "Telnet
Command, or local proxy command" box under Connection > Proxy screen in
Putty but when I try to connect it just hangs.

So then I tried installing stunnel on Windows 7 and set it in client mode:

-- stunnel.conf client config:
debug = 7
output = stunnel.log
fips = no

[ssh]
client = yes
accept = 127.0.0.1:8844
connect = example.com:443
cert = fullchain.pem
key = privkey.pem
TIMEOUTclose = 0

By the way, the cert and key are of course the same cert and key I have in
the stunnel server, and they are also the same ones I got from letsencrypt
and use in my VirtualHost to secure the https connection to my website.

Now when I try a simple SSH connection via Putty to 127.0.0.1 port 8844 it
WORKS and I can ssh to my pi. It seems I can encrypt the ssh session which
goes to server side stunnel and is decrypted then sslh demultiplexes it to
my sshd server at port 1022. Very cool.

However the website doesn't work...

Scenario 1:
With stunnel client not running on my Win7 machine I type
https://example.com into my browser and I get "SSH-2.0-OpenSSH_7.4p1
Raspbian-10+deb9u3. Protocol mismatch" printed onto the browser screen.

Scenario 2:
I start stunnel client on my Win7 machine. It says: "Compiled/running with
OpenSSL 1.0.2m-fips  2 Nov 2017". I type https://example.com into my browser
and I get "SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3. Protocol mismatch"
printed onto the browser screen.

In /var/log/daemon.log I get log info about both sslh and stunnel operation:

Apr 29 17:13:22 nextcloudpi stunnel: LOG6[11]: TLS accepted: new session
negotiated
Apr 29 17:13:22 nextcloudpi stunnel: LOG6[11]: No peer certificate received
Apr 29 17:13:22 nextcloudpi stunnel: LOG6[11]: Negotiated TLSv1.2
ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[11]: Compression: null, expansion:
null
Apr 29 17:13:22 nextcloudpi stunnel: LOG6[11]: s_connect: connecting
192.168.1.124:4480
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[11]: s_connect: s_poll_wait
192.168.1.124:4480: waiting 10 seconds
Apr 29 17:13:22 nextcloudpi stunnel: LOG5[11]: s_connect: connected
192.168.1.124:4480
Apr 29 17:13:22 nextcloudpi stunnel: LOG6[11]: persistence:
192.168.1.124:4480 cached
Apr 29 17:13:22 nextcloudpi stunnel: LOG5[11]: Service [ssh] connected
remote server from 192.168.1.124:57368
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[11]: Option SO_LINGER set on
remote socket
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[11]: Option TCP_NODELAY set on
remote socket
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[11]: Remote descriptor (FD=11)
initialized
Apr 29 17:13:22 nextcloudpi stunnel: LOG6[10]: Read socket closed
(readsocket)
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[10]: Sending close_notify alert
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[10]: TLS alert (write): warning:
close notify
Apr 29 17:13:22 nextcloudpi stunnel: LOG6[10]: SSL_shutdown successfully
sent close_notify alert
Apr 29 17:13:22 nextcloudpi stunnel: LOG6[10]: TLS socket closed (SSL_read)
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[10]: Sent socket write shutdown
Apr 29 17:13:22 nextcloudpi stunnel: LOG5[10]: Connection closed: 60 byte(s)
sent to TLS, 494 byte(s) sent to socket
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[10]: Remote descriptor (FD=10)
closed
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[10]: Local descriptor (FD=3)
closed
Apr 29 17:13:22 nextcloudpi stunnel: LOG7[10]: Service [ssh] finished (1
left)
Apr 29 17:13:22 nextcloudpi sslh[5850]: **** writing deferred on fd -1
Apr 29 17:13:22 nextcloudpi sslh[5850]: probing for ssh
Apr 29 17:13:22 nextcloudpi sslh[5850]: probing for ssl
Apr 29 17:13:22 nextcloudpi sslh[5850]: all probes failed, connecting to
first protocol: ssh
Apr 29 17:13:22 nextcloudpi sslh[5850]: connecting to 127.0.0.2:1022 family
2 len 16
Apr 29 17:13:22 nextcloudpi sslh[5850]: ssh:connection from
192.168.1.124:57368 to 192.168.1.124:4480 forwarded from 127.0.0.1:46042 to
127.0.0.2:1022
Apr 29 17:13:22 nextcloudpi sslh[5850]: flushing deferred data to fd 3
Apr 29 17:13:22 nextcloudpi sslh[5850]: client socket closed
Apr 29 17:13:22 nextcloudpi sslh[5850]: connection closed down

I don't really understand this, but it looks like stunnel recognised the
connection on port 4433, then sent it to port 4480, and eventually sslh
couldn't tell whether the connection was ssh or ssl, so it defaulted to ssh
and sent the connection to port 1022, which is my ssh port, even though this
is https traffic. So I guess stunnel maybe didn't decrypt the ssl connection?
Or it did, but it was never encrypted in the first place?

Scenario 3:
I start stunnel client on my Win7 machine. It says: "Compiled/running with
OpenSSL 1.0.2m-fips  2 Nov 2017". I change the proxy settings in Google
Chrome to use 127.0.0.1 Port 8844, then type https://example.com into my
browser and I get "ERR_TUNNEL_CONNECTION_FAILED" printed onto the browser
screen.

In /var/log/daemon.log I get log info about both sslh and stunnel operation:

Apr 29 17:25:37 nextcloudpi stunnel: LOG7[ui]: Service [ssh] accepted (FD=3)
from my-public-ip-address:53800
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: Service [ssh] started
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: Option SO_LINGER set on local
socket
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: Option TCP_NODELAY set on
local socket
Apr 29 17:25:37 nextcloudpi stunnel: LOG5[23]: Service [ssh] accepted
connection from my-public-ip-address:53800
Apr 29 17:25:37 nextcloudpi stunnel: LOG6[23]: Peer certificate not required
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): before
SSL initialization
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): before
SSL initialization
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: SNI: no virtual services
defined
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): SSLv3/TLS
read client hello
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): SSLv3/TLS
write server hello
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): SSLv3/TLS
write change cipher spec
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): SSLv3/TLS
write finished
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): SSLv3/TLS
write finished
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): SSLv3/TLS
read change cipher spec
Apr 29 17:25:37 nextcloudpi sslh[5850]: accepted fd 4
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS state (accept): SSLv3/TLS
read finished
Apr 29 17:25:37 nextcloudpi sslh[5850]: **** writing deferred on fd -1
Apr 29 17:25:37 nextcloudpi sslh[5850]: probing for ssh
Apr 29 17:25:37 nextcloudpi sslh[5850]: probing for ssl
Apr 29 17:25:37 nextcloudpi sslh[5850]: all probes failed, connecting to
first protocol: ssh
Apr 29 17:25:37 nextcloudpi sslh[5850]: connecting to 127.0.0.2:1022 family
2 len 16
Apr 29 17:25:37 nextcloudpi sslh[5850]: ssh:connection from
192.168.1.124:57420 to 192.168.1.124:4480 forwarded from 127.0.0.1:46094 to
127.0.0.2:1022
Apr 29 17:25:37 nextcloudpi sslh[5850]: flushing deferred data to fd 3
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:     24 server accept(s)
requested
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:     24 server accept(s)
succeeded
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:      0 server
renegotiation(s) requested
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:     13 session reuse(s)
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:     10 internal session cache
item(s)
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:      0 internal session cache
fill-up(s)
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:      3 internal session cache
miss(es)
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:      0 external session cache
hit(s)
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]:      1 expired session(s)
retrieved
Apr 29 17:25:37 nextcloudpi stunnel: LOG6[23]: TLS accepted: previous
session reused
Apr 29 17:25:37 nextcloudpi stunnel: LOG6[23]: s_connect: connecting
192.168.1.124:4480
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: s_connect: s_poll_wait
192.168.1.124:4480: waiting 10 seconds
Apr 29 17:25:37 nextcloudpi stunnel: LOG5[23]: s_connect: connected
192.168.1.124:4480
Apr 29 17:25:37 nextcloudpi stunnel: LOG6[23]: persistence:
192.168.1.124:4480 cached
Apr 29 17:25:37 nextcloudpi stunnel: LOG5[23]: Service [ssh] connected
remote server from 192.168.1.124:57420
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: Option SO_LINGER set on
remote socket
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: Option TCP_NODELAY set on
remote socket
Apr 29 17:25:37 nextcloudpi sslh[5850]: client socket closed
Apr 29 17:25:37 nextcloudpi sslh[5850]: connection closed down
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: Remote descriptor (FD=9)
initialized
Apr 29 17:25:37 nextcloudpi stunnel: LOG6[23]: Read socket closed
(readsocket)
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: Sending close_notify alert
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS alert (write): warning:
close notify
Apr 29 17:25:37 nextcloudpi stunnel: LOG6[23]: SSL_shutdown successfully
sent close_notify alert
Apr 29 17:25:37 nextcloudpi stunnel: LOG7[23]: TLS alert (read): warning:
close notify
Apr 29 17:25:37 nextcloudpi stunnel: LOG6[23]: TLS closed (SSL_read)

Once again it looks like stunnel takes the request and forwards it to sslh,
which can't tell whether it is ssh or ssl traffic. But there is also probably
an issue with decapsulating the https connection properly?

I don't use ProxyCommand in any of the above scenarios.

Sorry for this long email. I'm asking two questions really...

1. What am I doing wrong with ProxyCommand? Ideally I would like to get
this working with ProxyCommand and Putty alone.
2. With stunnel set up as a client on my Win7 machine (and as a server on
the Pi) whether I try to use my website as normal through my internet
connection or through the localhost:8844 it doesn't work. What changes do I
need to make here?

I'm very grateful for any help.

Thank you,

Flex
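Added example (not part of this post and not sslh's own code): a simplified Python model of sslh's first-bytes probes that shows why the browser request in Scenarios 2 and 3 ends up at sshd. Once stunnel has terminated TLS on 4433, what reaches sslh on 4480 is plaintext HTTP, which an "ssl" probe looking for a TLS record header cannot match, so sslh falls back to the first configured protocol. The probe functions, sample payloads and protocol lists are constructed approximations, not sslh's real implementation.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed approximations of sslh-style probes (not sslh's actual code):
# each inspects only the first bytes the client sends.
def probe_ssh(data: bytes) -> bool:
    # SSH clients open with an identification string, e.g. "SSH-2.0-...".
    return data.startswith(b"SSH-")

def probe_tls(data: bytes) -> bool:
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def probe_http(data: bytes) -> bool:
    # Plaintext HTTP starts with a request method followed by a space.
    return re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) ", data) is not None

PROBES: Dict[str, Callable[[bytes], bool]] = {
    "ssh": probe_ssh,
    "ssl": probe_tls,
    "http": probe_http,
}

def classify(data: bytes, protocols: List[str]) -> Tuple[str, bool]:
    """Return (chosen_protocol, matched).

    Probes run in configuration order; if none matches, fall back to the
    first configured protocol, mirroring sslh's log line
    'all probes failed, connecting to first protocol: ssh'."""
    for name in protocols:
        if PROBES[name](data):
            return name, True
    return protocols[0], False

# Constructed sample payloads as sslh would see them on port 4480, i.e. AFTER
# stunnel has decrypted the TLS session accepted on port 4433.
SSH_BANNER = b"SSH-2.0-PuTTY_Release_0.70\r\n"          # PuTTY through stunnel
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC0])  # raw TLS, no stunnel in front
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # browser's HTTPS, decrypted

# Protocol lists: the post's sslh.cfg order, and one with a plaintext-HTTP probe.
ORIGINAL_POST_CONFIG = ["ssh", "ssl"]
WITH_HTTP_PROBE = ["ssh", "http", "ssl"]

if __name__ == "__main__":
    for label, payload in (("ssh", SSH_BANNER), ("tls", TLS_CLIENT_HELLO), ("http", PLAIN_HTTP)):
        print(label, classify(payload, ORIGINAL_POST_CONFIG), classify(payload, WITH_HTTP_PROBE))
```

With the post's ["ssh", "ssl"] order, PLAIN_HTTP classifies as ("ssh", False), which is exactly the fallback path in the daemon.log excerpt; with a plaintext "http" entry in the list it is routed by its probe instead.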