Stunnel.org  
Patch info for many_sgifford

Creator: Scott Gifford
Patch to Version: 3.22
Type: Enhancement
Patch: many_sgifford.patch
Description

Non-SSL passthrough for negotiated protocols, immediate chroot/setuid options, use open file descriptor instead of new remote socket or local program, and more.

Author Comments


[Ednote: See the website listed for the majority of the
 information available with the patch.]

Date: 24 Jan 2003 11:55:05 -0500
From: Scott Gifford <sgifford@suspectclass.com>

Eben <stunnel@netdevice.com> writes:

> I prefer running stunnel 4.x as a service under daemontools.
> I haven't been able to get its logging running as a service however,
> see
> http://marc.theaimsgroup.com/?l=stunnel-users&m=104086103019110&w=2.

I have stunnel 3 working under daemontools OK, although with some
patches.  I haven't tried stunnel 4 yet.  I have a page about my
stunnel patches at:

    http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html

which includes my qmail-pop3d runfile.

Hope this helps,

----ScottG.


[Ednote: the following is snagged from
 http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel3.22-sg2.README
 which has more details.  See the actual link, since this version is not in
 sync with any changes he makes.]


In the process of making stunnel work exactly how I want it to with
qmail, I came up with some patches.  You can get information about
what I'm working on at:

    http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html

Originally, this was several different patches; that was annoying to
maintain, so I've combined them into one big patch.  I'll be happy to
try splitting this back up again if people would find it useful.

* Paranoia Changes

These changes allow stunnel to run more securely in some situations,
by accepting a flag which causes stunnel to chroot immediately after
starting, and another flag which causes stunnel to do the
setuid/setgid calls immediately, instead of waiting until after the
sockets are open.

The flags added are:

  -/ chroot-dir: chroot(chroot-dir) as soon as starting up.

                 Note that any files or directories you require, such
                 as the PID directory, must be created within the new
                 root.

                 Additionally, you must create a fake path within your
                 chroot directory to contain the openssl configuration
                 file.

  -i: setuid()/setgid() immediately, instead of waiting until after
   listening on the socket.

Additionally, these changes make the UID and GID given to the -s and
-g options be used directly as numeric IDs, instead of being looked up
in /etc/passwd or /etc/group, if they consist entirely of digits.

= Changes since original

  Numeric UIDs/GIDs are now supported even if the "-i" flag isn't
used.
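
The following is an added example, not code from the many_sgifford patch or from stunnel itself: it writes out what the "-/ chroot-dir" and "-i" options and the numeric -s/-g handling described above amount to, as stand-alone functions. Function names and the demo command line are this example's own. It resolves user and group names before the chroot, since /etc/passwd is not visible inside the new root (the reason all-digit IDs are worth accepting at all), and it checks after setuid() that root cannot be regained.

```c
/* Added example (not from the many_sgifford patch or stunnel): immediate
 * chroot, immediate privilege drop, and numeric-or-name UID/GID handling. */
#define _DEFAULT_SOURCE 1
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if s is non-empty and consists entirely of decimal digits. */
int all_digits(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Resolve a -s argument: an all-digit string is the UID itself, anything
 * else is a name looked up in the passwd database. Returns -1 if unknown. */
long resolve_uid(const char *s) {
    if (all_digits(s)) return strtol(s, NULL, 10);
    struct passwd *pw = getpwnam(s);
    return pw ? (long)pw->pw_uid : -1;
}

/* Same for -g and the group database. */
long resolve_gid(const char *s) {
    if (all_digits(s)) return strtol(s, NULL, 10);
    struct group *gr = getgrnam(s);
    return gr ? (long)gr->gr_gid : -1;
}

/* "-/ dir": chroot, then chdir("/") so the working directory does not keep
 * a handle on the old root. Needs root. */
int confine(const char *chroot_dir) {
    return (chroot(chroot_dir) == 0 && chdir("/") == 0) ? 0 : -1;
}

/* "-i": drop privileges now. Order matters: supplementary groups first, then
 * GID, then UID; after setuid() the process could no longer change groups.
 * Finishes by checking that the drop cannot be undone. Needs root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* the drop did not stick */
    return 0;
}

int main(int argc, char **argv) {
    /* usage (as root): ./paranoia <chroot-dir> <user|uid> <group|gid> */
    if (argc != 4) { fprintf(stderr, "usage: %s dir user group\n", argv[0]); return 2; }
    /* Resolve names BEFORE the chroot: no /etc/passwd is visible afterwards. */
    long uid = resolve_uid(argv[2]), gid = resolve_gid(argv[3]);
    if (uid < 0 || gid < 0) { fprintf(stderr, "unknown user or group\n"); return 1; }
    /* "-/ dir -i": confine and drop before any socket or file is opened. */
    if (confine(argv[1]) != 0) { perror("chroot"); return 1; }
    if (drop_privileges((uid_t)uid, (gid_t)gid) != 0) { perror("drop privileges"); return 1; }
    printf("uid=%u gid=%u, root is now %s\n", (unsigned)getuid(), (unsigned)getgid(), argv[1]);
    return 0;
}
```

The trade-off -i makes is visible in the order above: once the drop has happened, a privileged listening port can no longer be bound, which is why stock stunnel waits until after the socket is open. Likewise, everything the process needs after confine() (the PID directory, the OpenSSL configuration path, the certificate) must already exist under the new root, as the option description says.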



* OpenFD Changes

These changes allow stunnel to do secure forwarding to a file
descriptor, instead of to a local program or a remote program.  It
only makes sense to use this in conjunction with the -f flag, under
something like inetd or tcpserver.  It is your responsibility to have
the file descriptor opened when stunnel is run.

The flag added is:

  -F fd: Do secure forwarding to file descriptor fd.  This descriptor
         must be a socket, since two-way communications are required.

Information about a program which will set up the socket and file
descriptor properly is available in smtp-tls.README.

= Changes since original version

  None.
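
The following is an added example, not code from the many_sgifford patch, from stunnel, or from the smtp-tls.README program: it is the check a launcher should make on the descriptor it is about to pass as "-F fd", since -F requires a connected stream socket and a pipe, file, tty or datagram socket will not do. Function names and the constructed descriptors are this example's own.

```c
/* Added example (not from the many_sgifford patch or stunnel): validate a
 * descriptor before handing it to "-F fd". */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if fd is open and is a SOCK_STREAM socket; 0 for anything else
 * (closed descriptor, regular file, pipe, tty, datagram socket). */
int fd_is_stream_socket(int fd) {
    struct stat st;
    int type = 0;
    socklen_t len = sizeof type;
    if (fstat(fd, &st) != 0) return 0;            /* not an open descriptor */
    if (!S_ISSOCK(st.st_mode)) return 0;          /* file, pipe, tty: not a socket at all */
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0) return 0;
    return type == SOCK_STREAM;                   /* two-way byte stream, as -F needs */
}

/* Constructed descriptors of different kinds for the demo and tests. The
 * peer end of each pair is left open on purpose so the socket stays connected. */
enum demo_kind { DEMO_STREAM, DEMO_DGRAM, DEMO_PIPE, DEMO_FILE };
int demo_fd(enum demo_kind kind) {
    int p[2];
    switch (kind) {
    case DEMO_STREAM: return socketpair(AF_UNIX, SOCK_STREAM, 0, p) == 0 ? p[0] : -1;
    case DEMO_DGRAM:  return socketpair(AF_UNIX, SOCK_DGRAM, 0, p) == 0 ? p[0] : -1;
    case DEMO_PIPE:   return pipe(p) == 0 ? p[0] : -1;
    default:          return open("/dev/null", O_RDWR);
    }
}

int main(void) {
    const char *names[] = { "stream socket", "datagram socket", "pipe", "/dev/null" };
    for (int k = DEMO_STREAM; k <= DEMO_FILE; k++) {
        int fd = demo_fd((enum demo_kind)k);
        printf("%-16s fd=%d usable for -F: %s\n", names[k], fd,
               fd_is_stream_socket(fd) ? "yes" : "no");
    }
    return 0;
}
```

A launcher in the style the section describes would create the socket pair itself, run this check on the end it intends to hand over, then fork and exec stunnel with -f and -F followed by that descriptor number in the child while it keeps talking on the other end; the descriptor reaches stunnel by inheritance, not by a new connection, so it must exist and be valid before exec.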



* Protocol Changes

IMAP client and server support is added.

This patch adds support for "plaintext passthrough" for the SMTP,
POP3, and IMAP protocols in server mode, if the protocol name given to
the -n flag is followed by a minus sign (such as "-n pop3-").
Plaintext passthrough watches for commands which determine
capabilities (EHLO, CAPA, CAPABILITY) and commands which start TLS
(STARTTLS, STLS).  If a command to start TLS is seen, stunnel switches
to TLS mode and becomes a TLS proxy.  If any other command is received,
TLS capabilities are disabled, and stunnel becomes a simple proxy,
passing all data through unmodified.  If plaintext passthrough isn't
requested by the command-line options, the connection will be dropped
upon receipt of any command that is neither a start-TLS command nor a
capability command.

Capability probe commands (EHLO, CAPA, CAPABILITY) are augmented to
get the capabilities of the original server (by passing along the
command sent by the client), and add the TLS capability to it in a
protocol-appropriate way.

= Changes since original version

IMAP support added

Plaintext passthrough added for POP3, IMAP

Bugs in original patch involving line-endings are fixed

Bugs in original patch involving blank lines are fixed

fdgets, fdputs, and fdwrite are added

Plaintext passthrough is only used when protocol is followed by a
minus sign.  For example, "-n smtp-".
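
The following is an added example, not code from the many_sgifford patch or from stunnel: the negotiation described in this section written out as a small state machine. It classifies the client's command, decides between starting TLS, plaintext passthrough and dropping the connection, and splices the TLS capability into the server's reply to a capability probe in each protocol's own form. All names are this example's own; so are its policy of ignoring blank lines rather than counting them as "some other command", its handling of the tag IMAP puts in front of every command, and the constructed sample lines.

```c
/* Added example (not from the many_sgifford patch or stunnel): STARTTLS /
 * STLS negotiation front-end with optional plaintext passthrough. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum proto  { PROTO_SMTP, PROTO_POP3, PROTO_IMAP };
enum cmd    { CMD_BLANK, CMD_CAPABILITY, CMD_STARTTLS, CMD_OTHER };
enum action { ACT_IGNORE, ACT_PROBE, ACT_START_TLS, ACT_RELAY, ACT_DROP };
enum mode   { MODE_NEGOTIATING, MODE_TLS, MODE_PLAIN };
struct negotiator { enum proto proto; int passthrough; enum mode mode; };

/* Classify one client line: CRLF or bare LF, empty line is blank, case is
 * ignored, and for IMAP the tag before the command ("a001 STARTTLS") is skipped. */
enum cmd classify(enum proto p, const char *line) {
    char buf[512], *w, *e;
    size_t n = strlen(line);
    while (n && (line[n-1] == '\r' || line[n-1] == '\n')) n--;
    if (n == 0) return CMD_BLANK;
    if (n >= sizeof buf) return CMD_OTHER;
    memcpy(buf, line, n);
    buf[n] = '\0';
    w = buf;
    if (p == PROTO_IMAP) {
        if (!(w = strchr(buf, ' '))) return CMD_OTHER;
        while (*w == ' ') w++;
    }
    for (e = w; *e && *e != ' '; e++) { }
    *e = '\0';
    const char *cap = p == PROTO_SMTP ? "EHLO" : p == PROTO_POP3 ? "CAPA" : "CAPABILITY";
    const char *tls = p == PROTO_POP3 ? "STLS" : "STARTTLS";
    if (!strcasecmp(w, cap)) return CMD_CAPABILITY;
    if (!strcasecmp(w, tls)) return CMD_STARTTLS;
    return CMD_OTHER;
}

/* Feed one client line to the negotiator and return what to do with it. */
enum action handle_client_line(struct negotiator *s, const char *line) {
    if (s->mode != MODE_NEGOTIATING) return ACT_RELAY;  /* decided: nothing is inspected any more */
    switch (classify(s->proto, line)) {
    case CMD_BLANK:      return ACT_IGNORE;
    case CMD_CAPABILITY: return ACT_PROBE;              /* forward, then augment_capabilities() */
    case CMD_STARTTLS:   s->mode = MODE_TLS;   return ACT_START_TLS;
    default:
        if (!s->passthrough) return ACT_DROP;           /* "-n pop3": no TLS, no service */
        s->mode = MODE_PLAIN;  return ACT_RELAY;        /* "-n pop3-": become a plain proxy */
    }
}

/* Case-insensitive substring search (strcasestr is not portable). */
static const char *find_ci(const char *h, const char *n) {
    size_t ln = strlen(n);
    for (; *h; h++) if (!strncasecmp(h, n, ln)) return h;
    return NULL;
}

/* Start of the last line of a line-terminated reply. */
static const char *last_line(const char *r) {
    size_t n = strlen(r);
    while (n && (r[n-1] == '\r' || r[n-1] == '\n')) n--;
    while (n && r[n-1] != '\n') n--;
    return r + n;
}

/* Insert the TLS capability into the server's reply to EHLO / CAPA /
 * CAPABILITY; a reply that already advertises it comes back unchanged.
 * Returns a static buffer, or NULL if the reply is unrecognised or too long. */
const char *augment_capabilities(enum proto p, const char *reply) {
    static char out[1024];
    const char *at, *text;
    size_t n = strlen(reply), pre;
    if (p == PROTO_SMTP) {              /* "250-STARTTLS" line before the final "250 " line */
        if (strncmp(reply, "250", 3)) return NULL;
        at = last_line(reply); text = "250-STARTTLS\r\n";
    } else if (p == PROTO_POP3) {       /* "STLS" line before the terminating "." */
        at = last_line(reply);
        if (strncmp(reply, "+OK", 3) || *at != '.') return NULL;
        text = "STLS\r\n";
    } else {                            /* " STARTTLS" appended to the "* CAPABILITY" line */
        if (!(at = find_ci(reply, "* CAPABILITY"))) return NULL;
        while (*at && *at != '\r' && *at != '\n') at++;
        text = " STARTTLS";
    }
    if (find_ci(reply, p == PROTO_POP3 ? "STLS" : "STARTTLS")) text = "";
    pre = (size_t)(at - reply);
    if (n + strlen(text) + 1 > sizeof out) return NULL;
    memcpy(out, reply, pre);
    strcpy(out + pre, text);
    strcpy(out + pre + strlen(text), reply + pre);
    return out;
}

/* Drive a fresh negotiator through one or two client lines; action for the last. */
enum action react(enum proto p, int passthrough, const char *l1, const char *l2) {
    struct negotiator s = { p, passthrough, MODE_NEGOTIATING };
    enum action a = handle_client_line(&s, l1);
    return l2 ? handle_client_line(&s, l2) : a;
}

int main(void) {
    /* Constructed "-n pop3-" session: CAPA is probed, then the client stays in plaintext. */
    printf("CAPA -> %d, then USER -> %d\n", react(PROTO_POP3, 1, "CAPA\r\n", NULL),
           react(PROTO_POP3, 1, "CAPA\r\n", "USER alice\r\n"));
    printf("%s", augment_capabilities(PROTO_POP3, "+OK\r\nUSER\r\nUIDL\r\n.\r\n"));
    return 0;
}
```

Two points worth keeping from this: once a non-TLS command has switched the session to plain relay, a later STLS or STARTTLS is relayed to the real server rather than handled, which is exactly the "TLS capabilities are disabled" behaviour described above; and the capability splice checks whether the server already advertises TLS, so a server that has its own STARTTLS does not end up listing it twice.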




This website makes patches available for use by the Internet community. However it does not endorse any of the patches contained herein. They could work perfectly, or totally foul up everything. We don't know. Contact the authors if you have any questions. Use at your own risk.

The Stunnel software package does not contain any cryptography itself, however please remember that import and/or export of cryptographic software, code providing hooks to cryptographic algorithms, and discussion about cryptography is illegal in some countries. It is imperative for you to know your local laws governing cryptography. We're not liable for anything you do that violates your local laws.