Patch info for connect-proxy_savardd
Author Comments
Date: Thu, 31 Oct 2002 19:54:06 -0500 (EST)
From: Daniel Savard <savardd@gnulinux.ca>
Subject: Patch for stunnel 4.00 to be able to use stunnel over an https proxy
Hello,
This is a patch that permits stunnel to be used over an https proxy. It is
based on the work of Tan Swee Heng and adds password support and stunnel 4.00.
Thanks,
Daniel Savard
savardd@gnulinux.ca
This is a patch that lets stunnel be used through an https proxy that
supports the CONNECT method.
This patch permits the following:
IMAP client --> stunnel client* --> HTTPS proxy --> SSL IMAP server
Instead of the following:
IMAP client --> stunnel client --> SSL IMAP server
For this patch to work, the https proxy must support the CONNECT method as
specified in RFC 2817. This permits a true TCP link between the client and
the remote host through the proxy.
Also, the https proxy must accept the remote port you specify. Some
proxies (like Apache) will, by default, only let you connect to ports 443 or
563. You can use another stunnel at the remote host to forward from
port 443 to 110/995 or 143/993, for example.
IMAP client --> stunnel client* --> HTTPS proxy --> stunnel server --> IMAP server
Note: in the above samples, the stunnel followed by * is configured to use an
https proxy. When the httpsproxy options are used, the meaning of 'connect'
changes. Instead of the remote host address, it holds the https proxy
address.
client = yes
debug = 7
foreground = yes
pid =
[https]
accept = 8080
connect = proxy.test.com:51966
httpsproxy_dest = mail.test.com:993
httpsproxy_auth = test:pass
httpsproxy_useragent = Mozilla/4.75 [fr]
In the above sample configuration file:
stunnel will listen on port 8080 on localhost
it will connect to the https proxy at proxy.test.com (port 51966)
and tell the https proxy to connect to mail.test.com on port 993
It will also authenticate itself to the https proxy with user 'test' and
password 'pass' and make itself look like Netscape (Mozilla...)
The 'httpsproxy_dest' parameter tells stunnel that you want to use a proxy
server. Stunnel will get the proxy server name from the 'connect' parameter and
tell the proxy server to connect to the value of the 'httpsproxy_dest'
parameter.
If the optional 'httpsproxy_auth' parameter is present, stunnel will use the
username and password specified to authenticate to the https proxy. The value
must be in the form 'name:password', without the quotes. The parameter may be in
clear text or may already be base64 encoded. For example, it may be test:pass
or dGVzdDpwYXNz.
If the optional 'httpsproxy_useragent' parameter is present, stunnel will send
the string specified as the user agent to the proxy. This may be useful to make
the proxy or another site think that a specific browser, rather than stunnel,
is making the connection.
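As an added illustration (not code from the patch), the sketch below builds the CONNECT request that the three httpsproxy_* values describe and checks the proxy's reply, including the refused-port and failed-authentication cases. The function names, the HTTP/1.1 request line with a Host header, and the rule for telling clear text from base64 are assumptions of this example; the patch itself may differ.

```python
import base64
from typing import Optional

def basic_token(auth: str) -> str:
    """Token for 'Proxy-Authorization: Basic'. Assumption of this example:
    a value containing ':' is clear text, since ':' is not a base64 character."""
    if ":" in auth:
        return base64.b64encode(auth.encode("utf-8")).decode("ascii")
    return auth

def build_connect(dest: str, auth: Optional[str] = None,
                  useragent: Optional[str] = None) -> bytes:
    """Build the CONNECT request for httpsproxy_dest / _auth / _useragent values."""
    for value in (dest, auth, useragent):
        # Reject CR/LF so a config value cannot add extra header lines.
        if value and ("\r" in value or "\n" in value):
            raise ValueError("CR/LF not allowed in header values")
    lines = [f"CONNECT {dest} HTTP/1.1", f"Host: {dest}"]
    if useragent:
        lines.append(f"User-Agent: {useragent}")
    if auth:
        lines.append(f"Proxy-Authorization: Basic {basic_token(auth)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

def tunnel_established(response: bytes) -> bool:
    """True only for a 2xx status line; 403 (port refused) and 407 (auth) fail."""
    parts = response.split(b"\r\n", 1)[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed proxy status line")
    return 200 <= int(parts[1]) < 300

def visible_credentials(request: bytes) -> Optional[str]:
    """What an observer of the client-to-proxy hop reads from the request."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"proxy-authorization: basic "):
            return base64.b64decode(line.split(b" ", 2)[2]).decode("utf-8")
    return None

if __name__ == "__main__":
    # Values from the sample configuration; the proxy reply is constructed.
    req = build_connect("mail.test.com:993", "test:pass", "Mozilla/4.75 [fr]")
    print(req.decode("latin-1"))
    print(tunnel_established(b"HTTP/1.0 200 Connection established\r\n\r\n"))
    print(visible_credentials(req))
```

Because the Basic token is only an encoding, a base64 value in the configuration file or in the request sent to the proxy protects the password no better than clear text does.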
I started with code from the proxy_sweeheng.patch from Tan Swee Heng
<sweeheng@srikant.org>, converted it to stunnel 4.00 and added basic
authentication with code from Bob Deblier <bob@virtualunlimited.com> (code came
from his beecrypt library).
Daniel Savard
savardd@gnulinux.ca
This website makes patches available for use by the
Internet community. However it does not endorse any of the patches
contained herein. They could work perfectly, or totally foul up
everything. We don't know. Contact the authors if you have any
questions. Use at your own risk.
The Stunnel software package does not contain any
cryptography itself, however please remember that import and/or export of
cryptographic software, code providing hooks to cryptographic
algorithms, and discussion about cryptography is illegal in some countries.
It is imperative for you to know your local laws governing cryptography.
We're not liable for anything you do that violates your local laws.