Comments on: SSL to SSH tunneling (stunnel)

By: JoeT

JoeT — Sat, 21 Jan 2012 17:12:07 +0000

your post helped me, i was trying to setup stunnel and it wasn’t working; just kept hanging no matter what i tried doing with pem files and ports and iptables, grrr.
turns out i needed to uncomment this line:
client=yes
thanks!

By: farshid

farshid — Tue, 03 Jan 2012 12:45:24 +0000

Thanks so much, that’s awesome. Some people may ask why to do this (@Ammon) . The answer is there are firewalls out there that can mangle SSH2_MSG_KEXINIT packet on ssh initiating a connection therefore fully block the ssh connection on any port!! That’s awesome way to go around that. Many thanks.

By: Yoshito

Yoshito — Wed, 05 Oct 2011 19:10:28 +0000

I just have finished my configuration and it works very well. Here is the openssl PEM generator command for people who are a bit lost with SSL certs.

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

Vive l’Internet totalement libre.

By: Cedric

Cedric — Mon, 09 May 2011 03:20:17 +0000

And this post is all the more interesting that Saul Christie forgot to mention that Apache’s mod_proxy_connect has a bug, which may only be corrected by applying a patch to Apache at compile time, which prevents using proxytunnel over https.

So the only way, without recompiling apache to do what you need is the way you very simply explained it above.

Thanks.

By: admin

admin — Thu, 08 Apr 2010 08:33:08 +0000

My blog post explains how to run SSH in SSL, which I believe is the same as your SSH in HTTPS.

By: Jonas

Jonas — Thu, 08 Apr 2010 01:17:47 +0000

This works but is a bit of a ‘middle-ground’ fudge and certainly won’t work in all environments. If you want to get your SSH through a web-proxy, it’s better to completely wrap your SSH in HTTPS – e.g.

http://www.saulchristie.com/bypass-firewalls

A little bit more effort but completely indetectable even by full network traffic analysis.

By: amaël

amaël — Fri, 13 Nov 2009 16:01:49 +0000

is there a way to use stunnel with a proxy that allow https (CONNECT)? The proxy needs the client to be authenticated. I ‘ve seen savvard patch but it doesn’t work with latest version (4.28) of stunnel.

By: nalply

nalply — Sun, 01 Nov 2009 14:47:18 +0000

It’s neccessary if you are limited by a stupid firewall not allowing outgoing SSH. With SSH over SSL you can trick out the firewall .

By: Pants

Pants — Thu, 03 Sep 2009 13:05:02 +0000

Great post. I ‘get’ exactly why you need to tunnel SSH over stunnel as you’ve described here. I’m currently working with a very tricky proxy server that won’t allow a connection directly to an SSHD server because it requires SSL handshaking, otherwise it drops the connection. Using stunnel I can now get the correct SSL protocol and still use SSH too.

By: admin

admin — Thu, 02 Apr 2009 06:50:43 +0000

Yes, SSH is very safe!
And I am quite aware of how alternate ports for the sshd.

Most of the time this guide is like reinvent the wheel.

I did not do the tunneling due to security issues in ssh but to pass through tightly secured proxies and firewalls. On larger companies, security department usually only allow internet traffic on http and https (ssl) through a forward proxy.

Then you have two ways to go.

1. Tunnel ssh over http; Then you must cope with all strange hacks a forward proxy might do. Adding headers etc.

2. Or do some tricks over https proxy connect with ssl, one could be my solution above.