From: Lonnie A. <li...@lo...> - 2011-04-14 16:59:45
Kristian,

Another interesting feature of stunnel is to listen on IPv6 and connect to legacy IPv4-only services. Just a couple changes to stunnel.init are needed to automatically support that.

If we ever wanted to support local IPv6 "connect's" we would have to change the STUNNELSERVS delimiter from a colon to a tilde as we have done elsewhere. Or use a DNS name for the local host with a AAAA record.

Lonnie

On Apr 13, 2011, at 4:31 PM, Kristian Kielhofner wrote:

> OpenVPN is used to build SSL encrypted layer 3 or layer 2 tunnels
> between two points.
>
> Stunnel is used to add SSL functionality to any application that uses
> a TCP socket. So, for example:
>
> FreeSWITCH includes an XML-RPC webserver. It doesn't support SSL or TLS.
>
> You could configure FreeSWITCH to listen on localhost. You would then
> configure stunnel to listen on a network facing TCP port (with SSL/TLS
> enabled in stunnel). This port would accept TLS/SSL encrypted traffic
> and transparently proxy it back to FreeSWITCH listening on localhost.
> You could then access the stunnel port with a standard web browser
> using HTTPS and it "just works" even though FreeSWITCH doesn't support
> SSL natively.
>
> I use stunnel to transparently encrypt HTTP traffic from a network
> security camera. I then access the AstLinux machine over the internet
> with HTTPS and AstLinux/stunnel implements the SSL that my network
> security camera vendor should have implemented themselves :). I can
> do this from any web browser. If I was using openvpn I'd need to
> install an openvpn client and build a full blown tunnel.
>
> On Wed, Apr 13, 2011 at 5:17 PM, Lonnie Abelbeck
> <li...@lo...> wrote:
>> Kristian,
>>
>> Thanks for your comments, but how is this different (solution wise) from using the more general OpenVPN between boxes?
>>
>> Do you prefer we continue supporting stunnel by default in AstLinux? A change has to be made either way.
>>
>> Lonnie
>>
>>
>> On Apr 13, 2011, at 3:42 PM, Kristian Kielhofner wrote:
>>
>>> Stunnel is not for VPN services. It's to "bolt on" SSL to other
>>> daemons, etc that don't have it. FreeSWITCH socket, Asterisk AMI,
>>> come to mind. I like it.
>>>
>>> On Wed, Apr 13, 2011 at 4:37 PM, Lonnie Abelbeck
>>> <li...@lo...> wrote:
>>>> Devs,
>>>>
>>>> If there are no objections, let's remove stunnel support from the default image.
>>>>
>>>> With all our VPN choices stunnel seems superfluous for our solution. I assume no-one uses it. We will note it in the ChangeLog.
>>>>
>>>> The version we currently use has moved to their obsolete directory, seems like a good time to uncheck it.
>>>>
>>>> Lonnie
>>> --
>>> Kristian Kielhofner
>
> --
> Kristian Kielhofner
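
The setup discussed in this thread (TLS terminated by stunnel in front of a localhost-only daemon, accepting on IPv6 and connecting to an IPv4-only backend), written as a raw stunnel.conf. This is an added example, not part of the original messages and not what AstLinux's stunnel.init generates from STUNNELSERVS; the service names, port numbers and certificate path are assumptions.

```ini
; Constructed example: service names, ports and the certificate path
; are assumptions, not values taken from the thread.

; PEM file holding the server certificate and its private key
; (hypothetical path). Restrict read access to root / the stunnel user.
cert = /etc/stunnel/server.pem

[freeswitch-xmlrpc]
; ":::port" is stunnel's syntax for "all IPv6 addresses":
; the TLS-facing side listens on IPv6.
accept  = :::8443
; The legacy backend is reached over IPv4 loopback. FreeSWITCH's
; XML-RPC webserver is assumed to be bound to 127.0.0.1:8080.
connect = 127.0.0.1:8080

[asterisk-ami]
; Same pattern for a second plaintext TCP daemon mentioned in the
; thread (Asterisk AMI; 5038 is assumed as its plaintext port).
accept  = :::5039
connect = 127.0.0.1:5038
```

The backend daemons must listen on 127.0.0.1 only and the firewall should expose only the `accept` ports; if the plaintext port is reachable from the network, clients can bypass the TLS front end entirely.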