tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: [OT] Tunneling an arbitrary protocol via SSL/TLS [resolved]
Date Tue, 10 Sep 2013 14:05:46 GMT

On 9/9/13 2:50 PM, Christopher Schultz wrote:
> Somewhat off-topic, but I was wondering if anyone knew of any
> package or technique that could be used to tunnel an arbitrary
> protocol via TLS?
> In this particular case, I need to wrap HTTP in TLS (to make HTTPS
> :) without modifying the source of the client -- and the client
> does not support HTTPS. :(
> So far, I've come up with the following possibilities:
> 1. Use stunnel.

Oddly enough, my experience with stunnel is limited to tunneling AJP
and MySQL. After re-reading the man page (someone suggested it after I
claimed that stunnel required stunnel processes at both ends), it
appears that it's trivial to configure stunnel at one end as long as
the other end already speaks TLS -- like the case where I need to
connect to an HTTPS server but my client can't do HTTPS (at least not

I like this better than using httpd for a few reasons:

1. I don't need httpd for anything else, and would prefer not to
install something so big for such a small job.

2. I already have stunnel running for other reasons

3. Configuration is simpler (but not much)

Anyhow, if anyone is interested, I've been able to set this up quite
trivially using stunnel /on the client end/ of the connection with
this configuration:

sslVersion = TLSv1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes


Most of that is stock configuration from Debian (e.g. chroot, socket
options, etc.). Plus, I haven't configured client certs yet, but it
should be as easy as:


Now that I know stunnel doesn't need to be running on both sides of a
connection, I might be able to simplify some of my MySQL configurations.

(For those who aren't familiar, Linux distributions tend not to build
their package-managed MySQLs with SSL support due to some odd
licensing issues. That means that, even though MySQL "supports"
encrypted connections, it basically can't actually do them in
practice. If I can use stunnel locally, I can have stunnel act as my
"server" and proxy to MySQL. I have this set up this way now, but I
also have a mirror stunnel process running on the client as well.
Given the above, I should be able to connect to the remote stunnel
process directly from the JDBC driver and not have to do
loopback/stunnel connections on both sides).

-chris
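As an added example (not Chris's configuration and not part of the original post), here is a complete client-side stunnel setup of the kind described above: the same Debian-style global options, the accept/connect lines that define the service, and the server-certificate verification options that a one-ended tunnel needs so that it is authenticated and not merely encrypted. The host names, ports and file paths are assumed placeholders, and the verifyChain/checkHost/sslVersionMin options assume stunnel 5.50 or later.

```ini
; Added example; not the configuration from the post.
; Global options (Debian stunnel4 style, as in the post).
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; pid path is relative to the chroot
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Prefer a minimum protocol version over pinning a single old one.
sslVersionMin = TLSv1.2

; Plain-HTTP client -> local stunnel -> remote HTTPS server.
[https]
client = yes
; the HTTP-only client is pointed at this local port
accept = 127.0.0.1:8080
; stunnel speaks TLS to the real server (assumed host name)
connect = www.example.com:443
sni = www.example.com
; Verify the server's certificate chain against the system CA
; bundle and check that the name matches; without these lines
; the tunnel would accept any certificate a MITM presented.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = www.example.com
; Client certificate, if the server requires one (assumed paths).
;cert = /etc/stunnel/client-cert.pem
;key = /etc/stunnel/client-key.pem

; Local MySQL client -> local stunnel -> remote stunnel in front of MySQL.
[mysql]
client = yes
accept = 127.0.0.1:3307
; the remote stunnel "server" instance listens here (assumed)
connect = db.example.com:3306
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = db.example.com
```

CAfile is loaded before stunnel enters the chroot, so a path outside /var/lib/stunnel4/ is fine; a CApath directory, by contrast, must live inside the chroot.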

