Date: Thu, 31 Oct 2002 19:54:06 -0500 (EST)
From: Daniel Savard
Subject: Patch for stunnel 4.00 to be able to use stunnel over an https proxy

Hello,

This is a patch that permits stunnel to be used over an https proxy. It is
based on the work of Tan Swee Heng and adds password support and support for
stunnel 4.00.

Thanks,
Daniel Savard
savardd@gnulinux.ca

This is a patch to be able to use stunnel through an https proxy that
supports the CONNECT protocol.

This patch permits the following:

    IMAP client --> stunnel client* --> HTTPS proxy --> SSL IMAP server

Instead of the following:

    IMAP client --> stunnel client --> SSL IMAP server

For this patch to work, the https proxy must support the CONNECT protocol as
specified in RFC 2817. This permits a true TCP link between the client and
the remote host through the proxy.

Also, the https proxy must accept the remote port you specify. Some proxies
(like Apache) will only accept connections to ports 443 or 563 by default.
You can use another stunnel at the remote host to transfer from port 443 to
110/995 or 143/993, for example.

    IMAP client --> stunnel client* --> HTTPS proxy --> stunnel server --> IMAP server

Note: in the above samples, the stunnel followed by * is configured to use
an https proxy.

When the httpsproxy options are used, the meaning of 'connect' changes.
Instead of meaning the remote host address, it means the https proxy address.

    # This is the start of the sample configuration file
    client = yes
    debug = 7
    foreground = yes
    pid =

    [https]
    accept = 8080
    connect = proxy.test.com:51966
    httpsproxy_dest = mail.test.com:993
    httpsproxy_auth = test:pass
    httpsproxy_useragent = Mozilla/4.75 [fr]
    # This is the end of the sample configuration file

In the above sample configuration file:

    stunnel will listen on port 8080 on the localhost
    it will connect to the https proxy at proxy.test.com
    and tell the https proxy to connect to mail.test.com on port 993
    It will also authenticate itself to the https proxy with user 'test'
    and password 'pass' and make itself look like Netscape (Mozilla...)

The parameter 'httpsproxy_dest' tells stunnel that you want to use a proxy
server. Stunnel will get the proxy server name from the 'connect' parameter
and tell the proxy server to connect to the value of the 'httpsproxy_dest'
parameter.

If the optional 'httpsproxy_auth' parameter is present, stunnel will use the
username and password specified to authenticate to the https proxy. The
format must be in the form 'name:password' without the quotes. The parameter
may be in clear text or may already be base64 encoded. For example, it may
be test:pass or dGVzdDpwYXNz.

If the optional 'httpsproxy_useragent' parameter is present, stunnel will
use the string specified as the user agent sent to the proxy. This may be
useful to make the proxy or another site think that a specific browser is
making the connection instead of stunnel.

I started with code from the proxy_sweeheng.patch from Tan Swee Heng,
converted it to stunnel 4.00 and added basic authentication with code from
Bob Deblier (code came from his beecrypt library).

Daniel Savard
savardd@gnulinux.ca
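
The exchange the three httpsproxy options describe, as an added example that is not code from the patch or from stunnel: it builds the CONNECT request for the sample configuration's values and checks the proxy's status line, showing that the base64 form of 'httpsproxy_auth' is only an encoding of the same credentials. The function names, the HTTP/1.1 request line with a Host header (as in RFC 2817's example), the colon test for telling clear text from base64, and the refusal of CR/LF in configured values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Base64-encode n bytes of in; out must hold 4*((n+2)/3)+1 bytes. */
static void b64_encode(const unsigned char *in, size_t n, char *out) {
    for (size_t i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)in[i] << 16;
        if (i + 1 < n) v |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        *out++ = B64[(v >> 18) & 63];
        *out++ = B64[(v >> 12) & 63];
        *out++ = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        *out++ = (i + 2 < n) ? B64[v & 63] : '=';
    }
    *out = '\0';
}

/* Build the CONNECT request for dest ("host:port"). auth is 'name:password' or
 * an already base64-encoded value; auth and agent may be NULL. Returns -1 on error. */
int build_connect(char *buf, size_t cap, const char *dest,
                  const char *auth, const char *agent) {
    char cred[256] = "";
    /* A CR or LF inside a configured value would add header lines: refuse it. */
    if (strpbrk(dest, "\r\n") || (auth && strpbrk(auth, "\r\n")) ||
        (agent && strpbrk(agent, "\r\n"))) return -1;
    if (auth && strlen(auth) > 180) return -1;   /* keeps cred[] in bounds */
    if (auth && strchr(auth, ':'))               /* ':' is not a base64 character */
        b64_encode((const unsigned char *)auth, strlen(auth), cred);
    else if (auth)
        strcpy(cred, auth);                      /* assumed to be base64 already */
    int n = snprintf(buf, cap, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s%s%s%s%s%s\r\n",
                     dest, dest, auth ? "Proxy-Authorization: Basic " : "", cred,
                     auth ? "\r\n" : "", agent ? "User-Agent: " : "",
                     agent ? agent : "", agent ? "\r\n" : "");
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Returns 1 only when the proxy's status line carries a 2xx code. */
int proxy_accepted(const char *line) {
    int vmaj, vmin, code;
    return sscanf(line, "HTTP/%d.%d %d", &vmaj, &vmin, &code) == 3 && code / 100 == 2;
}

int main(void) {  /* prints the request for the sample configuration's values */
    char req[1024];
    if (build_connect(req, sizeof req, "mail.test.com:993", "test:pass",
                      "Mozilla/4.75 [fr]") > 0) fputs(req, stdout);
    return 0;
}
```

The SSL session to mail.test.com starts only after the proxy's 2xx reply, so the request above, including the Proxy-Authorization header, reaches the proxy outside that session.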