I came across an open source SOCKS client library that supports connecting to a SOCKS proxy using a trustmanager key to verify the remote server.
However, I have been unable to find SOCKS proxy servers that support this. Are these available at all commercial or not?
The library in question is sockslib (Java), which sports this specific client example.
A related question: with this specific library, it is possible to define both a keymanager key (in addition to the trustmanager key) as well as normal credentials. Does this make sense for SOCKS servers?
WinGate SOCKS server supports accepting a connection (TCP) and immediately performing a TLS handshake on it prior to SOCKS protocol.
It also supports authenticating to the SOCKS server using client certificates. Or you can just do plaintext (or even GSS-API) auth after that.
Note that this is NOT the method proposed in draft-aft-socks-ssl-00 in 1997 which proposed layering TLS over the top of SOCKS framing (IMO an unnecessarily complicated way of doing it, which only provides a single benefit - being able to negotiate SSL or not - with a lot of down-sides).
Related
In Hyperledger Fabric we use TLS for secure communication between nodes. So how do I verify/check secure communication between two nodes in HLF after enabling TLS communication?
I have two Fabcar examples, one with TLS enable and one without TLS enabled. so how do I check/verify the result of two codes? I should get the difference in the results of both the codes.
As a simple test you might run wireshark to inspect the packages to the two HLF's where Wireshark should be able to tell you if the traffic is TLS or not, based on the packages.
This link explain some basics to how wireshark detect package types. And here how it detect TLS.
With some strategic filters it should not be a too big of problem to check the specific packages for HLF's. There might even exist some finished filters for this on google.
I am trying to connect a client to a secure (SSL/TLS) IMAP server. The client code cannot handle SSL/TLS correctly, so I am trying to see if a proxy server can be used in the middle. I was thinking something like the following:
IMAP Client <------- Plain Text Requests -------> Proxy <------- SSL/TLS Requests -------> SSL/TLS protected IMAP server.
I think this is possible but I am curious on what products can be used for the proxy? And, is this a normal deployment option?
Thanks much,
Ash
Use stunnel. With it you can do direct TLS (i.e. imaps, port 993) and also TLS upgrade of a plain IMAP connection (port 143) using the STARTTLS command. See the documentation for more details.
This is insane. An obvious fix is to find out why your client software cannot handle TLS. Deploying proxies or standalone tunnels makes little sense.
Seriously, if your "client" cannot even establish a TLS connection, it's either severely misconfigured, has damaged installation, or so bad that it won't reliably work even after you deploy this bandaid.
I have a C++ application that has a SSL/TLS communication with its own server and i don't have any access to that server. I'm trying to find out what is it sending from my PC to the server.
I tried burp and fiddler as man-in-middle but it didn't work. The application does not support Proxy so i tried routing the traffic using proxifier to burp and fiddler but it didn't work.
So I came up with these articles https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415 and http://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id
I just need to know , How I can find Master-key and Session-ID to decrypt SSL/TLS trafic.
It depends on the TLS cipher suite being used. If the ciphersuite uses forward secrecy (DHE) you cannot decrypt the stream. If it uses RSA encryption then you need at least the private key of the server. If it also uses client authentication then you would also need the private key of the client. if it uses symmetric encryption you need the symmetric (master) key from either one of them.
But if you do have a C++ application, I would simply add logging to that application (at the lowest level).
You can use following alrternates on a x86 windows
STRACE - http://blogs.msdn.com/b/emmanubo/archive/2007/06/04/introduction-to-strace-httpreplay-support-tools.aspx
SOCKTRC if this app is on windows checkout
http://blogs.msdn.com/b/emmanubo/archive/2007/08/03/socktrc-tool.aspx
HTTPREPLAY -
generally used for browsers but here can be used to view the responses in the UI
1 question about Stunnel. I would like to use Stunnel as a FIX (Financial Information eXchange) gateway for internet, to support both SSL and non-SSL connection. Is Stunnel able to do without any encryption? I just had a try with plain socket but it looked Stunnel rejected the connection saying 'invalid protocol' or something.
It's possible to use SSL/TLS without encryption using cipher suites with null encryption (e.g. TLS_RSA_WITH_NULL_SHA), which are normally disabled by default, but could be set via the ciphers option of Stunnel. However, you would still be using SSL/TLS, which isn't what you seem to be looking for.
It looks like you're more generally looking for what's usually called a TCP bouncer. You should be able to find a number of implementations around.
I'm pretty far out of my depth here, so bear with me. We're using JDBC via com.intersys.jdbc.cachedriver to run stored procedures in Intersystems Cache and get the results in Java. However, there are other clients that connect directly to the Cache using a terminal over telnet. We have to lock down Cache's telnet port so that only telnet over SSL is possible. However, the Cache experts here say that locking down one port in Cache locks them all down, so the Java to Cache connection will also have to use SSL. I understand vaguely that some JDBC drivers support SSL, but I don't see that the Cache one does. What I need to know is:
What's needed to configure SSL for the JDBC connections? (We're using JBoss 4.2.3)
What about certificates? I assume those have to go somewhere.
Is it actually true that locking down the telnet connections is also going lock down JDBC in the same way?
Configuring Java Clients to Use SSL/TLS with Caché
Using SSL/TLS with Caché
Telnet vs ssh is a question about what the OS allows and only relates to Cache peripherally. It doesn't mean anything regarding items 1 or 2. So in answer to the direct question you are asking, "No".
1. What's needed to configure SSL for the JDBC connections? (We're using JBoss 4.2.3)
See http://docs.intersystems.com/cache20102/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_ssltls#GCAS_ssltls_javacli for details. This section doesn't explicitly mention JDBC, but it's true for JDBC (and the reference has been added for the documentation 2011.1 [next release] .)
2. What about certificates? I assume those have to go somewhere.
To quote the documentation: "If the client has a private key and certificate, these are stored in the client’s keystore; the keystore can also hold the client’s root CA certificate and any intermediate CA certificates. To authenticate the server, the client may need to have the root CA certificate for the server and any intermediate CA certificates, these can be stored either in the client’s truststore or along with client certificate information in the keystore. For more information on keystores and truststores, see the section “Keystores and Truststores” in the Java Secure Socket Extension (JSSE) Reference Guide."
3. Is it actually true that locking down the telnet connections is also going lock down JDBC in the same way?
Yes -- if telnet connections are to require TLS, then the superserver TLS setting needs to be Required, which means that you have to use TLS for anything that goes through the superserver (including JDBC). If you just want to allow the use of TLS for telnet connections, set the TLS value to Enabled, which allows non-TLS connections by other means (such as JDBC).