Java Applet Client for STUNNEL-fronted server

Discussion in 'Java' started by Richard Maher, Jun 17, 2007.

  1. Hi,

    I currently have an intranet-resident JAVA Applet that connects back to the
    Application Server via standard TCP/IP sockets using the java.net.Socket
    class, and everything is peachy. What I'm looking at doing now is making it
    Internet friendly by providing host authentication (don't care about client
    authentication at the mo) and strong cryptography between client and server.

    OpenSSL and Stunnel (I don't want to have to make the Application Server SSL
    compatible if I don't have to) are available on the server box therefore I
    would dearly love an example of a JAVA client that can talk javax.net.SSL
    (or something else) to a Stunnel-fronted server. (Less is definitely more
    here - The least number of client keys and or certificate-generations the
    better!)

    Can anyone please help me with this? Obviously example-code would be ideal,
    as would first-hand accounts of the trials and tribulations, but I'll
    certainly settle for web-references to the appropriate docs or other
    relevant material!

    Are all the libraries/code reqd bundled with the JDK and runtime JVM ready?

    Is there a better way? (Sadly IPsec is not an option here) Maybe there's an
    alternate solution that can preserve the client's true IP address and
    present it to the Application Server's "Listen"?

    Cheers Richard Maher
     
    Richard Maher, Jun 17, 2007
    #1
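An added example, not code from this thread or from the stunnel project, of what the asked-for client looks like with plain `javax.net.ssl`: the client trusts only the certificates in one JKS trust store (holding the stunnel server certificate or its issuing CA, so one server key pair is the only key material needed), pins the negotiated protocol to TLS 1.2/1.3, and turns on HTTPS-style hostname checking so that a certificate for some other host, even one signed by a trusted CA, is rejected. The host name, port, trust-store path and password, and the `HELLO` message are placeholders; the code assumes Java 11 or later.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical TLS client for a stunnel-fronted application server.
 * Assumptions (not from the thread): stunnel listens on HOST:PORT with a
 * server certificate whose issuer (or the certificate itself) is in the JKS
 * trust store at TRUST_STORE; the application protocol is line-oriented text.
 */
public class StunnelClient {
    private static final String HOST = "app.example.com";              // hypothetical
    private static final int PORT = 4433;                               // hypothetical
    private static final String TRUST_STORE = "client-truststore.jks";  // hypothetical
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray(); // hypothetical

    /** Builds an SSLContext that trusts only the certificates in the given store. */
    static SSLContext buildContext(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: no client auth
        return ctx;
    }

    /** Opens a TLS socket, enforces server identity checks, and completes the handshake. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        // HTTPS-style hostname check: the certificate must match HOST, otherwise
        // any certificate issued by a trusted CA would be accepted for this server.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // fail fast, before any application data is sent
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(TRUST_STORE, TRUST_STORE_PASSWORD);
        try (SSLSocket socket = connect(ctx, HOST, PORT)) {
            SSLSession session = socket.getSession();
            System.out.println("Negotiated " + session.getProtocol() + " / "
                    + session.getCipherSuite() + " with " + session.getPeerPrincipal());
            PrintWriter out = new PrintWriter(
                    new OutputStreamWriter(socket.getOutputStream(), "UTF-8"), true);
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), "UTF-8"));
            out.println("HELLO"); // hypothetical application-level message
            System.out.println("Server said: " + in.readLine());
        }
    }
}
```

Nothing here is applet-specific: the same `SSLContext`/`SSLSocket` calls work from an applet, a desktop client or a test harness, and the application server behind stunnel still sees plain TCP, which is the point of fronting it. The one thing worth checking on the server side is that stunnel's `connect` target is bound to localhost or an internal interface, so the plaintext leg is not reachable from the Internet directly.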

  2. Is my question so ambiguous that nobody wants to answer it?

    Well, it worked for the other guy :)

    Cheers Richard Maher

    "Richard Maher" <> wrote in message
    news:f52k0r$bk3$...
    > Hi,
    >
    > I currently have an intranet-resident JAVA Applet that connects back to the
    > Application Server via standard TCP/IP sockets using the java.net.Socket
    > class, and everything is peachy. What I'm looking at doing now is making it
    > Internet friendly by providing host authentication (don't care about client
    > authentication at the mo) and strong cryptography between client and server.
    >
    > OpenSSL and Stunnel (I don't want to have to make the Application Server SSL
    > compatible if I don't have to) are available on the server box therefore I
    > would dearly love an example of a JAVA client that can talk javax.net.SSL
    > (or something else) to a Stunnel-fronted server. (Less is definitely more
    > here - The least number of client keys and or certificate-generations the
    > better!)
    >
    > Can anyone please help me with this? Obviously example-code would be ideal,
    > as would first-hand accounts of the trials and tribulations, but I'll
    > certainly settle for web-references to the appropriate docs or other
    > relevant material!
    >
    > Are all the libraries/code reqd bundled with the JDK and runtime JVM ready?
    >
    > Is there a better way? (Sadly IPsec is not an option here) Maybe there's an
    > alternate solution that can preserve the client's true IP address and
    > present it to the Application Server's "Listen"?
    >
    > Cheers Richard Maher
     
    Richard Maher, Jun 21, 2007
    #2

  3. Richard Maher wrote:
    > Is my question so ambiguous that nobody wants to answer it?


    I posted some SSLSocket code in your next question, so I assume
    all is set here.

    Arne
     
    Arne Vajhøj, Jul 4, 2007
    #3
  4. Hi

    > I posted some SSLSocket code in your next question, so I assume
    > all is set here.


    Yeah, Rockin' and Rollin' thanks again Arne. (At least I hope so, I haven't
    gotten around to testing it yet (with Stunnel), and am currently
    experiencing the joys of porting my Internet Explorer JavaScript/HTML to
    Firefox :) On the upside, the Applet stuff worked straight away)

    Having said that there is a related topic that you might be able to assist
    me with though: -

    "The TCP/IP Out-of-band character with Java->SSL->Stunnel."

    I know Java can't receive OOB data (except inline) but it can send them and
    SSLSocket inherits sendUrgentData() so it's vaguely on topic. The problem I
    foresee according to the STUNNEL docs is that unless the OOB character is
    in-lined then it will just be ignored. Can anyone confirm this?

    SSLv3 seems to mandate that the OOB data be supported (as normal data with a
    complete SSL wrapper record) but I can't find anything in the OpenSSL
    routines that modify (or inform) an SSL_Read() that it's got the OOB; can
    anyone confirm this?

    At first glance, I just can't see a problem with STUNNEL/OpenSSL unpacking
    the OOB byte and passing it on to the in-the-clear connection (with the
    option for *both* inline or OOB) but maybe that's just me?

    Cheers Richard Maher

    PS. I actually find the whole SSL thing a huge fudge and long for the day
    when everyone is talking something more transparent like IPSec! (Or other
    VPN solution) Still there'll always be the ubiquitous unauthorised browser
    client with a dynamic IP address I suppose.

    PPS. If you know much about a "SOCKS - Generic *circuit-level* Proxy Server"
    I'd be very willing to listen to that too! But the implementations I've seen
    (HP-UX at least) seem to deploy SSH in this space with one process/user and
    up-front user authorization and other unpleasantness; any thoughts?

    "Arne Vajhøj" <> wrote in message
    news:468b173a$0$90270$...
    > Richard Maher wrote:
    > > Is my question so ambiguous that nobody wants to answer it?
    >
    > I posted some SSLSocket code in your next question, so I assume
    > all is set here.
    >
    > Arne
     
    Richard Maher, Jul 4, 2007
    #4
  5. Richard Maher wrote:
    > Having said that there is a related topic that you might be able to assist
    > me with though: -
    >
    > "The TCP/IP Out-of-band character with Java->SSL->Stunnel."
    >
    > I know Java can't receive OOB data (except inline) but it can send them and
    > SSLSocket inherits sendUrgentData() so it's vaguely on topic. The problem I
    > foresee according to the STUNNEL docs is that unless the OOB character is
    > in-lined then it will just be ignored. Can anyone confirm this?
    >
    > SSLv3 seems to mandate that the OOB data be supported (as normal data with a
    > complete SSL wrapper record) but I can't find anything in the OpenSSL
    > routines that modify (or inform) an SSL_Read() that it's got the OOB; can
    > anyone confirm this?
    >
    > At first glance, I just can't see a problem with STUNNEL/OpenSSL unpacking
    > the OOB byte and passing it on to the in-the-clear connection (with the
    > option for *both* inline or OOB) but maybe that's just me?


    I would go for a simpler solution.

    Either open a second socket connection for this traffic or make
    a protocol on the original socket that has both "next data block"
    and "urgent interrupt" messages.

    Arne
     
    Arne Vajhøj, Jul 4, 2007
    #5
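An added example, not code posted by either participant, of the second option Arne suggests: one framed protocol on the single TLS stream that carries both "next data block" and "urgent interrupt" messages, so nothing depends on TCP out-of-band bytes that stunnel may drop. Every frame is a type byte, a four-byte length and the payload; the receiver rejects unknown types and over-long frames before allocating, which is what a decoder sitting behind a public-facing TLS endpoint should do. The `FramedChannel` class, the type codes and the frame-size limit are my own choices, and `main` demonstrates the round trip over in-memory streams in place of the `SSLSocket` streams it would normally wrap.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical framing for one TLS stream: every message is
 *   [type: 1 byte][length: 4 bytes big-endian][payload: length bytes]
 * Types are DATA (ordinary block) and URGENT (the interrupt that would
 * otherwise have been sent as a TCP OOB byte via sendUrgentData()).
 * Lengths are capped so a malformed peer cannot force huge allocations.
 */
public final class FramedChannel {
    public static final byte TYPE_DATA = 1;
    public static final byte TYPE_URGENT = 2;
    static final int MAX_FRAME = 64 * 1024; // hypothetical limit

    public static final class Frame {
        public final byte type;
        public final byte[] payload;
        Frame(byte type, byte[] payload) { this.type = type; this.payload = payload; }
    }

    private final DataInputStream in;
    private final DataOutputStream out;

    public FramedChannel(InputStream in, OutputStream out) {
        this.in = new DataInputStream(in);
        this.out = new DataOutputStream(out);
    }

    public void sendData(byte[] block) throws IOException { write(TYPE_DATA, block); }

    /** Replaces sendUrgentData(): the interrupt code travels as its own one-byte frame. */
    public void sendUrgent(int code) throws IOException { write(TYPE_URGENT, new byte[] {(byte) code}); }

    private synchronized void write(byte type, byte[] payload) throws IOException {
        if (payload.length > MAX_FRAME) throw new IOException("frame too large: " + payload.length);
        out.writeByte(type);
        out.writeInt(payload.length);
        out.write(payload);
        out.flush(); // one frame per flush keeps the interrupt from waiting behind buffered data
    }

    /** Returns the next frame, or null at a clean end of stream. */
    public Frame receive() throws IOException {
        int type;
        try { type = in.readUnsignedByte(); } catch (EOFException eof) { return null; }
        if (type != TYPE_DATA && type != TYPE_URGENT) throw new IOException("unknown frame type " + type);
        int length = in.readInt();
        if (length < 0 || length > MAX_FRAME) throw new IOException("bad frame length " + length);
        byte[] payload = new byte[length];
        in.readFully(payload); // EOFException on a truncated frame, never a partial read
        return new Frame((byte) type, payload);
    }

    /** Stand-alone demonstration over in-memory streams instead of an SSLSocket. */
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        FramedChannel sender = new FramedChannel(new ByteArrayInputStream(new byte[0]), wire);
        sender.sendData("first block".getBytes(StandardCharsets.UTF_8));
        sender.sendUrgent(0x03); // constructed: "abort the current request"
        sender.sendData("second block".getBytes(StandardCharsets.UTF_8));

        FramedChannel receiver = new FramedChannel(
                new ByteArrayInputStream(wire.toByteArray()), new ByteArrayOutputStream());
        for (Frame f = receiver.receive(); f != null; f = receiver.receive()) {
            if (f.type == TYPE_URGENT) {
                System.out.println("URGENT interrupt code " + f.payload[0]);
            } else {
                System.out.println("DATA: " + new String(f.payload, StandardCharsets.UTF_8));
            }
        }
    }
}
```

Because TLS records preserve byte order and stunnel relays the decrypted stream unchanged, the URGENT frame arrives exactly where it was sent relative to the data frames; if the interrupt must overtake a large block already in flight, Arne's first option (a second socket) is the one that gives that behaviour.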