How to Make SSL Rawrequests using Stunnel

Stunnel is a cool network client/daemon written by Michal Trojnara that can be configured to act as an SSL enabled proxy for network communications.

In this article, we are going to discuss how to install and configure stunnel so that we can use it to help us make raw http requests over SSL. Included at the end of this article are a couple small configuration utilities that will let us start up stunnel very easily and remove all the work from configuring it.

First you are going to need to get yourself a copy of stunnel and the 2 OpenSSL dll's it relies on from the authors site. Both Stunnel, and the OpenSSL libraries have alot of versions available. You have to be careful that you get versions that work together.

The easiest way to do this is to download the stunnel installer found here:

Follow the link for "Window Stunnel 3.4a Install" to the page that has the download. The installer is in German, but you can follow it along enough to get it installed. The installer comes with a 3.24 console version of stunnel and the right OpenSSL libraries you need for the rest of this article.

The next step we are going to do is to learn to configure it manually and what it actually does. To get a listing of all of its configuration options, open up a command prompt window in the folder it was installed to and run it with the /? option

To make our raw http requests, we need to feed it 3 pieces of data in the command line.

  1. Tell it to use client mode (it listens on our machine acting as an SSL tunnel to remote host)
  2. Tell it which port to listen on so that we can connect to it. <listenPort>
  3. Tell it which host:port to forward the data we send to it, <connectHost>:<connectPort> A sample command line would look like this:
     -c -d <listenPort> -r <connectHost>:<connectPort> 

    Listenport must be a free port on our local machine to use, connectHost can be either the dns name of the server to connect to or its IP, and connectPort has to be the port on the remote machine that has an SSL aware service running for us to connect to.

    After you fire up stunnel with the right commandline you can now connect to it as you would a normal server and it will SSL tunnel all of the data to the remote host feeding you back its response as if you were talking directly to the other machine.

    Using this technique, we can SSL enable any standard winsock client such as Sleuth RawRequest as well as many other winsock only scripts and utilities you may have laying around.

    To help make the configuration of and startup of stunnel a one click event, I have built a couple small utilities to help you get you up and running efficiently.

    Here is the interface of the quick config utility I built to help you configure stunnel for use with http requests.

    In the download package I have included this utility as both a standalone exe as well as a Sleuth plugin version. Source is also included in case you want to modify or change it, The plugin version is compatible with both Sleuth 1.36 and 1.4

    When it first starts up it will look for stunnel.exe in its home directory. If it is not found, it will warn you and exit.

    Once it has found stunnel, it will automatically determine a free port that it can start stunnel up on. If one is not found in the range 1030-1230 it will warn you and exit.

    Now just enter the URL you wish to request in the main textbox, (line breaks ignored) and hit Done. Stunnel will be started with the proper command line ready to accept connections.

    If you are using the plugin version with Sleuth 1.4 RawRequest will be automatically started up for you already loaded with a modified URL to connect to this stunnel instance.

    If you are using the plugin with Sleuth 1.36, or the standalone exe version, the modified URL will instead be copied to the clipboard. Now just fire up your RawRequest tool of choice, paste in the url and you can connect to any https site.

    Once you have a running version of stunnel up and configured, you can make as many RawRequests to that server:host as you need. You will not need to startup a new instance of stunnel unless you need to change the host:port you are connecting to.

    If you get timeout errors, watch the stunnel console window for output. If the console window immediately closes after it was started up, there was some error starting it up, check the save commandline box and run it again to generate a bat file with the commandline it used to help you in debugging. If stunnel throws a critical exception and crashs when you connect to it, make sure you have the right OpenSSL libraries for the version of stunnel you have (not a problem if you use the installer mentioned at the top of the article)

    If the https site requires a certain certificate to connect to it, drag and drop the certificate in .pem format into the lower textbox and check the lower checkbox before starting it up. (I havenít personally played with this option much but looks right from the examples I read)

    Download: Stunnel Config Utility - includes standalone exe, Sleuth plugin version, and VB6 source

Copyright 2000-2003 All Rights Reserved