Tunelling using OpenSSL.

Previous Topic Next Topic
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view

Tunelling using OpenSSL.

OpenSSL - User mailing list
Is it possible to tunnel a connection by OpenSSL? For example, use OpenSSL and a browser to encrypt browsing.

Thank you.
Reply | Threaded
Open this post in threaded view

RE: Tunelling using OpenSSL.

Michael Wojcik
> From: openssl-users <[hidden email]> On Behalf Of Jason Long via openssl-users
> Sent: Friday, 4 September, 2020 16:55

[Your message had a Reply-To header directing replies to your address rather than the list. If you did that deliberately, please don't. It's rude. You post here, you read here.]

> Is it possible to tunnel a connection by OpenSSL?

Yes, but probably not the way you mean.

The OpenSSL project delivers a variety of artifacts, including:

- a library (typically built as a collection of binaries, but notionally a single library for most purposes) that implements TLS, various cryptographic primitives, and related useful functions

- a command-line utility (also named "openssl") which can be used for testing, manipulating cryptographic file formats, and other purposes

- SDK components such as headers for developing applications that use OpenSSL

- documentation

What it does NOT include is an end-user application for general-purpose cryptography, similar to what OpenSSH provides. That's a rather different function.

Of course you can tunnel anything through a TLS connection; you can tunnel anything through anything. Any channel that lets you convey unbounded information entropy, at whatever rate, can be used as a tunnel. You can tunnel IP traffic in DNS requests or carrier-pidgeon messages.

But OpenSSL isn't going to do that for you. There are generic tunnel applications (e.g. stunnel) that use TLS and (I believe this is true of stunnel) specifically use OpenSSL as their TLS implementation, but those are separate projects.

Now, you could play games with, say, NetCat and the openssl utility to create proxy TLS connections. For example, on the client side:

   1. ncat -L ... | openssl s_client ...
   2. connect plaintext client to the ncat port via loopback

And on the server side:

   1. openssl s_server ... | ncat ...
   2. ncat connects to the server via loopback

That sort of thing might even have its uses, for example as a simple exfiltration shroud. But it's not something you want to use under normal circumstances.

> For example, use OpenSSL and a browser to encrypt browsing.

Er ... you know browsers already do that, right? That's the quintessential TLS application.

It might help if you explained what you're actually trying to accomplish, and why.

Michael Wojcik