Hello Guus. I've been reading the mailing list archive threads about it at http://www.tinc-vpn.org/pipermail/tinc/2011-July/thread.html#2757 and http://rutschle.net/pipermail/sslh/2011-July/thread.html and am now trying to hide a tinc server behind the sslh multiplexer, but without luck.

First of all, directly it works fine. The initiator (the tincd instance with a ConnectTo statement) successfully establishes a connection and runs a tunnel with the server (the tincd instance which is listening for incoming connections). Server and client are on physically separate machines with different IP addresses.

When I move the tinc server to 127.0.0.1:443, hiding it behind sslh which listens on 192.168.0.1:443 and is started with the appropriate switch (--tinc), the connection is not established. Even though the client tinc says:

Trying to connect to server (192.168.0.1 port 443)
Connected to server (192.168.0.1 port 443)
Sending ID to server (192.168.0.1 port 443): 0 client 17.0
Sending 14 bytes of metadata to server (192.168.0.1 port 443)
Connection closed by server (192.168.0.1 port 443)
Closing connection with server (192.168.0.1 port 443)

a hexadecimal tcpdump does not show that the identification string "0 client 17.0" appeared at all, and thus sslh is stupidly waiting for "0 " and not switching to the tincd server.

When I connect to the server behind sslh manually and enter the ID by hand, I get multiplexing working:

telnet 192.168.0.1 443
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
0 client 17.0
0 server 17.0
1 94 64 0 0 XXXXXXXXX...

If I telnet to the tincd server directly, it sends its identification immediately without waiting for the client ID:

telnet 127.0.0.1 655
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
0 server 17.0

And again I can initiate the handshake manually during this telnet session:

0 client 17.0
1 94 64 0 0 XXXXXXXXX...
As I've been reading the documentation at http://www.tinc-vpn.org/documentation-1.1/tinc_7.html "7.3.1 Authentication protocol", and as I see from the debug messages, client and server exchange identifications simultaneously, at the same time. Is this the right behavior of the tincd client, i.e. is waiting for the opposite ID message from the server side mandatory? If the tincd client doesn't send its ID to the server, then it is impossible for sslh to detect the tinc protocol. Or is this a problem of sslh? Thank you.
On Sat, Nov 12, 2011 at 06:52:15AM -0800, Varda Zklir wrote:

> I've been reading the mailing list archive threads about it at http://www.tinc-vpn.org/pipermail/tinc/2011-July/thread.html#2757 and http://rutschle.net/pipermail/sslh/2011-July/thread.html and am now trying to hide a tinc server behind the sslh multiplexer, but without luck.
>
> First of all, directly it works fine. The initiator (the tincd instance with a ConnectTo statement) successfully establishes a connection and runs a tunnel with the server (the tincd instance which is listening for incoming connections). Server and client are on physically separate machines with different IP addresses.
>
> When I move the tinc server to 127.0.0.1:443, hiding it behind sslh which listens on 192.168.0.1:443 and is started with the appropriate switch (--tinc), the connection is not established.

[...]

> Is this the right behavior of the tincd client, i.e. is waiting for the opposite ID message from the server side mandatory? If the tincd client doesn't send its ID to the server, then it is impossible for sslh to detect the tinc protocol. Or is this a problem of sslh?

The problem is in sslh. There is a bug in the detection of tinc's protocol, which the attached patch should fix.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
--- sslh-1.9.orig/common.c +++ sslh-1.9/common.c @@ -290,7 +290,7 @@ int is_openvpn_protocol (const char*p,in * */ int is_tinc_protocol( const char *p, int len) { - return !strncmp(p, "0 ", len); + return len > 2 && !strncmp(p, "0 ", 2); } /*
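Review bot: the `len > 2` guard on the `+` line is doing the real work here, not just the change of the length argument: with `strncmp(p, "0 ", len)` on the `-` line, any buffer longer than two bytes gets p[2] compared against the terminating NUL of "0 ", so the 14-byte "0 client 17.0" ID that tinc sends in a single write never matched and sslh kept waiting, exactly as the poster observed. Two things to consider before merging: (1) the guard now returns "no match" for a buffer that is exactly "0 " instead of "need more data", which only matters if the ID line can arrive split across reads; (2) "0 " is a very short signature, and since the ID line has the shape `0 <name> <version>` (the 14-byte count for the 13-character line implies a trailing newline), also checking for a second space and a newline within the probed bytes would make misrouting of an unrelated protocol that happens to start with "0 " less likely, e.g. `return len > 2 && p[0] == '0' && p[1] == ' ' && memchr(p, '\n', len);`.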
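As an added example (not sslh's or tinc's code, and not part of the thread above), the following C program reproduces the two versions of the probe from the patch, runs them over constructed first-bytes of three connections, and shows why the original never matched the 14-byte ID line from the client's debug output. It also adds a stricter variant of my own that checks the `0 <name> <version>\n` shape of the ID line; that variant, the sample SSH banner and the sample names are assumptions for illustration, not anything sslh ships.

```c
/* Added example: reproduces the original and patched tinc probe from
 * sslh-1.9's common.c as quoted in the thread, plus a stricter variant
 * (assumption, not part of the patch). */
#include <stdio.h>
#include <string.h>

/* Original sslh-1.9 probe (the "-" line of the patch). */
static int is_tinc_protocol_old(const char *p, int len)
{
    /* strncmp compares at most len bytes but stops at the NUL that
     * terminates "0 ". For len > 2 it therefore compares p[2] against
     * '\0', so any buffer longer than the two signature bytes fails;
     * only a buffer that is exactly "0 " matches. */
    return !strncmp(p, "0 ", len);
}

/* Patched probe (the "+" line of the patch): compare only the two
 * signature bytes, and require that more than the signature arrived. */
static int is_tinc_protocol_new(const char *p, int len)
{
    return len > 2 && !strncmp(p, "0 ", 2);
}

/* Stricter variant (my assumption, not sslh's code): the ID line seen
 * in the debug output is "0 <name> <version>" and the 14-byte count
 * implies a trailing newline, so require "0 ", exactly one further
 * space, printable bytes in between, and a newline within the probed
 * bytes. Without the newline we report no match. */
static int is_tinc_protocol_strict(const char *p, int len)
{
    int spaces = 0, i;
    if (len < 2 || p[0] != '0' || p[1] != ' ')
        return 0;
    for (i = 2; i < len; i++) {
        if (p[i] == '\n')
            return spaces == 1;      /* "0 name version\n" */
        if (p[i] == ' ')
            spaces++;
        else if (p[i] < 0x21 || p[i] > 0x7e)
            return 0;                /* non-printable byte: not an ID line */
    }
    return 0;                        /* newline not seen yet */
}

int main(void)
{
    /* Constructed first bytes of three connections (not captured data):
     * the tinc ID line from the debug log, a made-up SSH banner, and a
     * two-byte fragment of the tinc line. */
    struct { const char *name; const char *bytes; int len; } samples[] = {
        { "tinc ID",  "0 client 17.0\n",     14 },
        { "SSH",      "SSH-2.0-OpenSSH\r\n", 17 },
        { "fragment", "0 ",                   2 },
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s old=%d new=%d strict=%d\n", samples[i].name,
               is_tinc_protocol_old(samples[i].bytes, samples[i].len),
               is_tinc_protocol_new(samples[i].bytes, samples[i].len),
               is_tinc_protocol_strict(samples[i].bytes, samples[i].len));
    return 0;
}
```

Running it shows the failure mode from the thread directly: the old probe returns 0 for the real 14-byte ID line and 1 only for the bare two-byte fragment, while the patched probe inverts both results. The strict variant rejects the fragment too; a multiplexer using it would have to read more bytes and probe again rather than treat the first short read as a final decision.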