Re: [stunnel-users] Linux FIPS compile libary question

I do not think is possible to avoid the port
forwarding part. Your router will stop the incoming
packets and they will never reach the stunnel service
listening for connections.

Sometimes, people uses th VNC client in listening
mode, reversing who initiates the connection. In
listening mode the server initiates the connection.
however, this puts the firewall issue on the client
side instead of the server.

--- jz <jz@ellingtongeologic.com> wrote:

>
> Hello, expert:
>
> I have a question. Can stunnel be used behind a
> router without the router forwarding the port
> number? Recently I found one VNC can work this way.
> Was wondering whether you can modify the config.
> file to make it work.
>
> right now I set (serverside) the router forwarding
> port 8888 to the desktop, the stunnel on the desktop
> listening for port 8888 and forward this stream 8888
> to VNC's 5955.
>
> My purpose is to bypassing the router forwarding
> part.
>
> Thanks for any input.
>
> J
>
>
>
> Thanks for the info. Turns out I caused my own
> problems. I added some features to stunnel that
> require ldap. That is what brought in the new
> openssl dependencies. I need to make a custom ldap
> library using the FIPS openssl libraries.
>
> Thanks again.
> -Joe
>
> -----Original Message-----
> From: stunnel-users-bounces@mirt.net
> [mailto:stunnel-users-bounces@mirt.net] On Behalf Of
> Luis Rodrigo Gallardo Cruz
> Sent: Thursday, April 10, 2008 5:32 PM
> To: stunnel-users@mirt.net
> Subject: Re: [stunnel-users] Linux FIPS compile
> libary question
>
> On Thu, Apr 10, 2008 at 01:30:22PM -0400, Joe Kemp
> wrote:
> > I guess the question is what will the linker do
> with a shared libssl
> > in /lib and a static one in
> /usr/local/sslfips/lib. I ran the libtool
> > with a -v. It gave tons of output and only had
> references to the
> > library in /usr/local/sslfips.
> >
> > So I am going to assume I am seeing the
> dependencies of other
> > libraries used by stunnel. For instance libldap
> needs openssl and
> > uses the shared version. It's a little
> nerve-wracking ensuring FIPS
> > compliance.
>
> That sounds ... ugly. If your shared libraries can
> pull in a copy of libssl.so, you run the risk that
> some symbols might be resolved at run time against
> that copy, instead of against the static copy
> "inside"
> the executable. Unless you were to link with
> -Bsymbolic, which is an advanced option invented
> with no other purpose than to trip inocent students
> of c linkage.
>
> For this kind of stuff, I'd advice you to compile an
> stunnel with as few external libraries as you can
> get away with, and relink *all* those libraries to
> use your static libssl. Even better, get static
> libraries for them all and link against that.
>
> > Is there a way to see just what the stunnel layer
> depends on? Ldd -v
> > gave me more info but I am assuming it is still
> showing all levels of
> > dependencies (stunnel's, libldap's, libsasl2,
> etc.).
>
> objdump -x /usr/bin/stunnel |grep NEEDED gives you
> the list of sonames embedded in the executable. ldd
> tells you how the dynamic linker will resolve them
> to actual .so files.
> _______________________________________________
> stunnel-users mailing list
> stunnel-users@mirt.net
>
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
>
>
> --
> Internal Virus Database is out-of-date.
> Checked by AVG Free Edition.
> Version: 7.5.516 / Virus Database: 269.22.5/1357 -
> Release Date: 4/3/2008 10:48 AM
> > BEGIN:VCARD
> VERSION:2.1
> N:zhang;jilin
> FN:jilin zhang
> NICKNAME:J
> ORG:Ellington & Associates
> TITLE:Geologist
> TEL;WORK;VOICE:7139562838
> TEL;WORK;FAX:7139562840
> ADR;WORK:;;1022 Wirt Road, Suite
> 312;Houston;Texas;77055;US
> LABEL;WORK;ENCODING=QUOTED-PRINTABLE:1022 Wirt Road,
> Suite 312
> Houston
> Texas
> 77055
> US
> URL:www.ellingtongeologic.com
> EMAIL;PREF;INTERNET:jz@ellingtongeologic.com
> X-WAB-GENDER:2
> REV:20080417T113641Z
> END:VCARD
> > _______________________________________________
> stunnel-users mailing list
> stunnel-users@mirt.net
>
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>



__________________________________________________ __________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i...Dypao8Wcj9tAcJ
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users