.:: Marcos Dione/StyXman's glob ::. (Posts about piercing)https://www.grulic.org.ar/~mdione/glob/enContents © 2025 <a href="mailto:mdione@grulic.org.ar">Marcos Dione</a> Thu, 29 May 2025 15:41:12 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssSocks over sshhttps://www.grulic.org.ar/~mdione/glob/posts/socks-over-ssh/Marcos Dione<p>Soon I'll be changing jobs, going from one MegaCorp to another. The problem is, my current workplace already has a silly security policy that does not allow you to use IRC or do HTTP against a dynamic DNS/IP (like the one at home), but happily lets you use webmails through which you can send anyone the company's IP without leaving much trace. Furthermore, my next assignment will have stricter Internet policy, so I finally sit down to see alternatives to have more traffic with the less footprint.</p> <p>As I already mentioned, back home I have <code>ssh</code> listening on port 443 (and the port forwarded from the router to the server), and this worked for a while. Then these connections were shutdown, so I used <code>stunnel</code> on the server and <code>openssl s_client</code> plus some <code>ssh</code> config magic to go over that. This allowed me to use <code>screen</code> and <code>irssi</code> to do IRC and that was enough for a while. This meant I could talk to the communities around the tools and libs we were using.</p> <p>But now I plan to change the way I do my mail. So far the setup includes using <code>fetchmail</code> to bring everything to that server, then use <code>dovecot</code> and/or a webmail to check from anywhere. But as ports are filtered and I already use 443 for <code>ssh</code>, I can't connect to IMAPS and I don't want to use something like <code>sslh</code> to multiple <code>ssh</code> and <code>https</code> on the same port because it sounds to ohacky, I turned towards SOCKS proxying.</p> <p>Setting up a SOCKS proxy through <code>ssh</code> is simple. Most of the tutorials you'll find online use <code>putty</code>, but here I'll show how to translate those to the CLI client:</p> <div class="code"><pre class="code literal-block">Host home Hostname www.xxx.yyy.zzz # do not even do a DNS req; the IP is mostly static for me Port 443 ProxyCommand openssl s_client -connect %h:%p -quiet 2&gt;/dev/null DynamicForward 9050 # this is the line that gives you a SOCKS proxy </pre></div> <p>Then the next step is to configure each of your clients to use it. Most clients have an option for that, but when not, you need a proxyfier. For instance, even when KDE has a global setting for the SOCKS proxy, <code>kopete</code> does not seem to honor it. These proxifyers work by redirecting any <code>connect()</code>, <code>gethostbyname()</code> and most probably others to the SOCKS proxy. One of the best sources for SOCKS configuration is <a href="https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/">TOR's wiki</a>, which heavily relies on SOCKS proxies, but right now the proxyfier they suggest (<code>dante-client</code>) does not install on my Debian setup, so I went with <code>proxychains</code>. Its final config is quite simple:</p> <div class="code"><pre class="code literal-block"><span class="err">#</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">Each</span><span class="w"> </span><span class="k">connection</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">done</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">chained</span><span class="w"> </span><span class="n">proxies</span> <span class="err">#</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">proxies</span><span class="w"> </span><span class="n">chained</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">order</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">they</span><span class="w"> </span><span class="n">appear</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">list</span> <span class="err">#</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">proxies</span><span class="w"> </span><span class="n">must</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">online</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">play</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">chain</span> <span class="err">#</span><span class="w"> </span><span class="n">otherwise</span><span class="w"> </span><span class="n">EINTR</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">returned</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">app</span> <span class="n">strict_chain</span> <span class="err">#</span><span class="w"> </span><span class="n">Proxy</span><span class="w"> </span><span class="n">DNS</span><span class="w"> </span><span class="n">requests</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">leak</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">DNS</span><span class="w"> </span><span class="k">data</span> <span class="n">proxy_dns</span> <span class="err">#</span><span class="w"> </span><span class="ow">Some</span><span class="w"> </span><span class="n">timeouts</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">milliseconds</span> <span class="n">tcp_read_time_out</span><span class="w"> </span><span class="mi">15000</span> <span class="n">tcp_connect_time_out</span><span class="w"> </span><span class="mi">8000</span> <span class="o">[</span><span class="n">ProxyList</span><span class="o">]</span> <span class="err">#</span><span class="w"> </span><span class="n">defaults</span><span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="ss">"tor"</span> <span class="n">socks5</span><span class="w"> </span><span class="mf">127.0.0.1</span><span class="w"> </span><span class="mi">9050</span> </pre></div> <p>In fact, that's the default config with only one modification: the SOCKS protocol is forced to 5, so we can do DNS requests with its UDP support.</p> <p>With this simple setup I managed to connect to my XMMP server with <code>kopete</code>, which is already a lot. Next step will be to figure out the mail setup and I can call this done.</p>piercingsysadminhttps://www.grulic.org.ar/~mdione/glob/posts/socks-over-ssh/Sun, 09 Aug 2015 17:37:21 GMTSsl3_Get_Record wrong version numberhttps://www.grulic.org.ar/~mdione/glob/posts/SSL3_GET_RECORD-wrong-version-number/Marcos Dione<p>Since I work in MegaCorp I found a new level of security policy; for me this is a low point: I not only can't <code>ssh</code> home; since I changed my DynDNS provider from dym.com to afraid.org, I can't even access my webserver because the proxy denies me access citing: <code>Your request was denied because of its content categorization: "Dynamic DNS Host;Suspicious"</code>. So I can access lots of questionable contents using Google cache but not my own photos, fine.</p> <p>At the beginning, the classical trick of making the <code>ssh</code> server to listen in the port 443 worked fine, but at some point Network Operations managed to close that hole. This change was not communicated, so it's not clear that it was completely on purpose. I once asked for the Network Usage Policy, if it exists, but the unofficial answer was on the lines of «I'm not sure you really want to ask».</p> <p>So, I managed to pierce the firewall again with a further trick: <a href="https://systemoverlord.com/blog/2011/02/19/ssh-across-a-layer-7-filter/">wrapping <code>ssh</code> traffic in a SSL connection</a>. This makes the traffic look like regular <code>https</code> traffic (remember, the <code>s</code> stands for SSL/TLS) but it encrypts the traffic twice.</p> <p>Everything was smooth again, until the server crashed due to a lack of power. After I powered it on again, I found that I couldn't connect anymore. This morning I decided to take a couple of minutes to figure out why. The <code>ssh</code> client tells me this:</p> <div class="code"><pre class="code literal-block">$<span class="w"> </span>ssh<span class="w"> </span>-v<span class="w"> </span>-o<span class="w"> </span><span class="s1">'ProxyCommand openssl s_client -connect %h:%p -quiet 2&gt;/dev/null'</span><span class="w"> </span>-p<span class="w"> </span><span class="m">443</span><span class="w"> </span>foo.afraid.org OpenSSH_5.1p1<span class="w"> </span>Debian-5,<span class="w"> </span>OpenSSL<span class="w"> </span><span class="m">0</span>.9.8g<span class="w"> </span><span class="m">19</span><span class="w"> </span>Oct<span class="w"> </span><span class="m">2007</span> debug1:<span class="w"> </span>Reading<span class="w"> </span>configuration<span class="w"> </span>data<span class="w"> </span>/home/user/.ssh/config debug1:<span class="w"> </span>Reading<span class="w"> </span>configuration<span class="w"> </span>data<span class="w"> </span>/etc/ssh/ssh_config debug1:<span class="w"> </span>Applying<span class="w"> </span>options<span class="w"> </span><span class="k">for</span><span class="w"> </span>* debug1:<span class="w"> </span>Executing<span class="w"> </span>proxy<span class="w"> </span>command:<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>openssl<span class="w"> </span>s_client<span class="w"> </span>-connect<span class="w"> </span>foo.afraid.org:443<span class="w"> </span>-quiet<span class="w"> </span><span class="m">2</span>&gt;/dev/null debug1:<span class="w"> </span>permanently_drop_suid:<span class="w"> </span><span class="m">1004</span> debug1:<span class="w"> </span>identity<span class="w"> </span>file<span class="w"> </span>/home/user/.ssh/identity<span class="w"> </span><span class="nb">type</span><span class="w"> </span>-1 debug1:<span class="w"> </span>identity<span class="w"> </span>file<span class="w"> </span>/home/user/.ssh/id_rsa<span class="w"> </span><span class="nb">type</span><span class="w"> </span><span class="m">1</span> debug1:<span class="w"> </span>Checking<span class="w"> </span>blacklist<span class="w"> </span>file<span class="w"> </span>/usr/share/ssh/blacklist.RSA-1024 debug1:<span class="w"> </span>Checking<span class="w"> </span>blacklist<span class="w"> </span>file<span class="w"> </span>/etc/ssh/blacklist.RSA-1024 debug1:<span class="w"> </span>identity<span class="w"> </span>file<span class="w"> </span>/home/user/.ssh/id_dsa<span class="w"> </span><span class="nb">type</span><span class="w"> </span>-1 ssh_exchange_identification:<span class="w"> </span>Connection<span class="w"> </span>closed<span class="w"> </span>by<span class="w"> </span>remote<span class="w"> </span>host </pre></div> <p>Not much info, really. Form the server side I have this:</p> <div class="code"><pre class="code literal-block"><span class="n">SSL_accept</span><span class="o">:</span><span class="w"> </span><span class="mi">1408</span><span class="n">F10B</span><span class="o">:</span><span class="w"> </span><span class="n">error</span><span class="o">:</span><span class="mi">1408</span><span class="n">F10B</span><span class="o">:</span><span class="n">SSL</span><span class="w"> </span><span class="n">routines</span><span class="o">:</span><span class="n">SSL3_GET_RECORD</span><span class="o">:</span><span class="n">wrong</span><span class="w"> </span><span class="n">version</span><span class="w"> </span><span class="n">number</span> <span class="n">Connection</span><span class="w"> </span><span class="n">reset</span><span class="o">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">byte</span><span class="o">(</span><span class="n">s</span><span class="o">)</span><span class="w"> </span><span class="n">sent</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">SSL</span><span class="o">,</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">byte</span><span class="o">(</span><span class="n">s</span><span class="o">)</span><span class="w"> </span><span class="n">sent</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">socket</span> </pre></div> <p>Nice, a cryptic error message, at least for me. Strange enough, <code>openssl</code> by itself manages to connect alright:</p> <div class="code"><pre class="code literal-block">$<span class="w"> </span>openssl<span class="w"> </span>s_client<span class="w"> </span>-connect<span class="w"> </span>foo.afraid.org:443<span class="w"> </span>-ssl3 CONNECTED<span class="o">(</span><span class="m">00000003</span><span class="o">)</span> <span class="o">[</span>...<span class="o">]</span> SSH-2.0-OpenSSH_6.2p2<span class="w"> </span>Debian-6 </pre></div> <p>That's the <code>ssh</code> server saying hi. After some DDG'ing<sup id="fnref:1"><a class="footnote-ref" href="https://www.grulic.org.ar/~mdione/glob/posts/SSL3_GET_RECORD-wrong-version-number/#fn:1">1</a></sup> I find <a href="http://serverfault.com/questions/303090/stunnel-wont-work-with-sslv3-from-some-hosts">this post in serverfault</a>. The first answer itself is not very helpful, but the second one is actually the OP saying how he solved it. It's telling <code>stunnel</code> <a href="https://www.stunnel.org/static/stunnel.html">to accept any version of SSL client</a> while <a href="https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#NOTES">telling SSL to ignore SSLv2</a>. I don't understand how it fixes it, but it works, yay!</p> <div class="footnote"> <hr> <ol> <li id="fn:1"> <p>DuckDuckGo is getting better by the day. <a class="footnote-backref" href="https://www.grulic.org.ar/~mdione/glob/posts/SSL3_GET_RECORD-wrong-version-number/#fnref:1" title="Jump back to footnote 1 in the text">↩</a></p> </li> </ol> </div>piercingsysadminhttps://www.grulic.org.ar/~mdione/glob/posts/SSL3_GET_RECORD-wrong-version-number/Mon, 02 Dec 2013 08:19:54 GMT