ssh over stunnel hangs on second connection

cygwin@kosowsky.org cygwin@kosowsky.org
Fri Feb 16 23:46:17 GMT 2024


Andrew Schulman via Cygwin wrote at about 09:36:58 -0500 on Friday, February 16, 2024:
 > Hi. I'm the stunnel maintainer for Cygwin. I don't know why stunnel would hang
 > as you describe, but I'll try to help.
 > 
 > I agree that your configuration of ssh over TLS is common - I used it myself for
 > years. However as matthew patton suggests, there are other ways to get the same
 > goal, that may let you work around this problem.
 > 
 > One possibility that matthew didn't mention, is to run your ssh server on port
 > 443, and connect directly to it with ssh - no TLS wrapper. Yes, that's
 > non-standard, but if you can live with that, it might work fine for you and be
 > simpler. My best understanding is that ssh and TLS are indistinguishable to an
 > application firewall.

I actually ran SSHD over 443 (technically, had my router port forward
443 to 22 on my server) for about 15 years.
But then I started finding some corporate and airline networks would
use DPI to block non-ssl packets on 443 which would block SSH.
This is the reason I went to SSH over SSL/stunnel to get around such
DPI and it has worked fine for the past 5+ years.

I only noticed the current problem when I moved to a new Win11 laptop
along with upgraded Cygwin...

 > 
 > But supposing you keep your current configuration. Can you please clarify how
 > you're invoking stunnel? Do you have a ProxyCommand directive in your
 > .ssh/config, like:
 > 
 > ProxyCommand /usr/bin/stunnel stunnel.conf

No... I just ssh to 'localhost' on the port that per stunnel.conf is
listening for client connections.
This works fine in Ubuntu and has worked fine for me before on
Win7/Win10.

I don't use any fixed ProxyCommand to invoke stunnel because the vast
majority of the time I just use straight SSH -- I only use 'stunnel'
when SSH is blocked.

 > or is it some other way? I ask this because with ProxyCommand as above, you
 > should get a separate stunnel process for each new ssh connection, and I can't
 > think why they would interfere with each other.
 > 
 > Andrew

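To make the two invocation styles discussed above concrete, here is an added configuration example (not from the original thread, and not Andrew's or Jeff's actual config). Part A is the standalone client-listener setup Jeff describes: stunnel stays resident, listens on a local port, and ssh simply connects to localhost. Part B is the ProxyCommand style Andrew asks about: stunnel is started fresh by ssh for every connection and runs in inetd mode (no `accept`, no service section), relaying stdin/stdout to the remote 443. The hostname `ssh.example.org`, the local port 2222, the CA path and the log path are assumptions chosen for illustration; the option names are stunnel 5 options.

```ini
; ===== Part A: standalone listener (ssh -p 2222 localhost) =====
; Save as ~/.stunnel/client.conf and run: stunnel ~/.stunnel/client.conf
; One long-lived stunnel process; every ssh connection is a new
; connection to accept=, so a hang on the 2nd connection points at this
; single process. debug=7 / output= make that visible in the log.
foreground = no
debug = 7
output = /var/log/stunnel-client.log      ; assumed path

[ssh-over-tls]
client = yes
accept = 127.0.0.1:2222                   ; assumed local port
connect = ssh.example.org:443             ; assumed server
; Verify the server's certificate so the tunnel cannot be silently
; intercepted; CAfile path is an assumption.
verifyChain = yes
checkHost = ssh.example.org
CAfile = /etc/pki/tls/certs/ca-bundle.crt

; ===== Part B: one stunnel per ssh connection (ProxyCommand) =====
; Save as ~/.stunnel/proxy.conf. No [section] and no accept= means
; inetd mode: stunnel talks to the remote over TLS and relays ssh's
; stdin/stdout, exiting when the ssh session ends. Each connection gets
; its own process, so two sessions cannot share state.
;
; Matching entry for ~/.ssh/config (assumed host alias "tunnel"):
;   Host tunnel
;       HostName ssh.example.org
;       ProxyCommand /usr/bin/stunnel ~/.stunnel/proxy.conf
; then: ssh tunnel
client = yes
connect = ssh.example.org:443
verifyChain = yes
checkHost = ssh.example.org
CAfile = /etc/pki/tls/certs/ca-bundle.crt
debug = 7
output = /var/log/stunnel-proxy.log       ; assumed path
```

The two parts are meant as separate files, not one config. Part B is the easier one to diagnose against the reported hang: if a second ssh session works with its own stunnel process but not through the shared listener in Part A, the problem lies in how the resident process handles concurrent or successive connections rather than in the TLS setup itself.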