Mail Archives: cygwin/2024/02/16/18:47:18

Message-ID: <0100018db4504c0a-a8320068-b704-4458-b4b1-eee8b912bdc7-000000@email.amazonses.com>
Date: Fri, 16 Feb 2024 23:46:17 +0000
In-Reply-To: <2orusip0fcft7bvfemu05eb61l43vsnmj8@4ax.com>
References: <0100018dae3b46a4-ccc76b81-1814-421b-a81c-d00436297c10-000000 AT email DOT amazonses DOT com>
<2orusip0fcft7bvfemu05eb61l43vsnmj8 AT 4ax DOT com>
X-Mailer: VM 8.2.0b under 25.2.2 (x86_64-pc-linux-gnu)
To: cygwin AT cygwin DOT com, Andrew Schulman <andrex DOT e DOT schulman AT gmail DOT com>
Subject: Re: ssh over stunnel hangs on second connection
From: cygwin--- via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT kosowsky DOT org

Andrew Schulman via Cygwin wrote at about 09:36:58 -0500 on Friday, February 16, 2024:
 > Hi. I'm the stunnel maintainer for Cygwin. I don't know why stunnel would hang
 > as you describe, but I'll try to help.
 > 
 > I agree that your configuration of ssh over TLS is common - I used it myself for
 > years. However as matthew patton suggests, there are other ways to get the same
 > goal, that may let you work around this problem.
 > 
 > One possibility that matthew didn't mention, is to run your ssh server on port
 > 443, and connect directly to it with ssh - no TLS wrapper. Yes, that's
 > non-standard, but if you can live with that, it might work fine for you and be
 > simpler. My best understanding is that ssh and TLS are indistinguishable to an
 > application firewall.

I actually ran SSHD over 443 (technically, had my router port forward
443 to 22 on my server) for about 15 years.
But then I started finding some corporate and airline networks would
use DPI to block non-ssl packets on 443 which would block SSH.
This is the reason I went to SSH over SSL/stunnel to get around such
DPI and it has worked fine for the past 5+ years.

I only noticed the current problem when I moved to a new Win11 laptop
along with upgraded Cygwin...

 > 
 > But supposing you keep your current configuration. Can you please clarify how
 > you're invoking stunnel? Do you have a ProxyCommand directive in your
 > .ssh/config, like:
 > 
 > ProxyCommand /usr/bin/stunnel stunnel.conf

No... I just ssh to 'localhost' on the port that per stunnel.conf is
listening for client connections.
This works fine in Ubuntu and has worked fine for me before on
Win7/Win10.

I don't use any fixed ProxyCommand to invoke stunnel because the vast
majority of the time I just use straight SSH -- I only use 'stunnel'
when SSH is blocked.

 > or is it some other way? I ask this because with ProxyCommand as above, you
 > should get a separate stunnel process for each new ssh connection, and I can't
 > think why they would interfere with each other.
 > 
 > Andrew
 > 
 > 
 > -- 
 > Problem reports:      https://cygwin.com/problems.html
 > FAQ:                  https://cygwin.com/faq/
 > Documentation:        https://cygwin.com/docs.html
 > Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

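The DPI behaviour described in the reply above (plain SSH on port 443 being blocked, SSH wrapped in TLS by stunnel passing) comes down to the first bytes a client puts on the wire. The following is an added example, not part of the original message; the function names and sample byte strings are constructed for illustration.

```python
import struct

# RFC 4253 section 4.2: an SSH client opens with "SSH-protoversion-softwareversion".
SSH_PREFIXES = (b"SSH-2.0-", b"SSH-1.99-")
TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_PLAINTEXT = 2 ** 14    # largest plaintext TLS record body

# Constructed samples: first client-to-server bytes of three flows to port 443.
SSH_SAMPLE = b"SSH-2.0-OpenSSH_9.6\r\n"
# Record header (type 0x16, version 3.1, length 512), then the start of a
# ClientHello (type 0x01, 24-bit length 508, legacy version 3.3).
TLS_SAMPLE = b"\x16\x03\x01\x02\x00" + b"\x01\x00\x01\xfc\x03\x03"
HTTP_SAMPLE = b"GET / HTTP/1.1\r\n"


def classify_first_bytes(payload: bytes) -> str:
    """Label the first client payload of a TCP stream as ssh, tls or unknown."""
    if payload.startswith(SSH_PREFIXES):
        return "ssh"
    if len(payload) < 6:
        return "unknown"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    looks_like_record = (
        ctype == TLS_HANDSHAKE
        and major == 3 and minor <= 4
        and 0 < length <= MAX_PLAINTEXT
    )
    if looks_like_record and payload[5] == TLS_CLIENT_HELLO:
        return "tls"
    return "unknown"


def allow_on_443(payload: bytes) -> bool:
    """Policy of a middlebox that only passes TLS handshakes on port 443."""
    return classify_first_bytes(payload) == "tls"


if __name__ == "__main__":
    for name, sample in [("ssh", SSH_SAMPLE), ("tls", TLS_SAMPLE), ("http", HTTP_SAMPLE)]:
        verdict = "pass" if allow_on_443(sample) else "block"
        print(f"{name:5s} -> {classify_first_bytes(sample):8s} {verdict}")
```

With stunnel in front of sshd, the SSH identification string only appears inside the encrypted TLS channel, so a first-bytes check like this one sees an ordinary ClientHello.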
