tinc behind sslh

Guus Sliepen guus at tinc-vpn.org
Sat Nov 12 16:43:15 CET 2011


On Sat, Nov 12, 2011 at 06:52:15AM -0800, Varda Zklir wrote:

> I've been reading the mailing list archive threads about it at http://www.tinc-vpn.org/pipermail/tinc/2011-July/thread.html#2757 and http://rutschle.net/pipermail/sslh/2011-July/thread.html and am now trying to hide a tinc server behind the sslh multiplexer, but without luck.
> 
> First of all, directly it works fine. The initiator (an instance of tincd with a ConnectTo statement) successfully establishes a connection and runs a tunnel with the server (an instance of tincd which is listening for incoming connections). The server and client are on physically separate machines and different IP addresses.
> 
> When I move the tinc server to 127.0.0.1:443, hiding it behind sslh, which listens on 192.168.0.1:443 and is started with the appropriate switch (--tinc), the connection is not established.
[...]
> Is this the right behavior for the tincd client, to wait as though the opposite ID message from the server side is mandatory? If the tincd client doesn't send its ID to the server, then it is impossible for sslh to detect the tinc protocol. Or is this a problem in sslh?

The problem is in sslh. There is a bug in the detection of tinc's protocol,
which the attached patch should fix.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
--- sslh-1.9.orig/common.c
+++ sslh-1.9/common.c
@@ -290,7 +290,7 @@ int is_openvpn_protocol (const char*p,in
  * */
 int is_tinc_protocol( const char *p, int len)
 {
-    return !strncmp(p, "0 ", len);
+    return len > 2 && !strncmp(p, "0 ", 2);
 }
 
 /* 
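Review bot: In is_tinc_protocol, the new guard `len > 2` rejects a buffer that holds exactly the two bytes "0 ", although the strncmp that follows reads only 2 bytes, so `len >= 2` is already enough to keep that read inside the buffer. If requiring at least one byte after the prefix is intentional, say so in the comment above the function; otherwise change the test to `len >= 2`. The fixed count of 2 is the right fix for the detection itself: with the old count of `len`, any buffer longer than "0 " had its third byte compared against the string's terminating NUL, so a real first message never matched.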