SSL connections to FurryMUCK with TinyFugue and Stunnel on Mac OS X!

[giza]

This post is gonna get geeky. I warned ya!

So... I figured it was about time that I started connecting to FurryMUCK via SSL so that other people couldn't sniff my session. Fink for OS X didn't seem to have support for TinyFugue with SSL, so I figured my best bet would be to use Stunnel to listen on a port on my machine, encrypt the data, and send it over to the FurryMUCK machine's SSL port.

Sounds simple, right? Well, under Stunnel version 3, it would have been. I could have started stunnel with one command that takes a few command line switches and I would be on my way. But Stunnel version 4 did away with the switches. Now you are forced to use a config file. It doesn't matter that upgrading to version 4 would completely and totally BREAK any site running version 3, or that the instructions on the stunnel.org FAQ are still for verison 3. For those of you who are free software authors out there, here's a hint: when releasing new versions of your software, do NOT depricate existing switches. EVER. Anyway..

[Edit: I was informed by taral that one does not need to create a key when running in a client mode. But hey, these kinds of mistakes happen when the manpage throws all these switches at you and is pretty poor at providing examples.]

Now I needed to create a configuration file for Stunnel. Since FurryMUCK listens for SSL connections on port 8899, I decided that I would use that same port on my machine, so that connecting on port 8899 to my machine would encrypt the traffic with SSL and send it over to FurryMUCK's server. To do that, I used this configuration file:

#
# We're running in client mode, which means the remote side speaks SSL
#
client = yes

#
# Create the pid in our home directory. Normally, our home directory should
# not be world-writeable, so we shouldn't have to worry about symlink attacks
#
pid = /Users/doug/.stunnel.pid

#
# Configuration for FurryMUCK. Listen on port 8899 locally, encrypt with
# SSL, and forward to the SSL port of FurryMUCK
#
[furrymuck]
accept = localhost:8899
connect = muck.furry.com:8899

I tested this by running stunnel ~/bin/stunnel-mucks.ini, and then typing telnet localhost 8899. Sure enough, the login screen for FurryMUCK would come up!

Now, I wanted to modify TinyFugue so that it would connect to the new port. I added this line to my .tfrf file:

/addworld -Ttiny giza giza ******** localhost 8899

I modified the old line so that it read:

/addworld -Ttiny giza-nossl giza ******** localhost 8888

This way, if Stunnel or SSL is ever unavailalbe, I could still connect via an unencrpyted connection.

I started up TinyFugue, and sure enough, I got an encrypted connection to Furry MUCK. I could tell that the connection was encrypted by typing WHO giza, and looking for an asterisk next to my name.

The final step was to tie this all together. I didn't want to have to start up Stunnel everytime I wanted to connect to the MUCK, and I didn't want it using up memory when I wasn't connected. So I wrote this shell script:

#!/bin/sh
#
# Wrapper for executing the TinyFugue MUCK client program with SSL support.
#

#
# Location of TinyFugue
#
# -n means "don't load up our default world
#
TF="/usr/local/bin/tf -n"

#
# The name of our Stunnel PID file?
#
PID_FILE=$HOME/.stunnel.pid

#
# Figure out what directory we are running in
#
DIR=`dirname $0`

#
# Run stunnel using our config file
#
stunnel $DIR/stunnel-mucks.ini || exit $?

#
# Now actually run TinyFugue
#
$TF || exit $?

#
# We're done with stunnel, kill it off
#
kill `cat $PID_FILE`


That's uh, about all there is to it. Happy MUCKing. :-)

Comments

[taral.livejournal.com]

?!

You don't need a key/cert when using stunnel in client mode.

[giza.livejournal.com]

Ah, I thought so! Turned out that my early tests of Stunnel were not in client mode. I had to figure THAT one out after wondering why telnetting to localhost:8899 didn't give me any output.

I hate Stunnel 4.

[furahi.livejournal.com]

Are you sure? Doesn't it still have to send a private key to the other end for them to encrypt the incomming (for stunnel) data?

[taral.livejournal.com]

Nope. You don't actually need keys/certificates at all to get secure connections. The certificates are for making sure that you're actually connected to the site you think you're connecting to.

[rebelsheart]

I like your new icon.

[chipotle.livejournal.com]

You're far more dedicated than I am. I went back to the older version of stunnel that I knew how to use. :)

Since then, I've actually made the switch to running Trebuchet as my MUCK client, but I find I still use stunnel -- I have a script set up for making characters on a MUCK that I administer which uses it.

[giza.livejournal.com]

Ooh, and there's a Mac OS X client for that, too. I've been wanting to get away from some of the terminal-based apps, and here's another excuse for me to do that. :-) Thanks for the hookup!

[balinares.livejournal.com]

Back in the day, my Mac-using friends on my usual MU* haunts would use some program called Rapscallion. They seemed to like it. I don't know how well it behaves with OS X, however, but it might be worth a try.

[drleo.livejournal.com]

Hooray for SSL mucking! I actually run the SSL-enabled version of TinyFugue 5, but it runs on Solaris, not on a Mac. But before then, I actually did the same stunnel thing, except I just let stunnel run all the time, without worrying about booting it and shutting it down.

My reasoning is as follows: Except when it's actually moving data, it's going to be sitting in kernel-sleep, so it won't be using up any CPU. And while it's idle, if memory does get that loaded, the OS will happily to page it to disk where it will stay until I end up using it again. Stunnel isn't a big program, anyway. So although I don't think it was worth the trouble of scripting starting up/shutting down, it was clearly simple enough to do anyway. :)

[giza.livejournal.com]

I thought about that, but I wanted to take the approach of having the state on the Mac be consistent. i.e. not have Stunnel maybe running or maybe not running, depending on whether I ran tf since the last boot.

But I think it's a moot point, I'm gonna give Trebuchet (http://www.belfry.com/fuzzball/trebuchet/) a try sometime soon. And I can put it on my old Linux box, too!

[drleo.livejournal.com]

I addressed the state problem by having it be started at boot, so the consistent state was for it to always be running. Since this all ran on my server, it was fairly straightforward.

If you have a Linux box, you could always have stunnel permanently resident on there, and have your Mac TF connect to that Stunnel. Your packets would travel in the clear on your LAN between your Mac and your Linux box, but I presume you don't care about that.

Trebuchet is good too, I hear, although I'm still an old stick in the mud for TinyFugue.

stunnel

[cjthomas.livejournal.com]

I have a one-line shell script in my binaries directory called "stelnet" that does the job for me };>. Uses the old version of stunnel.

Maybe check the dev forum for stunnel to see a) why they did it, and b) how much flack they've taken so far for it? The logical thing to do in response is to submit a patch that adds the old switches back in.

[feren.livejournal.com]

[I figured it was about time that I started connecting to FurryMUCK via SSL so that other people couldn't sniff my session.]

The only thing this really accomplishes is preventing anybody from snooping your password when you're connecting and authenticating to the game. Very few people beyond we hard-core geeks will use SSL to reach the game, so I view anything that goes "beyond the MUCK server" to another person's client as completely insecure.

Still, it's fun to toy around with. I wish it was a more frequently used option.

[bigtig.livejournal.com]

So .... using the '-x' option within tinyfugue that automatically supports SSL connections was too hard?

Basically the only change in v5.0b3 is it supports SSL. And it's rock solid.

Congrats on making it work though. Carefuly, someone will hear and you'll becomed stained as a sysadmin.

[giza.livejournal.com]

Heh, that's news to me. I did a Google search for something like "furrymuck ssl", and most of the matches I got all said to use Stunnel. Maybe I shoulda searched for TinyFugue, too. I dunno.

>Carefuly, someone will hear and you'll becomed stained as a sysadmin.

I'm afraid you're far too late...

[bigtig.livejournal.com]

Yeah. It came up when someone asked on the programmers shout channel, I think. Someone had wrote their own SSL into the code base for tinyfugue and offered it as a patch. The discussion wandered into the fact that tinyfugue already had support.

Incedentally if you do a 'whodo' of folks on the muck, the at sign next to their time means they are SSL connected.

[taral.livejournal.com]

Oddly enough, Debian packages stunnel 4 as package "stunnel4", and kept stunnel 3 as "stunnel".

[giza.livejournal.com]

I'm learning the hard way that Debian does that for a lot of things... It's a real pain in the ass.

Why or why can't we all just get along and use an eBuild system like GenToo uses? Every package name just has a version attribute and all is good...