Subj : BINKP over TLS
To   : Paul Hayton
From : Alexey Fayans
Date : Tue Dec 24 2019 01:07 am

Hello Paul!

On Tue, 24 Dec 2019 at 10:32 +1300, you wrote to me:

 AF>> Actually I did it just for fun as a PoC. My system is reachable
 AF>> both via binkp and binkps on a single port - 24554. It also uses
 AF>> a LetsEncrypt certificate. You can try it.

 PH> If you could share the steps I would love to repro this and test also
 PH> :)

I have the latest version of SSLH (built from source) running with this config:

=== Start of Windows Clipboard ===
verbose: 0;
foreground: true;
inetd: false;
numeric: true;
transparent: false;
timeout: 2;
user: "nobody";
pidfile: "/var/run/sslh.pid";
chroot: "/opt/sslh";
syslog_facility: "auth";

listen:
(
    { host: "0.0.0.0"; port: "24554"; },
    { host: "::"; port: "24554"; }
);

protocols:
(
    { name: "tls"; host: "127.0.0.1"; port: "24553"; },
    { name: "anyprot"; host: "192.168.1.2"; port: "24554"; }
);

on_timeout: "anyprot";
=== End of Windows Clipboard ===

And haproxy listening on 24553 with the following config:

=== Start of Windows Clipboard ===
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
    ssl-default-bind-options no-sslv3

    # Custom
    tune.ssl.default-dh-param 2048

defaults
    log global
    timeout connect 5000
    timeout client 50000
    timeout server 50000

listen binkps
    mode tcp
    bind 127.0.0.1:24553 ssl crt /etc/ssl/certs/bsrealm.net.pem
    server binkd 192.168.1.2:24554
=== End of Windows Clipboard ===

Please note that the latest SSLH has a bug in on_timeout (on-timeout) config
directive handling (see https://github.com/yrutschle/sslh/issues/253), so maybe
it's a good idea to use the version supplied by your distro.

....
Music Station BBS | https://bbs.bsrealm.net | telnet://bbs.bsrealm.net
--- GoldED+/W32-MSVC 1.1.5-b20180707
 * Origin: Music Station | https://ms.bsrealm.net (2:5030/1997)
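
Added example, not part of the original message and not sslh's own code: a simplified Python model of the first-bytes decision the config above relies on, showing why a plain binkp session cannot be mistaken for TLS on the shared port (a binkp command frame sets the high bit of its first byte, a TLS handshake record starts with 0x16). The backend addresses come from the posted config; the function names and sample bytes are constructed for illustration, and the 2-byte binkp frame header layout is assumed per the binkp specification.

```python
# Added example: simplified model of routing by the first bytes a client sends.
# Backend addresses are copied from the sslh config in the message above.
BACKENDS = {
    "tls": ("127.0.0.1", 24553),        # haproxy terminates TLS, forwards to binkd
    "anyprot": ("192.168.1.2", 24554),  # binkd, plain binkp
}
ON_TIMEOUT = "anyprot"                  # used when the client stays silent

TLS_HANDSHAKE = 0x16  # TLS record content type "handshake"


def looks_like_tls(data: bytes) -> bool:
    """True if data starts like a TLS handshake record (type 0x16, major 3)."""
    return (len(data) >= 3 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04)


def parse_binkp_header(data: bytes):
    """Decode the 2-byte binkp frame header: (is_command, payload_length)."""
    if len(data) < 2:
        return None
    word = int.from_bytes(data[:2], "big")
    return bool(word & 0x8000), word & 0x7FFF


def route(first_bytes):
    """Pick a backend name for the first bytes received (None/empty = timeout)."""
    if not first_bytes:
        return ON_TIMEOUT
    return "tls" if looks_like_tls(first_bytes) else "anyprot"


def binkp_command(cmd_id: int, arg: bytes) -> bytes:
    """Build a binkp command frame (used here only to construct sample input)."""
    payload = bytes([cmd_id]) + arg
    return (0x8000 | len(payload)).to_bytes(2, "big") + payload


# Constructed samples: start of a TLS ClientHello record and a binkp M_NUL frame.
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303")
SAMPLE_BINKP = binkp_command(0, b"SYS Example BBS")

if __name__ == "__main__":
    for label, data in (("TLS", SAMPLE_TLS), ("binkp", SAMPLE_BINKP), ("silent", None)):
        name = route(data)
        print(f"{label:6} -> {name} {BACKENDS[name]}")
```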