[stunnel-users] X509 certificate info extract and use
meresponde2001-stn at yahoo.es
Fri Jan 25 20:52:12 CET 2013
On Tue, 15 Jan 2013 14:16:55 +0100
"Pierre-Yves Bonnetain" <py.bonnetain at ba-consultants.fr> wrote:
> My BigDatabase has it's login/password authentication process. Since my
> customers want to access the database through bad Internet, we set up a
> SSL/TLS frontend. Each customer has his own X509 certificate, with all
> proper bells and jingles in it. The frontend checks the certificate (CA
> sig, validity, revocation, etc.) and then, as it should, passes the
> unencrypted flow to the application.
Hi, I'm quite late to your help request but, here I go :)
Assuming the frontend that checks the certificate is stunnel
(otherwise I couldn't understand your explanation here)... I think
you are missing the point there.
Let me ask one thing. When you say you pass "the unencrypted flow
to the application", do you mean you pass the flow to an unencrypted
connection too? If so, it is a big mistake.
Anyway I don't know how your scenario works but in my head there is
- app with database can't accept direct internet connections
- stunnel needed in the client/user and in the server.
- user certificate created with password (so each time the user
open stunnel, it is requested by Stunnel to start)
- stunnel checks certificate against CA
- stunnel passes the flow to the app and this requests the
Here you have a double identification check.
You have an encrypted connection where is checked that there is a
valid certificate and, therefore, a valid user; also you have an
application that, after being checked the certificate, it checks for
an user and password to be able to use it.
So, why do you need or why are you seeking for a check of a
certificate by the application?
Maybe I didn't explain before. The application can't accept a
connection if there is not a valid connection with stunnel first,
which requires a valid certificate. So, by insist in check the
I had this kind of connection you are telling here with a HTTP
server that requested a login too and I had as I explained. You
can't login to the HTTP server unless you have a valid certificate
for stunnel to check.
The link between both is obvious, unless your neighbour has stolen
your certificate, the password for your certificate and the password
for the database app and he also uses the same client database app.
(Not impossible but… well, you know)
I hope I cleared your doubts a little ;)
More information about the stunnel-users