[stunnel-users] Using stunnel to secure clients instead of servers
Leon Smith
leon.p.smith at gmail.com
Wed Jan 7 18:41:20 CET 2015
On Wed, Jan 7, 2015 at 11:01 AM, Ludolf Holzheid <lholzheid at bihl-wiedemann.de> wrote:
> I don't know your setup, but if there is no proxy involved, you don't
> need the 'protocol=...' option. For certificate pinning, you'll
> certainly need 'CAfile=...' or 'CApath=...', and 'verify=LEVEL' with
> LEVEL not below 2
>
Hmm, what do you mean by "no proxy involved"? Unless I'm modifying the
source, wouldn't using stunnel essentially always be a proxy?
To be even more explicit, the HTTP client is cabal-install, which is a
program that downloads and compiles code from the Hackage public source
code repository for Haskell. cabal-install is HTTP only, whereas
Hackage supports both HTTP and HTTPS. I _could_ modify cabal-install,
as it is free, libre, and open source software, but for reasons both
good and bad, getting the changes pushed upstream is problematic. So I
was curious about finding a quick workaround for those concerned about
possible MITM attacks injecting malicious code into the packages, and came
up with the idea of a stunnel or nginx proxy. (Some of the people who
run Hackage are working on code signing, but who knows when that'll
finally be available...)
Perhaps the man page would make a little bit more sense to me on this count
if I had a better understanding of the TLS protocol and how it relates to
https, but that's not something I honestly know all that much about.
As it stands the man page is a bit opaque to me on this topic...
Best,
Leon
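As an added illustration of the client-side setup discussed in this thread (not part of the original message, and not configuration shipped by stunnel, cabal-install or Hackage): a stunnel client-mode service that accepts plain HTTP on the loopback interface and forwards it over TLS to the repository host, verifying the server certificate with the options Ludolf names. The listening port, the log file path, and the use of the system CA bundle are assumptions.

```ini
; Added example: stunnel in client mode wrapping cabal-install's plain-HTTP
; traffic in TLS. The port and file paths are assumptions, not project values.

; Log handshake and verification failures to a file for troubleshooting
output = /var/log/stunnel-hackage.log
debug = 5

[hackage]
client = yes
; cabal-install is pointed at http://127.0.0.1:8443/ instead of the HTTP URL
accept = 127.0.0.1:8443
; TLS endpoint of the repository, given as a hostname so checkHost can match
connect = hackage.haskell.org:443

; verify = 2: require a server certificate and validate its chain against
; CAfile. With verify = 0 or 1 a MITM presenting any certificate would be
; accepted, which defeats the purpose of the tunnel.
verify = 2
; Trust store used for chain verification. To pin to the site's own
; certificate instead, use verify = 3 with CAfile holding only that
; certificate.
CAfile = /etc/ssl/certs/ca-certificates.crt
; Reject a chain that is valid but issued for a different hostname
; (service-level option available in stunnel 5.x).
checkHost = hackage.haskell.org

; No 'protocol = connect' here: that option is only for tunneling through an
; HTTP CONNECT proxy, which this direct loopback-to-server setup does not use.
```

Start it with `stunnel /etc/stunnel/hackage.conf` (path assumed) and point cabal's remote-repo setting at http://127.0.0.1:8443/. One caveat the thread does not cover: the client still sends a Host header for the loopback address, so this only works if the server does not depend on that header for routing; the example does not address that.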