[stunnel-users] Public domain [PATCH] support environment variables in config file

Pierre Delaage delaage.pierre at free.fr
Tue May 31 10:02:25 CEST 2016


Hi Michal,
I have not had a look at the code yet, but would it be possible to 
replace the envvars usage with some keys in the registry on the Windows 
platform and/or %userprofile%/config-file?

Anyway, my opinion on the patch is that there is no real interest in a 
"generic/self-expanding" config file, and it is even dangerous:
I would not trust stunnel if, at run time, its config could be modified 
by USER envvars...

I would rather prefer "usual config file" BUT stored (and then read by 
sw) in USERPROFILE (on WCE : there is only ONE profile, so that we can 
easily create fake stubs for w32 functions),
and then use the stunnel command line to load the proper config, or 
whatever admin system script invoking stunnel program.

Moreover, if one needs a specific admin mechanism to CREATE a 
"personalized" config file based on a common template, this can be done 
easily by some system scripting, either in Linux or Windows. Personally, I 
make wide use of sed (even with gnuwin32: remember, sed is 
able to access system variables).
This is NOT directly an stunnel issue, but a pure admin issue.

NB: if stunnel is running as a service, there is no reason for ordinary 
users to modify the config with "customized options": so if one cert is 
needed, its name can be hardcoded in the config file.
If the cert needs to be changed, one can play with the cert file (by 
admin scripting if necessary).

Yours sincerely,
Pierre

On 31/05/2016 08:05, Michał Trojnara wrote:
> I'm pretty sure the use of ExpandEnvironmentStringsA() will break WCE
> builds.  Please correct me if I'm wrong.
>
> Best regards,
> 	Mike
>
> On 23.05.2016 14:24, Dmitry Bakshaev wrote:
>> the problem frequently occurs on the client side: the admin needs to
>> configure stunnel for multiple users.
>> every user has their own key, certificate, own permissions on file system (for
>> log-files, etc)
>>
>> this patch allows writing a flexible config.
>>
>> some examples:
>> cert = %USERPROFILE%\.config\my.pem (windows)
>> cert = ${HOME}/.config/my.pem (other)
>>
>> output = %APPDATA%\stunnel.log (windows)
>> output = ${HOME}/stunnel.log (other)
>>
>> CAfile = %ALLUSERSPROFILE%\ourCAbundle.crt (windows)
>> CAfile = /etc/ssl/certs/ourCAbundle.crt (other, not using variables)
>>
>> "secure" :) random port example:
>> ...
>> [srv1]
>> accept = 127.0.0.1:%SRV1_PORT% (windows)
>> accept = 127.0.0.1:${SRV1_PORT} (other)
>> ...
>> start stunnel (batch-file or shell-script):
>> set SRV1_PORT=%RANDOM% (windows)
>>
>> limitations:
>> 1. don't support unicode on windows (localized usernames, files, etc)
>> 2. only ${NAME} syntax supported on *nix (not $NAME).
>>
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
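
Added example, not part of the original message or of stunnel: the template approach described in the reply above (generate each user's config with sed at provisioning time, so stunnel never expands environment variables at run time), with the substituted values validated before they reach the file. The `@HOME@`/`@PORT@` placeholder syntax, the template contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example: per-user stunnel config rendered from an admin-owned template.
# Placeholder syntax (@HOME@, @PORT@), template and function names are assumptions.

# Constructed template; accept/cert/output/CAfile follow the examples in the thread.
TEMPLATE='[srv1]
client = yes
accept = 127.0.0.1:@PORT@
connect = example.invalid:443
cert = @HOME@/.config/my.pem
output = @HOME@/stunnel.log
CAfile = /etc/ssl/certs/ourCAbundle.crt'

# Accept only absolute paths from a conservative character set. This rejects
# newlines (which would add option lines), "..", and sed metacharacters (| & \).
safe_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *..*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Accept only a decimal TCP port in 1..65535.
safe_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: render_config HOME_DIR PORT  (prints the rendered config on stdout)
render_config() {
    safe_path "$1" || { echo "rejected home directory" >&2; return 1; }
    safe_port "$2" || { echo "rejected port" >&2; return 1; }
    out=$(printf '%s\n' "$TEMPLATE" | sed -e "s|@HOME@|$1|g" -e "s|@PORT@|$2|g") || return 1
    # Refuse to emit a config that still contains an unresolved placeholder.
    case "$out" in
        *@[A-Z]*@*) echo "unresolved placeholder" >&2; return 1 ;;
    esac
    printf '%s\n' "$out"
}
```

An admin script would call `render_config` once per user and write the output to a file that the user can read but not modify.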
