<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 25/09/13 00:43, Gary Chodos wrote:<br>
</div>
<blockquote
cite="mid:CANDYHM5_BnKDd8Xe3GZfzqBUN4zZk8+uZuho_XuH8Cm1DTtsdg@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div>We are trying to decide between SNIProxy and stunnel for the
following task:</div>
<div><br>
</div>
<div>- Client browser hits <a moz-do-not-send="true"
href="https://foo.bar.org">https://foo.bar.org</a>, which
resolves to an IP that corresponds to the stunnel machine
listening on 443.</div>
<br>
<div>- stunnel "forwards" (sorry if this is not the correct
technical term) the connection to a different machine, specified
by a different IP address, which is also configured to believe
it is <a moz-do-not-send="true" href="http://foo.bar.org">foo.bar.org</a>
and actually has a web server listening on 443 and houses the
SSL key/cert.</div>
<div><br>
</div>
</blockquote>
What an odd setup. You want to make an HTTPS connection to an IP
address, but want that to make an HTTPS connection to another IP
address, but don't want it to house the SSL cert. <br>
<br>
That isn't possible - an "SSL terminator" requires the cert -
otherwise it isn't terminating the SSL connection. Why don't you
just use a standard TCP forwarder instead - won't that do what you
want? Don't forget: SSL occurs *within* a TCP session - so a
standard TCP forwarder can "reroute" the SSL transaction without
needing to know what it is forwarding (ie no need for certs)<br>
<br>
You could use xinetd or netcat - tonnes of options<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
</pre>
</body>
</html>