[stunnel-users] stunnel patch to support URL lookups for parameters

Dan Jakubiec dan.jakubiec at gmail.com
Wed Dec 13 21:00:15 CET 2006


Attached is a patch which extends the "connect=" and "CApath=" options to
allow these parameters to be obtained dynamically at connect-time via a URL
lookup, rather than statically from the stunnel configuration file.  It is a
generalization of an earlier patch to 4.04 submitted by Jan Piet-Mens which
does something similar using LDAP lookups.  Feedback is appreciated!

Here is a summary of the functionality, along with some notes:

   1. The patch was written to allow stunnel to dynamically route and
   authenticate incoming connections based on parameters found in the client's
   certificate.
   2. Routing and authentication information is obtained by issuing a URL
   lookup, so the information can be obtained from a variety of local or remote
   sources.
   3. It is particularly useful in high-volume, load-balancing scenarios
   where many copies of stunnel are running on multiple front-end servers.  It
   allows the destination socket and client certificate verification info to be
   obtained on-the-fly from a centralized database.
   4. Although primarily intended for use with HTTP, this patch uses the
   libcurl URL library and should work with all of its supported protocols:
   HTTP, HTTPS, FTP, FTPS, TFTP, DICT, TELNET, LDAP or FILE.

As a brief example, an end-user might configure their stunnel as follows:

cert = id.pem
verify = 2
CApath = ca_dir
CAlookup = http://database.stunnel.org/map_client.php?hash=%h

[dynamic]
accept = 50000
connect = @http://database.stunnel.org/map_client.php?common_name=%n

In this scenario, an incoming stunnel connection would obtain its connect
info from database.stunnel.org by sending an HTTP request and passing the
common name found in the client certificate.  Similarly, the client's
certificate would be verified using CA certificates obtained via HTTP lookup
to the same host.

Comments are appreciated.

Thanks,

Dan Jakubiec
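The placeholder expansion and lookup flow described in the message, as an added example (not code from the patch or from stunnel): the meanings of %n (common name) and %h (subject hash) are assumed, and the central database is replaced by a constructed in-memory table standing in for map_client.php.

```python
"""Added example, not from the url_lookup patch: expand an stunnel-style
lookup URL template from client-certificate fields, consult a (constructed)
mapping service, and validate the answer before it is used as a connect target.
Placeholder semantics for %n and %h are assumptions."""
import re
from urllib.parse import quote, urlsplit, parse_qs

# Constructed stand-in for the central database (map_client.php in the mail).
CONNECT_MAP = {
    "client-a.example": "10.0.0.5:8443",
    "client-b.example": "10.0.0.6:8443",
}

# Assumed placeholder meanings: %n = certificate common name, %h = subject hash.
PLACEHOLDERS = {"%n": "common_name", "%h": "subject_hash"}

# Only accept a plain host:port answer from the lookup service.
HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def expand_template(template, cert_fields):
    """Replace %n/%h with URL-encoded values taken from the client certificate.
    A leading '@' (the marker used for a dynamic connect= value) is dropped."""
    template = template[1:] if template.startswith("@") else template

    def sub(match):
        key = PLACEHOLDERS.get(match.group(0))
        if key is None:
            raise ValueError("unknown placeholder " + match.group(0))
        # Percent-encode so a CN containing '/', '&' or spaces cannot alter the query.
        return quote(cert_fields[key], safe="")

    return re.sub(r"%[A-Za-z]", sub, template)


def resolve_connect(url):
    """Emulate the lookup service: answer host:port for a common name, or None."""
    query = parse_qs(urlsplit(url).query)
    common_name = query.get("common_name", [None])[0]
    return CONNECT_MAP.get(common_name)


def lookup_target(template, cert_fields):
    """Full path: expand the template, perform the (emulated) lookup, and
    reject anything that is not a well-formed host:port before routing."""
    answer = resolve_connect(expand_template(template, cert_fields))
    if answer is None or not HOSTPORT.match(answer):
        return None
    return answer
```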
-------------- next part --------------
A non-text attachment was scrubbed...
Name: url_lookup.pat
Type: application/octet-stream
Size: 21633 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20061213/c1c38574/attachment.obj>