[stunnel-users] Username authentication

Joe Kemp jkemp at capwin.org
Fri Mar 7 16:40:57 CET 2008

I should not have said I am using client certificates.  I tested them and verified I can authenticate with them.  However, I do not want to deploy a PKI with the current application.  I need to authenticate users against an existing LDAP server using username and password.

It looks like a lot is already there.  Basically I want to do something like the connect protocol option.  I will probably just add a new protocol called ldap or something like that.  I see the TODO list includes replacing protocol.c with a scripting engine.  That would be perfect.

-----Original Message-----
From: Brian Hatch [mailto:bri at stunnel.org]
Sent: Friday, March 07, 2008 4:34 AM
To: Joe Kemp
Cc: stunnel-users at mirt.net
Subject: Re: [stunnel-users] Username authentication

About 2008-03-04 17:05 -0500, Joe Kemp voiced:

> I want to try to use stunnel as a "simple" client vpn.
> It solves all of my encryption issues but I would like to verify a
> username/password before it lets the traffic through.  I didn't see
> any patches or hacks out there that did this.  Has this been attempted
> before or am I on my own.  I would also be interested in other
> solutions based on openssl that are not network device level VPNs
> clients.

You want to use X509 certificate verification.  It's the way authentication is done in the SSL world.  It's built into Stunnel.

You may also want to look at tappipe, which is Michal's VPN-over-Stunnel package.  I use it very successfully for a few of my connections.

> Already using client side certificates and I know that is the normal SSL authentication mechanism....

Then why don't you want to use them?  ;-)

Brian Hatch                  Waltz, nymph, for quick jigs vex Bud.
   Systems and               --28 letter panagram
   Security Engineer

Every message PGP signed

More information about the stunnel-users mailing list