[stunnel-users] Feature request - verify fall-back

Brian Hatch bri at stunnel.org
Thu May 8 21:53:32 CEST 2008

Roughly around 2008-05-07 15:34 -0400, Sudhaker Raj mentioned:

> I wish to use stunnel for the following use-case (to create a
> highly-protected website which can be accessed only using a valid
> client-cert).
> gateway.example.com:443 -> public.example.com:80 (when client-cert
> verification fails)
> gateway.example.com:443 -> intranet.example.com:80 (when client-cert
> verification ok - normally hidden from public)
> I guess it will be a nice addition to stunnel's feature list.

I disagree.  I don't think it's a good idea to add to Stunnel.

This is application layer logic you want, essentially.  Your best
bet would be to use SSL in apache/webserver of choice directly.
Then you can place the verification constraint in the configuration
and configure the webserver to serve up selected pages if and only
if a cert has been used via normal apache 'require' ACLs.

Alternatively this could be configured with apache as a reverse
proxy using mod_proxy in front of two different back end webservers
(public and intranet in your example above) if you really want
distinct webservers for each.

Brian Hatch                  "I think that we missed something.
   Systems and                We should have called it 'Licensed
   Security Engineer          Software Delivery', not 'Electronic.'"
http://www.ifokr.org/bri/    --Bruce

Every message PGP signed
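The reverse-proxy variant Brian describes, written out as an added Apache httpd 2.4 example (not from the thread, stunnel, or the Apache project) using the hostnames from the original request; it assumes mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http are loaded, and the certificate paths are placeholders:

```apache
# gateway.example.com terminates TLS itself and decides, per connection,
# which backend mod_proxy forwards to. Certificate paths are placeholders.
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/gateway/server.crt
    SSLCertificateKeyFile /etc/ssl/gateway/server.key

    # CA that issued the client certificates. "optional" means a client
    # with no certificate is still admitted (SSL_CLIENT_VERIFY = NONE);
    # a client that presents a certificate this CA did not sign fails
    # the handshake outright rather than being routed anywhere.
    SSLCACertificateFile  /etc/ssl/gateway/client-ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth 2

    # Expose the verification result to mod_rewrite as %{SSL:SSL_CLIENT_VERIFY}.
    SSLOptions +StdEnvVars

    RewriteEngine on
    # Only a successfully verified client certificate reaches the intranet
    # backend. [P] hands the request to mod_proxy; [L] stops rule processing.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule ^/(.*)$ http://intranet.example.com/$1 [P,L]

    # Everything else falls back to the public site.
    RewriteRule ^/(.*)$ http://public.example.com/$1 [P,L]

    # Rewrite Location/Set-Cookie headers from either backend so clients
    # never learn the internal hostnames.
    ProxyPassReverse / http://intranet.example.com/
    ProxyPassReverse / http://public.example.com/
    ProxyPreserveHost on
</VirtualHost>
```

The split only holds if intranet.example.com:80 accepts connections from the gateway alone (host firewall or a private network); otherwise the proxy rule is decoration rather than a control.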
