[stunnel-users] Identification Propagation patch using stunnel client certificates

Christophe Nanteuil christophe.nanteuil at gmail.com
Mon Feb 2 14:25:03 CET 2009


I improved the patch for propagating authentication made by stunnel to
"connect server" using ident protocol (RC 1413) :
- Better implementation of RFC 1413 protocol (error replies)
- multi-threading of the ident server and ident admin server : they
can answer multiple requests (thanks to the great code of stunnel
which permits easy generalization of code and multiplatform support)
- servers keep connections open which allows several requests without
connecting/disconnecting each time.
- some bugs correction.

This patch allow the "connect server " to just ask stunnel about the
client identity using ident protocol. No double authentication needed
(as far as you use client certificates with stunnel)... It is useful
when, on your "connect server" (for example Apache with mod_ident or
squid or dansguardian), you want to :
- keep relevant log of who/when connected
- implement profile access

Refs :
For Apache : http://httpd.apache.org/docs/2.2/mod/mod_ident.html
For Squid :  http://www.squid-cache.org/Doc/config/ident_lookup_access/
For Dansguardian :
http://dansguardian.org/downloads/detailedinstallation2.html (see
Username identification methods)

Feedback welcomed,
Christophe Nanteuil

2009/1/12 Christophe Nanteuil <christophe.nanteuil at gmail.com>:
> Hello,
> Since there is a new file included in the compilation process, you
> need to do the following to apply the patch :
> tar -xzf stunnel-4.26.tar.gz -C /your/path/
> cd /your/path/stunnel-4.26
> patch -p1 < /path/to/patch/attachment-0001.bin
> aclocal && autoconf && automake && ./configure && make
> You can safely ignore the error on the last file when applying the
> patch (it seems it lacks a carriage return).
> --
> Christophe Nanteuil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-identprop-0.30.patch
Type: text/x-patch
Size: 40497 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20090202/69429e2a/attachment.bin>

More information about the stunnel-users mailing list