[stunnel-users] Distinguished Name (DN) is a cleartext network communication?

Michael Renner michael.renner at gmx.de
Thu Jan 8 20:45:48 CET 2009

On Wednesday 07 January 2009, Michal Trojnara wrote:
> On Wednesday, 7 January 2009, Michael Renner wrote:
> > I am confused. Trying to use the DN as a kind of password replacement I
> > saw that the DN goes unencrypted through the network, while the traffic
> > itself is encrypted of course.
> [cut]
> > This is, more or less, the content of the DN. Is there a chance to
> > encrypt this?
> Why would you like/need to encrypt the certificate?  It's sent before the
> encryption keys are negotiated, so it's obviously not encrypted.  A
> certificate is by definition something publicly available, so I can't see
> any reason to encrypt it.

Hi Michal and Karl, thanks for the answer.

I see, using the certificate this way is wrong for me. This is (or 
should become) my setup:

A server should appear like a 'normal' https webserver to others. More or 
less interesting, or just a 404 error message. However: it should appear 
harmless to others, just like a webserver.
Behind this a proxy server (squid) should run. Only authorized users should 
be able to use it.

So my first idea was to use a client certificate and a server side script 
(started by stunnel's 'exec' statement) to switch from 'webserver' mode to 
'proxy' mode:

if [ "${SSL_CLIENT_DN}" = "/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel client/CN=mars.vbox4php.org/emailAddress=michael.renner at gmx.de" ]; then
   nc localhost 3128            # authorised client: hand the connection to squid
else
   #echo "this server is offline, please try again later"
   #nc www.example.org 80
   cat /etc/stunnel/404.html    # everyone else: serve the static 404 page
fi

This works so far: I can configure my browser to use the local tunnel endpoint 
as the proxy address, because I have the right certificate in the client's 
stunnel configuration. Others with an 'ordinary' browser see only the 404.
But this setup is pointless, since the DN is readable with a network sniffer. 
It no longer appears harmless after a closer look at the network 
traffic. But it has to. 

Now I need another idea to implement such a service.

Any hint?

|Michael Renner      E-mail: michael.renner at gmx.de  |
|D-81541 Munich      Germany        ICQ: #112280325 |
|Germany             Don't drink as root!      ESC:wq
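As an added example (not code from the post, from stunnel, or from anyone in the thread): the dispatch script the post sketches, written so that it runs under plain /bin/sh, compares the whole DN exactly against an allow list, reads the client's HTTP request before answering, and returns a well-formed HTTP 404 rather than a bare file. It assumes stunnel is configured with 'verify = 2' and a CAfile so that only certificates issued by your own CA reach the script at all, that the script is started via 'exec' with 'execArgs = dispatch.sh --serve', and that squid listens on localhost:3128; the allowed DN is the one from the post, and the 404 page path is an assumption. It does not change the point made in the thread: with the TLS versions in use when this was written (TLS 1.2 and earlier) the client certificate, DN included, still crosses the wire in cleartext during the handshake; only TLS 1.3 encrypts the Certificate message.

```shell
#!/bin/sh
# dispatch.sh: added example for stunnel's 'exec' option (not from the post
# or from stunnel). Assumed stunnel.conf for the service:
#   verify   = 2                      ; client certificate required and
#   CAfile   = /etc/stunnel/ca.crt    ; must chain to our own CA
#   exec     = /etc/stunnel/dispatch.sh
#   execArgs = dispatch.sh --serve
# stunnel exports SSL_CLIENT_DN into the child's environment (the post's own
# script relies on it too); stdin/stdout of this script are the decrypted
# connection.

PROXY_HOST=localhost                  # assumption: squid on the same host
PROXY_PORT=3128
NOTFOUND_PAGE=/etc/stunnel/404.html   # assumption: static body for the 404

# Allow list, one full DN per line. The single entry is the DN from the post
# (the e-mail address appears obfuscated by the list archive).
allowed_dns() {
    cat <<'EOF'
/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel client/CN=mars.vbox4php.org/emailAddress=michael.renner at gmx.de
EOF
}

# decide_mode DN: prints "proxy" if DN is exactly one of the allowed DNs,
# "web" otherwise. grep -F treats the DN as a fixed string (no '.' or '/'
# pattern surprises) and -x requires a whole-line match, so a DN that merely
# contains an allowed DN as a prefix or substring is rejected. The empty DN
# (no client certificate at all) is rejected explicitly.
decide_mode() {
    dn=$1
    if [ -n "$dn" ] && allowed_dns | grep -Fxq -e "$dn"; then
        echo proxy
    else
        echo web
    fi
}

# http_404: write a complete HTTP/1.1 404 response. A bare 'cat 404.html'
# has no status line, so a browser would render garbage rather than a
# believable 404 page.
http_404() {
    if [ -r "$NOTFOUND_PAGE" ]; then
        body=$(cat "$NOTFOUND_PAGE")
    else
        body='<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1></body></html>'
    fi
    len=$(printf '%s' "$body" | wc -c | tr -d ' ')
    printf 'HTTP/1.1 404 Not Found\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Connection: close\r\n\r\n'
    printf '%s' "$body"
}

# serve: the entry point stunnel runs once per accepted connection.
serve() {
    case "$(decide_mode "${SSL_CLIENT_DN:-}")" in
        proxy)
            # Authorised client: splice the decrypted stream into squid.
            exec nc "$PROXY_HOST" "$PROXY_PORT"
            ;;
        *)
            # Everyone else: read and discard the request headers (up to the
            # blank line) so we behave like a web server, then answer 404.
            cr=$(printf '\r')
            while IFS= read -r line; do
                line=${line%"$cr"}
                [ -z "$line" ] && break
            done
            http_404
            ;;
    esac
}

case "${1:-}" in
    --serve) serve ;;
esac
```

Because stunnel has already rejected any certificate that does not chain to the configured CAfile before the script is started, the DN comparison only selects among certificates you issued yourself; it is not what keeps strangers out. The '=' comparison (rather than the bash-only '==') and the fixed-string, whole-line grep are what make the match exact under /bin/sh.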
