[stunnel-users] Identification Propagation patch using stunnel client certificates

Christophe Nanteuil christophe.nanteuil at gmail.com
Fri Jan 9 11:54:20 CET 2009


Hello,

NB: this patch is provided as an alpha version: it handles only 1
request at a time for each of the administrative and ident servers.

Why use this patch?
This patch can be useful when:
- you provide access to the Internet via your stunnel server and your
legislation requires you to keep logs of who connected where and when.
In this case, you will have Squid logs filled with the identification of
stunnel clients in a very simple way: there is nothing to ask of the
client, as it automatically uses its certificate to fill in the identity
fields.
- you want to implement several access profiles for your clients
accessing your web proxy/server: as the proxy will send ident requests
to stunnel, you can create filter groups to allow / deny access
(with redirection to a page that you can customize) depending on
stunnel's answer: see the filtergroups option of DansGuardian or the acl
options in Squid.

Patch to version: 4.26

Type: new feature

Description: Identification Propagation using stunnel client certificates

The patch proposes to extend the identification propagation provided
by the directive 'EXEC=' to the directive 'CONNECT='
when using client certificates. With the EXEC directive, the Subject name
and Issuer Name of clients are put in environment variables, which allows
the program to determine the identity of the stunnel client. This patch
adds an ident server functionality to stunnel, compliant with RFC
1413, to allow propagation of identification to remote hosts specified
by the service directive 'CONNECT='.
Additionally, this patch provides an administrative server "bound" to
the Ident server: on the administrative socket (default port
127.0.0.1:790), you can request the number of users currently connected
and list them.

How to use this patch?
You just have to add an 'identServer=yes' directive to the services for
which you want to propagate identification.

For example, you can use this patch when connecting to a DansGuardian
web proxy (installed on proxy.example.com) with the option
authplugin = '/etc/dansguardian/authplugins/ident.conf' enabled in the
configuration file (or when connecting to a Squid web proxy compiled with
the --enable-ident-lookups option), and the following stunnel
configuration file (located in /etc/ssl/stunnel/stunnel-ident.conf):

...
[WEB]
accept=8080
connect=proxy.example.com:8080
identServer=yes
...

Stunnel will create a listening socket on 0.0.0.0:113 and answer
requests initiated by DansGuardian.

--
Christophe Nanteuil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-identprop-0.21a.patch
Type: text/x-patch
Size: 37816 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20090109/d0b27936/attachment.bin>
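The RFC 1413 exchange the post describes, as an added example that is not
part of the patch or of stunnel itself: the proxy (the querier) sends
"<port-on-server>, <port-on-client>" and the ident server on the stunnel
host answers with the identity taken from the client certificate of the
matching connection. The connection table, the port numbers and the
certificate subjects are constructed for the example; a real
implementation would fill the table from live accepted connections. The
helper names (handle_ident_request, identity_from_subject, ident_exchange)
are this example's own.

```python
import re
import socket

# Constructed table standing in for stunnel's live connection list:
# (stunnel's local port on its outgoing connection to the proxy, proxy port)
# -> subject of the client certificate presented on the matching accept side.
CONNECTIONS = {
    (40512, 8080): "CN=alice,O=Example Corp",
    (40513, 8080): "CN=bob,O=Example Corp",
}

# RFC 1413 request line: two decimal ports separated by a comma.
_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def identity_from_subject(subject):
    """Pick the CN out of an RFC 2253-style subject, falling back to the whole
    subject. Commas and CR/LF are stripped so the reply stays a single line and
    cannot break the ident response grammar or the proxy's log format."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN" and value:
            return value.replace("\r", "").replace("\n", "")
    return subject.replace(",", " ").replace("\r", "").replace("\n", "")


def handle_ident_request(line, table=CONNECTIONS):
    """Build the RFC 1413 reply for one request line.

    port-on-server is the port on the host answering (stunnel's local port on
    its outgoing connection); port-on-client is the querier's (proxy's) port.
    Error replies follow the RFC: INVALID-PORT for bad input, NO-USER when no
    connection matches the pair.
    """
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        # Unparseable request: the RFC allows answering with zero ports.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port} , {remote_port} : ERROR : INVALID-PORT\r\n"
    subject = table.get((local_port, remote_port))
    if subject is None:
        return f"{local_port} , {remote_port} : ERROR : NO-USER\r\n"
    user = identity_from_subject(subject)
    return f"{local_port} , {remote_port} : USERID : OTHER : {user}\r\n"


def ident_exchange(request, table=CONNECTIONS):
    """Run one request/reply round trip over a local socket pair so both sides
    of the exchange are visible; returns the reply text the querier reads.
    Like the alpha patch, the server handles one request per connection."""
    querier, server = socket.socketpair()
    try:
        querier.sendall(request.encode("ascii"))
        querier.shutdown(socket.SHUT_WR)  # querier is done sending
        buf = b""
        while not buf.endswith(b"\r\n") and len(buf) < 1000:  # RFC line limit
            chunk = server.recv(64)
            if not chunk:
                break
            buf += chunk
        reply = handle_ident_request(buf.decode("ascii", "replace"), table)
        server.sendall(reply.encode("ascii"))
        server.close()
        data = b""
        while True:
            chunk = querier.recv(256)
            if not chunk:
                break
            data += chunk
        return data.decode("ascii")
    finally:
        querier.close()
        server.close()


if __name__ == "__main__":
    for req in ("40512, 8080\r\n", "40514, 8080\r\n", "70000, 8080\r\n", "oops\r\n"):
        print(repr(req), "->", repr(ident_exchange(req)))
```

Squid and the DansGuardian ident plugin log whatever follows the last colon,
so the identity returned here is what lands in the proxy's access log;
stripping commas and line breaks from the certificate subject is what keeps a
crafted subject from injecting extra fields into that log line.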

