[stunnel-users] Distinguished Name (DN) is a cleartext network communication?

Christophe Nanteuil christophe.nanteuil at gmail.com
Fri Jan 9 13:25:07 CET 2009

2009/1/8 Michael Renner <michael.renner at gmx.de>:
> A server should appear like a a 'normal' https webserver to others. More or
> less interesting, or just a 404 error message. However: it should appear
> harmless to others, just like a webserver.
> Behind this should work a proxy server (squid). Only authorized users should
> be able to use it.
If I understand well what you want to do, I think my patch
"Identification Propagation patch using stunnel client certificates"
can be useful :
- Use my stunnel patch

Using squid as a proxy :
- In stunnel config file : select pertinent fields of the certiificate
: DN -> identFields=1023
- Get a squid version compiled with --enable-ident-lookups option
- In squid : use a home-made external authentification program which
returns ok if the DN provided is good. Squid documentation will tell
you what is the need for the home-made authentification program.

I think it's easier with DansGuardian proxy :
- In stunnel config file : select pertinent fields of the certiificate
: only Issuer_CN -> identFields=32
- in /etc/dansguardian/dansguardian.conf, create 2 groups :
filtergroups = 2
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
- create filter groups in /etc/dansguardian/lists/filtergroupslist.
(All not matching users will go in group 1) :
put a line like "your issuer CN equals 2"
- in /etc/dansguardian/dansguardianf1.conf, put "groupmode=0" , ie banned
- in /etc/dansguardian/dansguardianf2.conf, put "groupmode=2" , ie non filtered

Note that the authentification of the users is done by stunnel.
Stunnel forwards the identification to the proxy which does not need
to authenticate since it was done by stunnel.

If the ident provided by my patch is not convenient, you can modify it
to match your needs.

Hope this helps

Christophe Nanteuil

More information about the stunnel-users mailing list