[stunnel-users] [patch] Redirect to a fake destination if client's certificate couldn't be verified

Jeremie Le Hen jeremie at le-hen.org
Tue Jul 28 23:14:49 CEST 2009


Hi list,

I've written a patch to bring in the following directives:
    - evilconnect
    - evilexec/evilexecargs

The idea is when stunnel works in server mode and is asked to verify the
client's certificate, it normally shuts the connection down when the
latter is invalid.  With these options, when the certificate can't be
verified, stunnel redirects the "evil" connection to another
destination.

What is the purpose of this new feature?

For instance, if your company does not allow SSH connections out, you
may use the following configuration:
% connect = yourdomain.com:22
% evilconnect = www.yourdomain.com:80

So you will access your SSH server with your valid user certificate.  On
the other hand, if an over-zealous sneaky admin looks at the proxy logs
and tries to connect to your stunnel, it will be redirected to an
uninteresting website ;).

Here is the documentation:
%  evilconnect = [host:]port
%      connect to a remote host:port when the client's certificate cannot
%      be verified
%
%      This is only meaningful in server mode when connect and verify are
%      used.  Otherwise it has the same properties as the connect option.
%
%  evilexec = executable_path (Unix only)
%      execute local inetd-type program when the client's certificate
%      cannot be verified
%
%      This is only meaningful in server mode when exec and verify are
%      used.  Otherwise it has the same properties as the exec option.
%
%  evilexecargs = $0 $1 $2 ... (Unix only)
%      arguments for evilexec including program name ($0)
%
%      Quoting is currently not supported.  Arguments are separated with
%      arbitrary number of whitespaces.

I'd like to thank Mathieu CHOUQUET-STRINGER who actually had this very
good idea and implemented a proof of concept code with GnuTLS.

Also, thanks to Vin0x64 <vincent vin0x64 fr> who tested this patch and
verified that it works.

Looking forward to your remarks... thanks!

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
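Added example (editor's, not from the post or the stunnel distribution): a complete server-side and client-side stunnel.conf built around the proposed evilconnect directive, showing the verify level and CA file the server needs for the "cannot be verified" decision to happen at all, and the certificate the client must present to reach the real destination. The file paths, the listening port 443, the local forwarding port 2222 and the service names are assumptions; cert, CAfile, verify, accept, connect and client are standard stunnel 4.x directives, while evilconnect exists only with this patch applied.

```ini
; ---- /etc/stunnel/ssh-gate.conf on the server (server mode) ----
; Added example; paths and ports are assumptions, not values from the post.

; Server certificate and key, in one PEM file
cert = /etc/stunnel/server.pem
; CA that issued the user certificates; anything not chaining to it fails verification
CAfile = /etc/stunnel/clients-ca.pem
; Level 2: require a client certificate and verify it against CAfile
verify = 2

[ssh-gate]
; Listen on 443 so a corporate CONNECT proxy will let the client through
accept = 443
; Clients whose certificate verifies are forwarded to the real SSH server
connect = yourdomain.com:22
; Proposed directive from the patch: everyone else is forwarded to a decoy
evilconnect = www.yourdomain.com:80

; ---- ~/.stunnel/ssh-client.conf on the workstation (client mode) ----
; Added example; the client presents the user certificate that clients-ca.pem signed.

client = yes
cert = /home/user/.stunnel/user.pem

[ssh]
; Plain TCP on the workstation, TLS towards the server
accept = 127.0.0.1:2222
connect = yourdomain.com:443
```

With both files loaded, `ssh -p 2222 localhost` on the workstation is wrapped in TLS with user.pem, verified against clients-ca.pem on the server, and forwarded to port 22. Two checks are worth making before relying on the decoy: first, `openssl s_client -connect yourdomain.com:443` with no certificate, and again with a certificate from an unrelated CA, should both end up talking to www.yourdomain.com:80 rather than being dropped, since the patch defines the fallback for any certificate that cannot be verified; second, the TLS handshake completes before that verdict, and in TLS 1.2 and earlier the server's CertificateRequest message is sent in the clear, so an attentive observer can still tell that the listener is gated on client certificates even though the content behind it is bland.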
