[stunnel-users] [patch] Redirect to a fake destination if client's certificate couldn't be verified
Jeremie Le Hen
jeremie at le-hen.org
Wed Jul 29 11:47:20 CEST 2009
And well... the patch ;-).
On Tue, Jul 28, 2009 at 11:14:49PM +0200, Jeremie Le Hen wrote:
> Hi list,
> I've written a patch to bring in the following directives:
> - evilconnect
> - evilexec/evilexecargs
> The idea is when stunnel works in server mode and is asked to verify the
> client's certificate, it normally shuts the connection down when the
> latter is invalid. With these options, when the certificate can't be
> verified, stunnel redirects the "evil" connection to another
> What is the purpose of this new feature?
> For instance, if your company does not allow SSH connections out, you
> may use the following configuration:
> % connect = yourdomain.com:22
> % evilconnect = www.yourdomain.com:80
> So you will access your SSH server with your valid user certificate. On
> the other hand, if an over-zealous sneaky admin looks at the proxy logs
> and tries to connect to your stunnel, it will be redirected to an
> uninteresting website ;).
> Here is the documentation:
> % evilconnect = [host:]port
> % connect to a remote host:port when the client's certificate cannot
> % be verified
> % This is only meaningful in server mode when connect and verify are
> % used. Otherwise it has the same properties as the connect option.
> % evilexec = executable_path (Unix only)
> % execute local inetd-type program when the client's certificate cannot
> % be verified
> % This is only meaningful in server mode when exec and verify are
> % used. Otherwise it has the same properties as the exec option.
> % execargs = $0 $1 $2 ... (Unix only)
> % arguments for evilexec including program name ($0)
> % Quoting is currently not supported. Arguments are separated with
> % arbitrary number of whitespaces.
> I'd like to thank Mathieu CHOUQUET-STRINGER who actually had this very
> good idea and implemented a proof of concept code with GnuTLS.
> Also, thanks to Vin0x64 <vincent vin0x64 fr> who tested this patch and
> verified that it works.
> Looking forward to your remarks... thanks!
> Best regards,
> Jeremie Le Hen
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 12467 bytes
Desc: not available