[stunnel-users] Individual user certs for each person who uses Windows PC
Bucci, David G
david.g.bucci at lmco.com
Tue Aug 31 16:42:44 CEST 2010
Thanks, guys, good ideas. Wow, subst, that's a blast from the past. Some deployment sites will have networked homedirs, some won't, Michal.
Can I confirm, if stunnel is run by the user (whether manually or as part of a login script), then when the user logs off, the process can be relied on to be killed? I'm concerned that a leftover tunnel could be used to masquerade by a subsequent logon-ee.
And ... does stunnel for Windows have any inherent way to only allow localhost access? (hosts.allow type mechanism). Our clients are not running firewalls on their PCs, at least not all of them (closed network situation). Or alternatively, any way to specify what user is allowed access (like iptables can do in Linux)? Sorry, I'm not a Windows guy, I'm still reeling from the fact that Windows doesn't have any inherent way to do transparent proxying (not even on the Server versions).
As a feature request for the Windows version ... some way to tie in to the system keystore, so that user certificates that are populated there can be directly used. Implicit in that would be DER (and probably PKCS#12) support, I suppose.
From: stunnel-users-bounces at mirt.net [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Michal Trojnara
Sent: Tuesday, August 31, 2010 7:18 AM
To: stunnel-users at mirt.net
Subject: EXTERNAL: Re: [stunnel-users] Individual user certs for each person who uses Windows PC
Pierre DELAAGE wrote:
> I suggest you have a look at the windows "subst" command (available in
> ALL versions of windows),
> that allows a virtual drive to be mapped to a directory.
AFAIK most multi-user deployments map home directories from a file server.
Stunnel could simply use a certificate from the mapped drive.
> If the script fails, then NO risk that userB uses cert of user A.
> But in that case stunnel must be started ALSO in the startup menu script
> (the same as that doing the "subst"), and NOT as a service.
Sure. There's also no way to know in advance (at boot time) which user is
going to log in. 8-)
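A client-side stunnel.conf along the lines of what the thread suggests, added here as an illustration and not taken from the thread or from stunnel's own sample configuration: the user's certificate is read from a mapped home drive (a network home directory or a "subst" virtual drive), the file is meant to be passed to stunnel started from the user's login script rather than installed as a service, and the accept line shows the loopback-only form that answers the localhost question. The drive letter H:, every path, port 8443 and the server name are placeholders.

```ini
; Per-user stunnel client configuration, launched from the login script
; as the logged-on user (not installed as a service). All paths, ports
; and host names are placeholders chosen for this example.

; Certificate and private key on the user's mapped home drive, so each
; user can only present their own certificate. stunnel reads PEM files.
cert = H:\stunnel\user.pem
key  = H:\stunnel\user.key

; Verify the server certificate against a trusted CA bundle.
CAfile = C:\stunnel\ca-certs.pem
verify = 2

; Per-user log file rather than a shared one.
output = H:\stunnel\stunnel.log

[app]
client = yes
; Weak form, kept only for comparison: a bare port binds every interface,
; so other hosts on the network could use this user's tunnel.
; accept = 8443
; Loopback only: the local application connects to 127.0.0.1:8443.
accept = 127.0.0.1:8443
connect = app-server.example.internal:443
```

The login script maps the drive first (net use or subst) and then starts the GUI binary with the config path, e.g. `stunnel.exe H:\stunnel\stunnel.conf`; when started this way the process belongs to the user's session instead of running as a service. Note that `accept = 127.0.0.1:port` limits connections to the machine itself, not to a particular user: any process on that PC can still reach the loopback listener, so it does not substitute for the per-user restriction asked about above.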