[stunnel-users] Three patches
Michal.Trojnara at mirt.net
Tue Jun 1 16:09:36 CEST 2010
Tristan Schmelcher wrote:
> Add support for building against a libssl/libcrypo that has had
> various non-essential features removed via the "no-<feature>"
> Configure options for openssl. This requires disabling non-essential
> Stunnel features at compile-time if they have dependencies on disabled
> libssl/libcrypto features.
> For memory-constrained embedded systems, this is a big win. With this
> patch I was able to cut the memory footprint of stunnel+openssl by
> about a third simply by disabling openssl features that I didn't need.
Can you share the results of your tests?
How much of the binary size does disabling MD4/SSLv3/SSLv2 really save?
> This splits the stderr logging effect of the "foreground" option into
> a separate option named "stderr", so that users have the freedom to
> enable foreground without stderr logging, or vice versa. For backwards
> compatibility though, specifying foreground = yes implies stderr = yes
> unless followed in the config by stderr = no.
> This is useful on embedded Linux systems that lack an implementation
> of fork() (due to the processor not having an MMU), because on such
> systems every daemon has to be launched in a foreground mode and
> pre-daemonized with the simpler vfork() function, e.g. using "&" from
> a shell. In this mode, logging to stderr does not make sense, because
> in reality the process is still a daemon so the logging clutters the
Couldn't you simply redirect stderr to a file?
> I saved the best for last. ;) This adds a "verify_dns" option to check
> the CommonName in peer certificates against their DNS name when
> verifying, much as web browsers do.
> I have seen posts from users asking for this feature in the past, so I
> think it's value is self-evident.
The basic purpose of SSL/TLS is to prevent network-level attacks. Many
years ago I refused to implement this option as it's inherently vulnerable
to DNS spoofing and cache poisoning. I think my point stands even more
nowadays with DNS cache poisoning attacks getting more and more popular.
Also stunnel, unlike web browsers, connects a predefined (static) list of
servers. It's much more secure to just download their certificates and
check them with "verify = 3".
I think I could add a Windows GUI option to download and save remote
certificates. What do you think?
More information about the stunnel-users