[stunnel-users] X509 certificate info extract and use

Javier meresponde2001-stn at yahoo.es
Sun Feb 3 22:26:26 CET 2013


On Sun, 03 Feb 2013 19:54:06 +0100
Pierre-Yves Bonnetain <py.bonnetain at ba-consultants.fr> wrote:

> Hello Javier,
> 
> On 02/02/13 22:40, Javier wrote:
> > Then, I can't help here. You'll need a separate app in the middle 
> > to allow only one username and password that could pass to the DB 
> > app if correct, as well as the rest of data traffic.
> 
> That's what we are working on: some small additions to stunnel, to
> (optionally) send some certificate-related data to the downlink
> application, and a protocol-aware relay downlink (in front of the real
> application). This relay will receive the certificate-related data and
> the stunnel-decrypted data flow, make its checks and let pass or drop
> everything.
> 
> Sincerely,

I see, but you don't need to send any certificate-related data if 
you already have one relay app instance for each stunnel service. 
You only have to bother about finding an application to relay.

I mean:

stunnel service 1 with level 3 verification only accepts user 1's 
certificate and relays data to relayer app instance 1, which only 
accepts user 1's username and password.
stunnel service 2 with level 3 verification only accepts user 2's 
certificate and relays data to relayer app instance 2, which only 
accepts user 2's username and password.

As long as stunnel won't accept any certificate for each service 
other than the one it is set to verify, and the app behind each service 
only accepts that certificate user's username and password, all is done: no 
other user can use that stunnel service unless they know all the login 
data that is personalized for that user.

I think this is now the closest approach to linking certificate 
access and user/pass access without needing to pass certificate data to 
another application.

But I have to admit that for me it would be enough; understanding 
your case, though, it won't be for you, so I can only wish you to find the 
solution :) With my knowledge I couldn't do better...

I hope you can find what you need :)

Regards.
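As an added illustration (not part of the thread), a stunnel.conf sketch of the two-service layout Javier describes: one service per user, each relaying to its own relay instance. Service names, ports and file paths are assumptions, and it assumes each user's certificate (plus its issuing CA, if it is not self-signed) is placed in that service's CAfile so that verify level 3 accepts only that certificate.

```ini
; Constructed example: two stunnel services, one per user, each in
; front of a separate relay instance that accepts only that user's
; username and password. Paths and ports are assumptions.

; server-side certificate presented to connecting clients
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

[db-user1]
; TLS endpoint for user 1
accept  = 0.0.0.0:5001
; relay instance 1 (localhost only): checks user 1's login, then forwards to the DB
connect = 127.0.0.1:6001
; level 3: the peer certificate must be one of the locally installed ones
verify  = 3
; contains only user 1's certificate (and its issuing CA, if any)
CAfile  = /etc/stunnel/peers/user1.pem

[db-user2]
; TLS endpoint for user 2
accept  = 0.0.0.0:5002
; relay instance 2 (localhost only): checks user 2's login, then forwards to the DB
connect = 127.0.0.1:6002
verify  = 3
; contains only user 2's certificate (and its issuing CA, if any)
CAfile  = /etc/stunnel/peers/user2.pem
```

Each relay instance must listen on a distinct loopback port so that a connection accepted on a given service can only ever reach the relay that enforces that user's credentials.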
