[stunnel-users] Using stunnel to secure clients instead of servers

Leon Smith leon.p.smith at gmail.com
Wed Jan 7 18:41:20 CET 2015

On Wed, Jan 7, 2015 at 11:01 AM, Ludolf Holzheid <
lholzheid at bihl-wiedemann.de> wrote:

I don't know your setup, but if there is no proxy involved, you don't
> need the 'protocol=...' option.  For certificate pinning, you'll
> certainly need 'CAfile=...' or 'CApath=...', and 'verify=LEVEL' with
> LEVEL not below 2

Hmm, what do you mean by "no proxy involved?"    Unless I'm modifying the
source,  wouldn't using stunnel essentially always be proxy?

To be even more explicit,  the HTTP client is cabal-install,  which is a
program that downloads and compiles code from the Hackage public source
code repository for Haskell.    cabal-install is HTTP only,  whereas
Hackage supports both HTTP and HTTPS.    I _could_ modify cabal-install,
 as it is free, libre, and open source software,   but for reasons both
good and bad,  getting the changes pushed upstream is problematic.   So I
was curious about finding a quick workaround for those concerned about
possible MITM attacks injecting malicious code into the packages,  and came
up with the idea of a stunnel or nginx proxy.    (Some of the people who
run Hackage are working on code signing,  but who knows when that'll
finally be available...)

Perhaps the man page would make a little bit more sense to me on this count
if I had a better understanding of the TLS protocol and how it relates to
https,   but that's not something I honestly know all that much about.
 As it stands the man page is a bit opaque to me on this topic...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20150107/5bfe46bc/attachment.html>

More information about the stunnel-users mailing list