[stunnel-users] Failover behavior with stunnel

Michal Trojnara Michal.Trojnara at mirt.net
Sun Nov 15 20:58:38 CET 2015


On 15.11.2015 11:58, Thireus wrote:
> 1. I would like to know if there is a way to use failover with two 
> servers with two different set of TLS cert/key.

No.  Both client and server certificates are currently set well before
stunnel connects to the target.

I guess what you really need is client certificate selection based on
the list of acceptable issuers sent by the stunnel server, because
each of your stunnel servers expects client certificates issued by a
separate CA.  Am I right?

Client certificate autoselection currently works on Windows with the
CAPI engine.  I have also added a new TODO item to implement client
certificate autoselection for certificates/keys stored in PEM files:
https://www.stunnel.org/sdf_todo.html

Alternatively, you may reconfigure your stunnel servers to accept
client certificates issued by the same CA.

> 2. On the same topic, I would like to know if there is an option
> that could open the local port (accept) only when the connection
> (connect) is established?

No.

> The problem I'm facing is that I use a PAC profile with failover on
> several stunnel entries: "return PROXY 127.0.0.1:4441; PROXY 
> 127.0.0.1:4442; PROXY 127.0.0.1:4443;".

Did you mean:
return "PROXY 127.0.0.1:4441; PROXY 127.0.0.1:4442; PROXY 127.0.0.1:4443";
?

You are trying to establish end-to-end failover across two (in fact
three, including the connection between the stunnel server and the HTTP
proxy) separate TCP connections.  It is not possible without a
heartbeat service.

> 3. Is there another way to tweak stunnel behavior when a remote
> server is down?

You could write a heartbeat service to periodically initiate short
connections to the remote services, and then reconfigure stunnel
accordingly.  Still, this is a crude workaround and not the proper
solution.

Best regards,
	Mike
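The heartbeat workaround Mike sketches in answer 3, written out as an added example; this is not stunnel's own code and did not appear in the original thread. It probes each remote stunnel server with a short TCP connection, picks the first one that answers, renders a single-service stunnel.conf that points the one local accept port at it, and asks a running stunnel to re-read its configuration. Because stunnel fixes the client certificate before it connects (answer 1), the example selects the cert/key pair per backend at config-generation time, which is the only place a per-server client certificate can be chosen with this approach. The backend names and hosts, the file paths, the accept port 4441, the pid file and the use of SIGHUP as the reload signal are all assumptions for illustration, not values from the mail.

```python
"""Heartbeat-driven failover for an stunnel client (added example, not stunnel code).

Assumed for illustration: the backend hosts, certificate paths, accept port,
pid-file location, and that the running stunnel re-reads its configuration
on SIGHUP.  Adjust to the local installation.
"""
import os
import signal
import socket
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Backend:
    """One remote stunnel server plus the client cert/key issued by that server's CA."""
    name: str
    host: str
    port: int
    cert: str    # PEM client certificate this server will accept (hypothetical path)
    key: str     # matching private key (hypothetical path)
    cafile: str  # CA that signed the server certificate, used to verify the peer


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Short TCP connection to the remote service; True only if the connect succeeds.

    This is the 'short connection' heartbeat from the mail: it proves the port is
    reachable, not that the TLS handshake or the HTTP proxy behind it works.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, DNS failure
        return False


def pick_live(backends: Sequence[Backend],
              probe_fn: Callable[[str, int], bool] = probe) -> Optional[Backend]:
    """First backend in priority order that currently accepts connections, else None."""
    for b in backends:
        if probe_fn(b.host, b.port):
            return b
    return None


def render_config(backend: Backend, accept: str = "127.0.0.1:4441",
                  pidfile: str = "/var/run/stunnel-failover.pid") -> str:
    """stunnel.conf text with one client service bound to `accept` and aimed at `backend`.

    The cert/key pair is chosen here, per backend, because stunnel cannot switch
    client certificates after the service is defined.  'verify = 2' makes stunnel
    check the server certificate against CAfile.
    """
    return "\n".join([
        f"pid = {pidfile}",
        "client = yes",
        "",
        f"[proxy-{backend.name}]",
        f"accept = {accept}",
        f"connect = {backend.host}:{backend.port}",
        f"cert = {backend.cert}",
        f"key = {backend.key}",
        f"CAfile = {backend.cafile}",
        "verify = 2",
        "",
    ])


def failover_step(backends: Sequence[Backend], current: Optional[Backend],
                  probe_fn: Callable[[str, int], bool] = probe
                  ) -> Tuple[Optional[Backend], Optional[str]]:
    """One heartbeat round.

    Returns (backend to use, new config text or None).  A new config is produced
    only when the choice changes; when every backend is down the current config is
    kept, so an already-established tunnel is not torn down by a transient outage.
    """
    chosen = pick_live(backends, probe_fn)
    if chosen is None or chosen == current:
        return current, None
    return chosen, render_config(chosen)


def reload_stunnel(pidfile: str) -> bool:
    """Signal the running stunnel to re-read its configuration (assumed: SIGHUP)."""
    try:
        with open(pidfile) as f:
            pid = int(f.read().strip())
        os.kill(pid, signal.SIGHUP)
        return True
    except (OSError, ValueError):
        return False


if __name__ == "__main__":  # example loop; backends and paths are hypothetical
    import time
    backends = [
        Backend("a", "tls-a.example.net", 443, "/etc/stunnel/client-a.pem",
                "/etc/stunnel/client-a.key", "/etc/stunnel/ca-a.pem"),
        Backend("b", "tls-b.example.net", 443, "/etc/stunnel/client-b.pem",
                "/etc/stunnel/client-b.key", "/etc/stunnel/ca-b.pem"),
    ]
    current = None
    while True:
        current, new_conf = failover_step(backends, current)
        if new_conf is not None:
            with open("/etc/stunnel/failover.conf", "w") as f:
                f.write(new_conf)
            reload_stunnel("/var/run/stunnel-failover.pid")
        time.sleep(30)
```

With this in place the PAC file needs only one PROXY entry, 127.0.0.1:4441, because the heartbeat moves that port between servers; the browser-side failover list from question 2 cannot do the same job, since the local accept port is open whether or not the remote side is up.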