We're looking for a way to add some kind of cross-control between an application and the TLS tunnelling tool that protects the data. I'll give an example, which may be easier to understand.
My BigDatabase has its login/password authentication process. Since my customers want to access the database through bad Internet, we set up an SSL/TLS frontend. Each customer has his own X509 certificate, with all proper bells and jingles in it. The frontend checks the certificate (CA sig, validity, revocation, etc.) and then, as it should, passes the unencrypted flow to the application.
There is no way (or, rather, we have not found any way) to cross-check that the certificate AND the requested, application-level login are linked together. This means that my evil neighbour, who bribed my gullible cat to get my login and password, could connect to my account (app-level auth) using his X509 cert (TLS tunnel auth).
We would like to perform this cross-check between X509 certificate AND application-level auth.
From our point of view, this means that we need to "extract and send" some parts of the certificate (DN, validity dates, etc.) to some secondary tool/proxy. This one would then check whether the data is coherent with respect to the application credentials.
Mr Henrik Riomar sent a patch (http://www.stunnel.org/pipermail/stunnel-users/2012-October/003909.html) to the list last October that is one step closer to what we are looking for. We could build from it.
Maybe some of you have already solved this kind of problem, or know of a tool that answers this kind of need?
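The "secondary tool" the post describes, as an added example (this is neither the poster's code nor anything from stunnel or the patch linked above): the TLS frontend terminates the tunnel, extracts the client certificate's subject DN, issuer DN and validity dates, and hands them together with the application-level login to a checker that decides whether the two identities belong together. The certificate fields use the same layout that Python's `ssl.SSLSocket.getpeercert()` returns when the frontend is run with `cert_reqs=ssl.CERT_REQUIRED`, so a Python frontend could pass that result straight through; the account-to-certificate binding table, the two sample customer certificates, the rogue-CA certificate and the fixed clock are all constructed for the example. The checker deliberately matches the whole subject DN plus the issuer DN, not just the CN, so that a second CA the frontend happens to trust cannot mint a "CN=alice" that passes, and it re-checks the validity window rather than relying on the frontend alone.

```python
"""Cross-check a TLS client certificate against an application-level login.

Added example, not stunnel code.  Models the secondary checker described
in the post: the TLS frontend passes certificate fields plus the login,
and the checker answers whether they are bound to each other.
"""
import ssl
import time

# Attribute type names as ssl.getpeercert() spells them -> RFC 4514 short
# names.  Anything not listed is emitted with its long name unchanged.
SHORT_NAMES = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU",
    "commonName": "CN", "emailAddress": "emailAddress",
}

# Hypothetical CA that issues the customer certificates (constructed).
TRUSTED_ISSUER = "C=FR,O=Example Corp,CN=Example Customer CA"

# Hypothetical binding table: application login -> the one certificate
# identity allowed to use it (constructed).  Binding on issuer + full
# subject DN rather than on CN alone is the point of the check.
ACCOUNT_BINDINGS = {
    "alice": {"issuer": TRUSTED_ISSUER, "subject": "C=FR,O=Example Corp,CN=alice"},
    "bob":   {"issuer": TRUSTED_ISSUER, "subject": "C=FR,O=Example Corp,CN=bob"},
}


def _escape(value):
    # Subset of RFC 4514 value escaping: enough that a crafted attribute
    # value such as 'alice,O=Example Corp' cannot masquerade as RDN
    # structure once the DN is compared as a string.
    return "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)


def dn_to_string(dn):
    """Render a getpeercert()-style DN (tuple of RDN tuples) as one string."""
    return ",".join(
        "+".join("%s=%s" % (SHORT_NAMES.get(t, t), _escape(v)) for t, v in rdn)
        for rdn in dn
    )


def check_binding(peercert, login, now=None):
    """Return (ok, reason).  ok is True only if every check passed.

    peercert: dict in the layout of ssl.SSLSocket.getpeercert().
    login:    the application-level username presented inside the tunnel.
    now:      epoch seconds; defaults to the wall clock.
    """
    now = time.time() if now is None else now
    binding = ACCOUNT_BINDINGS.get(login)
    if binding is None:
        return False, "unknown login %r" % login
    issuer = dn_to_string(peercert.get("issuer", ()))
    if issuer != binding["issuer"]:
        return False, "certificate not issued by the expected CA (%s)" % issuer
    # The frontend already enforced the validity window; checking again
    # costs nothing and closes the gap if the two are not in step.
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    subject = dn_to_string(peercert.get("subject", ()))
    if subject != binding["subject"]:
        return False, "subject %r is not bound to login %r" % (subject, login)
    return True, "ok"


def _cert(cn, issuer_cn=TRUSTED_ISSUER.rsplit("CN=", 1)[1]):
    # Constructed sample certificate in getpeercert() layout.
    return {
        "subject": ((("countryName", "FR"),), (("organizationName", "Example Corp"),),
                    (("commonName", cn),)),
        "issuer": ((("countryName", "FR"),), (("organizationName", "Example Corp"),),
                   (("commonName", issuer_cn),)),
        "notBefore": "Jan  1 00:00:00 2012 GMT",
        "notAfter": "Dec 31 23:59:59 2013 GMT",
    }


ALICE_CERT = _cert("alice")
BOB_CERT = _cert("bob")
# Same CN, different CA: the frontend might trust this CA too.
ROGUE_ALICE_CERT = _cert("alice", issuer_cn="Some Other CA")
# Fixed clock inside the sample validity window (constructed).
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2013 GMT")

if __name__ == "__main__":
    cases = [("alice", ALICE_CERT), ("alice", BOB_CERT),       # neighbour with alice's password
             ("alice", ROGUE_ALICE_CERT), ("bob", ALICE_CERT)]
    for login, cert in cases:
        print(login, dn_to_string(cert["subject"]), check_binding(cert, login, NOW))
```

In this model the frontend only has to forward three things per connection (subject DN, issuer DN, validity dates); the serial number could be added to the binding table in the same way if a customer may hold several certificates from the same CA and only one of them should reach a given account.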