Hi!
I'm using stunnel to secure an AMQP message broker (RabbitMQ, specifically) using pre-shared certificates. This means that my backends never get to see the SSL certificate that the client used to connect -- unfortunately, it's that very backend that's the first who can decide if a message is malicious or not.
In order to sort-of fix this problem, I'm using UUIDs so that the keyspace is so absurdly huge that the odds that someone will guess a key are second to none. Still, if someone is misbehaving (trying a large number of bogus keys) it would be nice to know who it is so I could stop wasting CPU time and bandwidth on them. So, I was wondering if anyone has used stunnel (vanilla or modified) to keep statistical data about who connects (which certificates).
Additionally, does anyone know of a decent way to throttle per-certificate (or limit the amount of tunnels that can be opened per certificate). If all else fails I could just do normal throttling on a per-IP basis, which should get me roughly the same thing. The reason I want this is because I want to prevent users from even *trying* a large number of such keys (even though it's statistically unlikely that they'll get one) since it still takes me CPU time to process that junk.
Thanks in advance Laurens