On 10/08/2012 07:22 PM, Emmanuel Egensperger wrote:
> Is there any solution to my problem? Have I done something wrong?
I use a small patch for this; it also passes some more "nice to know" stuff to the application running "behind" stunnel. I agree that this patch might be shooting a bit over your target, but anyhow that is how I do it myself.
Patch description:
-----------------------------------------------------------------------
Allows passing of crypto parameters for the current client to the server "behind" stunnel. This allows the application in the server to take the crypto level and client-ip:port into account when offering a service (or not).

The client info is passed as the *first* line before the normal unencrypted data stream from the client.

Example: "192.168.10.53:53353;ECDHE-RSA-RC4-SHA"
-----------------------------------------------------------------------
The crypto level is nice to know, as stunnel can be configured to allow weaker ciphers (for backwards compatibility with older browsers). When the application sees a weak cipher it can require a one-time password as authentication, instead of the normal username:static-password. As this info is passed as a first line, the application needs to be written to take this into account.
Mike: I have been using this patch for some time without any issues; if you'd like to include it in stunnel, it is under public domain. The patch is re-based on top of 4.54b8. It is enabled with a new option "send_client_info = yes"; without this it does nothing.
Regards, Henrik
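Below is an added example of the application-side half of this scheme (the part Henrik says "needs to be written"); it is not part of the patch or of stunnel. It assumes the header is exactly one newline-terminated line in the "ip:port;cipher" form shown in the message, and it uses a hypothetical cipher-name heuristic (RC4, single DES, export, NULL and MD5 suites count as weak) to decide between static-password and one-time-password authentication. It fails closed: a missing, oversized or malformed header is rejected rather than treated as application data.

```python
import ipaddress
from dataclasses import dataclass

# Assumption for this example: substrings that mark a cipher suite as weak.
# The stunnel patch itself does no classification; it only forwards the name.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "EXP-", "NULL", "MD5")

# Longest header we are willing to buffer before giving up (defensive bound).
MAX_HEADER_LEN = 256


@dataclass(frozen=True)
class ClientInfo:
    ip: str
    port: int
    cipher: str
    weak: bool


def parse_client_info(line: str) -> ClientInfo:
    """Parse one 'ip:port;cipher' line as produced by the send_client_info patch."""
    if line.count(";") != 1:
        raise ValueError(f"malformed client info: {line!r}")
    endpoint, cipher = line.split(";")

    # rpartition so a ':'-containing (IPv6) address still splits at the port.
    host, sep, port_text = endpoint.rpartition(":")
    if not sep or not port_text.isdigit():
        raise ValueError(f"malformed endpoint: {endpoint!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ip = ipaddress.ip_address(host)  # raises ValueError on anything that is not an address

    # OpenSSL cipher names are alphanumerics plus '-' and '_'; reject anything else
    # so a hostile first line cannot smuggle odd bytes into logs or auth decisions.
    if not cipher or not all(c.isalnum() or c in "-_" for c in cipher):
        raise ValueError(f"malformed cipher name: {cipher!r}")

    weak = any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS)
    return ClientInfo(str(ip), port, cipher, weak)


def split_client_info(data: bytes):
    """Split the stunnel-supplied first line from the application payload after it.

    Returns (ClientInfo, remaining_bytes). Raises ValueError if no complete header
    line is present within MAX_HEADER_LEN bytes, so the caller never mistakes
    application data for (or the absence of) a header.
    """
    nl = data.find(b"\n", 0, MAX_HEADER_LEN + 1)
    if nl < 0:
        raise ValueError("client-info header missing or too long")
    header = data[:nl].decode("ascii").rstrip("\r")  # dotted IPs and cipher names are ASCII
    return parse_client_info(header), data[nl + 1:]


def required_auth(info: ClientInfo) -> str:
    """Policy from the message: weak cipher -> one-time password, else static password."""
    return "one-time-password" if info.weak else "static-password"


if __name__ == "__main__":
    # Constructed sample: the example header from the message followed by an HTTP request.
    sample = b"192.168.10.53:53353;ECDHE-RSA-RC4-SHA\nGET / HTTP/1.0\r\n\r\n"
    info, payload = split_client_info(sample)
    print(f"client {info.ip}:{info.port} cipher={info.cipher} weak={info.weak}")
    print(f"auth required: {required_auth(info)}")
    print(f"payload starts with: {payload[:14]!r}")
```

Because the header is prepended to plaintext that stunnel has already decrypted, the application must only trust it on listeners that are actually reached through stunnel with `send_client_info = yes`; on a listener exposed directly, the first line is attacker-controlled and the parser above treats it as just another malformed input.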