On 10/08/2012 07:22 PM, Emmanuel Egensperger wrote:
Is there any solution to my problem? Have I done
something wrong?
I use a small patch for this; it also passes some more "nice to
know" stuff to the application running "behind" stunnel. I agree
that this patch might be shooting a bit over your target, but anyhow
that is how I do it myself.
Patch description:
-----------------------------------------------------------------------
Allows passing of crypto parameters for the current client to the
server "behind" stunnel. This allows the application in the server
to take the crypto level and client-ip:port into account when
offering a service (or not).
The client info is passed as the *first* line before the normal
unencrypted data stream from the client.
Example "192.168.10.53:53353;ECDHE-RSA-RC4-SHA"
-----------------------------------------------------------------------
The crypto level is nice to know as stunnel can be configured to
allow weaker cryptos (for backwards compatibility with older
browsers). When the application sees a weak crypto it can require a
one-time password as authentication, instead of normal
username:static-password. As this info is passed as a first line,
the application needs to be written to take this into account.
Mike: I have been using this patch for some time without any issues,
if you like to include it in stunnel it is under public domain. The
patch is re-based on top of 4.54b8. It is enabled with a new option
"send_client_info = yes", without this it does nothing.
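The following is an added example of what the "application behind stunnel" side of this scheme looks like; it is not part of the patch or of the message above. It assumes the exact format described in the email (one line `ip:port;cipher` terminated by a newline, followed by the normal plaintext stream) and uses a made-up list of substrings to classify a cipher name as weak; the sample stream is constructed for the example.

```python
"""Parse the client-info prefix line that the patched stunnel prepends
to the plaintext stream, and decide which authentication to demand.

Added example, not stunnel code. Assumptions (not from the original
message): IPv4 or IPv6 literal with the port after the last colon,
ASCII cipher names, and the WEAK_CIPHER_MARKERS list below.
"""
import io
from dataclasses import dataclass
from typing import Tuple

# Hypothetical classification: any cipher whose OpenSSL name contains one
# of these substrings is treated as "weak" and triggers the OTP requirement.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


@dataclass(frozen=True)
class ClientInfo:
    ip: str
    port: int
    cipher: str

    @property
    def weak_cipher(self) -> bool:
        name = self.cipher.upper()
        return any(marker in name for marker in WEAK_CIPHER_MARKERS)

    @property
    def required_auth(self) -> str:
        # Policy from the email: weak crypto -> one-time password,
        # otherwise the normal username + static password.
        return "one-time-password" if self.weak_cipher else "username:password"


def parse_client_info_line(line: bytes) -> ClientInfo:
    """Parse b'192.168.10.53:53353;ECDHE-RSA-RC4-SHA\\n' into a ClientInfo.

    Raises ValueError on anything that does not match the expected shape,
    so a malformed or missing prefix is never silently treated as data.
    """
    text = line.decode("ascii").rstrip("\r\n")
    endpoint, sep, cipher = text.partition(";")
    if not sep or not cipher:
        raise ValueError("client-info line lacks ';cipher' part: %r" % text)
    # rpartition so an IPv6 literal with colons still splits at the port.
    host, sep2, port_text = endpoint.rpartition(":")
    if not sep2 or not host:
        raise ValueError("client-info line lacks 'ip:port' part: %r" % text)
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return ClientInfo(host, port, cipher)


def read_client_info(stream: io.BufferedIOBase) -> Tuple[ClientInfo, bytes]:
    """Consume the first line of the stream as client info and return it
    together with the remaining application data (here read in full)."""
    first_line = stream.readline()
    if not first_line.endswith(b"\n"):
        raise ValueError("stream ended before the client-info line")
    info = parse_client_info_line(first_line)
    return info, stream.read()


# Constructed sample: what the application would see from the patched stunnel
# for the example client in the email, followed by an ordinary HTTP request.
SAMPLE_STREAM = b"192.168.10.53:53353;ECDHE-RSA-RC4-SHA\nGET / HTTP/1.1\r\n"


if __name__ == "__main__":
    info, payload = read_client_info(io.BytesIO(SAMPLE_STREAM))
    print(info, "->", info.required_auth)
    print("payload:", payload)
```

Two points worth keeping in mind when deploying something like this. The prefix line is only as trustworthy as the path it arrived on: the application's listening socket must be reachable from stunnel alone (loopback or a Unix socket with appropriate permissions), because anything that can connect to it directly can write its own first line. And the parser should fail closed, as above, rather than fall back to the "normal" authentication when the line is missing or malformed; otherwise a stunnel instance that was started without `send_client_info` would quietly disable the weak-cipher check.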