I should not have said I am using client certificates. I tested them and verified I can authenticate with them. However, I do not want to deploy a PKI with the current application. I need to authenticate users against an existing LDAP server using username and password.
It looks like a lot is already there. Basically I want to do something like the connect protocol option. I will probably just add a new protocol called ldap or something like that. I see the TODO list includes replacing protocol.c with a scripting engine. That would be perfect.
-----Original Message----- From: Brian Hatch [mailto:bri@stunnel.org] Sent: Friday, March 07, 2008 4:34 AM To: Joe Kemp Cc: stunnel-users@mirt.net Subject: Re: [stunnel-users] Username authentication
About 2008-03-04 17:05 -0500, Joe Kemp voiced:
I want to try to use stunnel as a "simple" client vpn. It solves all of my encryption issues but I would like to verify a username/password before it lets the traffic through. I didn't see any patches or hacks out there that did this. Has this been attempted before or am I on my own. I would also be interested in other solutions based on openssl that are not network device level VPNs clients.
You want to use X509 certificate verification. It's the way authentication is done in the SSL world. It's built into Stunnel.
You may also want to look at tappipe, which is Michal's VPN-over-Stunnel package. I use it very successfully for a few of my connections.
Already using client side certificates and I know that is the normal SSL authentication mechanism....
Then why don't you want to use them? ;-)
-- Brian Hatch Waltz, nymph, for quick jigs vex Bud. Systems and --28 letter panagram Security Engineer http://www.ifokr.org/bri/
Every message PGP signed