Stefan Behte wrote:
I believe the overflow was fixed in the newer version of the patch I've attached.
I have briefly reviewed the patch and I couldn't find any vulnerabilities indeed. On the other hand its coding style makes my eyes bleed. 8-)
IMHO the patch will still be very useful, even if it does not support keep-alive: often in high-performence setups keep-alive is not even
desired
because it fills up ressources needlessly. Even if this does not provide all features, a lot of people would be satisfied with it.
There is a great desire for this patch, if one searches for "stunnel x-forwarded-for" on google, you will find more than 60 pages and not
only a
few dozens of blogs/mailing lists that discuss applying the patch and getting it to work as an SSL terminator for loadbalancing software.
This feature is on my TODO list for quite a long time. http://stunnel.org/?page=sdf_todo I guess some people use stunnel for expensive, high-performance clusters. It seems strange that none of them decided to sponsor adding a clean implementation with support for persistent HTTP connections. Maybe they don't care.
BTW: Isn't it better to use non-local bind ("transparent=source") instead?
If it's too much of a hassle for you to review and/or integrate the
patch,
I can understand that very well, I'd just like to open a discussion and would like to know if you have concerns regarding the patch quality,
even
if you do not want to include the patch at this time. :)
I'm not going to integrate the patch as it is. That's for sure.
Re-implementing the same functionality (i.e. without persistent HTTP connections) seems to be quite simple, but the idea of adding a BOA (broken on arrival) feature seems awkward to me.
Mike