On Sun, 03 Feb 2013 19:54:06 +0100 Pierre-Yves Bonnetain py.bonnetain@ba-consultants.fr wrote:
> Hello Javier,
> On 02/02/13 22:40, Javier wrote:
> > Then, I can't help here. You'll need a separate app in the middle to allow only one username and password that could pass to the DB app if correct, as well as the rest of the data traffic.
> That's what we are working on: some small additions to stunnel, to (optionally) send some certificate-related data to the downlink application, and a protocol-aware relay downlink (in front of the real application). This relay will receive the certificate-related data and the stunnel-decrypted data flow, make its checks and let it pass or drop everything.
> Sincerely,
I see, but you don't need to send any certificate-related data if you already have one relay app instance for each stunnel service. You only have to bother with finding an application to relay.
I mean:
stunnel service 1 with level 3 verification only accepts user 1's certificate and relays data to relayer app instance 1, which only accepts user 1's username and password. stunnel service 2 with level 3 verification only accepts user 2's certificate and relays data to relayer app instance 2, which only accepts user 2's username and password.
As long as stunnel won't accept more certificates for each service than the one set to verify, and the app behind each service only accepts that certificate user's username and password, all is done: no other user can use that stunnel service unless they know all the login data that is personalized for that user.
I think that now there is a closer approach to link certificate access and user/pass access without the need to pass certificate data to another application.
But I have to admit that for me it would be enough; understanding your case, though, it won't be for you, so I can only wish you find the solution :) With my knowledge I couldn't do better...
I hope you can find what you need :)
Regards.
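The per-user service layout Javier describes, written out as an stunnel.conf. This is an added example, not a configuration from the thread; the port numbers, file names and relay addresses are assumptions, and each CApath is assumed to hold exactly one user's certificate.

```ini
; Server-side stunnel: one [service] per user, each pinned to a single
; client certificate (verify = 3) and forwarded to that user's own relay.
; Assumed paths and ports; adapt to the real deployment.

cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key
client = no
foreground = no

[user1]
accept  = 0.0.0.0:5001
; Relay instance 1 (assumed to listen on localhost:6001) must in turn
; accept only user 1's username and password.
connect = 127.0.0.1:6001
verify  = 3
; With verify = 3 the peer certificate itself must be present in CApath.
; The directory holds only user1's certificate, named after the hash of
; its subject (e.g. as produced by c_rehash), so no other cert is accepted.
CApath  = /etc/stunnel/trusted/user1

[user2]
accept  = 0.0.0.0:5002
; Relay instance 2 (assumed on localhost:6002) accepts only user 2's login.
connect = 127.0.0.1:6002
verify  = 3
CApath  = /etc/stunnel/trusted/user2
```

The binding between certificate and login then rests on two things a defender should check: that each CApath really contains one certificate, and that each relay instance really rejects every credential but its own.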