Attached is a patch which extends the "connect=" and "CApath=" options to allow these parameters to be obtained dynamically at connect-time via a URL lookup, rather than statically from the stunnel configuration file.  It is a generalization of an earlier patch to 4.04 submitted by Jan Piet-Mens which does something similar using LDAP lookups.  Feedback is appreciated!

Here is a summary of the functionality, along with some notes:
  1. The patch was written to allow stunnel to dynamically route and authenticate incoming connections based on parameters found in the client's certificate.
  2. Routing and authentication information is obtained by issuing a URL lookup, so the information can be obtained from a variety of local or remote sources.
  3. It is particularly useful in high-volume, load-balancing scenarios where many copies of stunnel are running on multiple front-end servers.  It allows the destination socket and client certificate verification info to be obtained on-the-fly from a centralized database.
  4. Although primarily intended for use with HTTP, this patch uses the libcurl URL library and should work with all of its supported protocols: HTTP, HTTPS, FTP, FTPS, TFTP, DICT, TELNET, LDAP or FILE.
As a brief example, an end-user might configure their stunnel as follows:

cert = id.pem
verify = 2
CApath = ca_dir
CAlookup = http://database.stunnel.org/map_client.php?hash=%h

[dynamic]
accept = 50000
connect = @ http://database.stunnel.org/map_client.php?common_name=%n

In this scenario, an incoming stunnel connection would obtain its connect info from database.stunnel.org by sending an HTTP request and passing the common name found in the client certificate.  Similarly, the client's certificate would be verified using CA certificates obtained via HTTP lookup to the same host.

Comments are appreciated.

Thanks,

Dan Jakubiec
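Editor's added example (not part of the patch or of stunnel itself): the post substitutes %n (client certificate common name) and %h (hash) into a lookup URL and uses the reply as the connect target, but does not show how the fields are escaped or how the reply is validated.  The CN is chosen by whoever obtained the client certificate, so if it is pasted into the query string raw it can add or override parameters; and because the example lookup runs over plain http://, the reply is only as trustworthy as the network path, so at minimum it should be parsed strictly rather than handed to connect() as-is.  The helpers below are an assumed hardened version of those two steps, written in Python with constructed sample values; the template URL is the one from the post.

```python
"""Added example: safe substitution of client-certificate fields into a
lookup URL, and strict parsing of the 'host:port' reply.

This is not code from the stunnel patch; it is an assumption of what a
hardened implementation of the %n / %h substitution should do."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Template taken from the post; the CN is a constructed hostile value that
# tries to smuggle a second common_name parameter into the query string.
SAMPLE_TEMPLATE = "http://database.stunnel.org/map_client.php?common_name=%n"
HOSTILE_CN = "alice&common_name=admin"


def naive_url(template, cn):
    """Raw substitution: a CN containing '&' or '=' rewrites the query."""
    return template.replace("%n", cn)


def safe_url(template, cn=None, cert_hash=None):
    """Percent-encode each substituted field (safe='') so it can only ever
    be one query value.  Only %n and %h are substituted; other '%' in the
    template are left untouched."""
    def sub(match):
        key = match.group(1)
        value = cn if key == "n" else cert_hash
        if value is None:
            raise ValueError("template needs %%%s but no value was given" % key)
        return quote(value, safe="")
    return re.sub(r"%([nh])", sub, template)


def query_params(url):
    """Decode the query string the way a typical web backend would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


# One DNS label: 1..63 chars, alphanumeric with interior hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:%s\.)*%s$" % (_LABEL, _LABEL))


def parse_connect_reply(body):
    """Accept only a single 'host:port' line (hostname or IPv4 literal).

    An HTML error page, an empty body, or extra lines raises ValueError, so a
    failed or tampered lookup cannot silently become a connect target."""
    line = body.strip()
    if not line or "\n" in line or "\r" in line:
        raise ValueError("reply must be exactly one host:port line")
    host, sep, port = line.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("reply must be host:port")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not HOST_RE.match(host):
        raise ValueError("bad host name in reply")
    return host, port


if __name__ == "__main__":
    print("naive:", query_params(naive_url(SAMPLE_TEMPLATE, HOSTILE_CN)))
    print("safe: ", query_params(safe_url(SAMPLE_TEMPLATE, cn=HOSTILE_CN)))
    print(parse_connect_reply("backend1.internal:8443\n"))
```

With the hostile CN the naive form yields two common_name values ("alice" and "admin"); a backend that keeps the last one would route the connection as "admin".  The encoded form yields the single literal value, and parse_connect_reply refuses anything that is not one well-formed host:port line.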