Hi Mike,
 
Our employees have to authenticate a second time in the web applications, but the cookies have long lifetimes, so it is not really annoying.
 
We really need authentication of individual TLS connections (as the first step of authentication), because our main problem is that some of these web applications are quite old and the server software reached its end-of-support date a long time ago. So we are using the reverse HTTPS proxy service of our firewall to prevent direct access to this problematic server. So "bad guys" on the internet are only able to "play around" with the up-to-date reverse HTTPS proxy and are not able to try bad things with the old server software and the old web applications. As long as the "bad guys" do not find a valid https password, they are not able to search for security bugs in the application server or in the web application itself. This is (sadly) at the moment the only solution we have which fits our time and money budget.
 
stunnel came to mind because I did something similar before in another project with client certificate https authentication. That solution was based on stunnel on the HTTP server side, and it was really easy to configure stunnel for this task! But client certificates are not an option in this case. It has to be TOTP.
 
So your suggestion is to use some dedicated reverse HTTPS proxy in combination with e.g. privacyIDEA, right? I guess this will get much more complicated than the client certificate based https authentication based on stunnel before, but I will try my very best  :-)
 
Best regards,
Martin
 
Sent: Saturday, 31 October 2015 at 00:37
From: "Michal Trojnara" <Michal.Trojnara@mirt.net>
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] One Time Password for https two factor authentication

Hi Martin,

As far as I understood your description, what you need is additional
authentication of web application sessions, rather than authentication
of individual TLS connections.

I guess you need a specialized reverse HTTP(S) proxy. Stunnel is a
generic TCP/TLS proxy. It has no understanding of HTTP and web
applications.

Best regards,
Mike

On 29.10.2015 21:11, hamburg-barmbek@gmx.de wrote:
> At the moment we’re using an https wrapper service in our
> firewall appliance to manage restricted access to some of our
> websites. For two-factor authentication we’re using privacyIDEA as
> RADIUS server. Most of our users/employees use the "Google
> Authenticator" app for one-time password generation. Some use the
> "Feitian C-200" (but I do not like the C-200, because I do not know
> how to program a new seed myself). Both generators are based on
> the quite simple TOTP algorithm
> (https://tools.ietf.org/html/rfc6238). The https password is a
> combination of a fixed password directly followed by the TOTP
> password.
>
> Because we want to change the firewall appliance, we have to find a
> new solution. Is it possible (or is it a planned feature for the
> near future) to handle authentication in stunnel with RADIUS? Or,
> even better/simpler, is TOTP supported by stunnel? I wasn't able to
> find anything like this in the documentation.
>
> Regards, Martin
>
> _______________________________________________ stunnel-users
> mailing list stunnel-users@stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
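As an added example (not code from this thread, from stunnel or from privacyIDEA): the credential scheme Martin describes, a fixed password immediately followed by an RFC 6238 TOTP code, verified the way a RADIUS-style backend behind the proxy has to verify it. It assumes the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits); the class and function names are hypothetical, and the seed is the RFC 4226/6238 test key so the results are reproducible. It goes slightly beyond the thread by burning each accepted time step, so that a captured code cannot be replayed within its validity window.

```python
"""Verify a combined "static password || TOTP" credential (RFC 4226 / RFC 6238).

Added example, not code from the mailing-list thread, stunnel or privacyIDEA.
Assumes: the submitted password is a fixed password directly followed by a
6-digit TOTP code, HMAC-SHA1 with a 30-second step (Google Authenticator
defaults). Names such as CombinedPasswordVerifier are hypothetical.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor((T - T0) / X)."""
    return hotp(secret, (unix_time - t0) // step, digits)


class CombinedPasswordVerifier:
    """Checks one string of the form 'fixed password' + 'TOTP code'.

    The per-user record holds the static password, the TOTP seed and the
    highest time-step counter already accepted, so an accepted code is
    really one-time and cannot be replayed while the step is still valid.
    """

    def __init__(self, static_password: str, seed: bytes,
                 digits: int = 6, step: int = 30, window: int = 1):
        self.static_password = static_password
        self.seed = seed
        self.digits = digits
        self.step = step
        self.window = window      # tolerated clock skew, in time steps either side
        self.last_counter = -1    # highest time-step counter already used

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if len(submitted) <= self.digits:
            return False          # no room for a static part in front of the code
        static_part, code = submitted[:-self.digits], submitted[-self.digits:]

        # Compare the static part in constant time and do NOT short-circuit on
        # it, so response timing does not reveal which half was wrong.
        static_ok = hmac.compare_digest(static_part.encode(), self.static_password.encode())

        counter = now // self.step
        code_ok, matched = False, -1
        for c in range(counter - self.window, counter + self.window + 1):
            # Steps at or below the last accepted one are burned (replay protection).
            if c > self.last_counter and hmac.compare_digest(hotp(self.seed, c, self.digits), code):
                code_ok, matched = True, c

        if static_ok and code_ok:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    # Constructed demo seed (the RFC test key); a real deployment uses a per-user secret.
    seed = b"12345678901234567890"
    print("current code for the demo seed:", totp(seed, int(time.time())))
```

The verifier deliberately accepts a code from one step either side of the current time (the `window`), which is the usual concession to token clock drift; the price is that each code stays valid for up to 90 seconds, which is exactly why the accepted step is recorded and refused a second time. Note that nothing here looks at TLS at all: the check needs the submitted password, i.e. the HTTP request body or header, which is why a generic TCP/TLS proxy like stunnel cannot perform it and an HTTP-aware reverse proxy (or the RADIUS backend it calls) has to.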