Hello,
NB: this patch is provided as an alpha version: it handles only one request at a time for each of the administrative and ident servers.
Why use this patch? This patch can be useful when:
- you provide access to the Internet via your stunnel server and your legislation requires you to keep logs of who connected where and when. In this case, your Squid logs will be filled with the identification of stunnel clients in a very simple way: nothing is asked of the client, as stunnel automatically uses the client's certificate to fill in the identity fields.
- you want to implement several access profiles for your clients accessing your web proxy/server: as the proxy sends an ident request to stunnel, you can create filter groups to allow / deny access (with redirection to a page that you can customize) depending on stunnel's answer: see the filtergroups option of DansGuardian or the acl options in Squid.
Patch to version : 4.26
Type : new feature
Description : Identification Propagation using stunnel client certificates
The patch proposes to extend the identification propagation provided by the 'EXEC=' directive to the 'CONNECT=' directive when using client certificates. With the EXEC directive, the Subject Name and Issuer Name of clients are put in environment variables, which allows the program to determine the identity of the stunnel client. This patch adds an ident server functionality to stunnel, compliant with RFC 1413, to allow propagation of identification to remote hosts specified by the service directive 'CONNECT='. Additionally, this patch provides an administrative server "bound" to the ident server: on the administrative socket (default 127.0.0.1:790), you can request the number of users currently connected and list them.
How to use this patch? You just have to add an 'identServer=yes' directive to the services for which you want to propagate identification.
For example, you can use this patch when connecting to a DansGuardian web proxy (installed on proxy.example.com) with the option authplugin = '/etc/dansguardian/authplugins/ident.conf' enabled in the configuration file (or when connecting to a Squid web proxy compiled with the --enable-ident-lookups option), and the following stunnel configuration file (located in /etc/ssl/stunnel/stunnel-ident.conf):
...
[WEB]
accept=8080
connect=proxy.example.com:8080
identServer=yes
...
Stunnel will create a listening socket on 0.0.0.0:113 and answer requests initiated by DansGuardian.
-- Christophe Nanteuil
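Added example, not part of the patch or of stunnel: a minimal RFC 1413 responder of the kind described above. A connection table maps the (port on this host, port on the proxy) pair of an active tunnel to the verified certificate subject of the stunnel client, and the proxy's ident lookup receives that subject as the USERID. The port numbers, subjects and the "0, 0" reply for an unparseable request are constructed assumptions.

```python
import re
import socket

# Constructed sample connection table: (local port, port on proxy) -> cert subject
CONNECTIONS = {
    (51234, 8080): "CN=alice,O=Example",
    (51235, 8080): "CN=bob,O=Example",
}

# RFC 1413 request: "<port-on-server> , <port-on-client>" terminated by CRLF
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def ident_response(line, table=CONNECTIONS, opsys="UNIX"):
    """Build the RFC 1413 reply for one request line.

    port-on-server is the TCP port on this (stunnel) host and port-on-client
    the port on the querying proxy, exactly as the proxy sees the connection.
    """
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        # No port pair to echo back: assumed convention, reply with 0, 0
        return "0, 0 : ERROR : INVALID-PORT"
    sport, cport = int(m.group(1)), int(m.group(2))
    pair = f"{sport}, {cport}"
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{pair} : ERROR : INVALID-PORT"
    subject = table.get((sport, cport))
    if subject is None:
        # No tunnel with that port pair: never reveal anything else
        return f"{pair} : ERROR : NO-USER"
    # The user-id field may not contain CR or LF and is capped at 512 octets
    subject = subject.replace("\r", "").replace("\n", "")[:512]
    return f"{pair} : USERID : {opsys} : {subject}"

def handle_query(conn, table=CONNECTIONS):
    """Serve exactly one ident query on an accepted socket, then close it."""
    try:
        data = conn.recv(1024).decode("ascii", errors="replace")
        reply = ident_response(data, table) + "\r\n"
        conn.sendall(reply.encode("ascii", errors="replace"))
    finally:
        conn.close()

if __name__ == "__main__":
    # The patch listens on 0.0.0.0:113; 127.0.0.1:1113 here for an unprivileged local test
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 1113))
    srv.listen(1)
    while True:
        client, _ = srv.accept()
        handle_query(client)
```

Query it with `printf '51234, 8080\r\n' | nc 127.0.0.1 1113` to see the reply the proxy's ident plugin would receive.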