Mike:
Given this: what is the best way for Stunnel to make authentication and authorization decisions based on information presented in the certificate from the peer? My question comes from: how do I do level 3 checking in a scalable manner when my order of magnitude is in the thousands...
Much thanks
Sekhar
-------------------------------
Message: 3
Date: Tue, 31 Jan 2006 09:51:06 +0100
From: "Michal Trojnara" Michal.Trojnara@mobi-com.net
Subject: RE: [stunnel-users] FQDN validation and checking within STunnel
To: stunnel-users@mirt.net
Message-ID: 20060131085108.B053F1C130@linode.mirt.net
Content-Type: text/plain; charset="us-ascii"
Nagasundaram, Sekhar wrote:
Is there a setting in Stunnel to do FQDN checking?
DNS is not a secure protocol (http://www.securesphere.net/download/papers/dnsspoof.htm). Security should not be based on DNS checks. I'm not going to implement this feature.
Best regards, Mike
------------------------------
Message: 4
Date: Tue, 31 Jan 2006 10:41:37 +0100
From: "Michal Trojnara" Michal.Trojnara@mobi-com.net
Subject: RE: --with-threads=ucontext portability (was Re: [stunnel-users] stunnel4.x.x and IRIX)
To: stunnel-users@mirt.net
Message-ID: 20060131094139.33A011C17C@linode.mirt.net
Content-Type: text/plain; charset="iso-8859-1"
Miloslav Trmac wrote:
I have just seen a crash at a similar place on x86_64. The apparent cause is sthreads.c:116:
makecontext(&ctx->ctx, (void(*)(void))cli, 1, arg);
arg is a void *, but:
- the size is given as 1; it should be (sizeof (arg) + sizeof (int) - 1) / sizeof (int) because the "size" is defined as a number of int arguments
- it won't work anyway; makecontext () is defined to work only for integer parameters. It is not possible to pass a pointer as integers on x86_64, which uses registers to pass the first 6 integer or pointer parameters.
Are we still talking about IRIX? http://nixdoc.net/man-pages/IRIX/man3c/makecontext.3c.html I can't find any of the mentioned limitations in the manual. Just the opposite: "the arguments that follow the argc parameter for makecontext are restricted to longs and pointers only".
Best regards, Mike
------------------------------
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

End of stunnel-users Digest, Vol 18, Issue 19
*********************************************
Nagasundaram, Sekhar wrote:
Given this: what is the best way for Stunnel to make authentication and authorization decisions based on information presented in the certificate from the peer? My question comes from: how do I do level 3 checking in a scalable manner when my order of magnitude is in the thousands...
For a huge number of certificates you should use "verify = 2" and CRLpath (or CRLfile) to implement revocation of compromised keys.
Best regards, Mike
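An added example, not from the list or the stunnel project, showing the shape of Mike's answer as a stunnel configuration: a service that requires a client certificate and verifies its chain against one CA (verify = 2) and consults a directory of CRLs, instead of keeping a local copy of every peer certificate as level 3 would. All paths, the service name and the ports are assumptions.

```ini
; Added example (not stunnel's own config); paths and ports are assumptions.
; Level 3 needs a copy of every peer certificate in CApath, which does not
; scale to thousands of peers. Level 2 checks the chain against the CA and
; revokes individual compromised keys through a CRL.

cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

[imaps]
accept  = 993
connect = 143

; Require a client certificate and verify its chain against the issuing CA.
verify  = 2
CAfile  = /etc/stunnel/ca.pem

; Revocation: one CRL per issuing CA, stored under hashed file names.
; OpenSSL looks a CRL up as <issuer hash>.r0 (then .r1, ...), which can be
; produced with:  ln -s ca.crl $(openssl crl -hash -noout -in ca.crl).r0
; A single CRL can be given instead with CRLfile = /etc/stunnel/ca.crl
CRLpath = /etc/stunnel/crls
```

Re-issue the CRL before its nextUpdate time: once it has expired, OpenSSL treats the CRL check as failed and the connection is refused rather than silently accepted.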