Hi list,
I've written a patch to bring in the following directives:
- evilconnect
- evilexec/evilexecargs
The idea is when stunnel works in server mode and is asked to verify the client's certificate, it normally shuts the connection down when the latter is invalid. With these options, when the certificate can't be verified, stunnel redirects the "evil" connection to another destination.
What is the purpose of this new feature?
For instance, if your company does not allow SSH connections out, you may use the following configuration:

    connect = yourdomain.com:22
    evilconnect = www.yourdomain.com:80
So you will access your SSH server with your valid user certificate. On the other hand, if an over-zealous sneaky admin looks at the proxy logs and tries to connect to your stunnel, it will be redirected to an uninteresting website ;).
Here is the documentation:

    evilconnect = [host:]port
        connect to a remote host:port when the client's certificate cannot
        be verified

        This is only meaningful in server mode when connect and verify are
        used. Otherwise it has the same properties as the connect option.

    evilexec = executable_path (Unix only)
        execute local inetd-type program when the client's certificate cannot
        be verified

        This is only meaningful in server mode when exec and verify are
        used. Otherwise it has the same properties as the exec option.

    execargs = $0 $1 $2 ... (Unix only)
        arguments for evilexec including program name ($0)

        Quoting is currently not supported. Arguments are separated with
        arbitrary number of whitespaces.
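As an added illustration (not part of the original post, and evilconnect is not a stock stunnel directive), here is a complete server-mode stunnel.conf for the SSH scenario above. It assumes the semantics described in the documentation and uses assumed file paths; cert, CAfile, accept, verify and connect are standard stunnel options.

```ini
; Server-side stunnel.conf (assumed paths) using the proposed evilconnect
; directive with the semantics given in the patch description.
cert = /etc/stunnel/server.pem
; CA that issued the user certificates allowed to reach the SSH server
CAfile = /etc/stunnel/client-ca.pem

[ssh-behind-tls]
accept = 443
; verify = 2: require a client certificate and check it against CAfile;
; the evilconnect fallback only applies in server mode with verify set
verify = 2
; clients presenting a valid certificate are forwarded to the SSH server
connect = yourdomain.com:22
; every other client is forwarded to the public web server instead of
; having the connection dropped, so the SSH backend is never exposed
evilconnect = www.yourdomain.com:80
```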
I'd like to thank Mathieu CHOUQUET-STRINGER who actually had this very good idea and implemented a proof of concept code with GnuTLS.
Also, thanks to Vin0x64 <vincent vin0x64 fr> who tested this patch and verified that it works.
Looking forward to your remarks... thanks!
Best regards,
And well... the patch ;-).
On Tue, Jul 28, 2009 at 11:14:49PM +0200, Jeremie Le Hen wrote:
Jeremie Le Hen