Stefan Behte wrote:

I believe the overflow was fixed in the newer version of the patch I've attached.

I have briefly reviewed the patch and I couldn't find any vulnerabilities indeed. On the other hand its coding style makes my eyes bleed. 8-)

IMHO the patch will still be very useful, even if it does not support keep-alive: often in high-performence setups keep-alive is not even

desired

because it fills up ressources needlessly. Even if this does not provide all features, a lot of people would be satisfied with it.

There is a great desire for this patch, if one searches for "stunnel x-forwarded-for" on google, you will find more than 60 pages and not

only a

few dozens of blogs/mailing lists that discuss applying the patch and getting it to work as an SSL terminator for loadbalancing software.

This feature is on my TODO list for quite a long time. http://stunnel.org/?page=sdf_todo I guess some people use stunnel for expensive, high-performance clusters. It seems strange that none of them decided to sponsor adding a clean implementation with support for persistent HTTP connections. Maybe they don't care.

BTW: Isn't it better to use non-local bind ("transparent=source") instead?

If it's too much of a hassle for you to review and/or integrate the

patch,

I can understand that very well, I'd just like to open a discussion and would like to know if you have concerns regarding the patch quality,

even

if you do not want to include the patch at this time. :)

I'm not going to integrate the patch as it is. That's for sure.

Re-implementing the same functionality (i.e. without persistent HTTP connections) seems to be quite simple, but the idea of adding a BOA (broken on arrival) feature seems awkward to me.

Mike