[stunnel-users] stunnel patch to support URL lookups for parameters (take 2)

Dan Jakubiec dan.jakubiec at gmail.com
Wed Dec 13 21:04:56 CET 2006


Attached is a patch which extends the "connect=" and "CApath=" options
to allow these parameters to be obtained dynamically at connect-time
via a URL lookup, rather than statically from the stunnel
configuration file.  It is a generalization of an earlier patch to
4.04 submitted by Jan Piet-Mens which does something similar using
LDAP lookups.  Feedback is appreciated!

Here is a summary of the functionality, along with some notes:

1. The patch was written to allow stunnel to dynamically route and
authenticate incoming connections based on parameters found in the
client's certificate.

2. Routing and authentication information is obtained by issuing a URL
lookup, so the information can be obtained from a variety of local or
remote sources.

3. It is particularly useful in high-volume, load-balancing scenarios
where many copies of stunnel are running on multiple front-end
servers.  It allows the destination socket and client certificate
verification info to be obtained on-the-fly from a centralized
database.

4. Although primarily intended for use with HTTP, this patch uses the
libcurl URL library and should work with all of its supported
protocols: HTTP, HTTPS, FTP, FTPS, TFTP, DICT, TELNET, LDAP or FILE.


As a brief example, an end-user might configure their stunnel as follows:

  cert = id.pem
  verify = 2
  CApath = ca_dir
  CAlookup = http://database.stunnel.org/map_client.php?hash=%h

  [dynamic]
  accept = 50000
  connect = @http://database.stunnel.org/map_client.php?common_name=%n

In this scenario, an incoming stunnel connection would obtain its
connect info from database.stunnel.org by sending an HTTP request and
passing the common name found in the client certificate.  Similarly,
the client's certificate would be verified using CA certificates
obtained via HTTP lookup to the same host.

Comments are appreciated.

Thanks,

Dan Jakubiec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: url_lookup.pat
Type: application/octet-stream
Size: 21633 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20061213/c5d05636/attachment.obj>
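The following is an added illustration of the lookup mechanism described in the post; it is not code from the attached patch or from the stunnel project. It assumes that "%n" and "%h" in the templates are replaced by the client certificate's common name and subject hash respectively, that the remote script answers with a single "host:port" line (the post does not define the response format), and it stands in for database.stunnel.org with a constructed in-memory table. The two points a deployer would want to see are that the substituted value must be percent-encoded so a crafted CN cannot add or override query parameters in the lookup request, and that the answer must be validated strictly before being used as a connect target.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Templates as in the sample configuration from the post.
CONNECT_TEMPLATE = "http://database.stunnel.org/map_client.php?common_name=%n"
CA_TEMPLATE = "http://database.stunnel.org/map_client.php?hash=%h"

# Constructed stand-in for the central database (assumption: the real
# map_client.php is not shown; here it returns "host:port" or nothing).
BACKEND_BY_CN = {
    "client-a.example": "10.0.0.11:8443",
    "client-b.example": "10.0.0.12:8443",
}

# Only a hostname/IPv4 literal and a decimal port are accepted back.
_HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253}):(?P<port>[0-9]{1,5})$")


def expand_url(template, common_name=None, subject_hash=None):
    """Substitute %n (common name) and %h (subject hash) into the template.

    Values are percent-encoded with no characters left safe, so a CN such
    as 'a&common_name=evil' becomes one opaque query value instead of a
    second parameter.  Unknown placeholders are rejected rather than
    silently passed through.
    """
    values = {"n": common_name, "h": subject_hash}

    def repl(match):
        key = match.group(1)
        if key not in values:
            raise ValueError("unsupported placeholder %%%s" % key)
        if values[key] is None:
            raise ValueError("no value available for %%%s" % key)
        return quote(values[key], safe="")

    return re.sub(r"%(.)", repl, template)


def parse_connect_target(body):
    """Validate a lookup response and return (host, port)."""
    match = _HOSTPORT_RE.match(body.strip())
    if not match:
        raise ValueError("lookup returned malformed connect target: %r" % body)
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return match.group("host"), port


def lookup_connect(common_name, fetch):
    """Resolve the connect target for a client CN via the URL lookup.

    `fetch` is any callable taking a URL and returning the response body
    (or None when the database has no entry); in the patch this role is
    played by libcurl.
    """
    url = expand_url(CONNECT_TEMPLATE, common_name=common_name)
    body = fetch(url)
    if body is None:
        raise LookupError("no connect entry for CN %r" % common_name)
    return parse_connect_target(body)


def fake_fetch(url):
    """Constructed server side: answer as map_client.php is assumed to."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    cn_values = query.get("common_name", [])
    if len(cn_values) != 1:
        return None
    return BACKEND_BY_CN.get(cn_values[0])


if __name__ == "__main__":
    print(expand_url(CA_TEMPLATE, subject_hash="3a2b1c0d"))
    print(lookup_connect("client-a.example", fake_fetch))
    try:
        lookup_connect("a&common_name=client-a.example", fake_fetch)
    except LookupError as exc:
        print("rejected:", exc)
```

With encoding in place, a certificate whose CN smuggles an extra `common_name=` parameter reaches the database as one literal string and simply fails to match; without it, the server-side script would see two `common_name` values and which one wins depends on the web stack. Whatever format the real script returns, the same rule applies: treat the answer as untrusted input and accept only what a connect target can legitimately be.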
