[stunnel-users] Distinguished Name (DN) is a cleartext network communication?
Michael Renner
michael.renner at gmx.de
Thu Jan 8 20:45:48 CET 2009
On Wednesday 07 January 2009, Michal Trojnara wrote:
> On Wednesday, 7 January 2009, Michael Renner wrote:
> > I am confused. Trying to use the DN as a kind of password replacement I
> > saw that the DN goes unencrypted through the network, while the traffic
> > itself is encrypted, of course.
>
> [cut]
>
> > This is, more or less, the content of the DN. Is there a chance to
> > encrypt this?
>
> Why would you like/need to encrypt the certificate? It's sent before the
> encryption keys are negotiated, so it's obviously not encrypted. A
> certificate is by definition something publicly available, so I can't see
> any reason to encrypt it.
Moin Michal and Karl, thanks for the answer.
I see, using the certificate this way is the wrong approach for me. This is (or
should become) my setup:
A server should appear like a 'normal' https webserver to others. More or
less interesting, or just a 404 error message. However: it should appear
harmless to others, just like a webserver.
Behind this, a proxy server (squid) should be running. Only authorized users should
be able to use it.
So my first idea was to use a client certificate and a server side script
(started by stunnel's 'exec' statement) to switch from 'webserver' mode to
the 'proxy' mode:
#!/bin/sh
# Started by stunnel's 'exec' option after the TLS handshake; stunnel
# exports the verified client certificate's subject DN in SSL_CLIENT_DN.
# POSIX sh compares strings with '=' (not '==').
if [ "${SSL_CLIENT_DN}" = "/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel client/CN=mars.vbox4php.org/emailAddress=michael.renner at gmx.de" ]; then
    # authorized client: hand the connection over to the squid proxy
    nc localhost 3128
else
    #echo "this server is offline, please try again later"
    #nc www.example.org 80
    # everybody else only gets a static 404 page
    cat /etc/stunnel/404.html
fi
This works so far: I can configure my browser to use the local tunnel endpoint
as the proxy address, because I have the right certificate in the client's
stunnel configuration. Others with an 'ordinary' browser see only the 404
page.
But this setup is senseless, since the DN is readable with a network sniffer.
It does not appear harmless any longer after a closer look into the network
traffic. But it has to.
Now I need another idea to implement such a service.
Any hint?
Thanks
--
|Michael Renner E-mail: michael.renner at gmx.de |
|D-81541 Munich Germany ICQ: #112280325 |
|Germany Don't drink as root! ESC:wq
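The point Michal makes, that the client certificate (and with it the DN) is sent before any keys are negotiated, is easy to see on the wire. The following is an added illustration, not code from the thread or from stunnel: it builds a TLS 1.2 Certificate handshake record by hand (content type 22, handshake type 11) around a constructed DER X.501 Name standing in for the certificate, and then parses the DN straight back out of the cleartext bytes with a small ASN.1 walker, exactly as a passive observer could. All bytes, names and OID values are constructed sample data; the same walk works on a real DER certificate, since the subject Name is embedded in it with the same encoding. One caveat worth knowing: this applies to TLS 1.2 and earlier, which is what was in use in 2009; TLS 1.3 sends the Certificate message under the handshake traffic keys, so the DN is no longer visible there.

```python
"""Why a client DN is visible to a sniffer in a TLS 1.2 handshake (constructed example)."""
import struct

# Attribute-type OIDs that commonly occur in a subject DN.
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress",
}

def der_tlv(tag, body):
    """Encode one DER tag-length-value (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(enc)
    return der_tlv(0x06, bytes(out))

def der_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String } (constructed stand-in)."""
    sets = b""
    for oid, value in rdns:
        atv = der_tlv(0x30, der_oid(oid) + der_tlv(0x0C, value.encode()))
        sets += der_tlv(0x31, atv)
    return der_tlv(0x30, sets)

def tls12_certificate_record(cert_der):
    """Wrap DER bytes as the first entry of a Certificate handshake message in a TLS 1.2 record."""
    cert_entry = len(cert_der).to_bytes(3, "big") + cert_der
    cert_list = len(cert_entry).to_bytes(3, "big") + cert_entry
    handshake = bytes([11]) + len(cert_list).to_bytes(3, "big") + cert_list
    return bytes([22, 3, 3]) + struct.pack(">H", len(handshake)) + handshake

def der_read(buf, pos):
    """Read one TLV starting at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body back to dotted form."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def find_name_attributes(der):
    """Walk constructed DER and collect every AttributeTypeAndValue { OID, string } it contains."""
    found = []
    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, body, pos = der_read(buf, pos)
            if not tag & 0x20:          # primitive element: nothing to descend into
                continue
            if tag == 0x30 and body and body[0] == 0x06:
                _, oid_body, p = der_read(body, 0)
                t2, val_body, _ = der_read(body, p)
                if t2 in (0x0C, 0x13, 0x16):   # UTF8String, PrintableString, IA5String
                    oid = der_decode_oid(oid_body)
                    found.append((OID_NAMES.get(oid, oid), val_body.decode()))
                    continue
            walk(body)
    walk(der)
    return found

def cleartext_dn_from_record(record):
    """If the record is a cleartext Certificate handshake message, return its DN; else None."""
    if record[0] != 22:                  # not a handshake record (e.g. 23 = application data)
        return None
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if hs[0] != 11:                      # not a Certificate message
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    first_len = int.from_bytes(body[3:6], "big")   # skip list length, read first entry
    attrs = find_name_attributes(body[6:6 + first_len])
    return "/" + "/".join(f"{k}={v}" for k, v in attrs)

# Constructed sample: a DN resembling the one in the thread, sent "on the wire".
SAMPLE_RDNS = [("2.5.4.6", "DE"), ("2.5.4.10", "vbox4php"), ("2.5.4.3", "mars.vbox4php.org")]
SAMPLE_RECORD = tls12_certificate_record(der_name(SAMPLE_RDNS))

if __name__ == "__main__":
    print(cleartext_dn_from_record(SAMPLE_RECORD))   # -> /C=DE/O=vbox4php/CN=mars.vbox4php.org
```

Nothing in this walk needs a key: the only thing protecting the DN on a TLS 1.2 connection is that nobody is looking. The practical consequence for a setup like the one above is that whatever distinguishes an authorized client must travel inside the encrypted channel (after the handshake), not in the certificate itself.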