[stunnel-users] Feature request: set environment variable for inetd-type program

Michael Renner michael.renner at gmx.de
Sat Jan 24 19:39:47 CET 2009 

On Friday 23 January 2009, Lund, Claus wrote:
> I'm not a developer on stunnel so my opinion doesn't carry much weight  :-)
> But, to me, this seems a bit outside the scope of what's stunnel's main
> goal in life. Why not just have that authentication handled between the
> client and server programs using the tunnel stunnel provides? Or maybe I
> just don't quite get what you're trying to accomplish (a totally plausible
> option!).

Moin,

thanks for your answer. The scenario is simple; at least at the first view.

To reach a proxy server in a country or an other network with less internet 
restrictions. This is more or less a simple setup. stunnel at both ends 
(firefox can not use https to connect to a proxy). 

challenge no 1: protect the proxy from use/abuse by others 
challenge no 2: nobody must know that you use a proxy, even if somebody is 
using a network sniffer to track the network packages. Therefore, this proxy 
must act like a harmless https webserver for others.

scenario no 1: a curious person knows, that I have a lot of traffic to 
192.0.20.1:443. He connect with a browser to https://192.0.20.1 and get a 
squid error message, that this request was not unserstood -> suspect

scenario no 2: The curious person connect with a browser to https://192.0.20.1 
and get a password dialog: suspect

scenario no 3: The curious persion connect to https://192.0.20.1 and get a 
client certificate error -> suspect

I have success to set an additional http header using the firefox 
plugin "modify header". as a door opener. At the moment, every connect with 
this header is processed as a request to the proxy and it should be possible 
to find a way to treat connections without this header like a normal http 
request (or a redirection to a harmless web site).
 
But I am afraid to forget to switch off the header entry when I surf without 
the proxy between (because the proxy filter out this header and its value).

Well, the possibility to set some variables for an inetd-type program (a 
simple script) will solve this problem in a simple way. If the right variable 
is set: forward the connection to the proxy, if not forward the connection to 
a web server.

Maybe you have an other idea?

CU

>
> -Claus
>
> -----Original Message-----
> From: stunnel-users-bounces at mirt.net
> [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Michael Renner Sent:
> Friday, January 23, 2009 1:34 PM
> To: stunnel-users at mirt.net
> Subject: [stunnel-users] Feature request: set environment variable for
> inetd-type program
>
> Moin,
>
> I am not a programmer, I am a writer and user, so I have to ask kindly for
> a additional stunnel feature
> I need the ability to push some information from the stunnel client side to
> the server side. To be more concrete: a self written script that is called
> by stunnels 'exec' statement need some settings, e.g. username and
> password. My idea is to configure this in the client side stunnel.conf and
> pass this as a environment variable to this script.
> There is no chance to pack these stings in a client certificate, because
> everybody who is able to handle snoop/tcpdump will be able to read this.
>
> I imagine a configuration like this:
>
> client stunnel.conf
> [foo]
> accept = 127.0.0.1:1234
> connect = 192.0.20.0:443
> env = "SUSER=renner"
> env = "SPASS=geheim"
>
>
> server stunnel.conf
> [foo]
> accept = 192.0.20.0:443
> exec = /opt/foo/script.sh
> env = yes
>
> My question to the developers: do you think this is a helpful feature, also
> for others?
>
> Greetings



-- 
|Michael Renner      E-mail: michael.renner at gmx.de  |
|D-81541 Munich      Germany        ICQ: #112280325 |
|Germany             Don't drink as root!      ESC:wq

More information about the stunnel-users mailing list