[stunnel-users] stunnel throttling and statistics

Laurens Van Houtven lvh at laurensvh.be
Thu Jul 9 16:01:51 CEST 2009


Hi!


I'm using stunnel to secure an AMQP message broker (RabbitMQ,
specifically) using pre-shared certificates. This means that my
backends never get to see the SSL certificate that the client used to
connect -- unfortunately, it's that very backend that is the first that
can decide whether a message is malicious or not.

In order to sort-of fix this problem, I'm using UUIDs so that the
keyspace is so absurdly huge that the odds that someone will guess a
key are second to none. Still, if someone is misbehaving (trying a
large number of bogus keys) it would be nice to know who it is so I
could stop wasting CPU time and bandwidth on them. So, I was wondering
if anyone has used stunnel (vanilla or modified) to keep statistical
data about who connects (which certificates).

Additionally, does anyone know of a decent way to throttle
per-certificate (or limit the number of tunnels that can be opened per
certificate)? If all else fails I could just do normal throttling on a
per-IP basis, which should get me roughly the same thing. The reason I
want this is because I want to prevent users from even *trying* a
large number of such keys (even though it's statistically unlikely
that they'll get one) since it still takes me CPU time to process that
junk.

Thanks in advance
Laurens
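One way to get the per-certificate accounting and throttling the post asks about without modifying stunnel is to drive it off stunnel's own log. The script below is an added example, not code from the original post or from the stunnel project. It assumes stunnel is run with `verify = 2` (client certificate required) and `debug = 7`, and that the log lines look like the constructed sample inside the script (stunnel 4.x style: an "accepted connection from" line followed by "VERIFY OK: depth=N, <subject>" lines on the same `[pid:tid]` thread). Treat that line format, the service name `amqps`, the subjects and the addresses as assumptions; adjust the regexes to your stunnel version. Connections that never produce a leaf-certificate VERIFY line fall back to a per-IP identity, which is the fallback the post mentions.

```python
"""Per-certificate connection accounting and throttling from stunnel logs.

Added example; not part of the original post or of stunnel. The log line
format below is an assumption modelled on stunnel 4.x output.
"""
import calendar
import re
import time
from collections import defaultdict, deque

# Constructed sample input, not a real capture. Service name, subjects
# and addresses are placeholders. Thread 5 never logs a depth=0 VERIFY OK
# (handshake failed or aborted), so it is only identifiable by IP.
SAMPLE_LOG = """\
2009.07.09 16:01:51 LOG5[4242:1]: amqps accepted connection from 192.0.2.10:51234
2009.07.09 16:01:51 LOG5[4242:1]: VERIFY OK: depth=1, /C=BE/O=Example/CN=Example CA
2009.07.09 16:01:51 LOG5[4242:1]: VERIFY OK: depth=0, /C=BE/O=Example/CN=client-01
2009.07.09 16:01:52 LOG5[4242:2]: amqps accepted connection from 192.0.2.10:51235
2009.07.09 16:01:52 LOG5[4242:2]: VERIFY OK: depth=1, /C=BE/O=Example/CN=Example CA
2009.07.09 16:01:52 LOG5[4242:2]: VERIFY OK: depth=0, /C=BE/O=Example/CN=client-01
2009.07.09 16:01:52 LOG5[4242:3]: amqps accepted connection from 198.51.100.7:40001
2009.07.09 16:01:52 LOG5[4242:3]: VERIFY OK: depth=1, /C=BE/O=Example/CN=Example CA
2009.07.09 16:01:52 LOG5[4242:3]: VERIFY OK: depth=0, /C=BE/O=Example/CN=client-02
2009.07.09 16:01:53 LOG5[4242:4]: amqps accepted connection from 192.0.2.10:51236
2009.07.09 16:01:53 LOG5[4242:4]: VERIFY OK: depth=1, /C=BE/O=Example/CN=Example CA
2009.07.09 16:01:53 LOG5[4242:4]: VERIFY OK: depth=0, /C=BE/O=Example/CN=client-01
2009.07.09 16:01:54 LOG5[4242:5]: amqps accepted connection from 203.0.113.9:60000
"""

# Assumed stunnel line shape: "<date> <time> LOG<level>[pid:tid]: <message>".
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) '
    r'LOG\d\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$')
ACCEPT_RE = re.compile(r'^\S+ accepted connection from (?P<ip>[\d.]+):\d+$')
# Only the leaf certificate (depth=0) identifies the client; CA lines are ignored.
VERIFY_RE = re.compile(r'^VERIFY OK: depth=0, (?P<subject>/.+)$')


def parse_ts(text):
    """Log timestamp -> epoch seconds (only differences matter here)."""
    return calendar.timegm(time.strptime(text, "%Y.%m.%d %H:%M:%S"))


def connections(log_text):
    """Yield (ts, identity, ip) per accepted connection, in log order.

    Accept and VERIFY lines are correlated by the (pid, tid) thread tag.
    identity is the leaf-cert subject when one was logged for that thread,
    otherwise 'ip:<addr>' as the per-IP fallback.
    """
    pending = {}  # (pid, tid) -> [ts, ip, subject-or-None]
    order = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or unrecognised line; ignored on purpose
        key = (m['pid'], m['tid'])
        accept = ACCEPT_RE.match(m['msg'])
        if accept:
            rec = [parse_ts(m['ts']), accept['ip'], None]
            pending[key] = rec  # a reused thread id starts a fresh record
            order.append(rec)
            continue
        verify = VERIFY_RE.match(m['msg'])
        if verify and key in pending:
            pending[key][2] = verify['subject']
    for ts, ip, subject in order:
        yield ts, (subject if subject else 'ip:' + ip), ip


class SlidingWindowLimiter:
    """Allow at most max_conns connections per identity in any window seconds."""

    def __init__(self, max_conns, window):
        self.max_conns = max_conns
        self.window = window
        self.hits = defaultdict(deque)  # identity -> timestamps inside the window

    def allow(self, identity, ts):
        q = self.hits[identity]
        while q and ts - q[0] >= self.window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.max_conns:
            return False
        q.append(ts)
        return True


def audit(log_text, max_conns=2, window=10):
    """Return ({identity: total connections}, [(identity, ip, ts) over limit])."""
    counts = defaultdict(int)
    offenders = []
    limiter = SlidingWindowLimiter(max_conns, window)
    for ts, identity, ip in connections(log_text):
        counts[identity] += 1
        if not limiter.allow(identity, ts):
            offenders.append((identity, ip, ts))
    return dict(counts), offenders


if __name__ == "__main__":
    totals, over = audit(SAMPLE_LOG)
    for ident, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {ident}")
    for ident, ip, ts in over:
        print(f"over limit: {ident} from {ip} at {ts}")
```

Run against the sample, `client-01` opens three tunnels in three seconds and its third connection is reported as over a limit of two per ten seconds; the connection on thread 5 is counted under `ip:203.0.113.9`. In practice you would tail the live log (or pipe `debug = 7` output through syslog) and feed the offending subject or address to whatever enforcement point you have, for instance a firewall rule in front of stunnel, since the script only reports.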
