[stunnel-users] [patch] Redirect to a fake destination if client's certificate couldn't be verified
Jeremie Le Hen
jeremie at le-hen.org
Tue Jul 28 23:14:49 CEST 2009
Hi list,
I've written a patch to bring in the following directives:
- evilconnect
- evilexec/evilexecargs
The idea is when stunnel works in server mode and is asked to verify the
client's certificate, it normally shuts the connection down when the
latter is invalid. With these options, when the certificate can't be
verified, stunnel redirects the "evil" connection to another
destination.
What is the purpose of this new feature ?
For instance, if your company does not allow SSH connections out, you
may use the following configuation:
% connect = yourdomain.com:22
% evilconnect = www.yourdomain.com:80
So you will access your SSH server with your valid user certificate. On
the other hand, if an over-zealous sneaky admin looks at the proxy logs
and tries to connect to your stunnel, it will be redirected to an
uninteresting website ;).
Here is the documentation:
% evilconnect = [host:]port
% connect to a remote host:port when the client's certificate cannot
% be verified
%
% This is only meaningful in server mode when connect and verify are
% used. Otherwise it has the same properties as the connect option.
%
% evilexec = executable_path (Unix only)
% execute local inetd-type program when the client's certificate can-
% not be verified
%
% This is only meaningful in server mode when exec and verify are
% used. Otherwise it has the same properties as the exec option.
%
% execargs = $0 $1 $2 ... (Unix only)
% arguments for evilexec including program name ($0)
%
% Quoting is currently not supported. Arguments are separated with
% arbitrary number of whitespaces.
I'd like to thank Mathieu CHOUQUET-STRINGER who actually had this very
good idea and implemented a proof of concept code with GnuTLS.
Also, thank to Vin0x64 <vincent vin0x64 fr> who tested this patch and
verified that it works.
Looking forward for your remarks... thanks!
Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
More information about the stunnel-users
mailing list