[stunnel-users] [patch] Redirect to a fake destination if client's certificate couldn't be verified
Jeremie Le Hen
jeremie at le-hen.org
Wed Jul 29 11:47:20 CEST 2009
And well... the patch ;-).
On Tue, Jul 28, 2009 at 11:14:49PM +0200, Jeremie Le Hen wrote:
> Hi list,
>
> I've written a patch to bring in the following directives:
> - evilconnect
> - evilexec/evilexecargs
>
> The idea is when stunnel works in server mode and is asked to verify the
> client's certificate, it normally shuts the connection down when the
> latter is invalid. With these options, when the certificate can't be
> verified, stunnel redirects the "evil" connection to another
> destination.
>
> What is the purpose of this new feature?
>
> For instance, if your company does not allow SSH connections out, you
> may use the following configuration:
> % connect = yourdomain.com:22
> % evilconnect = www.yourdomain.com:80
>
> So you will access your SSH server with your valid user certificate. On
> the other hand, if an over-zealous sneaky admin looks at the proxy logs
> and tries to connect to your stunnel, it will be redirected to an
> uninteresting website ;).
>
> Here is the documentation:
> % evilconnect = [host:]port
> % connect to a remote host:port when the client's certificate cannot
> % be verified
> %
> % This is only meaningful in server mode when connect and verify are
> % used. Otherwise it has the same properties as the connect option.
> %
> % evilexec = executable_path (Unix only)
> % execute local inetd-type program when the client's certificate can-
> % not be verified
> %
> % This is only meaningful in server mode when exec and verify are
> % used. Otherwise it has the same properties as the exec option.
> %
> % execargs = $0 $1 $2 ... (Unix only)
> % arguments for evilexec including program name ($0)
> %
> % Quoting is currently not supported. Arguments are separated with
> % arbitrary number of whitespaces.
>
> I'd like to thank Mathieu CHOUQUET-STRINGER who actually had this very
> good idea and implemented a proof of concept code with GnuTLS.
>
> Also, thanks to Vin0x64 <vincent vin0x64 fr> who tested this patch and
> verified that it works.
>
> Looking forward to your remarks... thanks!
>
> Best regards,
> --
> Jeremie Le Hen
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.27.bad_cert.patch
Type: text/x-diff
Size: 12467 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20090729/b3057719/attachment.patch>
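As an added illustration that is not part of the original message or of the attached patch, here is what a complete server-side stunnel.conf would look like when the proposed evilconnect directive is combined with the standard verification options. Everything except evilconnect is ordinary stunnel 4.x syntax; evilconnect exists only in the patch described in this thread. The file paths, host names and the accept port are placeholders chosen for the example.

```ini
; Added example (not from the original message or the patch):
; server-mode stunnel configuration that forwards verified clients
; to SSH and unverified clients to a harmless web server.
; Paths, host names and ports are placeholders.

; Certificate and key this stunnel instance presents to clients
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key

; CA that issued the user certificates we are willing to accept
CAfile = /etc/stunnel/ca.pem

; verify = 2 requires a client certificate and checks it against CAfile;
; without the patch, a client that fails this check is simply dropped
verify = 2

; act as an SSL server, not as a client
client = no

[ssh]
; port that the outbound proxy is willing to pass
accept = 443

; real destination for clients whose certificate verified
connect = yourdomain.com:22

; patch directive: destination for clients whose certificate did not verify;
; that host receives whatever the unverified client sends, so point it at
; something you are happy to expose to anyone
evilconnect = www.yourdomain.com:80
```

Comments are kept on their own lines because stunnel's configuration parser treats a whole line as a comment only when it starts with `;` or `#`; it does not strip trailing comments from a value.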