[stunnel-users] [patch] Redirect to a fake destination if client's certificate couldn't be verified

Jeremie Le Hen jeremie at le-hen.org
Wed Jul 29 11:47:20 CEST 2009


And well... the patch ;-).

On Tue, Jul 28, 2009 at 11:14:49PM +0200, Jeremie Le Hen wrote:
> Hi list,
> 
> I've written a patch to bring in the following directives:
>     - evilconnect
>     - evilexec/evilexecargs
> 
> The idea is when stunnel works in server mode and is asked to verify the
> client's certificate, it normally shuts the connection down when the
> latter is invalid.  With these options, when the certificate can't be
> verified, stunnel redirects the "evil" connection to another
> destination.
> 
> What is the purpose of this new feature?
> 
> For instance, if your company does not allow SSH connections out, you
> may use the following configuration:
> % connect = yourdomain.com:22
> % evilconnect = www.yourdomain.com:80
> 
> So you will access your SSH server with your valid user certificate.  On
> the other hand, if an over-zealous sneaky admin looks at the proxy logs
> and tries to connect to your stunnel, it will be redirected to an
> uninteresting website ;).
> 
> Here is the documentation:
> %  evilconnect = [host:]port
> %      connect to a remote host:port when the client's certificate cannot
> %      be verified
> %
> %      This is only meaningful in server mode when connect and verify are
> %      used.  Otherwise it has the same properties as the connect option.
> %
> %  evilexec = executable_path (Unix only)
> %      execute local inetd-type program when the client's certificate
> %      cannot be verified
> %
> %      This is only meaningful in server mode when exec and verify are
> %      used.  Otherwise it has the same properties as the exec option.
> %
> %  execargs = $0 $1 $2 ... (Unix only)
> %      arguments for evilexec including program name ($0)
> %
> %      Quoting is currently not supported.  Arguments are separated with
> %      arbitrary number of whitespaces.
> 
> I'd like to thank Mathieu CHOUQUET-STRINGER who actually had this very
> good idea and implemented a proof of concept code with GnuTLS.
> 
> Also, thanks to Vin0x64 <vincent vin0x64 fr> who tested this patch and
> verified that it works.
> 
> Looking forward to your remarks... thanks!
> 
> Best regards,
> -- 
> Jeremie Le Hen

-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
Attachment: stunnel-4.27.bad_cert.patch (text/x-diff, 12467 bytes)
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20090729/b3057719/attachment.patch>
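The documentation quoted above says evilconnect only takes effect in server mode with both connect and verify set, but the two-line example does not show the verification side. The following is an added, constructed stunnel.conf service section (not part of the patch or the mail); the paths, the service name ssh-gw and the hostnames are placeholders, and evilconnect is the directive the patch introduces, not a stock stunnel option.

```ini
; Constructed example stunnel.conf (server side) for the evilconnect patch.
; Paths, ports and hostnames are placeholders, not values from the mail.
cert   = /etc/stunnel/server.pem
key    = /etc/stunnel/server.key
; CA that issued the client certificates; verify checks clients against it
CAfile = /etc/stunnel/client-ca.pem

[ssh-gw]
accept = 443
; verify = 2: require a client certificate and verify it against CAfile.
; Without verify, evilconnect is never consulted and behaves like connect.
verify = 2
; clients whose certificate verifies are forwarded to the real service
connect = 127.0.0.1:22
; clients whose certificate is missing or does not verify are forwarded
; to the decoy destination instead of having the connection closed
evilconnect = www.yourdomain.com:80
```

Keep the stunnel log (debug = 5 or higher) for this service so that connections handed to the evilconnect destination remain visible to the operator; the patch changes where unverified clients go, not whether the failed verification is logged.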

