[stunnel-users] Individual user certs for each person who uses Windows PC
Michal Trojnara
Michal.Trojnara at mirt.net
Wed Sep 1 11:02:51 CEST 2010
Bucci, David G wrote:
> Thanks, guys, good ideas. Wow, subst, that's a blast from the past.
Some
> deployment sites will have networked homedirs, some won't, Michal.
Sure. That's exactly why I wrote "most" and not "all".
> Can I confirm, if stunnel is run by the user (whether manually or as
part
> of a login script), then when the user logs off, the process can be
relied
> on to be killed? I'm concerned that a leftover tunnel could be used to
> masquerade by a subsequent logon-ee).
http://msdn.microsoft.com/en-us/library/aa376876%28VS.85%29.aspx
> And ... does stunnel for Windows have any inherent way to only allow
> localhost access? (host.allow type mechanism). Our clients are not
running
> firewalls on their PCs, at least not all of them (closed network
> situation). Or alternatively, any way to specify what user is allowed
> access (like iptables can do in Linux)? Sorry, I'm not a Windows guy,
I'm
> still reeling from the fact that Windows doesn't have any inherent way
to
> do transparent proxying (not even on the Server versions).
The same mechanism is used on Windows and Unix/Linux. You need to bind
the service to the loopback interface instead of all interfaces, e.g.:
accept=127.0.0.1:12345
> As a feature request for the Windows version ... some way to tie in to
the
> system keystore, so that user certificates that are populated there can
be
> directly used. Implicit in that would be DER (and probably PKCS#12)
> support, I suppose.
I think this request should rather be addressed to the OpenSSL team.
AFAIK Windows Certificate Store was specifically designed to prevent
non-Microsoft SSL implementations from using it directly, i.e. without
manual key export.
Best regards,
Mike
More information about the stunnel-users
mailing list