[stunnel-users] Patch: Include source IP in connection failure log lines
Alex Gottschalk
alex.gottschalk at gmail.com
Wed Nov 23 22:57:12 CET 2011
I'm setting up an internet-facing server that will be running a
service wrapped with stunnel. Given that, it made sense to me to use
fail2ban to block repeat connection attempts from clients who don't
have the right certificate (the system is using client-certificate
authentication). Unfortunately, stunnel4 doesn't put the client
source IP in connection failure log lines, so I made this quick patch
to enable that.
---cut here----
--- src/client.c.orig 2011-10-05 16:47:48.000000000 -0700
+++ src/client.c 2011-10-05 16:50:37.000000000 -0700
@@ -358,10 +358,13 @@
continue;
}
}
- if(c->opt->option.client)
+ if(c->opt->option.client) {
sslerror("SSL_connect");
- else
- sslerror("SSL_accept");
+ } else {
+ char buf[255];
+ sprintf(buf, "SSL_accept from %s ", c->accepted_address);
+ sslerror(buf);
+ }
longjmp(c->err, 1);
}
if(SSL_session_reused(c->ssl)) {
----cut here----
More information about the stunnel-users
mailing list