[stunnel-users] X509 certificate info extract and use
Javier
meresponde2001-stn at yahoo.es
Sun Feb 3 22:26:26 CET 2013
On Sun, 03 Feb 2013 19:54:06 +0100
Pierre-Yves Bonnetain <py.bonnetain at ba-consultants.fr> wrote:
> Hello Javier,
>
> On 02/02/13 22:40, Javier wrote:
> > Then, I can't help here. You'll need a separate app in the middle
> > to allow only one username and password that could pass to the DB
> > app if correct, as well as the rest of data traffic.
>
> That's what we are working on: some small additions to stunnel, to
> (optionally) send some certificate-related data to the downlink
> application, and a protocol-aware relay downlink (in front of the real
> application). This relay will receive the certificate-related data and
> the stunnel-decrypted data flow, make its checks and let pass or drop
> everything.
>
> Sincerely,
I see, but you don't need to send any certificate-related data if
you already have one relay app instance for each stunnel service.
You only have to bother to find an application for the relay.
I mean:
stunnel service 1 with level 3 verification only accepts user 1's
certificate and relays data to relay app instance 1, which only
accepts user 1's username and password.
stunnel service 2 with level 3 verification only accepts user 2's
certificate and relays data to relay app instance 2, which only
accepts user 2's username and password.
As long as stunnel won't accept more certificates for each service
than the one it is set to verify, and the app behind each service only
accepts that certificate user's username and password, all is done: no
other user can use that stunnel service unless they know all the login
data that is personalized for that user.
I think that this is now a closer approach to linking certificate
access and user/pass access without needing to pass certificate data to
another application.
But I have to admit that for me this would be enough; understanding
your case, though, it won't be for you, so I can only wish you to find the
solution :) With my knowledge I couldn't do better...
I hope you can find what you need :)
Regards.
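The two-service layout Javier describes above, written out as a server-side stunnel configuration. This is an added example, not part of the original thread and not taken from stunnel's own documentation; the file paths, port numbers, service names and the assumption that each user's client certificate is self-signed are illustrative assumptions, not anything the thread states.

```ini
; Added example (not from the original thread): one stunnel service per
; user, each with verify = 3 (verify the peer against a locally installed
; certificate) and its own CAfile holding exactly one client certificate.
; Paths, ports and service names are assumptions for illustration.

; Server certificate and key shared by all services (assumed paths).
cert = /etc/stunnel/server.pem
key  = /etc/stunnel/server.key

; Service 1: only user1's certificate can complete the TLS handshake.
; Decrypted traffic goes to relay instance 1 on loopback, which knows
; only user1's username and password.
[db-user1]
accept  = 0.0.0.0:5001
connect = 127.0.0.1:15001
verify  = 3
CAfile  = /etc/stunnel/users/user1.pem

; Service 2: same pattern with a separate listener, a separate CAfile and
; a separate relay instance, so user2's certificate is never accepted on
; service 1 and vice versa.
[db-user2]
accept  = 0.0.0.0:5002
connect = 127.0.0.1:15002
verify  = 3
CAfile  = /etc/stunnel/users/user2.pem
```

Each CAfile contains only that user's public certificate, never a private key. With `verify = 3` stunnel requires the certificate the client presents to itself be present in the local store, so a certificate issued by the same CA to a different user is rejected even though its chain would validate. If the user certificates are CA-signed rather than self-signed, the issuing CA certificate must also be in that service's CAfile, because level 3 still performs the chain verification of level 2. The relay instances bind to loopback only, so the only path to relay instance N is through stunnel service N, which is what makes the certificate-to-credentials pairing hold.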