[stunnel-users] X509 certificate info extract and use

Pierre-Yves Bonnetain py.bonnetain at ba-consultants.fr
Tue Jan 15 14:16:55 CET 2013


Hello,

We're looking for a way to add some kind of cross-control between an
application and the TLS tunnelling tool that protects the data. I'll give
an example, that may be easier to understand.

My BigDatabase has it's login/password authentication process. Since my
customers want to access the database through bad Internet, we set up a
SSL/TLS frontend. Each customer has his own X509 certificate, with all
proper bells and jingles in it. The frontend checks the certificate (CA
sig, validity, revocation, etc.) and then, as it should, passes the
unencrypted flow to the application.

There is no way (or, rather, we have not found any way) to cross-check
that the certificate AND the requested, application-level login, are
linked together. This means that my evil neighbour, which bribed my
gullible cat to get my login and password, could connect to my account
(app-level auth) using his X509 cert (TLS tunnel auth).

We would like to perform this cross-check between X509 certificate AND
application-level auth.

>From our point of view, this means that we need to "extract and send" some
parts of the certificate (DN, validity dates, etc.) to some secondary
tool/proxy. This one will check if the data is coherent wrt application
credentials.

M. Henrik Riomar sent a patch
(http://www.stunnel.org/pipermail/stunnel-users/2012-October/003909.html)
on the list last october that is one step closer to what we are looking
for. We could build from it.

Maybe some of you have already solved this kind of problem, or know of a
tool that answer to this kind of needs ?

Tia,
-- 
Pierre-Yves Bonnetain-Nesterenko
B&A Consultants - Sécurité informatique - www.ba-consultants.fr
Tel. : +33 (0) 563 277 241 - Fax : +33 (0) 567 737 829




More information about the stunnel-users mailing list