[stunnel-users] X509 certificate info extract and use

Javier meresponde2001-stn at yahoo.es
Fri Jan 25 20:52:12 CET 2013


On Tue, 15 Jan 2013 14:16:55 +0100
"Pierre-Yves Bonnetain" <py.bonnetain at ba-consultants.fr> wrote:

> My BigDatabase has its login/password authentication process. Since my
> customers want to access the database through bad Internet, we set up a
> SSL/TLS frontend. Each customer has his own X509 certificate, with all
> proper bells and jingles in it. The frontend checks the certificate (CA
> sig, validity, revocation, etc.) and then, as it should, passes the
> unencrypted flow to the application.

Hi, I'm quite late to your help request but, here I go :)

Assuming the frontend that checks the certificate is stunnel 
(otherwise I couldn't understand your explanation here)... I think 
you are missing the point there.

Let me ask one thing. When you say you pass "the unencrypted flow 
to the application", do you mean you pass the flow to an unencrypted 
connection too? If so, it is a big mistake.

Anyway I don't know how your scenario works but in my head there is 
this one:

- app with database can't accept direct Internet connections 
(important!!!!)
- stunnel needed on the client/user side and on the server.
- user certificate created with a password (so each time the user 
opens stunnel, stunnel asks for it in order to start)
- stunnel checks the certificate against the CA
- stunnel passes the flow to the app, and the app requests the 
user/password

Here you have a double identification check.

You have an encrypted connection in which it is checked that there is 
a valid certificate and, therefore, a valid user; you also have an 
application that, after the certificate has been checked, checks for 
a user and password before it can be used.

So, why do you need, or why are you seeking, a check of the 
certificate by the application?

Maybe I didn't explain it before. The application can't accept a 
connection if there is not a valid connection with stunnel first, 
which requires a valid certificate. So, why insist on checking the 
certificate?

I had this kind of connection you are describing here with an HTTP 
server that requested a login too, and I set it up as I explained. You 
can't log in to the HTTP server unless you have a valid certificate 
for stunnel to check.

The link between both is obvious, unless your neighbour has stolen 
your certificate, the password for your certificate and the password 
for the database app, and he also uses the same client database app. 
(Not impossible but... well, you know)

I hope I cleared your doubts a little ;)

Regards.
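The scenario described in the reply above (database reachable only through stunnel, mutual certificate checks against a CA, a passphrase-protected customer key, then the application's own login), written out as a pair of stunnel.conf fragments. This is an added example, not configuration from the thread or from the stunnel project; the service names, ports, hostname and file paths are assumptions, and the database port 5432 is a placeholder for whatever BigDatabase listens on.

```ini
; ---- Server side: stunnel.conf on the host in front of BigDatabase ----
; Assumptions: the database listens on 127.0.0.1:5432 only, the public
; TLS port is 5433, and the customer certificates were issued by the CA
; in customer-ca.pem.
[dbfrontend]
; public port customers connect to
accept  = 0.0.0.0:5433
; the application is bound to loopback, so it cannot be reached directly
connect = 127.0.0.1:5432
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
; CA that signed the customer certificates, plus its revocation list
CAfile  = /etc/stunnel/customer-ca.pem
CRLfile = /etc/stunnel/customer-ca.crl
; require a client certificate and verify it against CAfile.
; Weak setting to avoid: leaving 'verify' out (stunnel's default),
; which accepts any client whether or not it presents a certificate.
verify  = 2

; ---- Client side: stunnel.conf on the customer's machine ----
; Assumptions: the database client application is pointed at
; 127.0.0.1:5432, and the frontend is reachable as db.example.com.
[dbclient]
client  = yes
; the database client application connects here
accept  = 127.0.0.1:5432
; the frontend's public port above
connect = db.example.com:5433
cert    = /etc/stunnel/customer.pem
; passphrase-protected private key: stunnel prompts for the passphrase
; when it starts, which is the "certificate created with password" step
key     = /etc/stunnel/customer.key
; the client verifies the server's certificate too
CAfile  = /etc/stunnel/server-ca.pem
verify  = 2
```

Two checks worth doing after deploying this: confirm from outside that port 5432 on the server is not reachable at all (only 5433 should answer), and connect to 5433 with `openssl s_client` without a client certificate to confirm the handshake is rejected. Newer stunnel versions also offer `checkHost` on the client side to pin the expected server name in addition to the CA check.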
