[stunnel-users] TLS "translation" & 2-way auth

Peter Pentchev roam at ringlet.net
Wed Nov 15 13:36:20 CET 2017


On Wed, Nov 15, 2017 at 08:57:10AM -0300, Igor Gatis wrote:
> It would be nice to know whether it is actually possible to achieve this
> with stunnel. If not, is there any other tool I could use or combine?

It is possible to achieve this with stunnel running on server B with
two service definitions: one that runs in server mode, accepts a TLS
connection from server A, and forwards it to a local TCP port where
the second stunnel service definition runs in client mode and
establishes a TLS tunnel to server C.

I can try to come up with some configuration examples later; right now
I cannot really do any testing.

Best regards,
Peter

> On Nov 13, 2017 08:58, "Igor Gatis" <igorgatis at gmail.com> wrote:
> 
> Yep, that's exactly what I'm seeking help for here.
> 
> If we can abstract the 2-way bit for a second, I'd call this a "certificate
> transcription" TLS tunnel.
> 
> On Thu, Nov 9, 2017 at 5:19 PM, Vincent Deschenes <vdeschenes at stelvio.com>
> wrote:
> 
> > Ho,
> >
> > But that does not account for the A ->[TLS] ->B part.
> >
> > I believe that my sample will listen for unencrypted connections only.
> >
> > From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Vincent Deschenes
> > Sent: Thursday, 9 November 2017 3:16 PM
> > To: Igor Gatis <igorgatis at gmail.com>; stunnel-users at stunnel.org
> > Subject: Re: [stunnel-users] TLS "translation" & 2-way auth
> >
> > You need to have a section in your config file which listens for requests
> > but also has the "client = yes" option with a cert and key like this:
> >
> > [http_a_to_c]
> > client = yes
> > accept = port_number_to_listen_on_server_b
> > connect = server_c_address:443
> > cert = certificate.crt
> > key = private.key
> >
> > cert and key are the certificate and private key server B uses to identify
> > itself on server C.
> >
> > You could also add more options to specify a truststore to specify which
> > cert coming from server C server B will trust; otherwise server B will
> > simply allow the connection.
> >
> > Good Luck
> >
> > From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Igor Gatis
> > Sent: Thursday, 9 November 2017 1:14 PM
> > To: stunnel-users at stunnel.org
> > Subject: [stunnel-users] TLS "translation" & 2-way auth
> >
> > Consider the scenario below:
> >
> > Server A   ==TLS==> Server B  ==TLS+2WayAuth==> Server C
> >
> > Server A needs to connect to Server C through Server B, which runs Stunnel.
> > Server C requires 2-way authentication. I have full control over Server A
> > and Server B; Server C belongs to a third party.
> >
> > What should the Stunnel config look like?



-- 
Peter Pentchev  roam at ringlet.net roam at FreeBSD.org pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
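A concrete stunnel.conf for Server B following the two-service layout Peter describes (a server-mode service facing A, chained into a client-mode service facing C). This is an added example written for this page, not a configuration from the thread or from the stunnel project; the service names, ports, certificate file names and `server_c_address` are assumed placeholders.

```ini
; stunnel.conf on Server B (added example; all paths, ports and hostnames are placeholders)

; Global options
foreground = no
pid = /var/run/stunnel-b.pid
debug = notice

; Service 1: TLS server towards Server A.
; Terminates the A -> B TLS session and hands the plaintext to Service 2 on loopback.
[from_a]
accept = 0.0.0.0:8443
connect = 127.0.0.1:8080
; B's identity as seen by A
cert = /etc/stunnel/b_server.crt
key = /etc/stunnel/b_server.key
; Only accept clients holding a certificate issued by the CA that signed A's cert.
; Without requireCert/verifyChain any TLS client that can reach port 8443 gets relayed to C
; using B's credentials, so keep this section closed to anything but A.
CAfile = /etc/stunnel/a_ca.crt
verifyChain = yes
requireCert = yes

; Service 2: TLS client towards Server C, providing the client certificate C demands.
; Listens on loopback only, so the plaintext hop never leaves the host.
[to_c]
client = yes
accept = 127.0.0.1:8080
connect = server_c_address:443
; B's identity as presented to C (the "2-way auth" half)
cert = /etc/stunnel/b_client.crt
key = /etc/stunnel/b_client.key
; Verify C's certificate chain and hostname instead of trusting any server on that address.
CAfile = /etc/stunnel/c_ca.crt
verifyChain = yes
checkHost = server_c_address
```

Server A then points its own stunnel (or TLS-capable client) at `server_b:8443`; the two B-side sessions are independent, so C only ever sees B's client certificate, which is the "certificate transcription" effect Igor asked for.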