Re: [stunnel-users] Feature request - verify fall-back

Brian Hatch
 
Roughly around 2008-05-07 15:34 -0400, Sudhaker Raj mentioned:

> I wish to use stunnel for following use-case (to create a
> highly-protected website which can be accessed only using a valid
> client-cert).
>
> gateway.example.com:443 -> public.example.com:80 (when client-cert
> verification fails)
> gateway.example.com:443 -> intranet.example.com:80 (when client-cert
> verification ok - normally hidden from public)
>

...
> I guess it will be a nice addition to stunnel's feature list.



I disagree. I don't think it's a good idea to add to Stunnel.

This is application layer logic you want, essentially. Your best
bet would be to use SSL in apache/webserver of choice directly.
Then you can place the verification constraint in the configuration
and configure the webserver to serve up selected pages if and only
if a cert has been used via normal apache 'require' ACLs.

Alternatively this could be configured with apache as a reverse
proxy using mod_proxy in front of two different back end webservers
(public and intranet in your example above) if you really want
distinct webservers for each.

-- 
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

"I think that we missed something. We should have called it 'Licensed Software Delivery', not 'Electronic.'" --Bruce

Every message PGP signed
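
The reverse-proxy alternative described in the reply above, sketched as an added example that is not part of the original message or of any project's shipped configuration. It assumes Apache 2.4 with mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http loaded; the certificate paths are placeholders, and the hostnames are the ones from the quoted request.

```apache
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    # Placeholder paths for the gateway's own certificate and key.
    SSLCertificateFile    /etc/apache2/tls/gateway.crt
    SSLCertificateKeyFile /etc/apache2/tls/gateway.key

    # CA that issues the client certificates (placeholder path).
    SSLCACertificateFile  /etc/apache2/tls/client-ca.crt

    # Ask for a client certificate during the handshake, but let clients
    # that send none connect. Set at virtual-host level so no per-URL
    # renegotiation is needed.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    # Act only as a reverse proxy, never as an open forward proxy.
    ProxyRequests Off

    RewriteEngine on

    # A client certificate that verified against the CA above: intranet backend.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule ^/(.*)$ http://intranet.example.com/$1 [P,L]

    # Everyone else (no certificate presented): public backend.
    RewriteRule ^/(.*)$ http://public.example.com/$1 [P,L]

    # Rewrite redirects issued by either backend back to the gateway name.
    ProxyPassReverse / http://intranet.example.com/
    ProxyPassReverse / http://public.example.com/
</VirtualHost>
```

With `SSLVerifyClient optional`, a client that presents a certificate which fails verification is rejected during the handshake rather than routed to the public backend; only clients that send no certificate fall through. The intranet backend must accept connections only from the gateway, otherwise the certificate check can be bypassed by connecting to it directly.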
