Re: [stunnel-users] Feature request - verify fall-back

--===============0646072720==
Content-Type: multipart/alternative;
boundary="----=_Part_2032_7765907.1210301405049"

------=_Part_2032_7765907.1210301405049
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Web was just an example. I agree that Apache is better place to do this.

What about running stunnel on port 443 which will look like HTTPS to world
but it connects to VNC if a valid client-cert is presented. This way my VNC
will be totally private and protected from *possible detection* & attack.

Technically it is very much possible and I've done it using Java APIs. It
would be neat if stunnel can be modified to do the same. Any help in
creating such patch will be much appreciated.

Thanks,
Sudhaker

On Thu, May 8, 2008 at 3:53 PM, Brian Hatch <bri@stunnel.org> wrote:
> Roughly around 2008-05-07 15:34 -0400, Sudhaker Raj mentioned:
>
>> I wish to use stunnel for following use-case (to create a
>> highly-protected website which can be accessed only using a valid
>> client-cert).
>>
>> gateway.example.com:443 -> public.example.com:80 (when client-cert
>> verification fails)
>> gateway.example.com:443 -> intranet.example.com:80 (when client-cert
>> verification ok - normally hidden from public)
>>
> ...
>> I guess it will be a nice addition to stunnel's feature list.
>
>
> I disagree. I don't think it's a good idea to add to Stunnel.
>
> This is application layer logic you want, essentially. Your best
> bet would be to use SSL in apache/webserver of choice directly.
> Then you can place the verification constraint in the configuration
> and configure the webserver to serve up selected pages if and only
> if a cert has been used via normal apache 'require' ACLs.
>
> Alternatively this could be configured with apache as a reverse
> proxy using mod_proxy in front of two different back end webservers
> (public and intranet in your example above) if you really want
> distinct webservers for each.
>
> --
> Brian Hatch "I think that we missed something.
> Systems and We should have called it 'Licensed
> Security Engineer Software Delivery', not 'Electronic.'"
> http://www.ifokr.org/bri/ --Bruce
>
> Every message PGP signed
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQFII1o7VkMj8/ymYEsRAmKyAJ9IfSok2pZPkknbD5cRHZag+C2hIACeLQhh
> jYZwdCyQhKFk0a/twP/G8qQ=
> =b0uW
> -----END PGP SIGNATURE-----
>
>

------=_Part_2032_7765907.1210301405049
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<br>Web was just an example. I agree that Apache is better place to do this.<br><br>What about running stunnel on port 443 which will look like HTTPS to world but it connects to VNC if a valid client-cert is presented. This way my VNC will be totally private and protected from <i><b>possible detection</b></i> &amp; attack. <br>
<br>Technically it is very much possible and I've done it using Java APIs. It would be neat if stunnel can be modified to do the same. Any help in creating such patch will be much appreciated.<br><br>Thanks,<br>Sudhaker<br>
<br>On Thu, May 8, 2008 at 3:53 PM, Brian Hatch &lt;<a href="mailto:bri@stunnel.org">bri@stunnel.org</a>&gt; wrote:<br>&gt; Roughly around 2008-05-07 15:34 -0400, Sudhaker Raj mentioned:<br>&gt;<br>&gt;&gt; I wish to use stunnel for following use-case (to create a<br>
&gt;&gt; highly-protected website which can be accessed only using a valid<br>&gt;&gt; client-cert).<br>&gt;&gt;<br>&gt;&gt; <a href="http://gateway.example.com:443">gateway.example.com:443</a> -&gt; <a href="http://public.example.com:80">public.example.com:80</a> (when client-cert<br>
&gt;&gt; verification fails)<br>&gt;&gt; <a href="http://gateway.example.com:443">gateway.example.com:443</a> -&gt; <a href="http://intranet.example.com:80">intranet.example.com:80</a> (when client-cert<br>&gt;&gt; verification ok - normally hidden from public)<br>
&gt;&gt;<br>&gt; ...<br>&gt;&gt; I guess it will be a nice addition to stunnel's feature list.<br>&gt;<br>&gt;<br>&gt; I disagree. &nbsp;I don't think it's a good idea to add to Stunnel.<br>&gt;<br>&gt; This is application layer logic you want, essentially. &nbsp;Your best<br>
&gt; bet would be to use SSL in apache/webserver of choice directly.<br>&gt; Then you can place the verification constraint in the configuration<br>&gt; and configure the webserver to serve up selected pages if and only<br>
&gt; if a cert has been used via normal apache 'require' ACLs.<br>&gt;<br>&gt; Alternatively this could be configured with apache as a reverse<br>&gt; proxy using mod_proxy in front of two different back end webservers<br>
&gt; (public and intranet in your example above) if you really want<br>&gt; distinct webservers for each.<br>&gt;<br>&gt; --<br>&gt; Brian Hatch &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&quot;I think that we missed something.<br>&gt; &nbsp; Systems and &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;We should have called it 'Licensed<br>
&gt; &nbsp; Security Engineer &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Software Delivery', not 'Electronic.'&quot;<br>&gt; <a href="http://www.ifokr.org/bri/">http://www.ifokr.org/bri/</a> &nbsp; &nbsp;--Bruce<br>&gt;<br>&gt; Every message PGP signed<br>&gt;<br>
&gt; -----BEGIN PGP SIGNATURE-----<br>&gt; Version: GnuPG v1.2.1 (GNU/Linux)<br>&gt;<br>&gt; iD8DBQFII1o7VkMj8/ymYEsRAmKyAJ9IfSok2pZPkknbD5cRHZag+C2hIACeLQhh<br> &gt; jYZwdCyQhKFk0a/twP/G8qQ=<br>&gt; =b0uW<br>&gt; -----END PGP SIGNATURE-----<br>
&gt;<br>&gt;<br><br>

------=_Part_2032_7765907.1210301405049--

--===============0646072720==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

--===============0646072720==--