To: stunnel-users@mirt.net
Date: Wed, 19 Mar 2003 14:20:32 -0500
From: "Peter D. Gray"
Subject: Patch: writes connection details for current tunnel to filesystem

I often use stunnel to tunnel to servers running on localhost. The most typical case is using stunnel at 443 tunneled to a port 80 web server. Unfortunately, this normally means lots of useful information has been lost by the time the tunneled server gets a new connection.

This patch writes lots of useful facts about the new client into a file in a configurable temp directory (config file: "infodir" option). The file is deleted when the client disconnects.

Here is an example of the file it creates, for the typical HTTPS case (with client certificates enabled):

# connection details
STUNNEL_PID=1083
SERVICE="https"
REMOTE_HOST="10.0.0.1"
REMOTE_PORT=1560
CIPHER_DESC="RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 "
CIPHER_ALGO="RC4-MD5"
CIPHER_BITS=128
SSL_CLIENT_DN="/CN=peter/Email=junk@dmtz.com"
SSL_CLIENT_I_DN="/C=CA/ST=Ontario/L=Richmond Hill/O=Digital Multitools Inc./OU=DMTZ Root CA (no trust implied)/CN=DMTZ CA/Email=ca@dmtz.com"
TUNNEL_HOST="127.0.0.1"
TUNNEL_PORT=80
LOCAL_HOST="127.0.0.1"
LOCAL_PORT=2089
# EOF

This file format should be easy to read with shell scripts. I hope the above variable names are self-explanatory.

The "info file" will be written to a file named "conn.LH:LP", where LH is the value of "LOCAL_HOST" above, and LP is LOCAL_PORT. This allows the receiving server to use getpeername() and map that directly to the file that needs to be read. In most cases, LOCAL_HOST will be 127.0.0.1, but if stunnel was used on a (proxy) machine with shared NFS-mounted directories, the above information could be read by a server machine that is on another host.

I thought long and hard about using environment variables and/or shared libraries to accomplish the same, but I could never be sure to always be able to get the information I needed. In particular, I like my tunneled servers to be long-running (not exec'd), so the filesystem and the tunneled socket itself seem to be the only communication options I've got.

This patch is in the public domain, use it in good health.

PG
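As an added example (not part of the patch or the post), a reader for the conn.LH:LP file described above: it maps a getpeername() result to the file name, parses the KEY=value lines as data rather than sourcing them as shell (the SSL_CLIENT_* values originate in the client's certificate), and checks that the file describes the socket that was actually accepted. The info directory path and the sample file contents are constructed for the example.

```python
import re
from pathlib import Path
# Constructed sample of one conn.LH:LP file, in the format shown in the post
SAMPLE_INFO = '''# connection details
STUNNEL_PID=1083
SERVICE="https"
REMOTE_HOST="10.0.0.1"
REMOTE_PORT=1560
CIPHER_DESC="RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 "
CIPHER_ALGO="RC4-MD5"
CIPHER_BITS=128
SSL_CLIENT_DN="/CN=peter/Email=junk@dmtz.com"
SSL_CLIENT_I_DN="/C=CA/ST=Ontario/L=Richmond Hill/O=Digital Multitools Inc./OU=DMTZ Root CA (no trust implied)/CN=DMTZ CA/Email=ca@dmtz.com"
TUNNEL_HOST="127.0.0.1"
TUNNEL_PORT=80
LOCAL_HOST="127.0.0.1"
LOCAL_PORT=2089
# EOF
'''
# KEY="string" or KEY=integer; anything else is rejected as malformed
LINE_RE = re.compile(r'^([A-Z][A-Z0-9_]*)=(?:"(.*)"|(\d+))$')

def parse_info(text):
    """Parse as data, never source as shell: SSL_CLIENT_* comes from the client cert."""
    info = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError('malformed line: %r' % line)
        key, quoted, number = m.groups()
        info[key] = quoted if number is None else int(number)
    return info

def info_path(infodir, peer):
    """Map a getpeername() result (host, port) to the conn.LH:LP file."""
    return Path(infodir) / ('conn.%s:%d' % peer)

def matches_peer(info, peer):
    """The file must describe the socket we accepted, not a stale one."""
    return (info.get('LOCAL_HOST'), info.get('LOCAL_PORT')) == tuple(peer)

def lookup(infodir, peer):
    """What the tunneled server calls right after accept()/getpeername()."""
    info = parse_info(info_path(infodir, peer).read_text())
    if not matches_peer(info, peer):
        raise ValueError('info file does not match peer %r' % (peer,))
    return info
```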