Stunnel.org  
   
Patch info for xforwardedfor_jrd

Creator: John R Durand
Patch to Version: 4.03
Type: New Feature
Patch: xforwardedfor_jrd.patch
Description: Add an X-Forwarded-For header for HTTP connections.

Author Comments



Date: Tue, 29 Oct 2002 07:46:20 -0800
From: "john r. durand" <jrd@real.com>
Subject: patch

I have attached a stunnel patch for version 4.02 that optionally adds
an X-Forwarded-For header for HTTP connections. This header includes
the originating IP address for the connection. We needed this feature
at RealNetworks because we use a stunnel-based SSL accelerator
architecture. All SSL traffic is proxied by a set of boxes that
negotiate the SSL connection with stunnel and pass the unencrypted
data to a standard web server farm. That farm needs to log the
original IP address for the request.

My changes are provided without any restrictions and can be freely
integrated into the base source for stunnel. In fact, I would be very
happy to see that happen, as it would prevent me from having to merge
the changes into each new release. Please let me know if you have any
interest in accepting these changes (or if you would like me to post
them to the mailing list, etc.).

Thanks.



John R. Durand


-------------------------------------------------------------------------------

Date: Mon, 11 Nov 2002 12:33:29 +0100
From: Michal Trojnara <Michal.Trojnara@mirt.net>
Subject: Re: patch



There's a remote buffer overflow security hole in your patch.  memmove() can
be called when c->ssl_ptr+num+c->header_length>=BUFFSIZE.

The next problem is that non-mt-safe inet_ntoa() is called outside of a
critical section.

There are possibly other bugs.  The most difficult to fix seems to be that
your patch doesn't support persistent connections:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.10

This is why I'm not going to support the HTTP protocol.  It's not as easy to
do it correctly as it seems to be.  8-(
http://whatis.techtarget.com/definition/0,,sid9_gci521694,00.html

Best regards,
    Mike
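
The three objections in the reply above (a memmove() without a bounds check against BUFFSIZE, the non-reentrant inet_ntoa() called outside a critical section, and no handling of persistent connections) are exactly what a correct version of this feature has to deal with. The following is an added example written for this page, not code from the patch or from stunnel itself, showing one way to handle all three in C: the inserter keeps per-connection scanner state so that every request on a keep-alive connection gets the header even when a read() ends mid-line, it refuses an insertion that would not fit in the buffer instead of overflowing it, and it formats the peer address with inet_ntop() into a caller-owned buffer. The BUFFSIZE value, the struct and function names, the choice to place the header directly after the request line, and the sample requests from peer 10.0.0.7 are all assumptions of the example; request bodies are not parsed, so it covers GET traffic only.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Assumed size for this example only; stunnel sets its real BUFFSIZE in its own source. */
#define BUFFSIZE 256

/* Per-connection scanner state: a persistent connection carries many requests
 * and a read() may end mid-line, so the position must survive between calls.
 * A fresh connection starts as { 0, 0 }. */
struct xff_state {
    int in_headers;  /* 0: expecting a request line, 1: inside a header block */
    int matched;     /* bytes of the CRLF pattern matched so far */
};

/* Reentrant peer-address formatting: inet_ntop() writes into the caller's
 * buffer, unlike inet_ntoa(), which returns shared static storage. */
static int format_peer_ip(const struct sockaddr_in *sa, char *out, size_t outlen)
{
    return inet_ntop(AF_INET, &sa->sin_addr, out, (socklen_t)outlen) ? 0 : -1;
}

/* Splice "X-Forwarded-For: <ip>\r\n" in after the request line of each request
 * whose request line ends inside buf[0..*len); buf has BUFFSIZE bytes of room.
 * Returns the number of headers inserted, or -1 if one would not fit (the
 * caller must then drop the connection). Bodies are not parsed: GET only. */
static int insert_xff(char *buf, size_t *len, const char *ip, struct xff_state *st)
{
    static const char end[] = "\r\n\r\n";
    char hdr[64];
    int n = snprintf(hdr, sizeof hdr, "X-Forwarded-For: %s\r\n", ip);
    size_t hlen, i = 0;
    int inserted = 0;
    if (n < 0 || (size_t)n >= sizeof hdr) return -1;
    hlen = (size_t)n;
    while (i < *len) {
        char c = buf[i++];
        if (!st->in_headers) {                          /* request line: wait for CRLF */
            if (st->matched == 1 && c == '\n') {
                if (*len + hlen > BUFFSIZE) return -1;  /* bounds check before memmove() */
                memmove(buf + i + hlen, buf + i, *len - i);
                memcpy(buf + i, hdr, hlen);
                *len += hlen; i += hlen; inserted++;
                st->in_headers = 1; st->matched = 2;    /* CRLF of the header just written */
            } else {
                st->matched = (c == '\r');
            }
        } else {                                        /* header block: wait for empty line */
            if (c == end[st->matched]) st->matched++;
            else st->matched = (c == '\r');
            if (st->matched == 4) { st->in_headers = 0; st->matched = 0; }
        }
    }
    return inserted;
}

/* Constructed traffic: two keep-alive requests from constructed peer 10.0.0.7, the
 * first request line's CRLF split across two reads. Returns 2 (one header per
 * request), or 0 if the rewritten stream differs from what the backend must see. */
static int demo_persistent_split(void)
{
    static const char c1[] = "GET /a HTTP/1.1\r";
    static const char c2[] = "\nHost: example\r\n\r\nGET /b HTTP/1.1\r\n\r\n";
    static const char e2[] = "\nX-Forwarded-For: 10.0.0.7\r\nHost: example\r\n\r\n"
                             "GET /b HTTP/1.1\r\nX-Forwarded-For: 10.0.0.7\r\n\r\n";
    struct sockaddr_in sa = { 0 };
    struct xff_state st = { 0, 0 };
    char buf[BUFFSIZE], ip[INET_ADDRSTRLEN];
    size_t len = sizeof c1 - 1;
    int r1, r2;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(0x0a000007u);
    if (format_peer_ip(&sa, ip, sizeof ip) != 0) return 0;
    memcpy(buf, c1, len);
    r1 = insert_xff(buf, &len, ip, &st);                /* 0: request line not complete */
    if (r1 != 0 || len != sizeof c1 - 1 || memcmp(buf, c1, len)) return 0;
    len = sizeof c2 - 1;
    memcpy(buf, c2, len);
    r2 = insert_xff(buf, &len, ip, &st);                /* 2: one header per request */
    if (r2 < 0 || len != sizeof e2 - 1 || memcmp(buf, e2, len)) return 0;
    return r1 + r2;
}

/* A request line that nearly fills the buffer: the header cannot fit, so the
 * call must return -1 rather than write past BUFFSIZE. */
static int demo_overflow_refused(void)
{
    char buf[BUFFSIZE];
    struct xff_state st = { 0, 0 };
    size_t len = BUFFSIZE - 4;
    memset(buf, 'a', len);
    memcpy(buf + len - 2, "\r\n", 2);
    return insert_xff(buf, &len, "10.0.0.7", &st);
}

int main(void)
{
    printf("persistent=%d overflow=%d\n", demo_persistent_split(), demo_overflow_refused());
    return 0;
}
```

The per-connection state is the part the original patch lacked: without it the scanner would only ever see the first request on a keep-alive connection, and the backend would log the proxy's address for every later request. The -1 return is deliberate; once a request line cannot take the extra header within BUFFSIZE, the only safe action for a proxy is to close the connection, not to shift data past the end of the buffer.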




This website makes patches available for use by the Internet community. However, it does not endorse any of the patches contained herein. They could work perfectly, or totally foul up everything. We don't know. Contact the authors if you have any questions. Use at your own risk.

The Stunnel software package does not contain any cryptography itself, however please remember that import and/or export of cryptographic software, code providing hooks to cryptographic algorithms, and discussion about cryptography is illegal in some countries. It is imperative for you to know your local laws governing cryptography. We're not liable for anything you do that violates your local laws.