Patch info for xforwardedfor_jrd
Author Comments
Date: Tue, 29 Oct 2002 07:46:20 -0800
From: "john r. durand" <jrd@real.com>
Subject: patch
i have attached an stunnel patch for version 4.02 that optionally adds
an X-Forwarded-For header for HTTP connections. this header includes
the originating IP address for the connection. we needed this feature
at RealNetworks because we use an stunnel-based SSL accelerator
architecture. all SSL traffic is proxied by a set of boxes that
negotiate the SSL connection with stunnel and pass the unencrypted
data to a standard web server farm. that farm needs to log the
original IP address for the request.
my changes are provided without any restrictions and can be freely
integrated into the base source for stunnel. in fact, i would be very
happy to see that happen as it would prevent me from having to merge
the changes into each new release. please let me know if you have any
interest in accepting these changes (or if you would like me to post
them to the mailing list, etc.)
thanks.
john r. durand
-------------------------------------------------------------------------------
Date: Mon, 11 Nov 2002 12:33:29 +0100
From: Michal Trojnara <Michal.Trojnara@mirt.net>
Subject: Re: patch
There's a remote buffer overflow security hole in your patch. memmove() can
be called when c->ssl_ptr+num+c->header_length>=BUFFSIZE.
The next problem is that non-mt-safe inet_ntoa() is called outside of a
critical section.
There are possibly other bugs. The most difficult to fix seems to be that
your patch doesn't support persistent connections:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.10
This is why I'm not going to support HTTP protocol. It's not as easy to do
it correctly as it seems to be. 8-(
http://whatis.techtarget.com/definition/0,,sid9_gci521694,00.html
Best regards,
Mike
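The two defects named in the reply above, the missing length check before memmove() and the non-thread-safe inet_ntoa() call, can be shown together in one small bounds-checked header insertion routine. What follows is an added example, not code from the xforwardedfor_jrd patch or from stunnel itself; the function name insert_xff_header, its parameters, the BUFFSIZE value and the sample request are all assumptions made for the example.

```c
/* Added example (not from the patch or from stunnel): a bounds-checked
 * X-Forwarded-For insertion for a buffered HTTP request head.  The function
 * name, its parameters and the BUFFSIZE value are assumptions. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define BUFFSIZE 16384   /* assumed buffer size; stunnel's own value may differ */

/* Insert "X-Forwarded-For: <peer>\r\n" directly after the request line.
 * buf holds *len bytes of a not-yet-forwarded HTTP request in a buffer of
 * bufsize bytes.  Returns 0 on success, -1 if the request line is not yet
 * complete, -2 if the header would not fit (nothing is moved in that case). */
int insert_xff_header(char *buf, size_t bufsize, size_t *len,
                      const struct sockaddr_in *peer)
{
    char addr[INET_ADDRSTRLEN];
    char header[sizeof("X-Forwarded-For: ") + INET_ADDRSTRLEN + 2];
    const char *eol = NULL;
    size_t hlen, pos;
    int n;

    /* Thread-safe conversion: inet_ntop writes into a caller-supplied buffer,
     * unlike inet_ntoa, which returns a pointer to static storage. */
    if (inet_ntop(AF_INET, &peer->sin_addr, addr, sizeof addr) == NULL)
        return -2;
    n = snprintf(header, sizeof header, "X-Forwarded-For: %s\r\n", addr);
    if (n < 0 || (size_t)n >= sizeof header)
        return -2;
    hlen = (size_t)n;

    /* Locate the CRLF that ends the request line; buf is not NUL-terminated. */
    for (pos = 0; pos + 1 < *len; pos++) {
        if (buf[pos] == '\r' && buf[pos + 1] == '\n') {
            eol = buf + pos;
            break;
        }
    }
    if (eol == NULL)
        return -1;                      /* request line incomplete */
    pos = (size_t)(eol - buf) + 2;      /* insertion point: after the CRLF */

    /* The check the reply says is missing: refuse rather than overflow. */
    if (*len + hlen > bufsize)
        return -2;

    memmove(buf + pos + hlen, buf + pos, *len - pos);   /* open a gap */
    memcpy(buf + pos, header, hlen);                    /* fill it */
    *len += hlen;
    return 0;
}

/* Self-check on a constructed request: returns 1 when the insertion, the
 * too-small-buffer refusal and the incomplete-line case all behave. */
int demo_checks(void)
{
    static const char req[] = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    static const char want[] =
        "GET / HTTP/1.1\r\nX-Forwarded-For: 10.1.2.3\r\nHost: www.example.com\r\n\r\n";
    char buf[BUFFSIZE];
    size_t len = sizeof req - 1;
    struct sockaddr_in peer;

    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    if (inet_pton(AF_INET, "10.1.2.3", &peer.sin_addr) != 1)   /* constructed peer */
        return 0;

    /* 1. normal case: header lands after the request line */
    memcpy(buf, req, len);
    if (insert_xff_header(buf, sizeof buf, &len, &peer) != 0) return 0;
    if (len != sizeof want - 1 || memcmp(buf, want, len) != 0) return 0;

    /* 2. header would not fit: must refuse and leave len untouched */
    len = sizeof req - 1;
    memcpy(buf, req, len);
    if (insert_xff_header(buf, len + 4, &len, &peer) != -2) return 0;
    if (len != sizeof req - 1) return 0;

    /* 3. request line not complete yet: caller should read more first */
    len = 5;
    memcpy(buf, "GET /", len);
    if (insert_xff_header(buf, sizeof buf, &len, &peer) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("checks %s\n", demo_checks() ? "passed" : "failed");
    return 0;
}
```

The routine only handles a single buffered request head, which is exactly the limitation the reply points at: on a persistent (keep-alive) connection the same insertion has to be repeated at every request boundary, and finding those boundaries means tracking message bodies via Content-Length or chunked encoding, not just scanning for the first CRLF.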
This website makes patches available for use by the
Internet community. However it does not endorse any of the patches
contained herein. They could work perfectly, or totally foul up
everything. We don't know. Contact the authors if you have any
questions. Use at your own risk.
The Stunnel software package does not contain any
cryptography itself, however please remember that import and/or export of
cryptographic software, code providing hooks to cryptographic
algorithms, and discussion about cryptography is illegal in some countries.
It is imperative for you to know your local laws governing cryptography.
We're not liable for anything you do that violates your local laws.