
Re: Secure user authentication on a web proxy


On 20/9/2011 8:58 PM, Jenny Lee wrote:

> I don't know if stunnel uses TCP or not.

Thanks for your thoughts Jenny.

"Stunnel works with SSL, which runs only on TCP." (Ref.: http://www.stunnel.org/?page=faq.)

> But OpenVPN has an option to use TCP. You will find that VPN over UDP is 3 times faster than VPN over TCP. All is not in vain, though. There is a kernel option not to combine packets into bigger chunks and to send them immediately as smaller chunks. OpenVPN option "tcp-nodelay" activates that and I can reach almost UDP speeds with TCP. I would check if something similar exists for stunnel.

The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server.

I could directly use OpenVPN instead; I would expect it will take a much greater preparation in terms of system design and implementation, but it would be more versatile and manageable. Eventually I believe I might do it.

For now, as I explained initially, I am examining a solution of web proxy authentication based on certificates. This was discussed for example here: http://squid-web-proxy-cache.1019090.n4.nabble.com/Client-Certificate-Authentication-td3353759.html and it seems it should work, but no configuration details were given; so I am trying to see how it should be implemented to test this setup. Note that our users/servers already have (or can easily obtain) officially signed X.509 certificates and that should ease such a solution.

Thanks again,
Nick
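
The setup discussed in this message, sketched as an added example that is not part of the original post or of the linked thread: stunnel in front of Squid, requiring a client X.509 certificate, with Nagle's algorithm disabled on both sockets. The host name, ports and file paths are assumed placeholders, and Squid is assumed to listen only on 127.0.0.1:3128.

```ini
; ---- Proxy host: stunnel.conf (server side) ----
; Disable Nagle's algorithm on the accepted (l:) and connecting (r:) sockets,
; the stunnel counterpart of OpenVPN's "tcp-nodelay".
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[squid-tls]
; TLS listener exposed to users (placeholder port).
accept  = 3129
; Plain HTTP proxy port of the local Squid (squid.conf: http_port 127.0.0.1:3128).
connect = 127.0.0.1:3128
; Server certificate and key (placeholder paths).
cert    = /etc/stunnel/proxy.example.org.pem
key     = /etc/stunnel/proxy.example.org.key
; CA that signed the users' certificates (placeholder path).
CAfile  = /etc/stunnel/users-ca.pem
; Level 2: the peer must present a certificate that verifies against CAfile.
; Connections without a valid client certificate are dropped before Squid.
verify  = 2
; Caveat: Squid sees every request as coming from 127.0.0.1, so access
; control here is "holds a certificate from this CA", not per-user ACLs.

; ---- User machine: stunnel.conf (client side) ----
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[proxy-tunnel]
client  = yes
; The browser is pointed at this local address as its HTTP proxy.
accept  = 127.0.0.1:3128
; Placeholder host name and port of the server-side listener above.
connect = proxy.example.org:3129
; The user's own certificate and key (placeholder paths).
cert    = /home/user/.stunnel/user.pem
key     = /home/user/.stunnel/user.key
; CA that signed the proxy's certificate, so the client authenticates the
; proxy as well (placeholder path).
CAfile  = /home/user/.stunnel/proxy-ca.pem
verify  = 2
```

Binding Squid to the loopback address matters here: if its plain port is reachable from the network, the certificate check in stunnel can simply be bypassed.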
