server tunneling with cert


server tunneling with cert

Marten Lehmann
Hello,

our mailserver daemons (exim, dovecot, courier-imap) are limited to one
key/cert configuration per instance. But for certain reasons, we need the
same service to be accessible by two different ip-addresses/domain names,
each with its own certs.

What I'm trying to do is the following:

server-a.com is the real daemon, e.g. exim listening on 1.1.1.1:smtps

server-b.com is listening on 1.1.1.2:smtps (with its own cert), but is
routing/tunneling all traffic to server-a.com:smtps

Is this possible with openssl? I don't know how to do it. The problem
is that the work isn't done by simply tunneling the data to
server-a.com, because then the client would get a
certificate-doesn't-match-with-domain error. server-b.com has to use the
actual data (not the whole traffic including the ssl-conversation) and
establish a new connection to server-a.com.

If this cannot be done with openssl out of the box, how else could I do
this?

Regards
Marten
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
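The setup Marten describes is a TLS-terminating relay: server-b.com completes its own handshake with its own certificate, decrypts the application data, and opens a fresh TLS session to server-a.com. The following is an added example written for this page, not code from the thread or from the OpenSSL project, using Python's ssl module (which wraps OpenSSL). The certificate, key and CA file paths and the listen/backend addresses are placeholders; the relay logic is exercised in selftest() over in-process socket pairs so it runs without any network or certificates.

```python
# Added example (not from the thread): TLS-terminating relay.
# server-b.com terminates TLS with its own cert, then opens a *new* TLS
# session to server-a.com and shuttles only the decrypted application data,
# so each name presents its own certificate and the client never sees
# server-a's certificate. Paths and addresses below are placeholders.
import socket
import ssl
import threading

PROXY_CERT = "/etc/ssl/server-b.com.crt"  # placeholder: server-b's own cert
PROXY_KEY = "/etc/ssl/server-b.com.key"   # placeholder: its private key
BACKEND_CA = "/etc/ssl/server-a-ca.pem"   # placeholder: CA that issued server-a's cert
LISTEN = ("1.1.1.2", 465)                 # smtps on server-b's address
BACKEND = ("server-a.com", 465)           # the real daemon (exim on 1.1.1.1)


def relay(src, dst, bufsize=4096):
    """Copy application data src -> dst until src reaches EOF.

    Works on plain sockets and SSLSocket alike: it only moves the decrypted
    bytes, each side's TLS record layer is handled by its own socket.
    Returns the number of bytes moved."""
    total = 0
    try:
        while True:
            chunk = src.recv(bufsize)
            if not chunk:
                break
            dst.sendall(chunk)
            total += len(chunk)
    except OSError:
        pass  # peer reset, or socket torn down by the other direction
    return total


def bridge(a, b):
    """Relay both directions; when either side hits EOF, tear both down."""
    counts = {}

    def run(src, dst, key):
        counts[key] = relay(src, dst)
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)  # unblocks the other thread's recv
            except OSError:
                pass

    threads = [threading.Thread(target=run, args=(a, b, "a2b")),
               threading.Thread(target=run, args=(b, a, "b2a"))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()
    return counts


def make_contexts():
    """Front context presents server-b's cert; back context verifies server-a's."""
    front = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    front.load_cert_chain(PROXY_CERT, PROXY_KEY)
    back = ssl.create_default_context(cafile=BACKEND_CA)  # CERT_REQUIRED + hostname check
    return front, back


def handle(conn, front, back):
    """One client: finish server-b's handshake, open a fresh TLS session to
    server-a (verified against BACKEND_CA and its hostname), then bridge."""
    client = upstream = None
    try:
        client = front.wrap_socket(conn, server_side=True)
        upstream = back.wrap_socket(socket.create_connection(BACKEND, timeout=10),
                                    server_hostname=BACKEND[0])
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        print("connection setup failed:", exc)
        (client or conn).close()
        return None
    upstream.settimeout(None)
    return bridge(client, upstream)


def serve(listen=LISTEN):
    front, back = make_contexts()
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, front, back), daemon=True).start()


def selftest():
    """Exercise bridge() over in-process socketpairs (no TLS, no network):
    a fake client sends through the bridge to a fake backend and back."""
    client, client_side = socket.socketpair()
    backend_side, backend = socket.socketpair()
    result = {}
    worker = threading.Thread(target=lambda: result.update(bridge(client_side, backend_side)))
    worker.start()
    client.sendall(b"EHLO test")            # constructed sample traffic
    seen_by_backend = backend.recv(1024)
    backend.sendall(b"250 OK")
    seen_by_client = client.recv(1024)
    client.close()                          # client hangs up: EOF propagates, bridge exits
    worker.join(timeout=5)
    backend.close()
    return seen_by_backend, seen_by_client, result.get("a2b"), result.get("b2a")


if __name__ == "__main__":
    serve()
```

Because only decrypted bytes cross the bridge, server-a.com sees the proxy as its client; the back context is built with create_default_context so the hop to server-a.com is itself verified rather than blindly re-encrypted.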

Re: server tunneling with cert

David Somers
On Thursday 09 February 2006 21:13, Marten Lehmann wrote:
> Is this possible with openssl? I don't know how to do it. The problem
> is that the work isn't done by simply tunneling the data to
> server-a.com, because then the client would get a
> certificate-doesn't-match-with-domain error. server-b.com has to use the
> actual data (not the whole traffic including the ssl-conversation) and
> establish a new connection to server-a.com.
>
> If this cannot be done with openssl out of the box, how else could I do
> this?

One way might be to use POUND.

The Pound program is a reverse proxy, load balancer and HTTPS front-end for
Web server(s). Pound was developed to enable distributing the load among
several Web-servers and to allow for a convenient SSL wrapper for those Web
servers that do not offer it natively. Pound is distributed under the GPL -
no warranty, it's free to use, copy and give away.

Read more about it at http://www.apsis.ch/pound

HTH,

David.