Hi Michal,

Thank you for the answer.

I found a solution for this using local port forwarding. What I do now is that I monitor my individual tunnels to check if they are alive. When one is dead I just have to change the port forward to the next stunnel entry.

I use netcat to check the connection availability as follows:

nc -z -x 127.0.0.1:$STUNNEL_PORT1 -X connect $DISTANT_SERVER $PORT

Under OS X, since 10.10, port forwarding is managed with the pfctl utility (on other Linux distros we can use iptables):

echo "rdr pass inet proto tcp from 127.0.0.1 to 127.0.0.1 port $FAILOVER_PORT -> 127.0.0.1 port $STUNNEL_PORT1" | pfctl -ef - >/dev/null 2>&1

In case $STUNNEL_PORT1 is down or doesn't provide Internet access, I just switch to $STUNNEL_PORT2 and push the port forwarding rule with that port entry.

I wrote a daemon that monitors all my stunnel ports and checks if they have Internet access. My PAC RETURN rules remain the same (they use my $FAILOVER_PORT); I just shifted the stunnel ports to another location and use port forwarding to reach the stunnel entries that are alive.

It's working great so far.

Cheers,
Thireus ([email protected] <mailto:[email protected]>), IT Security Engineer Consultant.
http://blog.thireus.com <http://blog.thireus.com/>

> On 15 Nov 2015 at 19:58, Michal Trojnara <[email protected]> wrote:
>
> PGP signed part
> On 15.11.2015 11:58, Thireus wrote:
> > 1. I would like to know if there is a way to use failover with two
> > servers with two different set of TLS cert/key.
>
> No. Both client and server certificates are currently set way before
> stunnel connects the target.
>
> I guess what you really need is client certificate selection based on
> the list of acceptable issuers sent by the stunnel server, because
> each of your stunnel servers expects client certificates issued by a
> separate CA. Am I right?
>
> Client certificate autoselection currently works on Windows with the
> CAPI engine. I have also added a new TODO item to implement client
> certificate autoselection for certificates/keys stored in PEM files:
> https://www.stunnel.org/sdf_todo.html
>
> Alternatively, you may reconfigure your stunnel servers to accept
> client certificates issued by the same CA.
>
> > 2. On the same topic, I would like to know if there is an option
> > that could open the local port (accept) only when the connection
> > (connect) is established?
>
> No.
>
> > The problem I'm facing is that I use a PAC profile with failover on
> > several stunnel entries: "return PROXY 127.0.0.1:4441; PROXY
> > 127.0.0.1:4442; PROXY 127.0.0.1:4443;".
>
> Did you mean:
> return "PROXY 127.0.0.1:4441; PROXY 127.0.0.1:4442; PROXY 127.0.0.1:4443";
> ?
>
> You are trying to establish end-to-end failover across two (in fact
> three, including connection between the stunnel server and the HTTP
> proxy) separate TCP connections. It is not possible without a
> heartbeat service.
>
> > 3. Is there another way to tweak stunnel behavior when a remote
> > server is down?
>
> You could write a heartbeat service to periodically initiate short
> connections to the remote services, and then reconfigure stunnel
> accordingly. Still, this is a crude workaround and not the proper
> solution.
>
> Best regards,
> Mike
>
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
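The heartbeat-plus-redirect scheme Thireus describes above (probe each local stunnel entry with nc, then repoint a pf rdr rule at the first one that still reaches the Internet), written out as a small POSIX shell monitor. This is an added example, not Thireus's daemon or anything from the stunnel project; the failover port 4440, the probe host example.com, the 30-second interval and the run argument are assumed values, while the nc and pfctl invocations are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not Thireus's daemon): probe the stunnel entries in order and
# keep the pf rdr rule pointed at the first one that still has Internet access.
# Override any of these with environment variables; the defaults are assumptions.
FAILOVER_PORT="${FAILOVER_PORT:-4440}"              # the single port the PAC file returns (assumed)
STUNNEL_PORTS="${STUNNEL_PORTS:-4441 4442 4443}"    # the stunnel entries named in the thread's PAC rule
DISTANT_SERVER="${DISTANT_SERVER:-example.com}"     # host used to confirm end-to-end reachability (assumed)
DISTANT_PORT="${DISTANT_PORT:-443}"
INTERVAL="${INTERVAL:-30}"                          # seconds between heartbeat rounds (assumed)

# Heartbeat for one stunnel port: ask the HTTP CONNECT proxy behind it to
# open a connection to the distant server, give up after 5 seconds.
probe_port() {
    nc -z -w 5 -x "127.0.0.1:$1" -X connect "$DISTANT_SERVER" "$DISTANT_PORT" >/dev/null 2>&1
}

# Produce the pf rdr rule that maps the fixed failover port onto a stunnel port.
# Kept as a pure function so the rule text can be checked without touching pf.
build_rdr_rule() {
    printf 'rdr pass inet proto tcp from 127.0.0.1 to 127.0.0.1 port %s -> 127.0.0.1 port %s\n' "$1" "$2"
}

# Walk the stunnel ports in order; print the first one whose heartbeat passes.
# Returns 1 (and prints nothing) when every entry is down.
select_live_port() {
    for p in $STUNNEL_PORTS; do
        if probe_port "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Load the rule into pf exactly as the post does (enable pf, read rules from stdin).
apply_rdr() {
    build_rdr_rule "$FAILOVER_PORT" "$1" | pfctl -ef - >/dev/null 2>&1
}

# Main loop: re-apply the redirect only when the chosen live port changes,
# and leave the last working rule in place if every entry is down.
monitor_loop() {
    current=""
    while :; do
        live=$(select_live_port) || live=""
        if [ -n "$live" ] && [ "$live" != "$current" ]; then
            apply_rdr "$live" && current="$live"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "sh stunnel_failover.sh run", so the
# functions above can also be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    monitor_loop
fi
```

Run it as root (pfctl needs it) with `sh stunnel_failover.sh run`. Note that `pfctl -f -` replaces the whole loaded ruleset, just as the one-liner in the post does; if you already keep other pf rules, load the redirect into its own anchor instead (`pfctl -a <name> -f -`) so the rest of the ruleset survives each failover.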
