Author Topic: How about SSL support  (Read 101844 times)

0 Members and 2 Guests are viewing this topic.

GeeS

  • Guest
Re: How about SSL support
« Reply #45 on: March 28, 2007, 06:52:29 AM »
... I am positive this isnt enough info for anyone to help ...
Indeed not much info, but did you try to connect to https://localhost:your_port_stunnel_listens_to ?


tenacious_b

  • Guest
Re: How about SSL support
« Reply #46 on: March 28, 2007, 08:47:51 PM »
Yes I did try that and to no avail it says nothing is on that page like nothing is lestening there.

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
Re: How about SSL support
« Reply #47 on: March 30, 2007, 05:05:47 PM »
Yes I did try that and to no avail it says nothing is on that page like nothing is lestening there.
I just followed my procedure as described earlier in this thread ( and updated to stunnel 4.20).
Everything works fine! Even download speed with stunnel is still high enough (tested on localhost) : 3500kB/s.
Try again!
~GeeS~

GrapeApe

  • Guest
Re: How about SSL support
« Reply #48 on: April 02, 2007, 03:09:05 PM »
I have followed your very simple procedure several times and I cant get this to work.I am using win xp sp2 I am putting the https in the url , my port is 8245 but I have put that in the .config.
https://grapeape.myftp.org
I put the stunnel.pem in the stunnel folder
When I open the stunnel log this is all I get

2007.04.02 09:51:15 LOG5[3004:2676]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8d 28 Sep 2006
2007.04.02 09:51:15 LOG5[3004:2676]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.04.02 09:51:15 LOG5[3004:3576]: No limit detected for the number of clients

I'm not a total idiot but I am at a loss here

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
Re: How about SSL support
« Reply #49 on: April 02, 2007, 07:57:45 PM »
Please change debug to debug = 7 in your stunnel.conf and publish again please.

Did I understand well and has your stunnel.conf the entry

[https]
accept = 8245
connect = same portnumber as HFS???

If yhat is true, then your URL should be https://grapeape.myftp.org:8245 because you have to add the portnumber if you use a non-default port for https.
Or did you forward port 8245 or blocked it with your firewall?
Try port 443 (https default) for stunnel to accept, connect to 44300, do not block these ports and forward 443 only. HFS listens to 44300.

Before I read your post I just finished an update on HFS with Stunnel. Will publish within some days. No time yet. Good luck.
If it still does not work, please publish your logs and portnumbers for debugging.
~GeeS~

GrapeApe

  • Guest
Re: How about SSL support
« Reply #50 on: April 02, 2007, 09:43:18 PM »
I  connect via a proxy and evidently thats where my problem is.I hope I don't confuse you here but my internet explorer is set to connect directly and my Firefox is through a proxy I was testing on both of them with nothing working.Now when I change the Firefox setting to connect directly both the internet explorer and my Firefox connect (why one is effecting the other I don't know).So stunnel works great without a proxy for me which is fine unless you have suggestion for that , but what I would really to fix is I cant connect via my noip address. I have to put in my ip plus the :443 port number  for it to connect.
Ive tried https://grapeape.myftp.org:443 and it doesn't work.
This is what I have in the  .conf and The port setting on hfs is 8245

[https]
accept  = 443
connect = 8245
TIMEOUTclose = 0

By the way thx for the response

GrapeApe

  • Guest
Re: How about SSL support
« Reply #51 on: April 02, 2007, 11:15:11 PM »
I got it all sorted out now thx for thread  and the response.

GeeS

  • Guest
Re: How about SSL support
« Reply #52 on: April 03, 2007, 06:25:48 AM »
I  connect via a proxy and evidently thats where my problem is. ... So stunnel works great without a proxy for me which is fine unless you have suggestion for that , ...
Many (free) proxies will not handle https and/or other ports than 80 (http default) or 443 (https default) and just drop the connection without warning when your browser tries so.
My suggestion is to use the default ports 80 for http and 443 for https.

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
Re: How about SSL support
« Reply #53 on: April 03, 2007, 06:48:20 PM »
I've reviewed the earlier description of HFS with Stunnel, applied some changes for convenience and added some more thoughts. Here we go:

Easy & secure data sharing on Windoze with HFS & Stunnel for free ... an essay

The opportunity:
Today’s widespread cable- and ADSL internet access offers a permanent connection to the worldwide web for home users. External hosting to serve private web pages or to share files is not necessary anymore.   
HFS is a free, opensource http-file/web server for the win32 platform (windoze), it's very easy to use and runs "right out-of-the box" for down- and uploading files as well as for serving web pages directly from a PC at home. It can even travel on a disk or pendrive to serve from any PC at hand and addressable from the Net (keyword: portforwarding) or within a network.

The risk:
All web servers (not only HFS), which use HTTP, have a common weakness:
HTTP-traffic is transmitted in plain text and every bit of data travelling between a web server and a client (browser) can be intercepted and read by everyone who is in the chain passing data to the final destination. Even encoded usernames and passwords, which should protect web servers against unauthorized access, are easy to reveal. Only encrypted traffic (HTTPS) between server and client can protect precious private data against sniffing.
By encrypting the traffic between a server and its clients, a sniffer still is able to see which client IP is exchanging data with a certain web server at a certain time, but it is practically impossible (as long as the sniffer does not have the randomly generated private key) to decrypt the transmitted data.
While most modern browsers can handle encrypted traffic, the HFS server only supports insecure HTTP.

The solution:
Stunnel - a free, opensource multiplatform SSL tunneling proxyprogram- "is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. Stunnel uses OpenSSL or SSLeay libraries for cryptography ..."
This just means, that Stunnel will be used to accept the client requests and establish an encrypted (HTTPS) connection, while Stunnel and the HFS server are exchanging non-encrypted data (HTTP).
A typical configuration of a PC with an https-enabled HFS server:
- Stunnel accepts requests from any IP on port 443, the HTTPS default port.
- Stunnel connects to HFS on an arbitrary chosen free port (e.g. 44300).
- HFS accepts requests on the chosen port, in this example 44300.
- Direct requests from clients to HFS on port 44300 have been blocked, except from 127.0.0.1 (localhost), where Stunnel resides.
- The PC and drives where HFS, Stunnel and the data reside are secured against unauthorized access.

How-to setup Stunnel for a SSL-secured HFS server, create a privatekey and self-signed server certificate:

1. Stunnel is available from http://stunnel.mirt.net as a precompiled binary for windoze: “stunnel-4.20-installer.exe” at the time of writing. Install it and you will end up with:
- stunnel.exe  (= the Stunnel program)
- stunnel.html (= the Stunnel manual)
- stunnel.conf (= the Stunnel configuration file)
- zlib1.dll, libssl32.dll and libeay32.dll (= openssl library files)
- stunnel.pem (= the default privatekey/certificate file)

Note: to get rid of the registry entries made by the installer, save the above files and deinstall Stunnel.

2. Run “stunnel.exe” and open the log. Find the version of openssl used for compiling with stunnel: “0.9.8d” at the time of writing.
Extract this version of “openssl.exe” from “openssl.zip” or download it directly to your Stunnel directory from http://www.openssl.org or http://stunnel.mirt.net (.../openssl/binary-0.9.8d-zdll/openssl.exe).

3. Open a text editor (e.g. notepad) and copy/paste the following entries:
Quote
[req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default  = XX
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
0.commonName = Common Name (FQDN of your server)

[ cert_type ]
nsCertType = server
Save this file as “pem.conf” in the stunnel directory.

4. Delete the “stunnel.pem”, which contains a default server certificate and privatekey.
It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing!
In order to produce pem-file with a unique secure private key / server certificate, open a text editor (e.g. notepad) and copy/paste the following entries:
Quote
openssl.exe req -new -x509 -days 3650 -nodes -config pem.conf -out stunnel.pem -keyout stunnel.pem
Save this file as “create_pem.bat” in the stunnel directory. Run “create_pem.bat”,
answer the questions in the dialog and enter whatever you like.

Note: The Common Name (FQDN) is required and should be the hostname of the machine running stunnel e.g. www.myhomeserver.net.
If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.


Each time you run “create_pem.bat”, a new “stunnel.pem” file with a unique random private key and self assigned server certificate with 10 years validity will be created.
It is extremely important to keep this stunnel.pem file secret! It contains your private key for the encrypted traffic! Do not back-up, but create a new one if necessary.

5. Edit “stunnel.conf” with a text editor and to obtain the following content:
Quote
; Lines preceded with a “;” are comments
; Empty lines are ignored
; For more options and details: see the manual (stunnel.html)
 
; File with certificate and private key
cert = stunnel.pem
key = stunnel.pem

; Log (1= minimal, 5=recommended, 7=all) and log file)
; Preceed with a “;” to disable logging
debug = 5
output = stunnel.log

; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Data compression algorithm: zlib or rle
 compression = zlib

; SSL bug options / NO SSL:v2 (SSLv3 and TLSv1 is enabled)
options = ALL
options = NO_SSLv2

; Service-level configuration
; Stunnel listens to port 443 (HTTPS) to any IP
; and connects to port 44300 (HFS) on localhost
[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0
Save the edited “stunnel.conf”.

6. Stunnel is now configured to accept HTTPS requests from any IP on port 443 of your PC and connects with HTTP to port 44300 on the same PC (127.0.0.1).
Do not forget: Port 443 and 44300 on this PC have to be opened in a firewall and routers have to forward port 443 to your PC. Do not forward port 44300 on your router.

7. Start HFS (2.1d at the time of writing) to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply”  in order to ban every IP except 127.0.0.1 to block direct http access to HFS with a “Host not found” message.
Within a “friendly” network you could consider to add e.g. “\192.168.*” to allow direct HTTP access to HFS from all machines in your network.

8. Test your configuration carefully. You might to want to change the debug mode to debug = 7 in the stunnel.conf file for more log details.

9. Additionally, you might want  also to have an HTTP welcome page, which links to your HTTPS enabled pages and contains instructions for your visitors how to handle a self signed server certificate and the related error messages of some browsers with it: Run a second, independent instance of HFS on port 80, modify the template and link from there to your secure Stunnel-HFS server.
 
10. Optionally, you can put your data, Stunnel and HFS on a pendrive with e.g.  ./Myserver/Stunnel/stunnel.exe…, ./Myserver/HFS443/hfs443.exe…, ./Myserver/HFS44300/hfs44300.exe…, ./Myserver/Filesystem/… (renamed the two “hfs.exe” for convenience).
Configure HFS to save on file and the registry will kept clean. No admin rights are required. Run stunnel.exe, hfs443.exe and hfs44300.exe on any PC in a network for secure data exchange from PC to PC.
Note: Works fine, even in “hostile” networks. You could even rename the executables to some “innocent” names like “excel.exe”, “powerpnt.exe” or “winword.exe” to obfuscate the running processes. Windoze will not complain running different processes with the same name. Use your imagination and be aware of the risks!

11. Visit also http://stunnel.mirt.net, http://www.stunnel.org , http://www.openssl.org and http://www.rejetto.com for further readings.
 
Some important notes:

Because Stunnel connects from 127.0.0.1 (localhost) to HFS, functions of HFS which deal with IP numbers will be influenced.

# Logs will will only show one client:127.0.0.1 (Stunnel on localhost). Use the Stunnel logs additionally to find out the requesting IP addresses.

# Limits (bans, speed, number of simultaneous downloads …) will have influence on one IP only: 127.0.0.1 (Stunnel on localhost). Keep that in mind!

# The ~progress window will show the actual total transfers of all clients (again: 127.0.01) Nice new feature, but also a privacy risk: the filenames of your data will be revealed. Either disable the progress-template (any decent browser has already a comparable window) or protect the server with a password to inhibit the use of the ~progress command for unauthorized clients.

# Do not link parts of your pages to external, insecure (HTTP) servers. It is annoying and makes your site less trustful.

# Data transfer will be somewhat slower, due to the de- and encryption of the data, but evidently the bandwith of the connection will be in most cases the limiting factor.

# Finally, never ever share your Stunnel or HFS directories and take special care to protect them against unauthorized access … and keep your private key private.

So, enjoy secure serving and exchanging data. The more you give, the more you get

~GeeS~ Copyleft 4/2007 Share if you like.

Some small print:
Unfortunately in some countries encryption or the discussion of encryption is still considered illegal.
In some countries the free exchange of data is still considered illegal under certain conditions.
I’m not a lawyer; in case of doubt get professional advice.
These publication is based on my today’s best knowledge and reflect only a small part of the plenty more options of Openssl, Stunnel and HFS. No guarantees or whatsoever.



« Last Edit: April 05, 2007, 07:20:54 PM by ~GeeS~ »
~GeeS~

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12946
    • View Profile
Re: How about SSL support
« Reply #54 on: April 03, 2007, 07:27:53 PM »
why don't publish this thing also on the wiki?
on the forum it may get lost in the future.

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
Re: How about SSL support
« Reply #55 on: April 03, 2007, 07:58:13 PM »
Good job ~GeeS~

The only thing I would add is that the latest version of openSSL is 0.9.8e (dated Feb 23, 2007).  I installed it yesterday.  ( http://www.openssl.org/ )

In the config you show:
; SSL bug options / NO SSL:v2 (SSLv3 and TLSv1 is enabled)
options = ALL
options = NO_SSLv2
I don't have this entry.  Is it necessary?

Also, I don't use compression.  Maybe I should.  Does it speed things up a bit?
« Last Edit: April 03, 2007, 08:23:24 PM by maverick »
maverick

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
Re: How about SSL support
« Reply #56 on: April 03, 2007, 08:45:10 PM »
why don't publish this thing also on the wiki?
on the forum it may get lost in the future.
I tried, but formatting the code and lay-out is horrifying. Tools? Help?

The only thing I would add is that the latest version of openSSL is 0.9.8e (dated Feb 23, 2007).  I installed it yesterday.  ( http://www.openssl.org/ )
The Stunnel 4.20 binaries were compiled with the older version of openssl. Did not want to take any risk with openssl.exe from a newer version.
In the config you show:
; SSL bug options / NO SSL:v2 (SSLv3 and TLSv1 is enabled)
options = ALL
options = NO_SSLv2
I don't have this entry.  Is it necessary?
Got this entries from the openssl manual http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html# and discussions on the stunnel mailarchive:
options = all is a collection of workarounds for bugs in several older browsers
NO_SSLv2 disables SSL version2 options are:ALL|NO_SSLv2|NO_SSLv3|TLSv1
Also, I don't use compression.  Maybe I should.  Does it speed things up a bit?
It should, i measured DL of 3500KB/s on localhost on xp sp2 centrino 1.6Mhz. Seems enough.
It's very difficult to find good info about all the options, but it works flawlessly.  :)

« Last Edit: April 03, 2007, 09:23:47 PM by ~GeeS~ »
~GeeS~

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
Re: How about SSL support
« Reply #57 on: April 03, 2007, 09:12:53 PM »
The only thing I would add is that the latest version of openSSL is 0.9.8e (dated Feb 23, 2007).  I installed it yesterday.  ( http://www.openssl.org/ )
The Stunnel 4.20 binaries were compiled with the older version of openssl. Did not want to take any risk with openssl.exe from a newer version.

Yes, I noticed that too when I first installed stunnel v4.20.  No problem upgrading openSSL.  The newest version includes important bugfixes.    Works perfectly here.

I'll also include the SSL Bug options and turn on compression in the config.

Thanks

« Last Edit: April 04, 2007, 06:01:53 PM by maverick »
maverick

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
Re: How about SSL support
« Reply #58 on: April 03, 2007, 09:25:50 PM »
I'll also include the SSL Bug options and turn on compression in the config.
As i said: No guarantees whatsoever!  ;)
~GeeS~

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
Re: How about SSL support
« Reply #59 on: April 03, 2007, 09:28:13 PM »
As i said: No guarantees whatsoever!  ;)

I know.  I'll monitor.  So far I don't see anything out of the ordinary.
maverick