rejetto forum

Stunnel


Offline Rod Bodden

  • Occasional poster
    • Posts: 1
 
My Name is Rod Bodden.

I'm new to the forum, HFS and Stunnel.

I searched for Stunnel and read through some of the forum commentary.

I've been successful at setting up HFS, but unsuccessful with setting up Stunnel.

Part of the reason is that when following the instructions below (Run “create_pem.bat”), I do not get a dialog box to enter whatever I like.


4. Delete the “stunnel.pem”, which contains a default server certificate and private key.
It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing!
In order to produce a pem file with a unique secure private key / server certificate, open a text editor (e.g. notepad) and copy/paste the following entries:

openssl.exe req -new -x509 -days 3650 -nodes -config pem.conf -out stunnel.pem -keyout stunnel.pem

Save this file as “create_pem.bat” in the stunnel directory.
Run “create_pem.bat”,
answer the questions in the dialog and enter whatever you like.



Can someone please help me.

Thanks!

Rod



Offline Mars

  • Operator
  • Tireless poster
    • Posts: 2063

Offline SilentPliz

  • Operator
  • Tireless poster
    • Posts: 1298
  • ....... chut ! shh!
Hi :)

Download Win32 OpenSSL v0.9.8g :

http://www.slproweb.com/products/Win32OpenSSL.html

and stunnel-4.21-installer.exe

http://www.stunnel.org/download/binaries.html

And follow precisely this tutorial from the wiki on the forum:

http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server

(ALTERNATE SOLUTION FOR THE SSL CERTIFICATE: A simpler solution is to generate an SSL certificate with a program like FileZilla Server ( http://sourceforge.net/project/showfiles.php?group_id=21558&package_id=21737 ), and edit and paste the contents into the *.pem file.
Then fill out the pem.conf file with the same information as that entered to generate the certificate.

For the configuration, the tutorial remains valid.)


Essential parts of the wiki:

2. Run “stunnel.exe” and open the log. Find the version of OpenSSL used for compiling stunnel: “0.9.8g” at the time of writing.
Extract this version of “openssl.exe” from “openssl.zip” or download it directly to your Stunnel directory.

3. Open a text editor (e.g. notepad) and copy/paste the following entries:

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = XX
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
0.commonName = Common Name (FQDN of your server)

[ cert_type ]
nsCertType = server

Save this file as “pem.conf” in the stunnel directory.

4. Delete the “stunnel.pem”, which contains a default server certificate and private key.
It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing!
In order to produce a pem file with a unique secure private key / server certificate, open a text editor (e.g. notepad) and copy/paste the following entries:

openssl.exe req -new -x509 -days 3650 -nodes -config pem.conf -out stunnel.pem -keyout stunnel.pem

Save this file as “create_pem.bat” in the stunnel directory. Run “create_pem.bat”,
answer the questions in the dialog and enter whatever you like.

Note: The Common Name (FQDN) is required and should be the hostname of the machine running stunnel, e.g. www.myhomeserver.net.
If you can access the machine by more than one hostname, some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.

Each time you run “create_pem.bat”, a new “stunnel.pem” file with a unique random private key and a self-signed server certificate with 10 years of validity will be created.
It is extremely important to keep this stunnel.pem file secret! It contains your private key for the encrypted traffic! Do not back it up; create a new one if necessary.

5. Edit “stunnel.conf” with a text editor to obtain the following content:

; Lines preceded with a “;” are comments
; Empty lines are ignored
; For more options and details: see the manual (stunnel.html)

; File with certificate and private key
cert = stunnel.pem
key = stunnel.pem

; Log level (1 = minimal, 5 = recommended, 7 = all) and log file
; Precede with a “;” to disable logging
debug = 5
output = stunnel.log

; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Data compression algorithm: zlib or rle
compression = zlib

; SSL bug options / no SSLv2 (SSLv3 and TLSv1 are enabled)
options = ALL
options = NO_SSLv2

; Service-level configuration
; Stunnel listens to port 443 (HTTPS) to any IP
; and connects to port 44300 (HFS) on localhost
[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0


Save the edited “stunnel.conf”.

6. Stunnel is now configured to accept HTTPS requests from any IP on port 443 of your PC and connects with HTTP to port 44300 on the same PC (127.0.0.1).
Do not forget: Ports 443 and 44300 on this PC have to be opened in the firewall, and routers have to forward port 443 to your PC. Do not forward port 44300 on your router.

7. Start HFS to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply” in order to ban every IP except 127.0.0.1, blocking direct HTTP access to HFS with a “Host not found” message.
Within a “friendly” network you could consider adding e.g. “\192.168.*” to allow direct HTTP access to HFS from all machines in your network.

8. Test your configuration carefully. You might want to change the debug mode to debug = 7 in the stunnel.conf file for more log details.

9. Additionally, you might also want to have an HTTP welcome page which links to your HTTPS-enabled pages and contains instructions for your visitors on how to handle a self-signed server certificate and the related error messages some browsers show for it: Run a second, independent instance of HFS on port 80, modify the template and link from there to your secure Stunnel-HFS server.
« Last Edit: March 03, 2008, 02:28:14 PM by SilentPliz »


saty

  • Guest
Hi,

I was just wondering if stunnel can be used for redirecting traffic to another port on the same server besides the port used for HFS. To put it simply, whether we can configure stunnel to secure more than one application?

I am not very sure, but I don't think it is possible, the reason being how stunnel would know (from the incoming traffic) about the destination port to which it has to direct traffic?

regards,
Saty


Offline SilentPliz

  • Operator
  • Tireless poster
    • Posts: 1298
  • ....... chut ! shh!
Quote from saty:

    Hi,

    I was just wondering if stunnel can be used for redirecting traffic to another port on the same server besides the port used for HFS. To put it simply, whether we can configure stunnel to secure more than one application?

    I am not very sure, but I don't think it is possible, the reason being how stunnel would know (from the incoming traffic) about the destination port to which it has to direct traffic?

    regards,
    Saty

Hi,

For additional protocols / applications such as POP, IMAP ... it is possible with the same configuration files, with the correct settings.

For other applications with SSL, I am not sure, but I think that this is possible using a second instance of Stunnel, a second SSL certificate with a different hostname (dynamic DNS), and a second configuration file.
And of course other ports.

If anyone knows more, I'll leave it to them... ;)

regards,
Olivier
« Last Edit: March 03, 2008, 03:07:03 PM by SilentPliz »
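The following is an added example from the editor, not code from this thread, the HFS wiki or the stunnel project. It parses an stunnel.conf in the layout the wiki excerpt uses (global options, then one [name] section per service, repeatable keys such as `options` and `socket`) and reports what a reviewer would question in it. Two checks go beyond the 2008 wiki and are the editor's: SSLv3 was deprecated later (RFC 7568), and the `compression = zlib` line turns on TLS-level compression, which the CRIME attack (2012) exploits. The second sample config is a constructed answer to saty's question above: stunnel tells services apart by their `accept` port, so one instance with one certificate can front HFS and a second plaintext backend at the same time. Both sample configs, the loopback set and the finding texts are assumptions made for this example.

```python
"""Check an stunnel.conf the way a reviewer would read it.

Added example (not code from the forum post, the HFS wiki or the stunnel
project). The parser handles stunnel's layout: global options first, then one
[name] section per service, with repeatable keys such as `options` and `socket`.
Both sample configs below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed copy of the stunnel.conf from the wiki excerpt above (step 5).
WIKI_CONF = """\
; File with certificate and private key
cert = stunnel.pem
key = stunnel.pem
debug = 5
output = stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
options = ALL
options = NO_SSLv2
[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0
"""

# Constructed answer to saty's question: one stunnel instance and one
# certificate front two plaintext services; the accept port selects the service.
MULTI_CONF = """\
cert = stunnel.pem
key = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
[pop3s]
accept = 0.0.0.0:995
connect = 127.0.0.1:110
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}  # assumed set of on-host backends


def parse_stunnel_conf(text):
    """Return (global_opts, services). Every value is a list, because keys such
    as `options` and `socket` may legitimately repeat. Option names are
    lower-cased for lookup (stunnel matches them case-insensitively)."""
    global_opts = defaultdict(list)
    services = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank lines and comments
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1).strip(), defaultdict(list))
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        current[key.strip().lower()].append(value.strip())
    return global_opts, services


def split_host_port(endpoint, default_host):
    """'0.0.0.0:443' -> ('0.0.0.0', '443'); a bare '443' -> (default_host, '443')."""
    host, sep, port = endpoint.rpartition(":")
    return (host, port) if sep else (default_host, endpoint)


def review(text):
    """Return a list of findings for the config; an empty list means no concerns."""
    g, services = parse_stunnel_conf(text)
    findings = []
    enabled_opts = {o.upper() for o in g.get("options", [])}
    # The 2008 wiki only disables SSLv2; SSLv3 was later deprecated (RFC 7568).
    for proto in ("SSLv2", "SSLv3"):
        if f"NO_{proto}".upper() not in enabled_opts:
            findings.append(f"global: {proto} not disabled (add options = NO_{proto})")
    # TLS-level compression is what the CRIME attack (2012) exploits.
    if g.get("compression"):
        findings.append(f"global: compression = {g['compression'][0]} enables TLS compression; remove it")
    if not services:
        findings.append("no [service] section: stunnel has nothing to accept")
    seen_ports = {}
    for name, s in services.items():
        if not (s.get("cert") or g.get("cert")):
            findings.append(f"[{name}]: no cert configured")
        accept, connect = s.get("accept"), s.get("connect")
        if not accept or not connect:
            findings.append(f"[{name}]: needs both accept and connect")
            continue
        _, port = split_host_port(accept[0], "0.0.0.0")
        if port in seen_ports:   # two services cannot share one accept port
            findings.append(f"[{name}]: accept port {port} already used by [{seen_ports[port]}]")
        seen_ports[port] = name
        host, _ = split_host_port(connect[0], "127.0.0.1")
        if host not in LOOPBACK:  # the backend leg is plaintext: keep it on-host
            findings.append(f"[{name}]: connect = {connect[0]} sends plaintext off the host")
    return findings


if __name__ == "__main__":
    for label, conf in (("wiki", WIKI_CONF), ("two services", MULTI_CONF)):
        print(f"{label}: {review(conf) or ['no findings']}")
```

Run against the wiki's config it reports two findings (SSLv3 still enabled, compression on); against the two-service config it reports none. Swapping the pop3s accept port to 443 produces the port-clash finding, which is the practical answer to "how would stunnel know": it does not inspect the traffic, each service owns its own listening port.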