rejetto forum

HFS and Stunnel

0 Members and 1 Guest are viewing this topic.

Offline rollsroycephantom95

  • Occasional poster
  • *
    • Posts: 19
    • View Profile
Hello please help i succesfully configured stunnel and it works but my certificate is not sighned by a valid CA company so windows barely exepts me using it. i made a CSR and requested a certificate and i got it. Now i have no ideo where to put it in reallation to stunnel. stunnels manual says stunnel looks for the certificate in "(/usr/local/ssl/localCA/cacert.pem)". where is that? and do i need to mess with any of stunnels configuration file. please help.


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
    • View Profile
/usr/local/ssl/localCA/cacert.pem is a path under linux OS  :)

With Windows OS you can put the certificate where you want, provided to correctly set the right path in stunnel.conf

The easiest way is to put it in the folder of Stunnel.

e.g:

; File with certificate and private key
cert = cacert.pem
key = cacert.pem

............

If your certificate is signed by a valid authority, and if you want to use it with other applications; you can install it with Internet Explorer or since the configuration panel ... how to do so must be indicated by whoever provided you the certificate.

« Last Edit: May 11, 2010, 11:37:23 PM by SilentPliz »


Offline rollsroycephantom95

  • Occasional poster
  • *
    • Posts: 19
    • View Profile
do i keep the private key named stunnel.pem and just change the certificate field in the configuration to the name of my certificate or do i make them one and put the private key first skip a line and then the certificate and name that one file stunnel.pem.


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
    • View Profile
e.g with 1 file named stunnel.pem (you can change the name)

Quote
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCxUFMuqJJbI9KnB8VtwSbcvwNOltWBtWyaSmp7yEnqwWel5TFf
cOObCuLZ69sFi1ELi5C91qRaDMow7k5Gj05DZtLDFfICD0W1S+n2Kql2o8f2RSvZ
qD2W9l8i59XbCz1oS4l9S09L+3RTZV9oer/Unby/QmicFLNM0WgrVNiKywIDAQAB
AoGAKX4KeRipZvpzCPMgmBZi6bUpKPLS849o4pIXaO/tnCm1/3QqoZLhMB7UBvrS
PfHj/Tejn0jjHM9xYRHi71AJmAgzI+gcN1XQpHiW6kATNDz1r3yftpjwvLhuOcp9
tAOblojtImV8KrAlVH/21rTYQI+Q0m9qnWKKCoUsX9Yu8UECQQDlbHL38rqBvIMk
zK2wWJAbRvVf4Fs47qUSef9pOo+p7jrrtaTqd99irNbVRe8EWKbSnAod/B04d+cQ
ci8W+nVtAkEAxdqPOnCISW4MeS+qHSVtaGv2kwvfxqfsQw+zkwwHYqa+ueg4wHtG
/9+UgxcXyCXrj0ciYCqURkYhQoPbWP82FwJAWWkjgTgqsYcLQRs3kaNiPg8wb7Yb
NxviX0oGXTdCaAJ9GgGHjQ08lNMxQprnpLT8BtZjJv5rUOeBuKoXagggHQJAaUAF
91GLvnwzWHg5p32UgPsF1V14siX8MgR1Q6EfgKQxS5Y0Mnih4VXfnAi51vgNIk/2
AnBEJkoCQW8BTYueCwJBALvz2JkaUfCJc18E7jCP7qLY4+6qqsq+wr0t18+ogOM9
JIY9r6e1qwNxQ/j1Mud6gn6cRrObpRtEad5z2FtcnwY=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICDzCCAXigAwIBAgIBADANBgkqhkiG9w0BAQQFADBCMQswCQYDVQQGEwJQTDEf
MB0GA1UEChMWU3R1bm5lbCBEZXZlbG9wZXJzIEx0ZDESMBAGA1UEAxMJbG9jYWxo
b3N0MB4XDTk5MDQwODE1MDkwOFoXDTAwMDQwNzE1MDkwOFowQjELMAkGA1UEBhMC
UEwxHzAdBgNVBAoTFlN0dW5uZWwgRGV2ZWxvcGVycyBMdGQxEjAQBgNVBAMTCWxv
Y2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsVBTLqiSWyPSpwfF
bcEm3L8DTpbVgbVsmkpqe8hJ6sFnpeUxX3Djmwri2evbBYtRC4uQvdakWgzKMO5O
Ro9OQ2bSwxXyAg9FtUvp9iqpdqPH9kUr2ag9lvZfIufV2ws9aEuJfUtPS/t0U2Vf
aHq/1J28v0JonBSzTNFoK1TYissCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgZA
MA0GCSqGSIb3DQEBBAUAA4GBAAhYFTngWc3tuMjVFhS4HbfFF/vlOgTu44/rv2F+
ya1mEB93htfNxx3ofRxcjCdorqONZFwEba6xZ8/UujYfVmIGCBy4X8+aXd83TJ9A
eSjTzV9UayOoGtmg8Dv2aj/5iabNeK1Qf35ouvlcTezVZt2ZeJRhqUHcGaE+apCN
TC9Y
-----END CERTIFICATE-----

This file is placed in the folder of Stunnel

--------------------------------------------

In the stunnel.conf file:

cert = stunnel.pem  (you can change the name)
key = stunnel.pem   (you can change the name)

Your private key is secure in both case.

If your certificate is splited into two files, you must specify the path for both.

cert = certificat_name
key = private_key_name
« Last Edit: May 11, 2010, 11:57:03 PM by SilentPliz »


Offline rollsroycephantom95

  • Occasional poster
  • *
    • Posts: 19
    • View Profile
ok thank you how do i make the rsa key. when i make it is just makes a file called stunnel.pem which consists of Begin Private Key and End Provate Key no RSA Private Key. oh yeah and is your site running and if yes what is the url


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
    • View Profile
Run openssl.exe (command line)

Paste this into the command prompt after you changed the red examples words:

Quote
req \
  -x509 -nodes -days 3650 \
  -subj '/C=United States/O=Organisation/OU=facultative/ST=Ilinois/L=Chicago/CN=your_domain.com or IP' \
  -newkey rsa:4096 -keyout mycert.pem -out mycert.pem


... you get a certificate valid for 10 years - RSA 4096 :D
« Last Edit: May 12, 2010, 12:25:57 AM by SilentPliz »


Offline rollsroycephantom95

  • Occasional poster
  • *
    • Posts: 19
    • View Profile
I know this will be very time consuming but can you please type up a guide on how to install stunnel with openssl the correct way for Windows XP 32 Bit. Please Please Please :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :-\ :'( :'( :'( :'( :'( :'( :'( :'(   lets make believe i have never installed it before and please provide download links


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
    • View Profile
About the message you've deleted:

The certificates created in this way, ie self-signed, always cause this kind of messages from browsers.
The only way to avoid this is that your certificate whether signed by one certification authority like Verisign for example.
These services are generally paying.
Some authority of certification free of charge exists, but it is better to get informed before about the serious of these companies.
« Last Edit: May 12, 2010, 01:23:16 AM by SilentPliz »


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
    • View Profile
Quote
Hello please help i succesfully configured stunnel and it works but my certificate is not sighned by a valid CA company so windows barely exepts me using it. i made a CSR and requested a certificate and i got it.

Ok .. your previous posts left me thinking that you were more advanced in the installation of Stunnel + OpenSSL.

I'm not gonna make a tutorial ... I think this might be long.

I suggest you instead use this tool, it will help you to install Stunnel & HFS ready to operate and it will create a certificate.

http://www.rejetto.com/forum/index.php/topic,7100.0.html
 
Once you will have everything installed, you replace the executable of HFS by the latest beta version, because the version included in this pack is less recent.


Edit: the link I gave you seem obsolete, it seems that the author has put his project on standby.
The link to the sources is still valid ... I tried to compile, but they are incomplete. :-\


Links for Stunnel & OpenSSL:

http://www.stunnel.org/download/stunnel/win32/stunnel-4.33-installer.exe
http://www.slproweb.com/download/Win32OpenSSL_Light-1_0_0.exe

If needed Visual C++ 2008 Redistributables:

http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF


tutorial:

http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server


« Last Edit: May 12, 2010, 03:18:51 AM by SilentPliz »


Offline rollsroycephantom95

  • Occasional poster
  • *
    • Posts: 19
    • View Profile
how should i intall openssl. to a diect directory or in the stunnel folder or the bin\ or whatever its called


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2056
    • View Profile
all informations about stunnel are here take time to read all posts


Offline rollsroycephantom95

  • Occasional poster
  • *
    • Posts: 19
    • View Profile
ok last question my browser says this when i want to go to the site  " There is a problem with this website's security certificate". The security certificate presented by this website was not issued by a trusted certificate authority". i want it to be a green adress bar not a red one.


Offline maverick

  • Tireless poster
  • ****
    • Posts: 1052
  • Computer Solutions
    • View Profile
ok last question my browser says this when i want to go to the site  " There is a problem with this website's security certificate". The security certificate presented by this website was not issued by a trusted certificate authority". i want it to be a green adress bar not a red one.

You will need a real security certificate issued by a trusted certificate authority.  You can go to this site to purchase one -> http://www.verisign.com/
maverick


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
    • View Profile
how should i intall openssl. to a diect directory or in the stunnel folder or the bin\ or whatever its called

Each program must have its own folder.

OpenSSL is used only to create the certificate.