rejetto forum

How about SSL support


Offline ~GeeS~

  • Tireless poster
  • ****
    • Posts: 269
  • "The web was made for sharing..."
Why not publish this on the wiki too?
On the forum it may get lost in the future.
I tried, but formatting the code and layout is horrifying. Tools? Help?
Has already been done. HTML!
~GeeS~


T1m

  • Guest
An SSH server and PuTTY are a great combo for secure access. It's not as convenient as an HFS that supports HTTPS, but it will give you a secure connection over the internet. I use it all the time for secure access to my home network, including a Windows HFS server, a Squid proxy server, and a couple of VNC sessions. I use OpenSSH and Cygwin on XP and BearDrop on Ubuntu as my SSH servers, and PuTTY is available on Windows, Linux, and probably OS 10.x Macs.


GapeApe

  • Guest
Everything is running fine, but I noticed my lock icon (Firefox) has a slash through it. It says "warning: contains unauthenticated content". When I double-click on it I get the page info, and all the links are https. That was the only step I could think of on my own. I remember seeing a post on this (possibly in this thread) but I haven't been able to find it.
Thx


Todd

  • Guest
First off, let me say thanks for this great forum!  I have done a lot of reading and searching for answers to using HFS, and have been trying for a couple of weeks now to get STunnel to work with HFS. I have followed the instructions by GeeS to the letter, and am having fits trying to get it to work.  When I attempt to connect to my server via port 443, I get the page with the server certificate, and after I click on that, I get an IE 'Page cannot be displayed'.

Here is a log of Stunnel when doing this...

2007.05.21 10:05:09 LOG6[3680:3044]: Compression enabled using zlib method
2007.05.21 10:05:09 LOG7[3680:3044]: Snagged 64 random bytes from C:/.rnd
2007.05.21 10:05:09 LOG7[3680:3044]: Wrote 1024 new random bytes to C:/.rnd
2007.05.21 10:05:09 LOG7[3680:3044]: RAND_status claims sufficient entropy for the PRNG
2007.05.21 10:05:09 LOG7[3680:3044]: PRNG seeded successfully
2007.05.21 10:05:09 LOG7[3680:3044]: Configuration SSL options: 0x01000FFF
2007.05.21 10:05:09 LOG7[3680:3044]: SSL options set: 0x01000FFF
2007.05.21 10:05:09 LOG7[3680:3044]: Certificate: stunnel.pem
2007.05.21 10:05:09 LOG7[3680:3044]: Certificate loaded
2007.05.21 10:05:09 LOG7[3680:3044]: Key file: stunnel.pem
2007.05.21 10:05:09 LOG7[3680:3044]: Private key loaded
2007.05.21 10:05:09 LOG7[3680:3044]: SSL context initialized for service https
2007.05.21 10:05:09 LOG5[3680:3044]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8d 28 Sep 2006
2007.05.21 10:05:09 LOG5[3680:3044]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.05.21 10:05:09 LOG5[3680:3980]: No limit detected for the number of clients
2007.05.21 10:05:09 LOG7[3680:3980]: FD 188 in non-blocking mode
2007.05.21 10:05:09 LOG7[3680:3980]: SO_REUSEADDR option set on accept socket
2007.05.21 10:05:09 LOG7[3680:3980]: https bound to 0.0.0.0:443
2007.05.21 10:05:47 LOG7[3680:3980]: https accepted FD=232 from 192.168.1.1:1492
2007.05.21 10:05:47 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:47 LOG7[3680:3980]: New thread created
2007.05.21 10:05:47 LOG7[3680:2936]: https started
2007.05.21 10:05:47 LOG7[3680:2936]: FD 232 in non-blocking mode
2007.05.21 10:05:47 LOG7[3680:2936]: TCP_NODELAY option set on local socket
2007.05.21 10:05:47 LOG5[3680:2936]: https accepted connection from 192.168.1.1:1492
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): before/accept initialization
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write certificate A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write server done A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read client key exchange A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:47 LOG7[3680:2936]:    1 items in the session cache
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client connects (SSL_connect())
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client connects that finished
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client renegotiations requested
2007.05.21 10:05:47 LOG7[3680:2936]:    1 server connects (SSL_accept())
2007.05.21 10:05:47 LOG7[3680:2936]:    1 server connects that finished
2007.05.21 10:05:47 LOG7[3680:2936]:    0 server renegotiations requested
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache hits
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache misses
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache timeouts
2007.05.21 10:05:47 LOG6[3680:2936]: SSL accepted: new session negotiated
2007.05.21 10:05:47 LOG6[3680:2936]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.05.21 10:05:47 LOG7[3680:2936]: FD 260 in non-blocking mode
2007.05.21 10:05:47 LOG7[3680:2936]: https connecting 127.0.0.1:44300
2007.05.21 10:05:47 LOG7[3680:2936]: connect_wait: waiting 10 seconds
2007.05.21 10:05:47 LOG7[3680:2936]: connect_wait: connected
2007.05.21 10:05:47 LOG5[3680:2936]: https connected remote server from 127.0.0.1:1645
2007.05.21 10:05:47 LOG7[3680:2936]: Remote FD=260 initialized
2007.05.21 10:05:47 LOG7[3680:2936]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:47 LOG7[3680:2936]: Socket closed on read
2007.05.21 10:05:47 LOG7[3680:2936]: SSL write shutdown
2007.05.21 10:05:47 LOG7[3680:2936]: SSL alert (write): warning: close notify
2007.05.21 10:05:47 LOG6[3680:2936]: SSL socket closed on SSL_shutdown
2007.05.21 10:05:47 LOG7[3680:2936]: Socket write shutdown
2007.05.21 10:05:47 LOG5[3680:2936]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2007.05.21 10:05:47 LOG7[3680:2936]: https finished (0 left)
2007.05.21 10:05:50 LOG7[3680:3980]: https accepted FD=208 from 192.168.1.1:1493
2007.05.21 10:05:50 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:50 LOG7[3680:3980]: New thread created
2007.05.21 10:05:50 LOG7[3680:2996]: https started
2007.05.21 10:05:50 LOG7[3680:2996]: FD 208 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:2996]: TCP_NODELAY option set on local socket
2007.05.21 10:05:50 LOG5[3680:2996]: https accepted connection from 192.168.1.1:1493
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): before/accept initialization
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:50 LOG7[3680:2996]:    1 items in the session cache
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client connects (SSL_connect())
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client connects that finished
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client renegotiations requested
2007.05.21 10:05:50 LOG7[3680:3980]: https accepted FD=260 from 192.168.1.1:1494
2007.05.21 10:05:50 LOG7[3680:2996]:    2 server connects (SSL_accept())
2007.05.21 10:05:50 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:50 LOG7[3680:2996]:    2 server connects that finished
2007.05.21 10:05:50 LOG7[3680:3980]: New thread created
2007.05.21 10:05:50 LOG7[3680:2996]:    0 server renegotiations requested
2007.05.21 10:05:50 LOG7[3680:2996]:    1 session cache hits
2007.05.21 10:05:50 LOG7[3680:2996]:    0 session cache misses
2007.05.21 10:05:50 LOG7[3680:2996]:    0 session cache timeouts
2007.05.21 10:05:50 LOG6[3680:2996]: SSL accepted: previous session reused
2007.05.21 10:05:50 LOG7[3680:2996]: FD 288 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:2996]: https connecting 127.0.0.1:44300
2007.05.21 10:05:50 LOG7[3680:2996]: connect_wait: waiting 10 seconds
2007.05.21 10:05:50 LOG7[3680:2996]: connect_wait: connected
2007.05.21 10:05:50 LOG7[3680:4008]: https started
2007.05.21 10:05:50 LOG5[3680:2996]: https connected remote server from 127.0.0.1:1646
2007.05.21 10:05:50 LOG7[3680:2996]: Remote FD=288 initialized
2007.05.21 10:05:50 LOG7[3680:2996]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:50 LOG7[3680:2996]: Socket closed on read
2007.05.21 10:05:50 LOG7[3680:2996]: SSL socket closed on SSL_read
2007.05.21 10:05:50 LOG7[3680:2996]: Socket write shutdown
2007.05.21 10:05:50 LOG5[3680:2996]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2007.05.21 10:05:50 LOG7[3680:2996]: https finished (1 left)
2007.05.21 10:05:50 LOG7[3680:4008]: FD 260 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:4008]: TCP_NODELAY option set on local socket
2007.05.21 10:05:50 LOG5[3680:4008]: https accepted connection from 192.168.1.1:1494
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): before/accept initialization
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:50 LOG7[3680:4008]:    1 items in the session cache
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client connects (SSL_connect())
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client connects that finished
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client renegotiations requested
2007.05.21 10:05:50 LOG7[3680:4008]:    3 server connects (SSL_accept())
2007.05.21 10:05:50 LOG7[3680:4008]:    3 server connects that finished
2007.05.21 10:05:50 LOG7[3680:4008]:    0 server renegotiations requested
2007.05.21 10:05:50 LOG7[3680:4008]:    2 session cache hits
2007.05.21 10:05:50 LOG7[3680:4008]:    0 session cache misses
2007.05.21 10:05:50 LOG7[3680:4008]:    0 session cache timeouts
2007.05.21 10:05:50 LOG6[3680:4008]: SSL accepted: previous session reused
2007.05.21 10:05:50 LOG7[3680:4008]: FD 216 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:4008]: https connecting 127.0.0.1:44300
2007.05.21 10:05:50 LOG7[3680:4008]: connect_wait: waiting 10 seconds
2007.05.21 10:05:50 LOG7[3680:4008]: connect_wait: connected
2007.05.21 10:05:50 LOG5[3680:4008]: https connected remote server from 127.0.0.1:1647
2007.05.21 10:05:50 LOG7[3680:4008]: Remote FD=216 initialized
2007.05.21 10:05:50 LOG7[3680:4008]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:50 LOG7[3680:4008]: Socket closed on read
2007.05.21 10:05:50 LOG7[3680:4008]: SSL write shutdown
2007.05.21 10:05:50 LOG7[3680:4008]: SSL alert (write): warning: close notify
2007.05.21 10:05:50 LOG6[3680:4008]: SSL socket closed on SSL_shutdown
2007.05.21 10:05:50 LOG7[3680:4008]: Socket write shutdown
2007.05.21 10:05:50 LOG5[3680:4008]: Connection closed: 0 bytes sent to SSL, 540 bytes sent to socket
2007.05.21 10:05:50 LOG7[3680:4008]: https finished (0 left)

I have HFS set up to listen on port 44300, and have everything set up EXACTLY as described in this forum by GeeS (his update), and I cannot get it to allow me to get to the server after activating STunnel.  I can access it all day long without STunnel via port 81 (ISP blocks 80), but when I go through the steps to set up STunnel, I cannot access it via HTTPS, but can via HTTP.

Does anyone have any thoughts on why this wouldn't be working in my case?

Thanks, in advance, for any help!
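What the stunnel log above actually tells a defender is easy to miss in 130 lines of LOG7 noise: every TLS handshake completes, stunnel connects onward to 127.0.0.1:44300, and then the connection closes with "0 bytes sent to SSL" (nothing written back to the browser) while the third connection shows "540 bytes sent to socket" (a request was forwarded to the backend). The following is an added example, not code from this thread or from the stunnel or HFS projects: a small Python triage script that groups stunnel 4.x log lines by their [pid:tid] thread id, records whether the handshake completed and how many bytes went each way, and flags two things worth acting on: a connection whose request reached the backend but got no reply (the backend, not TLS, is dropping it), and a negotiated protocol or cipher that is obsolete (SSLv3 with RC4-MD5, as in this log). The sample lines are abridged from the log posted above; the field names and diagnosis labels are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: a few stunnel 4.x lines abridged from the log posted above,
# keeping the original [pid:tid] thread ids so each connection can be followed.
SAMPLE_LOG = """\
2007.05.21 10:05:47 LOG5[3680:2936]: https accepted connection from 192.168.1.1:1492
2007.05.21 10:05:47 LOG6[3680:2936]: SSL accepted: new session negotiated
2007.05.21 10:05:47 LOG6[3680:2936]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.05.21 10:05:47 LOG5[3680:2936]: https connected remote server from 127.0.0.1:1645
2007.05.21 10:05:47 LOG5[3680:2936]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2007.05.21 10:05:50 LOG5[3680:4008]: https accepted connection from 192.168.1.1:1494
2007.05.21 10:05:50 LOG6[3680:4008]: SSL accepted: previous session reused
2007.05.21 10:05:50 LOG5[3680:4008]: https connected remote server from 127.0.0.1:1647
2007.05.21 10:05:50 LOG5[3680:4008]: Connection closed: 0 bytes sent to SSL, 540 bytes sent to socket
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<thread>\d+:\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"accepted connection from (\S+)")
CIPHER_RE = re.compile(r"Negotiated ciphers: (\S+) (\S+)")
CLOSED_RE = re.compile(r"Connection closed: (\d+) bytes sent to SSL, (\d+) bytes sent to socket")

# Protocol/cipher tokens that should never appear in a current deployment.
WEAK_TOKENS = ("SSLv2", "SSLv3", "RC4", "MD5", "DES", "NULL", "EXP")


def parse_stunnel_log(text):
    """Group log lines by [pid:tid]; one record per proxied connection."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = conns.setdefault(m["thread"], {
            "client": None, "tls_ok": False, "cipher": None, "protocol": None,
            "to_client": None,   # "bytes sent to SSL": written back to the TLS client
            "to_backend": None,  # "bytes sent to socket": forwarded to the plain backend
        })
        msg = m["msg"]
        if (c := CLIENT_RE.search(msg)):
            rec["client"] = c.group(1)
        elif msg.startswith("SSL accepted"):
            rec["tls_ok"] = True
        elif (c := CIPHER_RE.search(msg)):
            rec["cipher"], rec["protocol"] = c.group(1), c.group(2)
        elif (c := CLOSED_RE.search(msg)):
            rec["to_client"], rec["to_backend"] = int(c.group(1)), int(c.group(2))
    return conns


def diagnose(rec):
    """Classify why a connection ended; the labels are this example's own."""
    if not rec["tls_ok"]:
        return "tls-handshake-failed"
    if rec["to_backend"] is None:
        return "still-open"
    if rec["to_backend"] > 0 and rec["to_client"] == 0:
        # The request was forwarded to 127.0.0.1 but the backend answered with
        # nothing: TLS is fine, look at the backend (for HFS behind stunnel,
        # a ban list that rejects 127.0.0.1 with "Disconnect with no reply").
        return "backend-no-reply"
    if rec["to_backend"] == 0 and rec["to_client"] == 0:
        # Handshake done but the browser never sent a request (typical after a
        # certificate warning or a speculative pre-connect).
        return "client-sent-nothing"
    return "ok"


def is_weak_cipher(rec):
    """True when the negotiated protocol or cipher uses an obsolete primitive."""
    negotiated = " ".join(t for t in (rec["cipher"], rec["protocol"]) if t)
    return any(tok in negotiated for tok in WEAK_TOKENS)


def report(text):
    """Return (thread, client, diagnosis, weak_cipher) tuples for a whole log."""
    return [(tid, r["client"], diagnose(r), is_weak_cipher(r))
            for tid, r in parse_stunnel_log(text).items()]


if __name__ == "__main__":
    for tid, client, verdict, weak in report(SAMPLE_LOG):
        print("%s client=%s -> %s%s" % (tid, client, verdict, "  [WEAK CIPHER]" if weak else ""))
```

Run against the full log above, the first two connections come out as "client-sent-nothing" (the browser closed right after the handshake, consistent with the certificate prompt Todd describes) and the third as "backend-no-reply": the request reached HFS on 127.0.0.1 and HFS said nothing back, which is exactly what a ban on 127.0.0.1 with "Disconnect with no reply" produces. Note that stunnel only logs "Negotiated ciphers" for a new session, so a reused session inherits the cipher of the session it resumed and cannot be judged on its own line.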


Todd

  • Guest
I am able to get this way to work, but not using the method in my previous post.  What would keep the other way from working, while this method works?   ???

Quote

Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL certificate. Copy this to the STunnel main folder. This certificate should be called STunnel.pem.

Then edit the STunnel config and find these lines. If they are not there, simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below:

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default, though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC by using your IP with :443 on the end, or do as I did and create a DynDNS account.
If you are not aware, you can create a normal dynamic domain and have this redirect to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a router firewall. So all I get is my router logon.

Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org


Todd

  • Guest
In messing around with this more, I am able to connect using the GeeS method upon removing the \127.0.0.1 entry from the Ban list.  I can connect to the server via HTTPS, and only HTTPS, when \127.0.0.1 is not in the Ban list.

Did I do something wrong?  I put it in the list without the quotes, and everything locks me out.  Upon removing it, it works fine.   ???

I will leave it like this as it works fine without it, but not sure why circumventing it works...


Offline traxxus

  • Occasional poster
  • *
    • Posts: 62
Yes, REMOVE 127.0.0.1 (it's the localhost) from the ban list.
It's not possible to connect via SSL if localhost is banned.

Reason:
In the HFS log there is an entry like this if you log in via HTTPS (Stunnel):
username@127.0.0.1:4181 Served 2.18 KB

« Last Edit: May 22, 2007, 06:54:49 AM by traxxus »
traxxus.dyndns.org:100


Todd

  • Guest
Quote

Yes, REMOVE 127.0.0.1 (it's the localhost) from the ban list.
It's not possible to connect via SSL if localhost is banned.

Reason:
In the HFS log there is an entry like this if you log in via HTTPS (Stunnel):
username@127.0.0.1:4181 Served 2.18 KB



Agreed. 

However, the '\' in front of the address is supposed to block everything except 127.0.0.1 per the HFS guide, as well as the "How Do I Invert Logic" (or words to that effect) button in the Limits/Ban screen.

Quote

7. Start HFS (2.1d at the time of writing) to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply” in order to ban every IP except 127.0.0.1, to block direct HTTP access to HFS with a “Host not found” message.
Within a “friendly” network you could consider adding e.g. “\192.168.*” to allow direct HTTP access to HFS from all machines in your network.


This is what's throwing me off in trying to get the specific instructions by GeeS to work where the instructions state to use the "\127.0.0.1" sans quotations and check the "Disconnect with no reply" box to get it to work.


Todd

  • Guest
I finally figured it out.  I was putting the \192.168.* on a separate line as the \127.0.0.1.  After combining them on one line (\127.0.0.1;192.168.*), all works fine now.
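The lockout Todd hit is a general property of inverted allow-list entries, not an HFS quirk: each inverted entry means "ban everything except these", and a client is banned as soon as any entry bans it, so two separate inverted entries ban every address (127.0.0.1 fails the second, 192.168.* fails the first, everyone else fails both). The following is an added Python model, not HFS code: it evaluates a ban list under the rules the thread describes (a leading backslash inverts an entry, semicolons separate masks inside one entry, `*` is a wildcard, modelled here with fnmatch, which is an assumption) and shows why the two-line version locks out stunnel's 127.0.0.1 hop while the combined entry keeps exactly the intended addresses open. The client addresses are constructed test values.

```python
from fnmatch import fnmatchcase


# Modelled on the thread's description of the HFS ban list: a leading backslash
# inverts an entry ("ban everything except ..."), semicolons separate several
# masks inside one entry, and "*" is a wildcard (assumed fnmatch-style here).
def _parse_entry(entry):
    entry = entry.strip()
    invert = entry.startswith("\\")
    masks = [m.strip() for m in entry.lstrip("\\").split(";") if m.strip()]
    return invert, masks


def entry_bans(addr, entry):
    """Does a single ban-list entry reject this client address?"""
    invert, masks = _parse_entry(entry)
    listed = any(fnmatchcase(addr, m) for m in masks)
    return (not listed) if invert else listed


def is_banned(addr, entries):
    """A client is banned as soon as ANY entry bans it; that is the whole pitfall."""
    return any(entry_bans(addr, e) for e in entries)


def evaluate(entries, clients):
    """Map each client address to True (banned) or False (allowed)."""
    return {c: is_banned(c, entries) for c in clients}


def explain(addr, entries):
    """Name the entries responsible for banning addr (empty list = allowed)."""
    return [e for e in entries if entry_bans(addr, e)]


# Constructed test addresses: stunnel's loopback hop, a LAN host, an outside host.
CLIENTS = ["127.0.0.1", "192.168.1.1", "203.0.113.9"]
# Todd's first attempt: two separate inverted entries.
SEPARATE_ENTRIES = ["\\127.0.0.1", "\\192.168.*"]
# The working configuration: one inverted entry carrying both masks.
COMBINED_ENTRY = ["\\127.0.0.1;192.168.*"]


if __name__ == "__main__":
    for name, entries in (("separate", SEPARATE_ENTRIES), ("combined", COMBINED_ENTRY)):
        print(name, evaluate(entries, CLIENTS))
        for c in CLIENTS:
            print("  %-12s banned by %s" % (c, explain(c, entries) or "nothing"))
```

With the separate entries every client is banned, including 127.0.0.1, so HTTPS through stunnel dies at HFS even though TLS itself succeeded; with the combined entry only 127.0.0.1 and 192.168.* get through, which is the intent of GeeS's step 7: direct HTTP to port 44300 from outside is refused, and the only public path is the stunnel listener on 443.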


Offline ersecchio

  • Occasional poster
  • *
    • Posts: 1
Hello, since I haven't really understood this post on how to set up STUNNEL with HFS,
could someone tell me (in Italian) what to change in the stunnel .conf file on my server so that whoever downloads material from my HFS server is protected (i.e. over https)?
Also, does the client only have to accept the certificate?
Thanks a lot
Fabrizio


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13510
I searched the Italian forum for "stunnel" for you and this thread came up:
www.rejetto.com/forum/?topic=5031
I have never used stunnel myself, so I can't help you any other way.


Offline Fysack

  • Tireless poster
  • ****
    • Posts: 598
OpenSSL for 64 bit Windows here:

http://www.deanlee.cn/programming/openssl-for-windows/

Tested on Windows Vista Ultimate 64 bit. WORKS!  :-*
GOD CAN READ YOUR MIND


chrZ

  • Guest
the only thing I miss is SSL ... then HFS would be perfect in my eyes ... I don't want to use stunnel or anything else ... SSL should simply work in HFS

greetz
chrZ


Offline ElDiablo1985

  • Occasional poster
  • *
    • Posts: 20
Could someone please explain in German how to do this with Stunnel?

I have installed the software and also pasted the generated code into Stunnel.pem.

In stunnel.conf I entered under accept the port I always use.
What I have to enter under connect I don't know at the moment.

When I now open the normal link nothing changes; it doesn't seem to be using any encryption either. With https I get "page not found".

I started the server first and then the Stunnel program.

Regards
« Last Edit: November 20, 2008, 12:41:49 AM by ElDiablo1985 »


Offline zekexz

  • Occasional poster
  • *
    • Posts: 1
Quote

Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL certificate. Copy this to the STunnel main folder. This certificate should be called STunnel.pem.

Then edit the STunnel config and find these lines. If they are not there, simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below:

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default, though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC by using your IP with :443 on the end, or do as I did and create a DynDNS account.
If you are not aware, you can create a normal dynamic domain and have this redirect to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a router firewall. So all I get is my router logon.

Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org

Are there any ports that need to be forwarded??
Should I add 443 incoming to 1245 in my port forwarding?   (1245 is my HFS listening port)
I've done everything he's done, except it's not working for me.
When I go to https://havokxz.podzone.net I get my router... lol.