rejetto forum

How about SSL support

Guest · 136 · 130204

0 Members and 1 Guest are viewing this topic.

Offline ~GeeS~

  • Tireless poster
  • ****
    • Posts: 270
  • "The web was made for sharing..."
    • View Profile
why don't publish this thing also on the wiki?
on the forum it may get lost in the future.
I tried, but formatting the code and lay-out is horrifying. Tools? Help?
Has already been done. HTML!
~GeeS~


T1m

  • Guest
An SSH server and PUTTY is a great combo for secure access. Its not as convinient as an HFS that supports HTTPS , but it will give you a secure connection over the internet. I use it all the time for secure access to my home network including a windows HFS server, a Squid Proxy Server, and a couple of VNC sessions. I use OpenSSH and Cygwin on XP and BearDrop on Unbunu as my SSH servers, and PUTTY is available on Windows, Linux , and probably OS10.x Macs.


GapeApe

  • Guest
Everything is running fine but I noticed  My lock icon(Firefox) has a slash through it. It says warning contains unauthenticated content.When I double click on it I get the page info and all the links are https.That was the only step I could think of on my own.I remember seeing a post on this (possibly in this thread) but I havnt been able to find it.
Thx


Todd

  • Guest
First off, let me say thanks for this great forum!  I have done a lot of reading and searching for answers to using HFS, and have been trying for a couple of weeks now attempting to get STunnel to work with HFS. I have followed to the letter the instructions by GeeS, and am having fits trying to get it to work.  When I attempt to connect to my server via port 443, I get the page with the server certificate, and after I click on that, I get a IE 'Page cannot be displayed'.

Here is a log of Stunnel when doing this...

2007.05.21 10:05:09 LOG6[3680:3044]: Compression enabled using zlib method
2007.05.21 10:05:09 LOG7[3680:3044]: Snagged 64 random bytes from C:/.rnd
2007.05.21 10:05:09 LOG7[3680:3044]: Wrote 1024 new random bytes to C:/.rnd
2007.05.21 10:05:09 LOG7[3680:3044]: RAND_status claims sufficient entropy for the PRNG
2007.05.21 10:05:09 LOG7[3680:3044]: PRNG seeded successfully
2007.05.21 10:05:09 LOG7[3680:3044]: Configuration SSL options: 0x01000FFF
2007.05.21 10:05:09 LOG7[3680:3044]: SSL options set: 0x01000FFF
2007.05.21 10:05:09 LOG7[3680:3044]: Certificate: stunnel.pem
2007.05.21 10:05:09 LOG7[3680:3044]: Certificate loaded
2007.05.21 10:05:09 LOG7[3680:3044]: Key file: stunnel.pem
2007.05.21 10:05:09 LOG7[3680:3044]: Private key loaded
2007.05.21 10:05:09 LOG7[3680:3044]: SSL context initialized for service https
2007.05.21 10:05:09 LOG5[3680:3044]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8d 28 Sep 2006
2007.05.21 10:05:09 LOG5[3680:3044]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.05.21 10:05:09 LOG5[3680:3980]: No limit detected for the number of clients
2007.05.21 10:05:09 LOG7[3680:3980]: FD 188 in non-blocking mode
2007.05.21 10:05:09 LOG7[3680:3980]: SO_REUSEADDR option set on accept socket
2007.05.21 10:05:09 LOG7[3680:3980]: https bound to 0.0.0.0:443
2007.05.21 10:05:47 LOG7[3680:3980]: https accepted FD=232 from 192.168.1.1:1492
2007.05.21 10:05:47 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:47 LOG7[3680:3980]: New thread created
2007.05.21 10:05:47 LOG7[3680:2936]: https started
2007.05.21 10:05:47 LOG7[3680:2936]: FD 232 in non-blocking mode
2007.05.21 10:05:47 LOG7[3680:2936]: TCP_NODELAY option set on local socket
2007.05.21 10:05:47 LOG5[3680:2936]: https accepted connection from 192.168.1.1:1492
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): before/accept initialization
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write certificate A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write server done A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read client key exchange A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:47 LOG7[3680:2936]:    1 items in the session cache
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client connects (SSL_connect())
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client connects that finished
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client renegotiations requested
2007.05.21 10:05:47 LOG7[3680:2936]:    1 server connects (SSL_accept())
2007.05.21 10:05:47 LOG7[3680:2936]:    1 server connects that finished
2007.05.21 10:05:47 LOG7[3680:2936]:    0 server renegotiations requested
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache hits
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache misses
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache timeouts
2007.05.21 10:05:47 LOG6[3680:2936]: SSL accepted: new session negotiated
2007.05.21 10:05:47 LOG6[3680:2936]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.05.21 10:05:47 LOG7[3680:2936]: FD 260 in non-blocking mode
2007.05.21 10:05:47 LOG7[3680:2936]: https connecting 127.0.0.1:44300
2007.05.21 10:05:47 LOG7[3680:2936]: connect_wait: waiting 10 seconds
2007.05.21 10:05:47 LOG7[3680:2936]: connect_wait: connected
2007.05.21 10:05:47 LOG5[3680:2936]: https connected remote server from 127.0.0.1:1645
2007.05.21 10:05:47 LOG7[3680:2936]: Remote FD=260 initialized
2007.05.21 10:05:47 LOG7[3680:2936]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:47 LOG7[3680:2936]: Socket closed on read
2007.05.21 10:05:47 LOG7[3680:2936]: SSL write shutdown
2007.05.21 10:05:47 LOG7[3680:2936]: SSL alert (write): warning: close notify
2007.05.21 10:05:47 LOG6[3680:2936]: SSL socket closed on SSL_shutdown
2007.05.21 10:05:47 LOG7[3680:2936]: Socket write shutdown
2007.05.21 10:05:47 LOG5[3680:2936]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2007.05.21 10:05:47 LOG7[3680:2936]: https finished (0 left)
2007.05.21 10:05:50 LOG7[3680:3980]: https accepted FD=208 from 192.168.1.1:1493
2007.05.21 10:05:50 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:50 LOG7[3680:3980]: New thread created
2007.05.21 10:05:50 LOG7[3680:2996]: https started
2007.05.21 10:05:50 LOG7[3680:2996]: FD 208 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:2996]: TCP_NODELAY option set on local socket
2007.05.21 10:05:50 LOG5[3680:2996]: https accepted connection from 192.168.1.1:1493
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): before/accept initialization
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:50 LOG7[3680:2996]:    1 items in the session cache
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client connects (SSL_connect())
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client connects that finished
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client renegotiations requested
2007.05.21 10:05:50 LOG7[3680:3980]: https accepted FD=260 from 192.168.1.1:1494
2007.05.21 10:05:50 LOG7[3680:2996]:    2 server connects (SSL_accept())
2007.05.21 10:05:50 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:50 LOG7[3680:2996]:    2 server connects that finished
2007.05.21 10:05:50 LOG7[3680:3980]: New thread created
2007.05.21 10:05:50 LOG7[3680:2996]:    0 server renegotiations requested
2007.05.21 10:05:50 LOG7[3680:2996]:    1 session cache hits
2007.05.21 10:05:50 LOG7[3680:2996]:    0 session cache misses
2007.05.21 10:05:50 LOG7[3680:2996]:    0 session cache timeouts
2007.05.21 10:05:50 LOG6[3680:2996]: SSL accepted: previous session reused
2007.05.21 10:05:50 LOG7[3680:2996]: FD 288 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:2996]: https connecting 127.0.0.1:44300
2007.05.21 10:05:50 LOG7[3680:2996]: connect_wait: waiting 10 seconds
2007.05.21 10:05:50 LOG7[3680:2996]: connect_wait: connected
2007.05.21 10:05:50 LOG7[3680:4008]: https started
2007.05.21 10:05:50 LOG5[3680:2996]: https connected remote server from 127.0.0.1:1646
2007.05.21 10:05:50 LOG7[3680:2996]: Remote FD=288 initialized
2007.05.21 10:05:50 LOG7[3680:2996]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:50 LOG7[3680:2996]: Socket closed on read
2007.05.21 10:05:50 LOG7[3680:2996]: SSL socket closed on SSL_read
2007.05.21 10:05:50 LOG7[3680:2996]: Socket write shutdown
2007.05.21 10:05:50 LOG5[3680:2996]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2007.05.21 10:05:50 LOG7[3680:2996]: https finished (1 left)
2007.05.21 10:05:50 LOG7[3680:4008]: FD 260 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:4008]: TCP_NODELAY option set on local socket
2007.05.21 10:05:50 LOG5[3680:4008]: https accepted connection from 192.168.1.1:1494
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): before/accept initialization
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:50 LOG7[3680:4008]:    1 items in the session cache
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client connects (SSL_connect())
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client connects that finished
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client renegotiations requested
2007.05.21 10:05:50 LOG7[3680:4008]:    3 server connects (SSL_accept())
2007.05.21 10:05:50 LOG7[3680:4008]:    3 server connects that finished
2007.05.21 10:05:50 LOG7[3680:4008]:    0 server renegotiations requested
2007.05.21 10:05:50 LOG7[3680:4008]:    2 session cache hits
2007.05.21 10:05:50 LOG7[3680:4008]:    0 session cache misses
2007.05.21 10:05:50 LOG7[3680:4008]:    0 session cache timeouts
2007.05.21 10:05:50 LOG6[3680:4008]: SSL accepted: previous session reused
2007.05.21 10:05:50 LOG7[3680:4008]: FD 216 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:4008]: https connecting 127.0.0.1:44300
2007.05.21 10:05:50 LOG7[3680:4008]: connect_wait: waiting 10 seconds
2007.05.21 10:05:50 LOG7[3680:4008]: connect_wait: connected
2007.05.21 10:05:50 LOG5[3680:4008]: https connected remote server from 127.0.0.1:1647
2007.05.21 10:05:50 LOG7[3680:4008]: Remote FD=216 initialized
2007.05.21 10:05:50 LOG7[3680:4008]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:50 LOG7[3680:4008]: Socket closed on read
2007.05.21 10:05:50 LOG7[3680:4008]: SSL write shutdown
2007.05.21 10:05:50 LOG7[3680:4008]: SSL alert (write): warning: close notify
2007.05.21 10:05:50 LOG6[3680:4008]: SSL socket closed on SSL_shutdown
2007.05.21 10:05:50 LOG7[3680:4008]: Socket write shutdown
2007.05.21 10:05:50 LOG5[3680:4008]: Connection closed: 0 bytes sent to SSL, 540 bytes sent to socket
2007.05.21 10:05:50 LOG7[3680:4008]: https finished (0 left)

I have HFS set up to listen to port 44300, and have everything set up EXACTLY as described in this forum by GeeS (his update) and I can not get it to allow me to get to the server after activating STunnel.  I can access it all day long without STunnel via port 81 (ISP blocks 80), but when I go through the steps to set up STunnel, I can not access it via HTTPS, but can HTTP.

Does anyone have any thoughts on why this wouldn't be working in my case?

Thanks, in advance, for any help!


Todd

  • Guest
I am able to get this way to work, but not using the method in my previous post.  What would keep the other way from working, but this method works?   ???

Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the STunnel main folder, This certificate should be called STunnel.pem.

Then edit the STunnel config, and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a Router Firtewall. So all I get is my Router logon.

Anyway, here is my address. See if you can connect to it.
It will be pasword protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org


Todd

  • Guest
In messing around with this more, I am able to connect using the GeeS method upon removing the \127.0.0.1 entry from the Ban list.  I can connect to the server via HTTPS, and only HTTPS, when \127.0.0.1 is not in the Ban list.

Did I do something wrong?  I put it in the list without the quotes, and everything locks me out.  Upon removing it, it works fine.   ???

I will leave it like this as it works fine without it, but not sure why circumventing it works...


Offline traxxus

  • Occasional poster
  • *
    • Posts: 62
    • View Profile
Yes, REMOVE 127.0.0.1 (its the localhost) from the ban list.
Its not possible to connect via SSL if localhost is banned:

Reason:
In the HFS log is an entry like this, if you log in via HTTPS (Stunnel):
username@127.0.0.1:4181 Served 2.18 KB

« Last Edit: May 22, 2007, 06:54:49 AM by traxxus »
traxxus.dyndns.org:100


Todd

  • Guest
Yes, REMOVE 127.0.0.1 (its the localhost) from the ban list.
Its not possible to connect via SSL if localhost is banned:

Reason:
In the HFS log is an entry like this, if you log in via HTTPS (Stunnel):
username@127.0.0.1:4181 Served 2.18 KB



Agreed. 

However, the '\' in front of the address is supposed to block everything except 127.0.0.1 per the HFS guide, as wel as the "How Do I Invert Logic" (or words to that effect) button in the Limits/Ban screen. 

Quote

7. Start HFS (2.1d at the time of writing) to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply”  in order to ban every IP except 127.0.0.1 to block direct http access to HFS with a “Host not found” message.
Within a “friendly” network you could consider to add e.g. “\192.168.*” to allow direct HTTP access to HFS from all machines in your network.


This is what's throwing me off in trying to get the specific instructions by GeeS to work where the instructions state to use the "\127.0.0.1" sans quotations and check the "Disconnect with no reply" box to get it to work.


Todd

  • Guest
I finally figured it out.  I was putting the \192.168.* on a separate line as the \127.0.0.1.  After combining them on one line (\127.0.0.1;192.168.*), all works fine now.


Offline ersecchio

  • Occasional poster
  • *
    • Posts: 1
    • View Profile
Salve, siccome non ho ben capito questo post su come implementare STUNNEL con un hfs
qualcuno mi saprebbe dire(in italiano) cosa modificare nel file .conf di stunnel sul mio server per far si che chi scarica il materiale dal mio server hfs sia protetto (quindi in https) .
inoltre il client deve solo accettare il certificato?
grazie mille
Fabrizio


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
    • View Profile
ho cercato per te "stunnel" sul forum italiano e mi è uscito questo thread
www.rejetto.com/forum/?topic=5031
io non ho mai usato stunnel perciò non so aiutarti diversamente


Offline Fysack

  • Tireless poster
  • ****
    • Posts: 644
  • present picture
    • View Profile
    • Admin
OpenSSL for 64 bit Windows here:

http://www.deanlee.cn/programming/openssl-for-windows/

Tested on Windows Vista Ultimate 64 bit. WORKS!  :-*
GOD CAN READ YOUR MIND


chrZ

  • Guest
the only thing i miss is ssl ... then hfs would be perfect in my eyes ... don`t want to use stunnel or anything else ... ssl should work simply in hfs

greetz
chrZ


Offline ElDiablo1985

  • Occasional poster
  • *
    • Posts: 20
    • View Profile
Kann bitte mal jemand in Deutsch erklären wie man das mit den Stunnel macht ?

Ich habe die Software installiert und auch den Generierten Code bei Stunnel.pem eingefügt.

Bei der stunnel.conf habe ich bei accept mein Port eingetragen dich ich immer verwende.
Was ich bei Connect eintragen mus weis ich gerade nicht.

Wenn ich jetzt den Normalen Link aufrufe ändert sich nicht, es scheint auch nichts mit einer verschlüsselung verwendet zu werden. Mit https kommt seite nicht gefunden.

Zuerst habe ich den Server gestartet und dann das Stunnel Programm.

mfg
« Last Edit: November 20, 2008, 12:41:49 AM by ElDiablo1985 »


Offline zekexz

  • Occasional poster
  • *
    • Posts: 1
    • View Profile
Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the STunnel main folder, This certificate should be called STunnel.pem.

Then edit the STunnel config, and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a Router Firtewall. So all I get is my Router logon.

Anyway, here is my address. See if you can connect to it.
It will be pasword protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org

Is there any ports to forward needed??
Should i add in my portforwarding   443 incoming to 1245?   (1245 is my hfs listening port)
Ive done everything hes done except its not working for me.
when i go to https://havokxz.podzone.net  i get my router... lol.