Stunnel SSL Basic
Stunnel is very flexible; this page provides additional information on Uniform Server 3.5-Apollo's implementation. Stunnel is configured for server operation, allowing a secure connection between Apache and a browser client.
Normal web pages are sent unencrypted over the Internet, allowing anyone to intercept them and read their content. This is a security issue wherever security and privacy are necessary, for example credit card and bank transactions. The Secure Sockets Layer (SSL) is used to encrypt the data stream between the web server and a web browser.
SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography two keys are created, one public and the other private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream is encrypted with the server's private key, it can be decrypted only using the corresponding public key, ensuring that the data could only have come from the server.
A certificate is not strictly necessary for encryption, because the data is secure and cannot easily be decrypted without one. However, certificates do serve a crucial role in the communication process. A certificate signed by a trusted Certificate Authority (CA) ensures that the certificate holder really is who he claims to be. Without a trusted signed certificate your data may be encrypted, but the party you are communicating with may not be who you think.
You need to generate a self-signed certificate; it contains the public key. UniServer's Stunnel certificate is compromised because everyone who downloads the plugin has access to it and its private key (both are in stunnel.pem). This poses a security risk, therefore you must generate a new certificate and key.
If you don't plan on having your certificate signed by a CA, the client browser will display an error to the effect that the signing certificate authority is unknown and not trusted. I am going to cover only self-signed certificates here.
To generate the certificate and public key you can use the command prompt and enter the parameters manually. This is open to errors, hence I created a batch file to ease the task.
This batch file is named mpg_create.bat and is located in the folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin
: File Name : mpg_create.bat
openssl req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
This batch file runs the program openssl with the following parameters: create a certificate request (req) that is new (-new), in the X.509 digital certificate format (-x509), using the RSA cipher with a 1,024-bit key, good for 3650 days (-days 3650), with the private key left unencrypted (-nodes), using the config file stunnel.cnf (-config) for additional information, and write both its private key (-keyout) and public certificate (-out) to the same file, stunnel.pem.
Openssl is extremely flexible, and because of this flexibility it requires a configuration file. You can use any name so long as it ends with the file extension cnf; Stunnel uses the file stunnel.cnf. In this file you specify the type of certificate (in this case a server), the encryption strength and other certificate details.
The file stunnel.cnf is located in the folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin
# create RSA certs - Server
RANDFILE = stunnel.rnd
[ req ]
[ req_dn ]
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
0.commonName = Common Name (FQDN of your server)
# To create a certificate for more than one name uncomment:
[ cert_type ]
When you run the batch file (mpg_create.bat) it runs openssl, which reads this configuration file.
Note 1: All lines highlighted (bold) are questions presented to you during certificate generation. If you press enter as a response the default value will be used otherwise the value you enter is used.
When you reach the line for the fully qualified domain name (FQDN), enter your server's full name (the name you type in a browser to access your site, without the http:// bit) or the IP address of your server.
Note 2: FQDN example: given a device with a hostname of "fred" and a domain name of "example.com", the fully qualified domain name is "fred.example.com". Like an IP address it is unique and removes any ambiguity.
Note: Windows does not display the file extension (cnf), hence the file stunnel.cnf will display as stunnel (the icon is a speed dial).
Generating a certificate
The batch file allows you to create both the private key and the public key (certificate) in one go. You could generate each individually and then manually combine them into a single file in the PEM format; however, using a batch file makes it just that little bit easier and less error prone.
The file is located in the folder: *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin
- If your servers are running, shut them down.
- To start the process double click on the batch file mpg_create.bat.
- First the private key is automatically created and requires no input from you.
- The next phase is a Certificate Signing Request (CSR).
During this generation process you will be prompted for several pieces of information. These are the X.509 attributes of the certificate.
- I have highlighted in bold the type of information you enter.
Country Name (2 letter code) [PL]:UK
You can repeat this process at any time. For a self-signed certificate the information you enter is unimportant, with the exception of the FQDN (fully qualified domain name): if you have one, use it (it's the full address you would enter in a browser apart from the http:// bit).
Note 1: A default value is displayed in square brackets; press return to accept this value. If you are feeling lazy, press return at each prompt. The resulting certificate is fully functional; however, it does not look very professional when displayed in a browser.
Note 2: The only thing of importance is that each certificate you generate is unique.
It really is that easy to produce a self-signed certificate to secure your personal server. If you want some background information, take a look at the SSL basics page.
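As an added example (not the mpg_create.bat shipped with Uniform Server), the following POSIX shell script issues the same openssl req call the batch file makes, but driven by a small constructed config so it runs unattended, and then checks the result: that the single PEM holds both key and certificate, that the Common Name is the one requested, and that two runs never produce the same certificate (Note 2 above). It assumes openssl is on the PATH, uses a 2048-bit key where the page's config used 1,024 bits, and the hostname and output paths are sample values.

```shell
#!/bin/sh
# Added example, not a Uniform Server file. Same "openssl req -new -x509
# -days 3650 -nodes" call as mpg_create.bat, with a constructed minimal
# config in place of stunnel.cnf so no prompts appear.
# Assumptions: openssl on PATH; 2048-bit key (page's config used 1024);
# CN and output path are sample values supplied by the caller.

# make_stunnel_pem OUTFILE CN : write key + self-signed cert into one PEM
# (openssl appends the cert when -out and -keyout name the same file)
make_stunnel_pem() {
    out="$1"; cn="$2"
    cfg="$(mktemp)"
    cat >"$cfg" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no
x509_extensions    = cert_type
[ req_dn ]
CN = $cn
[ cert_type ]
nsCertType = server
EOF
    openssl req -new -x509 -days 3650 -nodes -config "$cfg" \
        -out "$out" -keyout "$out" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return $rc
}

# pem_has_key_and_cert FILE : true when the PEM holds both blocks, which is
# what stunnel's single "cert = stunnel.pem" line expects
pem_has_key_and_cert() {
    grep -q 'BEGIN.*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# cert_cn FILE : print the Common Name recorded in the certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_fingerprint FILE : SHA-256 fingerprint; differs for every new cert
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

The fingerprint check is the practical version of Note 2: compare it against the one shipped with the plugin, and the two must differ.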
Stunnel, also extremely flexible, requires a configuration file. Amongst other things it sets Stunnel's mode of operation, either client or server mode. Uniform Server uses Stunnel's default server mode.
The section that you may need to change is uniform35; in this section you set the accept and connect port values. These have been set to the standard port values. If you change the Apache listening port, change connect to match. If you wish to set the Internet secure port, change accept to match. (Note: You will also need to change your firewall and router forwarding ports.)
; File Name : stunnel.conf
cert = stunnel.pem
ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
RNDbytes = 64
TIMEOUTbusy = 300 seconds
Note: You can disable the taskbar icon by adding the line: taskbar = no
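As an added example (not a Uniform Server file), the POSIX shell functions below read a stunnel.conf in the layout shown above and check the two things that most often go wrong: that connect in the uniform35 section matches the port Apache really listens on, and whether the ciphers line still lists RC4 and SSLv2 suites, which current OpenSSL builds disable. The section name uniform35 and the page's ciphers line are taken from this page; the accept/connect values in the sample file are constructed.

```shell
#!/bin/sh
# Added example, not a Uniform Server file. Parses stunnel.conf's
# "key = value" lines under [section] headers (";" starts a comment).
# Assumptions: service section is named uniform35; port values in the
# sample are constructed; the ciphers line is the one shown on the page.

# sample_conf FILE : write a constructed stunnel.conf in the page's layout
sample_conf() {
    cat >"$1" <<'EOF'
; File Name : stunnel.conf  (constructed sample, port values illustrative)
cert = stunnel.pem
ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
[uniform35]
accept = 443
connect = 80
EOF
}

# conf_get FILE SECTION KEY : value of KEY in [SECTION]; SECTION "" = globals
conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*;/ { next }                          # comment line
        /^[[:space:]]*\[/ { cur = $0                       # [section]
                            sub(/^[[:space:]]*\[/, "", cur)
                            sub(/\].*$/, "", cur); next }
        cur == sect && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); print v }
        }' "$1"
}

# connect_matches_apache FILE PORT : stunnel hands decrypted traffic to
# "connect"; if that is not Apache's listening port every HTTPS request fails
connect_matches_apache() {
    [ "$(conf_get "$1" uniform35 connect)" = "$2" ]
}

# legacy_ciphers FILE : print RC4/SSLv2 tokens from the ciphers line
# (empty output means none are listed)
legacy_ciphers() {
    conf_get "$1" "" ciphers | tr ':' '\n' | grep -E 'RC4|SSLv2' | tr '\n' ' '
}
```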