Stunnel: Basics: Difference between revisions
no edit summary
(New page: <span id="top"></span> <div style="padding:0;margin:0; border-bottom:3px inset #000000"> {| | MPG UniCenter || Stunnel: Home | [[Stunne...) |
Upazixorys (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
=[http://etizupo.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]= | |||
<span id="top"></span> | |||
<div style="padding:0;margin:0; border-bottom:3px inset #000000"> | |||
{| | {| | ||
| [[Image:uc_small_logo.gif | MPG UniCenter]] || | | [[Image:uc_small_logo.gif | MPG UniCenter]] || | ||
| Line 14: | Line 15: | ||
[[Stunnel: Original | Original]] | [[Stunnel: Original | Original]] | ||
|} | |} | ||
</div> | |||
{| cellpadding= | {| cellpadding="2" | ||
| | | | ||
__TOC__ | __TOC__ | ||
| Line 40: | Line 41: | ||
To generate the certificate and public key you can use the command prompt and enter parameters manually. This is open to errors hence I created a batch file to ease the task. | To generate the certificate and public key you can use the command prompt and enter parameters manually. This is open to errors hence I created a batch file to ease the task. | ||
This batch file is named '''mpg_create.bat''' and located in folder ''' | This batch file is named '''mpg_create.bat''' and located in folder '''<nowiki>*\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin</nowiki>''' | ||
{|style= | {|style="border:1px solid #aaaaaa" | ||
|- | |- | ||
!style= | !style="background:#cccccc"| | ||
mpg_create.bat | mpg_create.bat | ||
|- | |- | ||
|style= | |style="background:#f8f8f8"| | ||
| &nbsp;<nowiki>:</nowiki> File Name : mpg_create.bat<br> | ||
| &nbsp;<nowiki>:</nowiki> Created By: UniCenter - MPG<br> | ||
| &nbsp;<nowiki>:</nowiki> Create Stunnel pem certificate and public key file stunnel.pem<br> | ||
| &nbsp;<nowiki>:</nowiki> Increased days to give 10year MPG 22/8/07 3.5-Apollo<br> | ||
| &nbsp;<nowiki>:</nowiki> Updated to Stunnel 4.24 MPG 31/5/08<br> | ||
| &nbsp;<nowiki>:</nowiki> Upgraded OpenSSL to openssl-0.9.8g MPG 31/5/08<br> | ||
| &nbsp;<nowiki>:</nowiki> Updated for 3.5-Apollo MPG 18/8/07<br> | ||
| &nbsp;<nowiki>:</nowiki> Version 1.1 18/8/07<br> | ||
| &nbsp;<nowiki>:===============================================================</nowiki> | ||
openssl req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem | &nbsp;openssl req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem | ||
pause | &nbsp;pause | ||
|} | |} | ||
| Line 69: | Line 70: | ||
Openssl is extremely flexible because of this flexibility requires a configuration file you can use any name so long as it ends with the file extension '''cnf''' Stunnel uses the file '''stunnel.cnf''' in this file you specify the type of certificate (in this case a server) encryption strength and other certificate details. | Openssl is extremely flexible because of this flexibility requires a configuration file you can use any name so long as it ends with the file extension '''cnf''' Stunnel uses the file '''stunnel.cnf''' in this file you specify the type of certificate (in this case a server) encryption strength and other certificate details. | ||
The file stunnel.cnf is located in folder ''' | The file stunnel.cnf is located in folder '''<nowiki>*\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin</nowiki>''' | ||
{|style= | {|style="border:1px solid #aaaaaa" | ||
|- | |- | ||
!style= | !style="background:#cccccc"| | ||
stunnel.cnf | stunnel.cnf | ||
|- | |- | ||
|style= | |style="background:#f8f8f8"| | ||
| &nbsp;<nowiki>#</nowiki> create RSA certs - Server | ||
RANDFILE = stunnel.rnd | &nbsp;RANDFILE = stunnel.rnd | ||
[ req ] | &nbsp;[ req ]<br> | ||
default_bits = 1024 | &nbsp;default_bits = 1024<br> | ||
encrypt_key = yes | &nbsp;encrypt_key = yes<br> | ||
distinguished_name = req_dn | &nbsp;distinguished_name = req_dn<br> | ||
x509_extensions = cert_type | &nbsp;x509_extensions = cert_type | ||
[ req_dn ] | &nbsp;[ req_dn ]<br> | ||
'''countryName = Country Name (2 letter code''') | &nbsp;'''countryName = Country Name (2 letter code''')<br> | ||
countryName_default = PL | &nbsp;countryName_default = PL<br> | ||
countryName_min = 2 | &nbsp;countryName_min = 2<br> | ||
countryName_max = 2 | &nbsp;countryName_max = 2 | ||
'''stateOrProvinceName = State or Province Name (full name)''' | &nbsp;'''stateOrProvinceName = State or Province Name (full name)'''<br> | ||
stateOrProvinceName_default = Some-State | &nbsp;stateOrProvinceName_default = Some-State | ||
'''localityName = Locality Name (eg, city)''' | &nbsp;'''localityName = Locality Name (eg, city)''' | ||
'''0.organizationName = Organization Name (eg, company)''' | &nbsp;'''0.organizationName = Organization Name (eg, company)'''<br> | ||
0.organizationName_default = Stunnel Developers Ltd | &nbsp;0.organizationName_default = Stunnel Developers Ltd | ||
organizationalUnitName = Organizational Unit Name (eg, section) | &nbsp;organizationalUnitName = Organizational Unit Name (eg, section)<br> | ||
| &nbsp;<nowiki>#</nowiki>organizationalUnitName_default = | ||
'''0.commonName = Common Name (FQDN of your server)''' | &nbsp;'''0.commonName = Common Name (FQDN of your server)'''<br> | ||
0.commonName_default = localhost | &nbsp;0.commonName_default = localhost | ||
| &nbsp;<nowiki>#</nowiki> To create a certificate for more than one name uncomment:<br> | ||
| &nbsp;<nowiki>#</nowiki> 1.commonName = DNS alias of your server<br> | ||
| &nbsp;<nowiki>#</nowiki> 2.commonName = DNS alias of your server<br> | ||
| &nbsp;<nowiki>#</nowiki> ...<br> | ||
| &nbsp;<nowiki>#</nowiki> See <nowiki>http://home.netscape.com/eng/security/ssl_2.0_certificate.html</nowiki><br> | ||
| &nbsp;<nowiki>#</nowiki> to see how Netscape understands commonName. | ||
[ cert_type ] | &nbsp;[ cert_type ]<br> | ||
nsCertType = server | &nbsp;nsCertType = server | ||
|} | |} | ||
| Line 122: | Line 123: | ||
'''''Note 1''''': All lines highlighted ('''bold''') are questions presented to you during certificate generation. If you press enter as a response the default value will be used otherwise the value you enter is used. | '''''Note 1''''': All lines highlighted ('''bold''') are questions presented to you during certificate generation. If you press enter as a response the default value will be used otherwise the value you enter is used. | ||
When you reach the line fully qualified domain name (FQDN) enter your server's full name (the name you type in a browser to access your site without the | When you reach the line fully qualified domain name (FQDN) enter your server's full name (the name you type in a browser to access your site without the <nowiki>http://</nowiki> bit) or IP address of your server. | ||
'''''Note 2''''': FQDN example, given a device with a hostname of | '''''Note 2''''': FQDN example, given a device with a hostname of "fred" and a domain name of "example.com", the fully qualified domain name is "'''fred.example.com'''" Like an IP address it is unique and removes any ambiguity. | ||
Note: Windows does not display the file extention ('''cnf''') hence file '''stunnel.cnf''' will display as s'''tunnel''' (the icon is a speed dial) | Note: Windows does not display the file extention ('''cnf''') hence file '''stunnel.cnf''' will display as s'''tunnel''' (the icon is a speed dial) | ||
| Line 133: | Line 134: | ||
The batch file allows you to create both the private key and public key in one go. You can generate each file individually and then manually combine them into a single file in the PEM format. However using a batch file makes it just that little bit easier and less error prone. | The batch file allows you to create both the private key and public key in one go. You can generate each file individually and then manually combine them into a single file in the PEM format. However using a batch file makes it just that little bit easier and less error prone. | ||
The file is located in folder: ''' | The file is located in folder: '''<nowiki>*</nowiki>\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin''' | ||
# If running shut down your servers. | # If running shut down your servers. | ||
# To start the process double click on the batch file '''mpg_create.bat'''. | # To start the process double click on the batch file '''mpg_create.bat'''. | ||
# First the private key is automatically created and requires no input from you. | # First the private key is automatically created and requires no input from you. | ||
# The next phase is a Certificate Signing Request (CSR). | # The next phase is a Certificate Signing Request (CSR).<br>During this generation process you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. | ||
# I have highlighted in bold the type of information you enter. | # I have highlighted in bold the type of information you enter. | ||
{|cellpadding= | {|cellpadding="4" | ||
|width= | |width="20"| | ||
|style= | |style="background:#f8f8f8;border:1px solid #cccccc"| | ||
Country Name (2 letter code) [PL]:'''UK''' | Country Name (2 letter code) [PL]:'''UK'''<br> | ||
State or Province Name (full name) [Some-State]:'''Cambridgeshire''' | State or Province Name (full name) [Some-State]:'''Cambridgeshire'''<br> | ||
Locality Name (eg, city) []:Cambridge | Locality Name (eg, city) []:Cambridge<br> | ||
Organization Name (eg, company) [Stunnel Developers Ltd]:'''Mike Gleaves UniCenter''' | Organization Name (eg, company) [Stunnel Developers Ltd]:'''Mike Gleaves UniCenter'''<br> | ||
Organizational Unit Name (eg, section) []:'''Uniform Server 3.5-Apollo example''' | Organizational Unit Name (eg, section) []:'''Uniform Server 3.5-Apollo example'''<br> | ||
Common Name (FQDN of your server) [127.0.0.1]:'''fred.gotdns.com''' | Common Name (FQDN of your server) [127.0.0.1]:'''fred.gotdns.com'''<br> | ||
Press any key to continue | Press any key to continue | ||
|} | |} | ||
You can repeat this process at any time, for a self-signed certificate the information you enter is unimportant with the exception of FQDN (fully qualified domain name) if you have one use it (its the full address you would enter in a browser apart from the | You can repeat this process at any time, for a self-signed certificate the information you enter is unimportant with the exception of FQDN (fully qualified domain name) if you have one use it (its the full address you would enter in a browser apart from the <nowiki>http://</nowiki> bit). | ||
'''''Note 1''''': A default value is displayed in square brackets press return to accept this value. If you are feeling lazy press return at each prompt. The resulting certificate is fully functional however it does not look very professional when displayed in a browser. | '''''Note 1''''': A default value is displayed in square brackets press return to accept this value. If you are feeling lazy press return at each prompt. The resulting certificate is fully functional however it does not look very professional when displayed in a browser. | ||
| Line 168: | Line 169: | ||
The section that you may need to change is '''uniform35''' in this section you set '''accept''' and '''connect''' port values. These have been set to the standard ports values, if you change the Apache listening port change connect to match. If you wish to set the Internet secure port change accept to match this. (Note: You will also need to change your firewall and router forwarding ports) | The section that you may need to change is '''uniform35''' in this section you set '''accept''' and '''connect''' port values. These have been set to the standard ports values, if you change the Apache listening port change connect to match. If you wish to set the Internet secure port change accept to match this. (Note: You will also need to change your firewall and router forwarding ports) | ||
{|style= | {|style="border:1px solid #aaaaaa" | ||
|- | |- | ||
!style= | !style="background:#cccccc"| | ||
stunnel.conf | stunnel.conf | ||
|- | |- | ||
|style= | |style="background:#f8f8f8"| | ||
; File Name : stunnel.conf | &nbsp;; File Name : stunnel.conf<br> | ||
; Created By: UniCenter - MPG | &nbsp;; Created By: UniCenter - MPG<br> | ||
; Updated to Stunnel 4.24 MPG 1/6/08 | &nbsp;; Updated to Stunnel 4.24 MPG 1/6/08<br> | ||
; Added an addtional start file mpg_perl_php_start.bat | &nbsp;; Added an addtional start file mpg_perl_php_start.bat<br> | ||
; Updated to Stunnel 4.20 MPG 25/3/07 | &nbsp;; Updated to Stunnel 4.20 MPG 25/3/07<br> | ||
; Updated for 3.5-Apollo MPG 20/8/07 | &nbsp;; Updated for 3.5-Apollo MPG 20/8/07<br> | ||
; Version 1.1 20/8/07 | &nbsp;; Version 1.1 20/8/07<br> | ||
; Notes: | &nbsp;; Notes:<br> | ||
; Drive independent use mpg_stunnel_start.bat and mpg_stunnel_stop.bat | &nbsp;; Drive independent use mpg_stunnel_start.bat and mpg_stunnel_stop.bat<br> | ||
; If not run from these files full path must be specified eg | &nbsp;; If not run from these files full path must be specified eg<br> | ||
;cert = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem | &nbsp;;cert = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem<br> | ||
;key = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem | &nbsp;;key = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem<br> | ||
; ======================================================================== | &nbsp;; ======================================================================== | ||
cert = stunnel.pem | &nbsp;cert = stunnel.pem<br> | ||
key = stunnel.pem | &nbsp;key = stunnel.pem | ||
ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH | &nbsp;ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH<br> | ||
;debug 5=notice 7= full debug | &nbsp;;debug 5=notice 7= full debug<br> | ||
debug = 5 | &nbsp;debug = 5 | ||
RNDbytes = 64 | &nbsp;RNDbytes = 64<br> | ||
RNDoverwrite = yes | &nbsp;RNDoverwrite = yes<br> | ||
session = 300 seconds | &nbsp;session = 300 seconds<br> | ||
verify = level 1 | &nbsp;verify = level 1 | ||
'''[uniform35]''' | &nbsp;'''[uniform35]'''<br> | ||
;htpps port 443 | &nbsp;;htpps port 443<br> | ||
accept = 443 | &nbsp;accept = 443<br> | ||
;default connects to local host | &nbsp;;default connects to local host<br> | ||
connect = 80 | &nbsp;connect = 80 | ||
TIMEOUTbusy = 300 seconds | &nbsp;TIMEOUTbusy = 300 seconds<br> | ||
TIMEOUTclose = 60 seconds | &nbsp;TIMEOUTclose = 60 seconds<br> | ||
TIMEOUTidle = 43200 seconds | &nbsp;TIMEOUTidle = 43200 seconds | ||
|} | |} | ||
