Stunnel: Basics: Difference between revisions
Reverted edits by Upazixorys (Talk); changed back to last version by Ric
<span id="top"></span>
<div style="padding:0;margin:0; border-bottom:3px inset #000000">
{|
| [[Image:uc_small_logo.gif | MPG UniCenter]] ||
[[Stunnel: Original | Original]]
|}
</div>
{| cellpadding="2"
|
__TOC__
To generate the private key and the self-signed certificate you can use the command prompt and enter the parameters manually. This is open to errors, hence I created a batch file to ease the task. It writes both the key and the certificate into a single file, '''stunnel.pem''', which is the form stunnel expects.

This batch file is named '''mpg_create.bat''' and is located in folder '''<nowiki>*\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin</nowiki>'''
{|style="border:1px solid #aaaaaa"
|-
!style="background:#cccccc"|
mpg_create.bat
|-
|style="background:#f8f8f8"|
<nowiki>:</nowiki> File Name : mpg_create.bat<br>
<nowiki>:</nowiki> Created By: UniCenter - MPG<br>
<nowiki>:</nowiki> Create Stunnel pem certificate and public key file stunnel.pem<br>
<nowiki>:</nowiki> Increased days to give 10year MPG 22/8/07 3.5-Apollo<br>
<nowiki>:</nowiki> Updated to Stunnel 4.24 MPG 31/5/08<br>
<nowiki>:</nowiki> Upgraded OpenSSL to openssl-0.9.8g MPG 31/5/08<br>
<nowiki>:</nowiki> Updated for 3.5-Apollo MPG 18/8/07<br>
<nowiki>:</nowiki> Version 1.1 18/8/07<br>
<nowiki>:===============================================================</nowiki>

openssl req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

pause
|}
OpenSSL is extremely flexible, and that flexibility is driven by a configuration file. You can use any file name so long as it ends with the extension '''cnf'''; the stunnel plugin uses '''stunnel.cnf'''. In this file you specify the type of certificate (in this case a server certificate), the RSA key size ('''default_bits''') and the other certificate details. Two caveats for anyone reusing this file today: '''default_bits = 1024''' was normal in 2008, but 1024-bit RSA is no longer accepted by current browsers, so raise it to 2048 or more; and '''encrypt_key = yes''' is overridden by the '''-nodes''' switch in the batch file, which is deliberate, because stunnel must be able to read the key without a passphrase when it starts unattended.

The file stunnel.cnf is located in folder '''<nowiki>*\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin</nowiki>'''
{|style="border:1px solid #aaaaaa"
|-
!style="background:#cccccc"|
stunnel.cnf
|-
|style="background:#f8f8f8"|
<nowiki>#</nowiki> create RSA certs - Server<br>
RANDFILE = stunnel.rnd

[ req ]<br>
default_bits = 1024<br>
encrypt_key = yes<br>
distinguished_name = req_dn<br>
x509_extensions = cert_type

[ req_dn ]<br>
'''countryName = Country Name (2 letter code)'''<br>
countryName_default = PL<br>
countryName_min = 2<br>
countryName_max = 2

'''stateOrProvinceName = State or Province Name (full name)'''<br>
stateOrProvinceName_default = Some-State

'''localityName = Locality Name (eg, city)'''

'''0.organizationName = Organization Name (eg, company)'''<br>
0.organizationName_default = Stunnel Developers Ltd

'''organizationalUnitName = Organizational Unit Name (eg, section)'''<br>
<nowiki>#</nowiki>organizationalUnitName_default =

'''0.commonName = Common Name (FQDN of your server)'''<br>
0.commonName_default = localhost

<nowiki>#</nowiki> To create a certificate for more than one name uncomment:<br>
<nowiki>#</nowiki> 1.commonName = DNS alias of your server<br>
<nowiki>#</nowiki> 2.commonName = DNS alias of your server<br>
<nowiki>#</nowiki> ...<br>
<nowiki>#</nowiki> See <nowiki>http://home.netscape.com/eng/security/ssl_2.0_certificate.html</nowiki><br>
<nowiki>#</nowiki> to see how Netscape understands commonName.

[ cert_type ]<br>
nsCertType = server
|}
'''''Note 1''''': All lines highlighted ('''bold''') are questions presented to you during certificate generation. If you press Enter in response, the default value is used; otherwise the value you enter is used.

When you reach the line asking for the fully qualified domain name (FQDN), enter your server's full name (the name you type in a browser to access your site, without the <nowiki>http://</nowiki> bit) or the IP address of your server. This is the one value that matters: browsers compare it with the host name in the address bar and warn on any mismatch.

'''''Note 2''''': FQDN example: given a device with a hostname of "fred" and a domain name of "example.com", the fully qualified domain name is "'''fred.example.com'''". Like an IP address it is unique and removes any ambiguity.

Note: Windows does not display the file extension ('''cnf'''), hence the file '''stunnel.cnf''' is displayed as '''stunnel''' (the icon is a speed dial).
The batch file creates both the private key and the self-signed certificate (which carries the public key) in one go and writes them to a single PEM file, '''stunnel.pem'''. You can generate each item individually and then manually combine them into one file in the PEM format; the batch file just makes this a little easier and less error prone.

The file is located in folder: '''<nowiki>*</nowiki>\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin'''

# If running, shut down your servers.
# To start the process double click on the batch file '''mpg_create.bat'''.
# First the private key is created automatically; it requires no input from you because the '''-nodes''' switch leaves the key unencrypted (stunnel needs it that way to start without a passphrase prompt).
# The next phase fills in the certificate subject. These are the same prompts you would see for a Certificate Signing Request (CSR), although with '''-x509''' no CSR file is written and the self-signed certificate is produced directly.<br>During this phase you are prompted for several pieces of information. These are the X.509 attributes of the certificate.
# The type of information you enter is highlighted in bold below.
{|cellpadding="4"
|width="20"|
|style="background:#f8f8f8;border:1px solid #cccccc"|
Country Name (2 letter code) [PL]:'''UK'''<br>
State or Province Name (full name) [Some-State]:'''Cambridgeshire'''<br>
Locality Name (eg, city) []:'''Cambridge'''<br>
Organization Name (eg, company) [Stunnel Developers Ltd]:'''Mike Gleaves UniCenter'''<br>
Organizational Unit Name (eg, section) []:'''Uniform Server 3.5-Apollo example'''<br>
Common Name (FQDN of your server) [127.0.0.1]:'''fred.gotdns.com'''<br>
Press any key to continue
|}
You can repeat this process at any time. For a self-signed certificate the information you enter is unimportant with the exception of the FQDN (fully qualified domain name): if you have one, use it (it is the full address you would enter in a browser apart from the <nowiki>http://</nowiki> bit). OpenSSL does not validate the other fields against any standard; for instance it accepts '''UK''' as the country code even though the ISO 3166 code is '''GB''', which a public CA would insist on.

'''''Note 1''''': A default value is displayed in square brackets; press Return to accept it. If you are feeling lazy press Return at each prompt. The resulting certificate is fully functional; however it does not look very professional when displayed in a browser.
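The generation step above and the '''stunnel.cnf''' section earlier can be combined into a single script that needs no typing at the prompts and then checks the bundle it produced. The script below is an added example, not the Uniform Server plugin's batch file: it assumes the '''openssl''' binary is on the PATH, the working directory, file names and '''fred.example.com''' are hypothetical, and the config it writes is a modernised '''stunnel.cnf''' (2048-bit key, '''prompt = no''', a '''subjectAltName''' repeating the CN because current browsers match the host name against the SAN rather than the CN, and '''extendedKeyUsage = serverAuth''' in place of the Netscape-era '''nsCertType'''). The '''openssl req''' line is the one the batch file runs; '''-out''' and '''-keyout''' naming the same file is what makes OpenSSL append the certificate after the key.

```shell
#!/bin/sh
# Added example: non-interactive version of what mpg_create.bat does, with a
# modernised OpenSSL config, followed by the checks worth running on the result.
# This is not the Uniform Server plugin's code. Assumes the openssl binary is on
# PATH; the directory, file names and fred.example.com are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Updated stunnel.cnf: 2048-bit key, no prompting, and a subjectAltName that
# repeats the CN because browsers now match the host name against the SAN only.
# nsCertType (Netscape-era) is replaced by extendedKeyUsage = serverAuth.
write_cnf() {
    fqdn="$1"
    cat > "$WORK/stunnel.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
x509_extensions    = cert_type

[ req_dn ]
C  = GB
ST = Cambridgeshire
L  = Cambridge
O  = Example UniCenter
CN = $fqdn

[ cert_type ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn
EOF
}

# Same command as the batch file: -nodes leaves the key unencrypted so stunnel
# can start unattended; -out and -keyout name the same file, so openssl
# appends the certificate after the key and produces the combined stunnel.pem.
make_pem() {
    fqdn="$1"
    write_cnf "$fqdn"
    openssl req -new -x509 -days 3650 -nodes -config "$WORK/stunnel.cnf" \
        -out "$WORK/stunnel.pem" -keyout "$WORK/stunnel.pem" 2>/dev/null
    echo "$WORK/stunnel.pem"
}

# Checks on the bundle: both PEM blocks present, key and certificate belong
# together, and the name a browser will type appears in both CN and SAN.
check_pem() {
    pem="$1"; fqdn="$2"
    grep -q 'PRIVATE KEY-----' "$pem"       || { echo "no private key in $pem"; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate in $pem"; return 1; }
    # Compare the public key stored in the key block with the one in the certificate.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$cert_pub" ] || { echo "key and certificate do not match"; return 1; }
    openssl x509 -in "$pem" -noout -subject | grep -q "CN *= *$fqdn" \
        || { echo "CN is not $fqdn"; return 1; }
    openssl x509 -in "$pem" -noout -text | grep -q "DNS:$fqdn" \
        || { echo "SAN does not list $fqdn"; return 1; }
    echo "ok: $fqdn"
}

# Usage: PEM=$(make_pem fred.example.com); check_pem "$PEM" fred.example.com
```

The key/certificate comparison catches the classic mistake of regenerating one half and leaving the other in place, which stunnel reports only as a failure to start; the CN and SAN checks catch a certificate made for '''localhost''' being served under the public name.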
The section you may need to change is '''[uniform35]'''; it sets the '''accept''' and '''connect''' port values. They are set to the standard values: stunnel accepts HTTPS connections on port 443 and forwards the decrypted traffic to Apache on port 80 (''connect'' with no host means localhost). If you change the Apache listening port, change ''connect'' to match. If you want a different secure port on the Internet side, change ''accept'' to match. (Note: you will also need to change your firewall and router port-forwarding rules.) One further caveat: the '''ciphers''' line in the global section dates from 2008 and enables RC4 and SSLv2 suites, both long since broken, so on any current stunnel replace it with a TLS-only list such as '''HIGH:!aNULL:!RC4'''.
{|style="border:1px solid #aaaaaa"
|-
!style="background:#cccccc"|
stunnel.conf
|-
|style="background:#f8f8f8"|
; File Name : stunnel.conf<br>
; Created By: UniCenter - MPG<br>
; Updated to Stunnel 4.24 MPG 1/6/08<br>
; Added an additional start file mpg_perl_php_start.bat<br>
; Updated to Stunnel 4.20 MPG 25/3/07<br>
; Updated for 3.5-Apollo MPG 20/8/07<br>
; Version 1.1 20/8/07<br>
; Notes:<br>
; Drive independent use mpg_stunnel_start.bat and mpg_stunnel_stop.bat<br>
; If not run from these files full path must be specified eg<br>
;cert = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem<br>
;key = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem<br>
; ========================================================================

cert = stunnel.pem<br>
key = stunnel.pem

ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH<br>
;debug 5=notice 7= full debug<br>
debug = 5

RNDbytes = 64<br>
RNDoverwrite = yes<br>
session = 300 seconds<br>
verify = level 1

'''[uniform35]'''<br>
;https port 443<br>
accept = 443<br>
;default connects to local host<br>
connect = 80

TIMEOUTbusy = 300 seconds<br>
TIMEOUTclose = 60 seconds<br>
TIMEOUTidle = 43200 seconds
|}
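A small lint over '''stunnel.conf''' shows what a reviewer would flag in the file above and what the corrected lines look like. This is an added example, not the plugin's own file or any tool of the stunnel project: both config files are constructed here (the first reproduces the page's global section and service, reduced to the lines the lint reads), the hardened '''options''' and '''ciphers''' lines use stunnel 4.x/5.x syntax, and the choice of '''HIGH:!aNULL:!RC4:!MD5:!EXPORT''' is an assumption about what the deployment needs.

```shell
#!/bin/sh
# Added example (not the plugin's own file or tooling): a reviewer's lint for
# stunnel.conf. It flags the RC4/SSLv2 cipher list and missing protocol
# options in the page's global section and checks that every service section
# has both accept and connect. Both config files below are constructed for the
# example; the hardened lines use stunnel 4.x/5.x option syntax.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# The page's global section and service, reduced to the lines the lint looks at.
cat > "$WORK/weak.conf" <<'EOF'
cert = stunnel.pem
key = stunnel.pem
ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
debug = 5

[uniform35]
accept = 443
connect = 80
EOF

# Hardened equivalent: SSLv2/SSLv3 off, only strong authenticated suites, and
# the localhost target written out explicitly instead of relying on the default.
cat > "$WORK/hardened.conf" <<'EOF'
cert = stunnel.pem
key = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
ciphers = HIGH:!aNULL:!RC4:!MD5:!EXPORT:@STRENGTH
debug = 5

[uniform35]
accept = 443
connect = 127.0.0.1:80
EOF

# Print one "WARN: ..." line per finding; exit status 1 if anything was found.
lint_conf() {
    conf="$1"; rc=0
    ciphers=$(sed -n 's/^[[:space:]]*ciphers[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    old_ifs=$IFS; IFS=':'
    for tok in $ciphers; do
        case "$tok" in
            '!'*|'-'*) ;;   # suites being removed: fine
            *RC4*)   echo "WARN: RC4 suites enabled by '$tok'"; rc=1 ;;
            *SSLv2*) echo "WARN: SSLv2 suites enabled by '$tok'"; rc=1 ;;
            ALL|COMPLEMENTOFDEFAULT|LOW|EXP|EXPORT)
                     echo "WARN: weak cipher group '$tok' enabled; start from HIGH:!aNULL"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    for proto in NO_SSLv2 NO_SSLv3; do
        grep -q "^[[:space:]]*options[[:space:]]*=[[:space:]]*$proto" "$conf" \
            || { echo "WARN: $proto not set (options = $proto)"; rc=1; }
    done
    # Every [service] needs an accept and a connect, or stunnel has nothing to do.
    sect_warns=$(awk '
        function flush() {
            if (!a) print "WARN: [" sect "] has no accept";
            if (!c) print "WARN: [" sect "] has no connect";
        }
        /^[ \t]*\[/ { if (sect != "") flush(); sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); a = 0; c = 0; next }
        /^[ \t]*accept[ \t]*=/  { a = 1 }
        /^[ \t]*connect[ \t]*=/ { c = 1 }
        END { if (sect != "") flush() }' "$conf")
    [ -z "$sect_warns" ] || { echo "$sect_warns"; rc=1; }
    return $rc
}

# Usage: lint_conf "$WORK/weak.conf"  (five warnings); lint_conf "$WORK/hardened.conf" (none)
```

The cipher check walks the list token by token so that a suite named only to remove it ('''!RC4''') is not mistaken for one being enabled, which a plain '''grep RC4''' would get wrong on the hardened file.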