Stunnel: Original

From The Uniform Server Wiki
Jump to navigation Jump to search

MPG UniCenter

Stunnel: Home | Upgrade 4.24 | Install | SSL Certificate | Single Vhost | Resolved | Basics | Cost | Original

Stunnel original for Uniform Server 3.3

I have included this 3.3 write-up for reference although superseded by 3.5-Apollo the section on Installing the plug-in shows the folder structure and where to place files remains relevant. This plugin is the basis for implementing Stunnel on 3.5-Apollo hence worth a read.

Introduction

How to install Stunnel on Uniserver seemed a reasonable question and my reply was also not unreasonable, go to the download site extract the files and follow the installation guide. Two days latter I received another email requesting help on how to find the installation guide. Not a joke, I discovered that one did not exist in the download. More emails followed resulting in a working installation and this little tutorial.

What is Stunnel?

Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Socket Layer). Stunnel can allow you to secure non-SSL aware programs and protocols (like POP, IMAP, LDAP, etc). No changes are required to existing programs because Stunnel provides the encryption.

The Stunnel source code is not a complete product it needs to be compiled along with a functioning SSL library such as OpenSSL to produce a working product. This means that Stunnel can support whatever the SSL library can, without making any changes in the Stunnel code.

The nice people at Stunnel gives Windows users a sporting chance by providing pre-compiled DLL libraries. Hence no need to worry about all that technical stuff.

Top

What does all that mean?

Stunnel for Windows is a complete package designed to encrypt any TCP connection. With this package you can run a secure web server. I am not referring to Apache but the transmission of secure data over the Internet for example when paying by credit card you receive a padlock symbol in your browser address bar.

It is a shame but this security is only an illusion sure the data over the Internet is secured however if the server is compromised in anyway then that security is irrelevant. My point is that security is only as good as the weakest link. (Do pay heed to the certificate generation section)

Top

Where to get it

You can download Stunnel by going to the Plug-Ins page and follow the links or alternatively use this link to directly go to the Sourceforge download page.

First create a new folder and name it stunnel_temp (alternatively use any folder that you wish) its sole purpose is to provide a place to save the file to.

Download the current version (UN_stunnel-4.05.exe ) and save it in folder stunnel_temp.

Top

Extract the files

The file (UN_stunnel-4.05.exe is a self-extracting archive, hover your mouse pointer over the file name and double clicking the left mouse button. This starts the self-extracting archive, accept the folder name and click OK. On completion a folder named home is created containing several other folders, most of these are empty the last two (Stunnel-4.05 and bin) contain the program files :

  • Stunnel-4.05
  • .htaccess
  • index.html
  • sslstart.cgi
  • sslstop.cgi
   
  • bin
  • .htaccess
  • libeay32.dll
  • libssl32.dll
  • openssl.exe
  • ssltunel.conf
  • stunnel-4.05.exe
  • stunnel.pem

The folder Stunnel-4.05 contains files that are used to start and stop stunnel. All the stunnel program files are contained in the bin folder.

Top

Installing the plug-in

Installation is just a copy and paste exercise.

This image shows the folder structure I always find an image helps

  1. From your stunnel_temp folder
  2. Copy the folder Stunnel-4.05 and all its content
  3. To the plugins folder.

That's all there is to do.


At this stage Stunnel is safe and ready to use for testing.

However for production it is not secure I address this later see certificate generation.

Top

Running

Start the Apache server by double clicking its batch file Server_Start.bat

Type the following in to your browser address bar: http://localhost/apanel/plugins/Stunnel-4.05/

This opens a page where you can start and stop Stunnel or go back to the main page (apanel)

Start Stunnel by clicking on the link (Start Stunnel) As an alternative to using this page consider using my preferred method of batch files it saves having to remember that page address.

Note: If challenged by your firewall allow connection on all ports

Note: The start and stop scripts you downloaded do not work on Windows XP home SP2 go to the problems page to download new scripts. It you use the folowing batch files there is no need to download these new scripts.

Top

Batch Start and Stop (Alternative)

I personally prefer running Stunnel from batch files these are placed in the Uniform Server folder (allows instant access to Server_Start.bat and Disk Start.vbs as well Stunnel start and stop).

I have included my two batch files used for testing copy the following text into the appropriate files.

Start Stunnel stunnel_start.bat

@echo off
rem Name: stunnel_Start.bat
rem Created By: MPG 2/11/06

diskw\home\admin\program\pskill.exe stunnel-4.05.exe

IF NOT ERRORLEVEL 1 goto started
set Disk=%1
IF "%Disk%"=="" set Disk=w

set stunnelpath=%Disk%:\home\admin\www\plugins\Stunnel-4.05\bin\
start %stunnelpath%stunnel-4.05 %stunnelpath%ssltunel.conf
echo Stunnel Started
goto end

:started
CLS
echo NOTE !!! 
echo Stunnel already running. Use Stunnel_Stop.bat

:end

pause

Stop Stunnel stunnel_stop.bat

@echo off
rem Name: stunnel_stop.bat
rem Created By: MPG 2/11/06

diskw\home\admin\program\pskill.exe stunnel-4.05.exe c
echo Stunnel Stopped
pause

Note 1: Place the above two batch files in folder Uniform Server

Note 2: Before running these batch files make sure the Apache server is running otherwise you will receive an error messages path cannot be found.

An icon in the system tray (bottom right) confirms Stunnel is running.

Top

Testing

Testing is straightforward type https://localhost into your browser address bar.

Your browser starts a secure transaction resulting in either a warning pop-up stating that the “Server Certificate Expired” or “Security Alert” click OK or continue button.

Another pop-up displays “Website Certificate by an Unknown Authority” or “Security Alert”. Select accept this certificate temporarily for this session and click OK or YES to “do you want to proceed”.

The net result will be a padlock symbol indicating a secure connection and Stunnel is working.

Top

Security certificate

If you view the security certificate using Firefox you will see something like this:

SSL Server Certificate  	 
Issued To 	 
Common Name (CN)          localhost
Organization (O)          Stunnel Developers Ltd
Organizational Unit (OU)  <Not Part of Certificate>
Serial Numer              00
Issued By 	 
Common Name (CN)          localhost
Organization (O)          Stunnel Developers Ltd
Organizational Unit (OU)  <Not Part of Certificate>
Validity 	 
Issued On                 08/04/1999
Expires On                07/04/2000
Fingerprints 	 
SHA1 Fingerprint          4D:BD:77:CF:7D:A5:E3:63:C6:D0:5A:ED:FB:D8:F3:3D:E4:3B:58:F7
MD5 Fingerprint           B0:BE:C3:70:1E:48:DF:78:D7:7D:CE:AE:5B:29:25:42

The above information gives you an idea what will be required when you create your own certificate and private key, note these are both contained in the file stunnel.pem. I must stress that because the private key is already compromised you do need to generate both a new certificate and private key. Anyone downloading the plugin has the same key this is ideal for testing but not for production.

Top

Stunnel SSL Certificate and Public key generation

Before going live with your secure server it is imperative that you generate a new certificate and public key for Stunnel.

The following sections show you how to generate a new certificate (public key) and private key for Stunnel for running on Uniserver. It is a shame but the plugin is not complete in this respect it requires two additional files (including my batch file) to complete the task. These are small and can be downloaded from this page.

SSL Basics

Normal web pages are sent unencrypted over the Internet allowing anyone to intercept them and read their content. This presents a security issue where security and privacy is necessary for credit card and bank transactions. The Secure Socket Layer (SSL) is used to encrypt the data stream between the web server and a web browser.

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public the other private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

A certificate is not really necessary because data is secure and cannot easily be decrypted. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think.

Top

Self-Signed Certificate

You need to generate a self-signed certificate because it contains the public key. If you don't plan on having your certificate signed by a CA it will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted. I am going to cover only self-signed certificate here.

Batch Generator

To generate the certificate and public key you can use the command prompt and enter parameters manually. This is open to errors hence I created a batch file to ease the task.

Create a new text file named mpg_create.bat copy the following into this file and save it in the folder Stunnel-4.05

rem Create Stunnel pem certificate and public key file stunnel.pem
rem 3/11/06

openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

pause

The batch file runs the program openssl with the following parameters. Create a certificate request (req) that is new in the X.509 digital certificate format, using the RSA cipher with a 1,024-bit key, good for 365 days use the config file for additional information and write out both its key (private) and (public) certificate to the same file, stunnel.pem. stunnel.cnf

Top

stunnel.cnf

Stunnel is extremely flexible and because of this flexibility requires a configuration file (stunnel.cnf) in this file you specify the type of certificate (in this case a server) encryption strength and other certificate details.

Create a new text file named stunnel.cnf copy the following into this file and save it in the folder Stunnel-4.05

# create RSA certs - Server

RANDFILE = stunnel.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default             = PL
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Stunnel Developers Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

0.commonName                    = Common Name (FQDN of your server)
0.commonName_default            = localhost

# To create a certificate for more than one name uncomment:
# 1.commonName                  = DNS alias of your server
# 2.commonName                  = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.

[ cert_type ]
nsCertType = server

When you run the batch file, openssl reads the configuration, presents you with questions during certificate generation defaults are used if you press enter as a response otherwise the value you enter will be used. When you reach the line fully qualified domain name (FQDN) of your server enter the full name or IP address of your server.

Note: FQDN example, given a device with a hostname of "fred" and a domain name of "example.com", the fully qualified domain name is "fred.example.com" Like an IP address it is unique and removes any ambiguity.

Note: Windows does not display the file extention .cnf hence you will only see stunnel

Top

Generating a certificate

The batch files allows you to create the private key and public key (certificate) in one go.

To start the process double click on the batch file mpg_create.bat. (note make sure Apache is not running)

First the private key is automatically created and requires no input from you.

The next phase is a Certificate Signing Request (CSR) during this generation process; you will be prompted for several pieces of information. These are the X.509 attributes of the certificate.

Country Name (2 letter code) [PL]:UK
State or Province Name (full name) [Some-State]:Cambridgeshire
Locality Name (eg, city) []:Cambridge
Organization Name (eg, company) [Stunnel Developers Ltd]:MPG UniCenter
Organizational Unit Name (eg, section) []:Information
Common Name (FQDN of your server) [127.0.0.1]:fred.gotdns.com
Press any key to continue

You can repeat the process at any time have a play and get a feel for what’s going on and then I would recommend upgrading Stunnel before generating your final certificate.

Top

Stunnel Upgrade

There have been several updates of Stunnel since the release of the UniServer plugin. The current release of Stunnel is Version 4.16 (note at version 4.14 the upgrade urgency was stated as being height however the UniServer plugin is 4.05). My recommendation is to upgrade now it does mean getting your hands dirty.

It sounds complicated however it is not. The only slight in convince is that Stunnel now includes a Windows installer this is not required for the plugin however we need to use it to extract the required files required. Unlike earlier versions it is a complete package that now includes the OpenSSL Libraries.

Preparation

Create a new folder named stunnel_new this is used purely as a container and can be deleted when the installation has been completed.

Download

The file we need is located on this page: Stunnel Org

Download the latest version of Stunnel stunnel-4.16-installer.exe and save it to our folder stunnel_new.

Install stunnel-4.16

Double click on file stunnel-4.16-installer.exe when the installer starts click on agree to accept licence. Unselect menu short cuts and click on next. No need to change the path (C:\Program Files\stunnel) click on install, when installation completes click on close.

Go to folder C:\Program Files\stunnel and copy these four files into *\Uniform Server\diskw\home\admin\www\plugins\Stunnel-4.05\bin

  • libeay32.dll
  • libssl32.dll
  • stunnel.exe
  • zlib1.dll

Go to folder *\Uniform Server\diskw\home\admin\www\plugins\Stunnel-4.05\bin

  • Delete file stunnel-4.05.exe
  • Rename stunnel.exe to stunnel-4.05.exe

Note: It is good practice to rename files and folders to reflect the version being used. I leave this for you to do; if you do remember to change all bat files and cgi scripts.

Delete (Clan up)

Delete the stunnel program we just installed using: Start > control panel > add remove programs > navigate to stunnel and remove it.

Delete the folder we created stunnel_new these are no longer required.

Testing

Create and new certificate and check a page in your browser as previously described.

Top

Stunnel problems

1) Port Forward

If you are using a wireless router remember to forward port 443.

2) Start and Stop problems Windows XP Home SP2

When using Windows XP home SP2 and starting Stunnel using system directly in Perl (also PHP) I found that it would not work. The reason was traced to the fact that once starting Stunnel it never returned back to the Perl script. This gave the impression that the browser was stuck in a continuous loop. In reality the page never finished loading. It seems that system acts similar to Perl exec function in that it never returns to the script. The only way I found of resolving this was to use the Perl script to run a batch file, which runs the stunnel program, and returns back to the Perl script.

Download these files and save them in the folder shown in bold. They replace the existing files.

  • Stunnel-4.05
  • mpg_stunnel_start.bat
  • index.html
  • sslstart.cgi
  • sslstop.cgi

You can use the above links to download each file separately or download this zip file new_stunnel_scripts.zip


Note 1: The files have been tested only on the above OS.

Note 2 : I have re-enabled the security feature in the two files sslstart.cgi and sslstop.cgi if this proves to be a problem first check out the HTTP_REFERER problem page. As last resort you can comment the line in each file as follows.

#-------- security

#if ($ENV{HTTP_REFERER}!~/^http:\/\/localhost\/apanel/){print "<a href=\"http://localhost/apanel/\">Security alert!</a></body></html>";exit;};

#-------- security

Conclusion

The upgrade is easy remember to backup before doing this.

Top


Ric