Stunnel: Install 4.24: Difference between revisions
Latest revision as of 18:36, 21 August 2008
3.5 Apollo |
Since the release of Apollo I have received a number of emails asking what needs to be changed to get Stunnel working. I have also had several emails from users who do not like the server being accessible over both http and https. The result is the remainder of this write-up, which addresses these issues and targets only Apollo. I have also taken the opportunity to upgrade (Stunnel 4.24), as covered on the previous page.
Where to get the upgrade
My unofficial plugin is based on the original Uniform Server plugin (Stunnel-4.05), which can be found at the Sourceforge download page. I have previously upgraded 3.3 to use the latest version of Stunnel (Stunnel-4.20). For 3.5-Apollo I have changed the file paths to reflect the new folder names. In addition, there are a few minor changes that I will explain later.
- Download: This file uc35Stunnel_424.exe and save it to folder Uniform Server.
- MD5: 7c1f5ab98e500cfbc084f18719c7112d
Note 1:
Stunnel has been upgraded to 4.25. This also includes a minor modification to the Stunnel configuration file that prevents a blank "Choose a digital certificate" pop-up in IE.
- Download: This file uc35Stunnel_425.exe and save it to folder Uniform Server.
- MD5: dd5542ed9e83426d77437769d2af0cee
Note 2: The file contains all files required for a full update. It is a self-extracting archive; double-click to run.
To avoid conflicts with official releases I use the suffix uc for both folders and files where appropriate (uc stands for UniCenter).
On completion you will find the following folders and files have been created:
Folder : *\Uniform Server
- ucStunnel_stop.bat
- ucStunnel_start.bat
Folder : *\UniformServer\udrive\home\admin\www\plugins\stunnel_424
- .htaccess
- index.html
- stunnel.php
- sslstart.cgi
- sslstop.cgi
Folder : *\UniformServer\udrive\home\admin\www\plugins\stunnel_424\bin
How to Run
This plugin, like the official version, has several ways of starting and stopping Stunnel.
Preferred method
Navigate to folder Uniform Server and double-click on ucStunnel_start.bat or ucStunnel_stop.bat to start and stop the Stunnel server respectively.
Note 1: Stunnel is independent of Uniform Server; this allows you to start Stunnel before or after starting UniServer.
Note 2: The above two batch files do not directly start Stunnel; they use the intermediary files mpg_stunnel_start.bat and mpg_stunnel_stop.bat found in folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin. These allow other external programs to start and stop Stunnel, and in addition they provide Stunnel with path independence.
From a browser via your Apache server
Start Uniform Server and type the following into your browser address bar:
http://localhost/apanel/plugins/stunnel_424/index.html
This opens Stunnel’s control page. You will find the controls have been duplicated: the left set of links uses Perl cgi pages, while the links on the right use PHP pages. Either set allows you to start and stop Stunnel.
Note: The above duplication is not really required; it is provided only to show examples of using either Perl or PHP to control Stunnel.
Other programs
If you are using other programs to control Stunnel, such as UniTray, they should use the two batch files mpg_stunnel_start.bat and mpg_stunnel_stop.bat located in folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin for this purpose. Using these files allows Stunnel to be started before or after UniServer.
Note: Check out this page for background information on mpg_stunnel_start.bat
Testing
Testing is straightforward: start both servers, Uniform and Stunnel, then type https://localhost into your browser address bar.
Your browser will start a secure transaction, resulting in either a warning pop-up stating that the “Server Certificate has Expired” or several security alerts (“Security Alert”; check this page for screenshots). Accept the certificate for a single session (do not save the certificate to your browser).
The actual wording will vary across browsers; just accept this certificate temporarily for this session.
The net result will be a padlock symbol, indicating a secure connection and that Stunnel is working correctly.
Security certificate
If you view the certificate (this example shows the result from Firefox) you will see something like this:
SSL Server Certificate
Issued To
- Common Name (CN): fred.gotdns.com
- Organization (O): Mike Gleaves UniCenter
- Organizational Unit (OU): Uniform Server 3.5-Apollo example
- Serial Number: 00
Issued By
- Common Name (CN): fred.gotdns.com
- Organization (O): Mike Gleaves UniCenter
- Organizational Unit (OU): Uniform Server 3.5-Apollo example
Validity
- Issued On: 22/08/2007
- Expires On: 19/08/2017
Fingerprints
- SHA1 Fingerprint: 80:87:52:6D:30:54:B1:8E:BD:56:B6:3E:F3:08:42:02:15:C7:1A:30
- MD5 Fingerprint: EC:29:34:94:D8:33:F9:16:EC:BF:9E:56:06:B8:B6:42
The above information gives you an idea of what will be required when creating your own certificate and private key; note that these are both contained in the file stunnel.pem.
Important Note
At this point I must stress that the private keys (certificates) shipped with Stunnel and UniServer are both compromised and pose a security risk.
Anyone downloading Stunnel has the same key (certificate); this is ideal for testing but not for production or a personal server. However, it is extremely easy to create your own unique personal certificate; I cover this on the next page.
This certificate is unique to you and is the one you can save to your browser if you wish to avoid those annoying security alerts.
Ric |
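To confirm that a server is no longer running on the shipped key, the check below compares the certificate in stunnel.pem (or the one a running Stunnel presents) against the SHA1 fingerprint quoted under "Security certificate". It is an added example, not part of the plugin or the original page; the function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

# SHA1 fingerprint of the shipped example certificate, as quoted on this page.
SHIPPED_SHA1 = "80:87:52:6D:30:54:B1:8E:BD:56:B6:3E:F3:08:42:02:15:C7:1A:30"

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def normalise(fingerprint):
    """Compare fingerprints regardless of colons, spaces or letter case."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def cert_fingerprints(pem_text):
    """SHA1 fingerprint of every certificate in a PEM bundle.

    stunnel.pem carries the private key and the certificate in one file, so
    only CERTIFICATE blocks are hashed; key blocks are never decoded.
    """
    result = []
    for body in CERT_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha1(der).hexdigest().upper()
        result.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return result


def uses_shipped_cert(pem_text, known=SHIPPED_SHA1):
    """True if any certificate in the bundle matches the known fingerprint."""
    return any(normalise(fp) == normalise(known)
               for fp in cert_fingerprints(pem_text))


def server_uses_shipped_cert(host, port=443):
    """Fetch the certificate a running Stunnel presents and test it."""
    return uses_shipped_cert(ssl.get_server_certificate((host, port)))


# Constructed bundle (placeholder bytes, not a real key or certificate).
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(cert_fingerprints(SAMPLE_PEM))
    print("shipped certificate in use:", uses_shipped_cert(SAMPLE_PEM))
```

Pass the contents of your own stunnel.pem to uses_shipped_cert(), or call server_uses_shipped_cert("localhost") with Stunnel running; a True result means the server is still presenting the shipped certificate.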