Stunnel: Install 4.24

From The Uniform Server Wiki
Revision as of 18:36, 21 August 2008 by Ric (talk | contribs) (Protected "Stunnel: Install 4.24" [edit=sysop:move=sysop])

MPG UniCenter


3.5 Apollo
Stunnel upgraded to 4.24
Stunnel upgraded to 4.25

Since the release of Apollo I have received a number of emails asking what needs to be changed to get Stunnel working. I have also had several emails from users who do not like the server being accessible over both http and https. The remainder of this write-up addresses these issues and targets only Apollo. I have also taken the opportunity to upgrade to Stunnel 4.24, as covered on the previous page.

Where to get the upgrade

My unofficial plugin is based on the original Uniform Server plugin (Stunnel-4.05), which can be found at the Sourceforge download page. I previously upgraded 3.3 to use the latest version of Stunnel (Stunnel-4.20). For 3.5-Apollo I have changed the file paths to reflect the new folder names. In addition there are a few minor changes that I will explain later.

  • Download: Save the file uc35Stunnel_424.exe to folder Uniform Server.
  • MD5: 7c1f5ab98e500cfbc084f18719c7112d


Note 1: Stunnel has been upgraded to 4.25. This also includes a minor modification to the Stunnel configuration file that prevents a blank "Choose a digital certificate" pop-up in IE.

  • Download: Save the file uc35Stunnel_425.exe to folder Uniform Server.
  • MD5: dd5542ed9e83426d77437769d2af0cee


Note 2: The file contains all files required for a full update. It is a self-extracting archive; double-click it to run.
To avoid conflicts with official releases I use the prefix uc for both folders and files where appropriate (uc stands for UniCenter).


On completion you will find the following folders and files have been created:

Folder : *\Uniform Server

  • ucStunnel_stop.bat
  • ucStunnel_start.bat

Folder : *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424

  • .htaccess
  • index.html
  • stunnel.php
  • sslstart.cgi
  • sslstop.cgi

Folder : *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin

  • .htaccess
  • libeay32.dll
  • libssl32.dll
  • mpg_create.bat
  • mpg_stunnel_stop.bat
  • mpg_stunnel_start.bat
  • mpg_perl_stop.bat
  • mpg_perl_start.bat
  • mpg_php_stop.bat
  • mpg_php_start.bat
  • openssl.exe
  • stunnel
  • ssleay32.dll
  • stunnel.conf
  • stunnel.pem
  • stunnel.rnd
  • stunnel_424.exe
  • zlib1.dll


How to Run

This plugin, like the official version, has several ways of starting and stopping Stunnel.

Preferred method

Navigate to folder Uniform Server and double-click ucStunnel_start.bat or ucStunnel_stop.bat to start or stop the Stunnel server respectively.


Note 1: Stunnel is independent of Uniform Server; this allows you to start Stunnel before or after starting UniServer.

Note 2: The above two batch files do not start Stunnel directly. They use the intermediary files mpg_stunnel_start.bat and mpg_stunnel_stop.bat found in folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin. These allow other external programs to start and stop Stunnel, and in addition they provide Stunnel with path independence.

From a browser via your Apache server

Start Uniform Server and type the following into your browser address bar:

http://localhost/apanel/plugins/stunnel_424/index.html

This opens Stunnel’s control page. You will find that the controls have been duplicated: the left set of links uses Perl CGI pages while the links on the right use PHP pages. Either set allows you to start and stop Stunnel.

Note: The above duplication is not really required; it is provided only to show examples of using either Perl or PHP to control Stunnel.

Other programs

If you are using other programs to control Stunnel, such as UniTray, they should use the two batch files mpg_stunnel_start.bat and mpg_stunnel_stop.bat, located in folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin, for this purpose. Using these files allows Stunnel to be started before or after UniServer.

Note: Check out this page for background information on mpg_stunnel_start.bat


Testing

Testing is straightforward: start both servers, Uniform and Stunnel, then type https://localhost into your browser address bar.

Your browser will start a secure transaction, resulting in either a warning pop-up stating that the “Server Certificate has Expired” or several “Security Alert” pop-ups (check this page for screen shots). Accept the certificate for a single session only (do not save the certificate to your browser).

The actual wording will vary across browsers; just accept this certificate temporarily for this session.

The net result will be a padlock symbol indicating a secure connection, which shows that Stunnel is working correctly.


Security certificate

If you view the certificate (this example shows the result from Firefox) you will see something like this:

SSL Server Certificate
Issued To
Common Name (CN)         fred.gotdns.com
Organization (O)         Mike Gleaves UniCenter
Organizational Unit (OU) Uniform Server 3.5-Apollo example
Serial Number            00
Issued By
Common Name (CN)         fred.gotdns.com
Organization (O)         Mike Gleaves UniCenter
Organizational Unit (OU) Uniform Server 3.5-Apollo example
Validity
Issued On                22/08/2007
Expires On               19/08/2017
Fingerprints
SHA1 Fingerprint         80:87:52:6D:30:54:B1:8E:BD:56:B6:3E:F3:08:42:02:15:C7:1A:30
MD5 Fingerprint          EC:29:34:94:D8:33:F9:16:EC:BF:9E:56:06:B8:B6:42

The above information gives you an idea of what will be required when creating your own certificate and private key. Note that both are contained in the file stunnel.pem.

Important Note

At this point I must stress that the private keys (certificates) shipped with Stunnel and UniServer are both compromised and pose a security risk.

Anyone who downloads Stunnel has the same key (certificate). This is ideal for testing but not for production or a personal server. However, it is extremely easy to create your own unique personal certificate; I cover this on the next page.

That certificate is unique to you and is the one you can save to your browser if you wish to avoid those annoying security alerts.



Ric
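
A check for the risk described under Important Note, added here as an example and not part of the original page or plugin: it computes the SHA1 fingerprint of each certificate in a stunnel.pem file and compares it with the fingerprint of the shipped test certificate listed above. The function names and the sample PEM contents are constructed for illustration.

```python
import base64
import hashlib
import re
import sys

# SHA1 fingerprint of the shipped test certificate, copied from this page.
SHIPPED_SHA1 = "80:87:52:6D:30:54:B1:8E:BD:56:B6:3E:F3:08:42:02:15:C7:1A:30"

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """Return the SHA1 fingerprint of every certificate in a PEM file."""
    # stunnel.pem holds a private key and a certificate; only CERTIFICATE
    # blocks are hashed, so the key block is ignored.
    prints = []
    for body in CERT_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # PEM body -> DER bytes
        digest = hashlib.sha1(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return prints


def uses_shipped_cert(pem_text, shipped=SHIPPED_SHA1):
    """True if any certificate in the file has the shipped fingerprint."""
    return shipped.upper() in cert_fingerprints(pem_text)


def sample_pem(cert_bytes):
    """Constructed stand-in for stunnel.pem (not a real key or certificate)."""
    enc = lambda raw: base64.encodebytes(raw).decode()
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + enc(b"constructed key")
            + "-----END RSA PRIVATE KEY-----\n"
            + "-----BEGIN CERTIFICATE-----\n" + enc(cert_bytes)
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Usage: python check_pem.py path\to\stunnel.pem
    with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
        pem = fh.read()
    for fp in cert_fingerprints(pem):
        state = "SHIPPED TEST CERT, replace it" if fp == SHIPPED_SHA1 else "ok"
        print(fp, state)
```

Run it against the stunnel.pem in the plugin's bin folder before exposing the server; a match means the file is still the one every downloader has.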