Stunnel: Basics

Revision as of 19:44, 4 June 2008 by Ric

Stunnel SSL Basics

Stunnel is very flexible; this page provides additional information for Uniform Server 3.5-Apollo's implementation. Stunnel is configured for server operation: it terminates the secure connection from a browser client and passes the decrypted HTTP traffic on to Apache.

SSL Basics

Normal web pages are sent unencrypted over the Internet, allowing anyone on the path to intercept them and read (or alter) their content. This is a real problem wherever security and privacy are necessary, such as credit card and bank transactions. The Secure Socket Layer (SSL) is used to encrypt the data stream between the web server and a web browser.

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography. Two mathematically related keys are created, one public and one private; what one key encrypts only the other can decrypt, and only the holder of the private key can produce a signature that the public key verifies. SSL does not encrypt the page data with these keys (that would be far too slow). The key pair is used during the handshake, so that the server can prove it holds the private key matching the public key in its certificate, and so that browser and server can agree a fresh symmetric session key. That session key is what encrypts the data stream in both directions.

Encryption alone does not tell you who is at the other end. A browser will happily set up an encrypted session with any server that presents a key pair, including an attacker sitting between you and the real site. This is where certificates play their crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), binds the public key to a server name and so assures the browser that the certificate holder is really who it claims to be. Without a trusted signed certificate your data is still encrypted, however, the party you are communicating with may not be whom you think.

Self-Signed Certificate

You need to generate a self-signed certificate; the file stunnel.pem holds both the certificate (which contains the public key) and the matching private key. The stunnel.pem shipped with the plugin is compromised by definition: everyone who downloads the plugin has the same private key, so anyone could decrypt traffic to, or impersonate, a server still using it. This poses a security risk, therefore you must generate a new certificate and key before exposing the server.

If you don't plan on having your certificate signed by a CA, the client browser will display a warning to the effect that the signing certificate authority is unknown and not trusted (see the screen shots page). Only self-signed certificates are covered here.


Batch Generator

To generate the certificate and private key you can use the command prompt and enter the parameters manually. This is open to errors, hence I created a batch file to ease the task.

This batch file is named mpg_create.bat and located in folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin

mpg_create.bat

 : File Name : mpg_create.bat
 : Created By: UniCenter - MPG
 : Create Stunnel pem file stunnel.pem containing the private key and self-signed certificate
 : Increased days to give 10year MPG 22/8/07 3.5-Apollo
 : Updated to Stunnel 4.24 MPG 31/5/08
 : Upgraded OpenSSL to openssl-0.9.8g MPG 31/5/08
 : Updated for 3.5-Apollo MPG 18/8/07
 : Version 1.1 18/8/07
 :===============================================================

 openssl req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

 pause

This batch file runs the program openssl with the following parameters. req -new creates a new certificate request together with a fresh RSA private key; -x509 writes out a self-signed certificate in the X.509 format instead of a signing request; -days 3650 makes it valid for ten years; -nodes writes the private key unencrypted (Stunnel has to read the key at start-up with nobody there to type a passphrase, so protect the file with file-system permissions instead); -config stunnel.cnf supplies the key size and the certificate details; -keyout and -out both name stunnel.pem, so the private key and the certificate are written to the same file. The key size comes from default_bits in stunnel.cnf, which is 1,024 bits in the file shipped with the plugin. A 1,024-bit RSA key is no longer considered adequate; set default_bits = 2048 before running the batch file.


stunnel.cnf

OpenSSL is extremely flexible, and because of this flexibility it requires a configuration file describing the certificate you want. The file can have any name (it is passed to openssl with the -config parameter); Stunnel uses the file stunnel.cnf. In this file you specify the type of certificate (in this case a server certificate), the key size and the other certificate details.

The file stunnel.cnf is located in folder *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin

stunnel.cnf

 # create RSA certs - Server

 RANDFILE = stunnel.rnd

 [ req ]
 default_bits = 1024
 encrypt_key = yes
 distinguished_name = req_dn
 x509_extensions = cert_type

 [ req_dn ]
 countryName = Country Name (2 letter code)
 countryName_default = PL
 countryName_min = 2
 countryName_max = 2

 stateOrProvinceName = State or Province Name (full name)
 stateOrProvinceName_default = Some-State

 localityName = Locality Name (eg, city)

 0.organizationName = Organization Name (eg, company)
 0.organizationName_default = Stunnel Developers Ltd

 organizationalUnitName = Organizational Unit Name (eg, section)
 #organizationalUnitName_default =

 0.commonName = Common Name (FQDN of your server)
 0.commonName_default = localhost

 # To create a certificate for more than one name uncomment:
 # 1.commonName = DNS alias of your server
 # 2.commonName = DNS alias of your server
 # ...
 # See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
 # to see how Netscape understands commonName.

 [ cert_type ]
 nsCertType = server

When you run the batch file (mpg_create.bat) it runs openssl, which reads this configuration file. Note that encrypt_key = yes in the file is overridden by -nodes on the command line, so the private key is written unencrypted.

Note 1: Each entry in the [ req_dn ] section is a question presented to you during certificate generation. If you press enter as a response the default value (the matching _default line) will be used, otherwise the value you enter is used.

When you reach the line fully qualified domain name (FQDN), enter your server's full name (the name you type in a browser to access your site, without the http:// bit) or the IP address of your server. Modern browsers match the host name against the certificate's subjectAltName extension rather than the Common Name, so a certificate made from this file as shipped will still produce a name-mismatch warning in them; adding a subjectAltName extension carrying the same host name to the [ cert_type ] section fixes that.

Note 2: FQDN example: given a device with a hostname of "fred" and a domain name of "example.com", the fully qualified domain name is "fred.example.com". Like an IP address it is unique and removes any ambiguity.

Note: Windows does not display the file extension (cnf) by default, hence the file stunnel.cnf will display as stunnel (the icon is a speed dial).


Generating a certificate

The batch file creates both the private key and the self-signed certificate in one go. You could generate each individually and then combine them by hand into a single file in the PEM format; the batch file just makes it that little bit easier and less error prone.

The file is located in folder: *\Uniform Server\udrive\home\admin\www\plugins\stunnel_424\bin

  1. If running, shut down your servers.
  2. To start the process double click on the batch file mpg_create.bat.
  3. First the private key is automatically created and requires no input from you.
  4. The next phase is the certificate request, which -x509 turns straight into a self-signed certificate.
    During this phase you will be prompted for several pieces of information. These are the X.509 attributes of the certificate.
  5. In the example below, the text after each colon is the kind of information you enter.


Country Name (2 letter code) [PL]:UK
State or Province Name (full name) [Some-State]:Cambridgeshire
Locality Name (eg, city) []:Cambridge
Organization Name (eg, company) [Stunnel Developers Ltd]:Mike Gleaves UniCenter
Organizational Unit Name (eg, section) []:Uniform Server 3.5-Apollo example
Common Name (FQDN of your server) [127.0.0.1]:fred.gotdns.com
Press any key to continue

You can repeat this process at any time. For a self-signed certificate the information you enter is unimportant, with the exception of the FQDN (fully qualified domain name): if you have one, use it (it is the full address you would enter in a browser, apart from the http:// bit).

Note 1: A default value is displayed in square brackets; press return to accept this value. If you are feeling lazy press return at each prompt. The resulting certificate is fully functional, however it does not look very professional when displayed in a browser.

Note 2: The only thing of importance is that each run generates a fresh key pair, so every certificate you generate is unique. Browsers that were told to trust the previous certificate will warn again once you replace it.

It really is that easy to produce a self-signed certificate to secure your personal server. If you want some background information take a look at the page SSL basics.
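The generation procedure above and the stunnel.cnf settings, as an added example that is not Uniform Server's script: a POSIX-shell equivalent of mpg_create.bat that writes its own request config in the style of stunnel.cnf and then checks the result the way a practitioner would (private key and certificate really are in one file and belong together, the Common Name is what was asked for, the host name is also present in subjectAltName, and the key is 2048 bits). It differs from the shipped stunnel.cnf in three places: default_bits = 2048 instead of 1024, prompt = no so that no questions are asked, and a subjectAltName extension. The host name fred.example.com, the organisation details and the output path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Uniform Server's mpg_create.bat: the same openssl
# invocation driven from a POSIX shell, with a request config written in the
# style of stunnel.cnf and the checks worth running on the resulting PEM file.
# Assumptions (not from the page): host name fred.example.com, the DN fields,
# and the output path chosen by the caller.
set -e

# write_cnf <cnffile> <fqdn>
# Like stunnel.cnf but: 2048-bit key, prompt = no (DN values given here, no
# questions asked), and the host name repeated in subjectAltName, which is
# the field browsers actually match against.
write_cnf() {
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
x509_extensions    = cert_type

[ req_dn ]
C  = UK
ST = Cambridgeshire
L  = Cambridge
O  = Example Org
CN = $2

[ cert_type ]
nsCertType       = server
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2
EOF
}

# make_stunnel_pem <pemfile> <fqdn>
# Same parameters as the batch file: -keyout and -out name the same file, so
# the private key is written first and the certificate appended after it.
make_stunnel_pem() {
    write_cnf "$1.cnf" "$2"
    openssl req -new -x509 -days 3650 -nodes -config "$1.cnf" \
        -keyout "$1" -out "$1" 2>/dev/null
    chmod 600 "$1"   # -nodes leaves the key unencrypted; restrict who can read it
}

# check_stunnel_pem <pemfile>
# Succeeds only if the file holds a private key and a certificate, and the
# certificate's public key is the one belonging to that private key.
check_stunnel_pem() {
    grep -q 'PRIVATE KEY' "$1"       || return 1
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_cn <pemfile>: print the certificate's Common Name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_san_has <pemfile> <fqdn>: succeed if the host name is in subjectAltName
cert_san_has() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_key_bits <pemfile>: print the RSA modulus size in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```

Run make_stunnel_pem on a path of your choice with your server's FQDN, then check_stunnel_pem on the file before copying it into the Stunnel bin folder as stunnel.pem. The layout it produces (private key block followed by the certificate block in one file) is the same one the batch file produces and the shipped stunnel.conf reads through its cert = and key = lines.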


stunnel.conf

Stunnel is also extremely flexible and requires a configuration file; amongst other things it sets Stunnel's mode of operation, either client or server mode. Uniform Server uses Stunnel's default server mode.

The section that you may need to change is [uniform35]; in this section you set the accept and connect port values. These have been set to the standard port values. If you change the Apache listening port, change connect to match. If you wish to set the Internet secure port, change accept to match. (Note: You will also need to change your firewall and router forwarding ports.) Bear in mind that Stunnel decrypts the traffic and hands plain HTTP to Apache on port 80: Apache sees every request as coming from the local host rather than from the browser's address, and anything that can reach port 80 directly still gets the site unencrypted, so do not forward port 80 through the router if the site is meant to be reachable over HTTPS only.

stunnel.conf

 ; File Name : stunnel.conf
 ; Created By: UniCenter - MPG
 ; Updated to Stunnel 4.24 MPG 1/6/08
 ; Added an additional start file mpg_perl_php_start.bat
 ; Updated to Stunnel 4.20 MPG 25/3/07
 ; Updated for 3.5-Apollo MPG 20/8/07
 ; Version 1.1 20/8/07
 ; Notes:
 ; Drive independent use mpg_stunnel_start.bat and mpg_stunnel_stop.bat
 ; If not run from these files full path must be specified eg
 ;cert = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem
 ;key = w:\home\admin\www\plugins\stunnel_424\bin\stunnel.pem
 ; ========================================================================

 cert = stunnel.pem
 key = stunnel.pem

 ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
 ;debug 5=notice 7= full debug
 debug = 5

 RNDbytes = 64
 RNDoverwrite = yes
 session = 300 seconds
 verify = level 1

 [uniform35]
 ;https port 443
 accept = 443
 ;default connects to local host
 connect = 80

 TIMEOUTbusy = 300 seconds
 TIMEOUTclose = 60 seconds
 TIMEOUTidle = 43200 seconds

Note: You can disable the taskbar icon by adding the line: taskbar = no
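As an added example (not the stunnel.conf shipped with the plugin), the same server configuration with the settings a security review of the file above would change, each shipped value shown commented out beside its replacement. The option names are Stunnel 4.x ones (the options keyword passes OpenSSL's SSL_OP_* flag names straight through); the file names are the plugin's own.

```ini
; Added example: hardened version of the server configuration above, not the file shipped with the plugin
cert = stunnel.pem
key = stunnel.pem

; Shipped: ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
; (lets a client negotiate RC4, export-grade and SSLv2-era suites)
ciphers = HIGH:!aNULL:!MD5:!RC4

; Refuse the SSLv2 and SSLv3 protocols themselves, not just their cipher suites
options = NO_SSLv2
options = NO_SSLv3

;debug 5=notice 7= full debug
debug = 5

RNDbytes = 64
RNDoverwrite = yes

; Shipped: verify = level 1
; (asks every browser for a client certificate; a public HTTPS site wants none,
; so the verify line is left out entirely)

[uniform35]
;https port 443
accept = 443
; Shipped: connect = 80   (localhost implied)
; Name the loopback target explicitly so a later edit cannot quietly point
; the decrypted stream at an address reachable from outside this machine.
connect = 127.0.0.1:80
```

After changing the cipher list, confirm from another machine that an SSLv2 or RC4-only client is refused and a current browser still connects; the cipher string is handed to OpenSSL unchanged, so any string that openssl ciphers accepts is valid here.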



  Ric