Some stunnel questions (hopefully not too dumb)

Harmon, Paul [paul.harmon at nscorp.com]


Thu, 29 Nov 2007 15:44:51 -0500

Hi All,

I'm trying to use Stunnel to create an encrypted tunnel into my LINUX box from another LINUX box and, as much as I hate to admit it, I know relatively little about SSL implementation. I would like to set up a connection from a relatively dumb test client application which requests that my test server send out the contents of a file which I specify to it. This is done by firing up my server and having it listen for requests on a specific port number which I have chosen, accept the connection and respond with the data over the socket. I have recently found Barry O'Donovan's article in the Linux Gazette which seems to specify how to set up Stunnel-4.XX to create an SSL aware server. That much seems reasonable. But my question is "How do I set up a similar scheme for the client?" I've found other articles, but they seem to be for older versions of Stunnel using flags that do not seem to apply to Stunnel-4.XX. So here I am with half the solution I need. Now what? Help!!!!

Many Thanks for serious replies,

Paul Harmon



Kapil Hari Paranjape [kapil at imsc.res.in]


Fri, 30 Nov 2007 09:57:06 +0530

Hello,

On Thu, 29 Nov 2007, Harmon, Paul wrote:

> But my question is "How do I setup a similar scheme for the client?"

I confess to not being a user of stunnel4 (even though I should be!). However, one need not actually do any "SSL-like" thing to connect to an SSL server which does not require clients to authenticate using SSL.

The option "client = yes" ought to do most of the work.

Next you need to decide on what port your stunnel will accept local connections (say this is 1234) and what port on the remote side you will connect (say this is 4321). You then put "local = 1234" and "connect = remotehost:4321".

Finally, you start stunnel and then point your non-SSL aware client to "127.0.0.1:1234".

To make the whole thing more SSL-like, there are two aspects:

    1. Client verifies the server if you use
           CAfile = certfile
       where you replace certfile with the name of a file
       containing the self-signed certificate of the CA of your
       server certificate (or enough CAs to verify this server
       certificate).

    2. Server uses SSL to authenticate the client if you use
           key = keyfile
           cert = pemfile
       where you replace keyfile with the name of the file
       containing your SSL private key and pemfile with the name
       of a file containing the certificate for your key. This
       certificate must be signed by a CA whose certificate is in
       the CAfile of the server. (Chaining of certs is also
       possible.)

Hope this helps,

Kapil. --




Kapil Hari Paranjape [kapil at imsc.res.in]


Fri, 30 Nov 2007 10:54:23 +0530

Hello,

On Fri, 30 Nov 2007, Kapil Hari Paranjape wrote:

> I confess to not being a user of stunnel4 (even though I should be!).
> However, one need not actually do any "SSL-like" thing to connect to
> an SSL server which does not require clients to authenticate using
> SSL.

This is with the (default) setting "verify = default" which does not do SSL verification, but see below.

> To make the whole thing more SSL-like, there are two aspects:

In addition to the settings given in my earlier mail you need to set "verify=2" or "verify=3".

Regards,

Kapil. --




Kapil Hari Paranjape [kapil at imsc.res.in]


Sat, 1 Dec 2007 08:34:39 +0530

Hello,

I have added TAG back to the lists of correspondents. Please do not respond privately to a mail sent to this list.

On Fri, 30 Nov 2007, Harmon, Paul wrote:

>         Thanks for the input Kapil. However, now I have a really dumb
> question: "On my server I obviously know the port number. Why do I need
> a port number on my client's local machine. When making connections on
> clients you simply issue a connect call and the port of the server is
> specified. There is no local port mentioned or is it because it is now
> treating Stunnel as its server now?"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You've got it. In more detail:

Stunnel(client) does not provide the client protocol it merely creates an encrypted tunnel which the client can use to communicate with the server. Now your local network client needs to connect to some network port in order to take its part in the protocol. Normally this would be "remotehost:port". In this case we want to tunnel it so it is "localhost:4321" which speaks to stunnel. Then stunnel(client) encrypts this and sends it to the stunnel(server) at "remotehost:1234" which in turn then passes it to the actual server listening on some local port.

So, yes, the stunnel(client) is acting as a local server which proxies the remote service.

I hope this clarifies things. (I may have mixed up 1234 and 4321 so that the above description may be at odds with the configs I gave).

Regards,

Kapil. --

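The following script is an added example, not code from the thread or from the stunnel project. It writes the client-side and server-side stunnel 4 configurations that Kapil's three replies describe (client = yes, a listening port on the client machine, connect to the remote stunnel, CAfile with verify = 2, and cert/key for client authentication), and, when run with the argument "setup", creates a private CA plus a server and a client certificate with openssl. The host name "remotehost", the application port 5000, the two tunnel ports, the file names and the certificate subjects are all assumptions. One naming point: the example uses "accept" for the listening socket, because in stunnel 4 the service option "local" sets the source address for outgoing connections rather than the listening port.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Writes the two stunnel 4
# configuration files described in the replies above and, when run as
# "sh stunnel-pair.sh setup", creates a private CA plus a server and a client
# certificate with openssl.  Host names, ports, file names and certificate
# subjects are assumptions.
set -eu

SERVER_HOST=remotehost   # assumed: the machine running the stunnel server
APP_PORT=5000            # assumed: port of the plain-text test server there
TLS_PORT=4321            # port the stunnel server listens on (TLS side)
LOCAL_PORT=1234          # port the stunnel client listens on, loopback only

# Client side.  "client = yes" makes stunnel initiate TLS instead of accepting
# it.  The non-SSL test client connects to 127.0.0.1:LOCAL_PORT, stunnel
# forwards the stream to SERVER_HOST:TLS_PORT inside TLS.  "verify = 2" plus
# CAfile rejects any server whose certificate does not chain to ca.crt;
# without them anyone on the path can impersonate the server.  cert/key are
# only needed when the server verifies clients.
client_conf() {
    cat <<EOF
client = yes
pid = /tmp/stunnel-client.pid

[tunnel]
accept = 127.0.0.1:${LOCAL_PORT}
connect = ${SERVER_HOST}:${TLS_PORT}
CAfile = ca.crt
verify = 2
cert = client.crt
key = client.key
EOF
}

# Server side: terminate TLS on TLS_PORT and hand the plain stream to the test
# server on the loopback interface.  With verify = 2 only clients holding a
# certificate signed by ca.crt get through; drop CAfile/verify to accept any
# client (the server's own identity is still proven by cert/key).
server_conf() {
    cat <<EOF
pid = /tmp/stunnel-server.pid

[tunnel]
accept = ${TLS_PORT}
connect = 127.0.0.1:${APP_PORT}
cert = server.crt
key = server.key
CAfile = ca.crt
verify = 2
EOF
}

# Print the value of one "key = value" line from a config on stdin, so the
# settings can be checked before stunnel is started.
conf_get() {  # usage: client_conf | conf_get accept
    sed -n "s/^$1 = //p"
}

# Private CA and two leaf certificates.  Needs openssl; only run on "setup"
# so the config functions above remain usable without it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout ca.key -out ca.crt -subj "/CN=Example private CA"
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "/CN=$name"
        openssl x509 -req -days 365 -in "$name.csr" \
            -CA ca.crt -CAkey ca.key -CAcreateserial -out "$name.crt"
    done
    chmod 600 ca.key server.key client.key
    # The check stunnel performs at verify = 2: does each leaf chain to CAfile?
    openssl verify -CAfile ca.crt server.crt client.crt
}

case "${1:-}" in
    setup)
        make_certs
        client_conf > stunnel-client.conf
        server_conf > stunnel-server.conf
        ;;
esac
```

Run "sh stunnel-pair.sh setup" on one machine, copy ca.crt, server.crt, server.key and stunnel-server.conf to the server host and ca.crt, client.crt, client.key and stunnel-client.conf to the client host, start "stunnel stunnel-server.conf" next to the test server and "stunnel stunnel-client.conf" next to the test client, and point the test client at 127.0.0.1:1234. "openssl s_client -connect remotehost:4321 -CAfile ca.crt" from the client host confirms the server side before stunnel is involved. Two caveats: the ca.key file is the whole trust root, so keep it off both machines once the certificates are issued; and verify = 2 in stunnel 4 only checks that the peer certificate chains to CAfile, not that its name matches the host, so the CA must be a private one that signs nothing but your own hosts (verify = 3 additionally requires the peer's own certificate to be installed locally, which pins it).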
