canoedf -
Joined: 25 Oct 2004 Posts: 13 Location: Colorado
Posted: Sat Sep 09, 2006 12:48 am Post subject: How to: Debian stable OpenSSL and Stunnel support for Abyss
This took a while to unravel and a few false starts.
I hope this helps to save time for others.
If anyone spots a problem with this - let me know and I will clear it up.
UPDATE: removed the -v stunnel command line arg after finding that MS W2K could not connect
programmatically to the tunnel using wininet.dll - removing the argument did not appear to affect browsers.
Dan in Colorado
Debian (Sarge) based OpenSSL and Stunnel support for Abyss
Note: This assumes you have created an account on CACERT.ORG
http://www.cacert.org/
Get the software:
Code:
apt-get install openssl   # Package: openssl (0.9.7e-3sarge1)
apt-get install stunnel   # Package: stunnel (2:3.26-3)
Create a workplace:
Code:
mkdir certwork
cd certwork
Create the stunnel.cnf file with this text
(customize your country, state/province, city,
organization and domain name defaults):
Code:
#start of stunnel.cnf
#
#
RANDFILE = stunnel.rnd
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Colorado
localityName = Locality Name (eg, city)
localityName_default = Frederick
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Prosys Networks
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Web Security
0.commonName = Common Name (FQDN of your server)
0.commonName_default = prosysnet.us
# To create a certificate for more than one name uncomment:
# 1.commonName = DNS alias of your server
# 2.commonName = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.
[ cert_type ]
nsCertType = server
#
#
#end of stunnel.cnf
***** Now CREATE the certificate request server.csr:
Code:
openssl req -new -days 365 -nodes -config stunnel.cnf -out server.csr -keyout private.key
***** Now GENERATE the new server certificate
Log in to CACERT.ORG
Go to Server Certificates - New
Paste the contents of your server.csr into the page;
this will generate the new server certificate.
It appears in this format on the screen:
Code:
-----BEGIN CERTIFICATE-----
body of the cert
-----END CERTIFICATE-----
Edit your private.key file, append the server certificate and save as
stunnel.ca
Code:
chmod 600 stunnel.ca
***** Now ACTIVATE stunnel
Code:
stunnel -d 192.168.0.40:443 -r 192.168.0.40:80 -D 7 -o stunnel.log -p stunnel.ca -a /root/certwork -P /root/certwork/stun.pid
command line definition:
Code:
-d service.port that will listen for https traffic
-r service.port that will receive the clear text traffic
-D the debug level
-o the log file
-p the combined private.key and server certificate text file
-v the client validation level
-a the cert file directory
-P the pid file
****** Go see your new HTTPS website......
Your browser will have to accept the certificate the first time.
Do not forget to check on all the documentation and help available.
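An added example that is not part of canoedf's post: a POSIX shell helper that assembles stunnel.ca the way the post describes (private.key followed by the CAcert-issued server certificate) and checks it before stunnel is started with -p: exactly one key and one certificate, a key that actually matches the certificate, mode 600, and a certificate that has not expired. It assumes openssl is on the PATH and that the key is RSA as in the post; the file paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the combined
# key + certificate file that stunnel 3.x reads via -p and checks it
# before the tunnel is started. Assumes openssl is on PATH; the paths
# passed in are placeholders chosen by the caller.
set -eu

# Private key first, then the CAcert-issued server certificate, then
# restrict the file to its owner because it holds the private key.
build_stunnel_pem() {
    key="$1"; cert="$2"; out="$3"
    cat "$key" "$cert" > "$out"
    chmod 600 "$out"
}

# Returns 0 when the file is usable: exactly one private key and one
# certificate, key and certificate share the same RSA modulus (a key
# left over from an earlier CSR is the classic mistake), owner-only
# permissions, and the certificate has not expired.
check_stunnel_pem() {
    pem="$1"
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$pem" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    [ "$keys" -eq 1 ] || { echo "expected one private key, found $keys"; return 1; }
    [ "$certs" -eq 1 ] || { echo "expected one certificate, found $certs"; return 1; }
    # openssl skips PEM blocks of the wrong type, so both reads work on the
    # combined file; an empty modulus means the key could not be parsed.
    kmod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null || true)
    cmod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null || true)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || { echo "private key does not match certificate"; return 1; }
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    [ "$mode" = "600" ] || { echo "file mode is $mode, expected 600"; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || { echo "certificate has expired"; return 1; }
    return 0
}
```

Run check_stunnel_pem against stunnel.ca after every certificate renewal as well, since replacing the certificate without the matching key produces the same silent mismatch.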