How to: Debian stable OpenSSL and Stunnel support for Abyss

 
canoedf
Joined: 25 Oct 2004
Posts: 13
Location: Colorado

Posted: Sat Sep 09, 2006 12:48 am    Post subject: How to: Debian stable OpenSSL and Stunnel support for Abyss

This took a while to unravel and a few false starts.
I hope this helps to save time for others.
If anyone spots a problem with this, let me know and I will clear it up.

UPDATE: removed the -v stunnel command-line arg after finding that MS W2K could not connect
programmatically to the tunnel using wininet.dll; removing the argument did not appear to affect browsers.

Dan in Colorado

Debian (Sarge) based OpenSSL and Stunnel support for Abyss
Note: This assumes you have created an account on CACERT.ORG


http://www.cacert.org/

Get the software:
Code:
apt-get install openssl  # Package: openssl (0.9.7e-3sarge1)
apt-get install stunnel  # Package: stunnel (2:3.26-3)


Create a workplace:
Code:
mkdir certwork
cd certwork


Create the stunnel.cnf file with this text
(customize your country, state/province, city,
organization and domain name defaults):

Code:
#start of stunnel.cnf
#
#
RANDFILE = stunnel.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Colorado

localityName                    = Locality Name (eg, city)
localityName_default            = Frederick

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Prosys Networks

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Web Security

0.commonName                    = Common Name (FQDN of your server)
0.commonName_default            = prosysnet.us

# To create a certificate for more than one name uncomment:
# 1.commonName                  = DNS alias of your server
# 2.commonName                  = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.

[ cert_type ]
nsCertType = server
#
#
#end of stunnel.cnf


***** Now CREATE the certificate request server.csr:

Code:
openssl req -new -days 365 -nodes -config stunnel.cnf -out server.csr -keyout private.key


***** Now GENERATE the new server certificate
Login to CACERT.ORG
Go to Server Certificates - New
Paste the contents of your server.csr into the page.
This will generate the new server certificate;
it appears in this format on the screen:

Code:
-----BEGIN CERTIFICATE-----
body of the cert
-----END CERTIFICATE-----


Edit your private.key file, append the server certificate and save as stunnel.ca

Code:
chmod 600 stunnel.ca


***** Now ACTIVATE stunnel
Code:
stunnel -d 192.168.0.40:443 -r 192.168.0.40:80 -D 7 -o stunnel.log -p stunnel.ca -a /root/certwork -P /root/certwork/stun.pid


command line definition:
Code:
-d service.port that will listen for https traffic
-r service.port that will receive the clear text traffic
-D the debug level
-o the log file
-p the combined private.key and server certificate text file
-v the client validation level
-a the cert file directory
-P the pid file


***** Go see your new HTTPS website...
Your browser will have to accept the certificate the first time.
Do not forget to check on all the documentation and help available.
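The step above that merges private.key and the CAcert certificate into stunnel.ca is the one most easily done wrong (a world-readable key file, a certificate that does not belong to the key, or a stray second key block), and none of those mistakes show up until stunnel's first handshake fails. The script below is an added example, not part of canoedf's post or of the stunnel project: it builds the combined file in the tutorial's layout (key first, certificate appended), creates it with mode 600 from the start, and checks the result. It assumes the CAcert output was saved as server.crt (a name the post does not use), that the key is RSA as in the tutorial, and that stat is GNU or BSD; the key/certificate match test runs only when openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original post): assemble stunnel.ca from
# private.key and the certificate returned by CAcert, then sanity-check it
# before pointing stunnel -p at it. "server.crt" is an assumed file name.

# make_stunnel_ca KEYFILE CERTFILE OUTFILE
# Writes KEYFILE followed by CERTFILE into OUTFILE (the tutorial's layout:
# key first, certificate appended) with mode 0600 and verifies the result.
# Returns 0 on success, 1 on any problem (reason on stderr).
make_stunnel_ca() {
    key=$1; cert=$2; out=$3

    # Refuse inputs that do not carry the expected PEM markers.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "no PEM private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "no PEM certificate in $cert" >&2; return 1; }

    # Create the output under umask 077 so it is never group/world readable,
    # not even for the instant before chmod runs; the chmod also covers an
    # OUTFILE that already existed with looser permissions.
    ( umask 077; cat "$key" "$cert" > "$out" ) || return 1
    chmod 600 "$out" || return 1

    # Exactly one private key and at least one certificate must be present;
    # a second key block would make it ambiguous which one stunnel loads.
    [ "$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$out")" -eq 1 ] \
        || { echo "expected exactly one private key block in $out" >&2; return 1; }
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$out")" -ge 1 ] \
        || { echo "no certificate block in $out" >&2; return 1; }

    # When openssl is available, prove the key and certificate belong together
    # by comparing the public key each one carries (both printed in the same
    # SubjectPublicKeyInfo PEM form, so identical text means the same key).
    if command -v openssl >/dev/null 2>&1; then
        kpub=$(openssl rsa -in "$out" -pubout 2>/dev/null) \
            || { echo "cannot read an RSA private key from $out" >&2; return 1; }
        cpub=$(openssl x509 -in "$out" -pubkey -noout 2>/dev/null) \
            || { echo "cannot read a certificate from $out" >&2; return 1; }
        [ "$kpub" = "$cpub" ] \
            || { echo "private key and certificate in $out do not match" >&2; return 1; }
    fi
    return 0
}

# ca_file_mode FILE: print FILE's permission bits in octal
# (GNU stat syntax first, BSD stat syntax as fallback).
ca_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage, run inside the certwork directory with the tutorial's file names:
#   make_stunnel_ca private.key server.crt stunnel.ca \
#       && echo "stunnel.ca ready, mode $(ca_file_mode stunnel.ca)"
```

Because the file is created with umask 077 and then chmod 600, there is no window in which another local user can read the private key, which is the property the tutorial's manual chmod step is trying to get; the public-key comparison catches the common case of pasting a certificate issued for a different CSR.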