How to: Debian stable OpenSSL and Stunnel support for Abyss

Joined: 25 Oct 2004
Posts: 13
Location: Colorado

PostPosted: Sat Sep 09, 2006 12:48 am

This took a while to unravel and a few false starts.
I hope this helps to save time for others.
If anyone spots a problem with this - let me know and I will clear it up.

UPDATE: removed the -v stunnel command line arg after finding that MS W2K could not connect
programmatically to the tunnel using wininet.dll - removing the argument did not appear to affect browsers.

Dan in Colorado

Debian (Sarge) based OpenSSL and Stunnel support for Abyss
Note: This assumes you have created an account on CACERT.ORG

Get the software:
apt-get install openssl  //Package: openssl (0.9.7e-3sarge1)
apt-get install stunnel  //Package: stunnel (2:3.26-3)

Create a workplace:
mkdir certwork
cd certwork

Create the stunnel.cnf file with this text
(customize your country, state/province, city,
organization and domain name defaults):

#start of stunnel.cnf
RANDFILE = stunnel.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Colorado

localityName                    = Locality Name (eg, city)
localityName_default            = Frederick

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Prosys Networks

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Web Security

0.commonName                    = Common Name (FQDN of your server)
0.commonName_default            =

# To create a certificate for more than one name uncomment:
# 1.commonName                  = DNS alias of your server
# 2.commonName                  = DNS alias of your server
# ...
# See
# to see how Netscape understands commonName.

[ cert_type ]
nsCertType = server
#end of stunnel.cnf

***** Now CREATE the certificate request server.csr:

openssl req -new -days 365 -nodes -config stunnel.cnf -out server.csr -keyout private.key

***** Now GENERATE the new server certificate
Go to Server Certificates - New.
Paste the contents of your server.csr into the page;
this will generate the new server certificate.
It appears in this format on the screen:

body of the cert

Edit your private.key file, append the server certificate and save as

chmod 600

***** Now ACTIVATE stunnel
stunnel -d -r -D 7 -o stunnel.log -p -a /root/certwork -P /root/certwork/

Command line definition:
-d service.port that will listen for HTTPS traffic
-r service.port that will receive the clear text traffic
-D the debug level
-o the log file
-p the combined private.key and server certificate text file
-v the client validation level
-a the cert file directory
-P the pid file
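The steps above (CSR, CA-issued certificate appended to the key, chmod 600, then -p) can be scripted and checked before stunnel is started. This is an added example, not from the original post or from the stunnel project; it assumes openssl is on PATH, and the file names, subject and hostname are hypothetical. The self-signing function only stands in for the CA step so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: build the combined key+cert
# file that stunnel's -p option loads and verify it before starting stunnel.
# Assumes openssl is on PATH; all file names and the subject are hypothetical.

# Non-interactive equivalent of the post's "openssl req" step: -subj supplies
# the [req_dn] answers, -nodes leaves the key unencrypted for stunnel.
make_csr() {   # make_csr <key-out> <csr-out> <FQDN>
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1" -out "$2" \
        -subj "/C=US/ST=Colorado/L=Frederick/O=Example Org/CN=$3" 2>/dev/null
}

# Private key first, then the CA-issued certificate, in one PEM file
# (what the post does by editing private.key), created mode 600.
build_stunnel_pem() {   # build_stunnel_pem <key> <cert> <pem-out>
    ( umask 077; cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Succeeds only if the file holds a key and a certificate with the same
# RSA modulus (a mismatched pair makes every TLS handshake fail) and is
# readable by its owner alone.
check_stunnel_pem() {   # check_stunnel_pem <pem>
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ] || return 1
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$perms" = "600" ]
}

# Offline stand-in for the CA: self-sign the CSR so the script runs without
# an account; in the real procedure the certificate comes back from the CA.
self_sign_for_demo() {   # self_sign_for_demo <key> <csr> <cert-out>
    openssl x509 -req -days 365 -in "$2" -signkey "$1" -out "$3" 2>/dev/null
}

# Walk the whole pipeline in a scratch directory; prints and returns the
# result of the pre-flight check.
demo() {
    d=$(mktemp -d) || return 1
    make_csr "$d/private.key" "$d/server.csr" www.example.test &&
    self_sign_for_demo "$d/private.key" "$d/server.csr" "$d/server.crt" &&
    build_stunnel_pem "$d/private.key" "$d/server.crt" "$d/stunnel.pem" &&
    check_stunnel_pem "$d/stunnel.pem"
    rc=$?
    [ "$rc" -eq 0 ] && echo "stunnel.pem OK" || echo "stunnel.pem REJECTED"
    rm -rf "$d"
    return "$rc"
}
```

Run check_stunnel_pem on the real combined file after pasting in the CA-issued certificate; a wrong key, a truncated paste or a missed chmod is reported before the tunnel is started.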

****** Go see your new HTTPS website......
Your browser will have to accept the certificate the first time.
Do not forget to check on all the documentation and help available.
