How to: Debian stable OpenSSL and Stunnel support for Abyss


Posted: Sat Sep 09, 2006 12:48 am

This took a while to unravel and a few false starts.
I hope this helps to save time for others.
If anyone spots a problem with this - let me know and I will clear it up.

UPDATE: removed the -v stunnel command line arg after finding that MS W2K could not connect
programmatically to the tunnel using wininet.dll - removing the argument did not appear to affect browsers.

Dan in Colorado

Debian (Sarge) based OpenSSL and Stunnel support for Abyss
Note: This assumes you have created an account on CACERT.ORG

Get the software:
apt-get install openssl  # Package: openssl (0.9.7e-3sarge1)
apt-get install stunnel  # Package: stunnel (2:3.26-3)

Create a workplace:
mkdir certwork
cd certwork

Create the stunnel.cnf file with this text
(customize your country, state/province, city,
organization and domain name defaults):

#start of stunnel.cnf
RANDFILE = stunnel.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Colorado

localityName                    = Locality Name (eg, city)
localityName_default            = Frederick

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Prosys Networks

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Web Security

0.commonName                    = Common Name (FQDN of your server)
0.commonName_default            =

# To create a certificate for more than one name uncomment:
# 1.commonName                  = DNS alias of your server
# 2.commonName                  = DNS alias of your server
# ...
# See
# to see how Netscape understands commonName.

[ cert_type ]
nsCertType = server
#end of stunnel.cnf

***** Now CREATE the certificate request server.csr:

openssl req -new -days 365 -nodes -config stunnel.cnf -out server.csr -keyout private.key

***** Now GENERATE the new server certificate
Go to Server Certificates - New.
Paste the contents of your server.csr into the page;
this will generate the new server certificate.
It appears in this format on the screen:

body of the cert

Edit your private.key file, append the server certificate and save as

chmod 600

***** Now ACTIVATE stunnel
stunnel -d -r -D 7 -o stunnel.log -p -a /root/certwork -P /root/certwork/

command line definition:
-d service.port that will listen for https traffic
-r service.port that will receive the clear text traffic
-D the debug level
-o the log file
-p the combined private.key and server certificate text file
-v the client validation level
-a the cert file directory
-P the pid file

****** Go see your new HTTPS website......
Your browser will have to accept the certificate the first time.
Do not forget to check on all the documentation and help available.
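
Added example (not part of the original post): a shell sketch of the "append the server certificate ... chmod 600" step that builds the combined file under a restrictive umask, then checks its mode, the key-then-certificate order the post describes, and that the key and certificate belong together. The file names server.crt and combined.pem and the three function names are assumptions; the post does not name the output file.

```shell
#!/bin/sh
# Added example; not from the original post.
# Hypothetical names: server.crt (certificate saved from the CA page) and
# combined.pem (the key+certificate file handed to stunnel).

# Write KEY followed by CERT into OUT; OUT is never group/world readable.
make_combined_pem() {    # usage: make_combined_pem KEY CERT OUT
    ( umask 077 && cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Succeed only if FILE is mode 600 and holds exactly one private key block
# followed by at least one complete certificate block.
check_combined_pem() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    perms=$(ls -l "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$f: mode $perms, want -rw-------" >&2; return 1; }
    awk '
        /^-----BEGIN (RSA )?PRIVATE KEY-----/ { key++; if (cert) misordered = 1 }
        /^-----END (RSA )?PRIVATE KEY-----/   { keyend++ }
        /^-----BEGIN CERTIFICATE-----/        { cert++ }
        /^-----END CERTIFICATE-----/          { certend++ }
        END { exit !(key == 1 && keyend == 1 && cert >= 1 && cert == certend && !misordered) }
    ' "$f" || { echo "$f: want one private key, then a certificate" >&2; return 1; }
}

# Succeed only if the RSA key and the first certificate in FILE share a modulus,
# i.e. the CA signed the request that was made from this key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run as: sh thisfile.sh private.key server.crt combined.pem
if [ "$#" -eq 3 ]; then
    make_combined_pem "$1" "$2" "$3" && check_combined_pem "$3" &&
        key_matches_cert "$3" && echo "$3: ok"
fi
```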