Stunnel to protect unencrypted Services


Create the server certificate (self-signed, with an unencrypted private key):

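# Key material is generated here, so tighten the umask first: the private key
# must never be world-readable, not even briefly before the chmod step below.
umask 077
cd /etc/stunnel
# && (not ;) so a failed mkdir does not leave us generating keys into /etc/stunnel.
mkdir -p server && cd server
# Self-signed, 10-year certificate. -keyout names the key file explicitly instead
# of relying on openssl.cnf's default_keyfile; -nodes leaves the key unencrypted
# (needed for an unattended daemon, hence the strict file permissions).
openssl req -new -x509 -newkey rsa:2048 -keyout privkey.pem -out cacert.pem -days 3650 -nodes
# stunnel's cert file is the private key followed by the certificate.
cat privkey.pem cacert.pem > /etc/stunnel/server.pem
cd ..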

Create the client certificate the same way, then lock down permissions and copy the client's key material to the client host (CLIENT is a placeholder):

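# && (not ;) so a failed mkdir does not leave us generating keys into /etc/stunnel.
mkdir -p client && cd client
# Same recipe as the server certificate: self-signed, key named explicitly.
openssl req -new -x509 -newkey rsa:2048 -keyout privkey.pem -out cacert.pem -days 3650 -nodes
cat privkey.pem cacert.pem > /etc/stunnel/client.pem
cd ..
# Both .pem bundles contain private keys: owner-only, and lock the work dirs too.
chmod 600 /etc/stunnel/*.pem
chmod og-rwx /etc/stunnel/{client,server}
# The client needs its own key+cert (client.pem) and, for CAfile, only the
# server's *certificate*. Ship server/cacert.pem under the server.pem name the
# client config expects; the server's private key never leaves the server.
# CLIENT is a placeholder for the client host; check the copies are mode 600 there.
scp /etc/stunnel/client.pem root@CLIENT:/etc/stunnel/client.pem
scp /etc/stunnel/server/cacert.pem root@CLIENT:/etc/stunnel/server.pem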

Server configuration (edit /etc/stunnel/stunnel.conf on the server):

# Authentication stuff
# verify = 2 requires the peer to present a certificate and verifies it against
# CAfile; a connection without a verifiable peer certificate is refused.
verify = 2
# NOTE(review): this side presents client.pem and trusts server.pem -- the same
# pairing as the client config. With two independent self-signed certificates,
# each side's CAfile must contain the *peer's* certificate for verify = 2 to
# succeed; confirm this pairing is intended (cert = server.pem would be the
# usual layout for the server). The cert file holds a private key: keep it 600.
cert = /etc/stunnel/client.pem
CAfile = /etc/stunnel/server.pem

# Some debugging stuff
# debug = 7 is the most verbose level; leave it off in production, and keep any
# output file root-readable only since it records peer connection details.
#debug = 7
#output = stunnel.log

# Use it for client mode
# client = no: this instance terminates TLS (server side).
client = no

# Service-level configuration
# TLS is accepted only on the external address (SERVER_IP_ADDRESS is a
# placeholder); the cleartext leg to telnet stays on loopback. That only keeps
# telnet off the network if telnetd itself is bound to 127.0.0.1 or firewalled
# -- confirm, since this config does not control that.
[telnet-test]
accept  = SERVER_IP_ADDRESS:1023
connect = 127.0.0.1:23
---

Client configuration (edit /etc/stunnel/stunnel.conf on the client):
---
# Authentication stuff
# verify = 2 requires the server to present a certificate and verifies it
# against CAfile, so a connection to an impersonating server is refused.
verify = 2
# client.pem (own key + certificate) is presented to the server; server.pem is
# the trust anchor and only needs the server's certificate, not its key.
# The cert file holds a private key: keep it mode 600.
cert = /etc/stunnel/client.pem
CAfile = /etc/stunnel/server.pem

# Some debugging stuff
# debug = 7 is the most verbose level; leave it off in production, and keep any
# output file root-readable only since it records peer connection details.
#debug = 7
#output = stunnel.log

# Use it for client mode
# client = yes: this instance originates TLS connections to the server.
client = yes

# Service-level configuration
# Local programs connect to localhost:23 as if to telnet; stunnel forwards
# over TLS to the server's port 1023 (SERVER_IP_ADDRESS is a placeholder).
# NOTE(review): this listener will clash with a telnetd already bound to
# 127.0.0.1:23 on the client -- confirm none is running.
[telnet-test]
accept  = 127.0.0.1:23
connect = SERVER_IP_ADDRESS:1023

Create the start script:

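# The init script is fetched over plain HTTP with no integrity check and will
# run as root at boot: inspect it before enabling it. -f makes curl exit
# non-zero on an HTTP error instead of saving the error page as the init
# script; -o replaces the shell redirect so nothing is written on failure.
curl -f -o /etc/init.d/stunnel http://www.gaztronics.net/rc/stunnel.txt
chmod 700 /etc/init.d/stunnel
ln -s /etc/init.d/stunnel /etc/rc3.d/S90stunnel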


LINKS:
http://gentoo-wiki.com/HOWTO_create_a_logserver_with_syslog-ng
http://www.gaztronics.net
http://www.stunnel.org