
How to install, set up and use the Stunnel encryption tool

2025-04-08 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this article the editor shares how to install and use the Stunnel encryption tool. Most people do not know much about it, so the article is shared here for your reference; I hope you gain a lot from reading it. Let's learn about it together.

As a small cross-platform (Unix/Linux and Windows) open source (GNU) project, Stunnel provides two main functions:

Stunnel provides secure encrypted connections (based on OpenSSL) for clients and servers that cannot speak TLS or SSL themselves.

For LANs with access restrictions, Stunnel provides encrypted SSL connections that pass through firewalls and proxies to, in theory, any network service reachable on the remote server. A typical LAN leaves port 443 open for encrypted HTTP connections; we can use this by having Stunnel build an SSL connection to port 443 on the remote host, so that firewalls and proxies treat it as an ordinary HTTPS connection and let it through.


Installation of Stunnel

The Windows version of Stunnel can be downloaded here. The downloaded Stunnel program must be installed on both the server side and the client side. The installation is simple: click Next through the wizard. Suppose we install Stunnel in the default path C:\Program Files\stunnel\. The specific installation steps are as follows:

Access control and generation of security certificates

Stunnel uses OpenSSL to provide access control based on security certificates. Following the SSL protocol, the client and the server can each require the other to present a security certificate in order to establish trust. In most deployments only the server needs to verify the client's certificate to confirm that the connecting party can be trusted, so this article focuses on the server-side authentication settings. The setup for client-side authentication mirrors the server-side steps with the roles reversed, so it is not described here.

After deciding how to implement access control, we need a security certificate for the next step. You can choose the following methods to get the security certificate:

1. The certificate included with the Stunnel installer (C:\Program Files\stunnel\stunnel.pem)

2. A security certificate generated with OpenSSL

3. A security certificate purchased from a CA

Generally speaking, method 1 is not recommended: the stock Stunnel certificate offers no security guarantee, because anyone can download it. The safest option, method 3, costs money, so here we use method 2 and obtain security without spending anything. The Windows version of Stunnel does not ship an OpenSSL program, so the certificate has to be generated in one of the following ways.

1. Use web services to generate security certificates

Using the web service (http://www.stunnel.org/pem/) provided by Stunnel, enter all relevant information and the server of Stunnel will generate the required security certificate, as shown in the following figure:

Click the Generate stunnel.pem File button and wait a few seconds and the following page will appear:

Copy all the contents in the text box and save it as a stunnel.pem file. This is the security certificate you need. As stated on the Stunnel page, this approach is not secure because the generated certificate is transmitted over an unencrypted channel from which anyone can steal it.

2. Use Unix/Linux to generate security certificates

The second method requires a Unix or Linux host with OpenSSL installed. Run the following command to generate a security certificate:

openssl req -new -x509 -days 365 -nodes -out ${FILE_NAME}.pem -keyout ${FILE_NAME}.pem

${FILE_NAME}.pem is the name you choose for the generated certificate file. The other parameters mean the following:

◆ -new: generate a new key

◆ -x509: generate an X.509 certificate

◆ -days 365: valid for 1 year

◆ -nodes: do not protect the private key with a passphrase

◆ -out: name of the output file

◆ -keyout: name of the file in which the private key is stored

After running this command you answer a series of questions, and the certificate and key are then stored automatically in the ${FILE_NAME}.pem file.

When verifying a certificate, Stunnel looks it up by its hash value, so we also need to run the following two commands to obtain the hash of the certificate and rename the file accordingly:

hash_name=$(openssl x509 -hash -noout -in ${FILE_NAME}.pem)
mv ${FILE_NAME}.pem $hash_name.0

The resulting certificate file is named XXXXXXXX.0, where each X is a hexadecimal digit. The two commands above can be combined into a single script.

Note that the generated certificate must be copied to both the client and the server. The client presents this certificate to the server, and the server checks that the certificate the client presents matches the copy it holds.

Client configuration

Edit the Stunnel configuration file (located at C:\Program Files\stunnel\stunnel.conf):

[CLIENT]
accept=22443
connect=192.234.191.174:443
client=yes
cert=c:\program files\stunnel\${FILE_NAME}.pem

The meaning of each parameter is:

◆ accept: the local port to listen on (in this example, to reach the remote service you connect to port 22443 on localhost).

◆ connect: the IP address and port of the remote server (note that we use the standard HTTPS port here).

◆ client: tells stunnel that this is a client configuration.

◆ cert: the certificate presented to the other side when a connection is made. It can be the ${FILE_NAME}.pem file or the XXXXXXXX.0 file directly.

If the client has to connect through an HTTPS proxy, the configuration file looks like this instead:

[CLIENT]
accept=22443
connect=proxyhost:8080
client=yes
cert=c:\program files\stunnel\${FILE_NAME}.pem
protocol=connect
protocolHost=192.234.191.174:443

Here connect holds the IP address and port of the proxy server, and protocolHost holds the IP address and port of the remote server. Run the stunnel program after configuring it, then double-click the tray icon to view the log:

Server-side configuration

Server-side configuration is slightly more involved than the client side. First, copy the previously generated XXXXXXXX.0 certificate into a folder (call it CApath) that holds every trusted certificate. Then configure the C:\Program Files\stunnel\stunnel.conf file:

[SERVER]
accept=443
cert=stunnel.pem
connect=localhost:21
CApath=c:\program files\stunnel\CApath
CRLpath=c:\program files\stunnel\CRLpath
verify=3

The following is the meaning of each parameter of this configuration:

◆ accept: the port on which connection requests are accepted (it should match the port the client connects to).

◆ cert: the certificate the server sends to the client. Because our client does not validate this certificate, the stock stunnel certificate can be used here.

◆ connect: the network service to forward to, on this host or elsewhere on the LAN (here the local FTP service).

◆ CApath: the folder holding all trusted certificates (every file name must be in the XXXXXXXX.0 form).

◆ CRLpath: the folder holding all revoked certificates (every file name must be in the XXXXXXXX.0 form). Its purpose is that, after you have issued a certificate to a client, you can still refuse that client's connection requests.

◆ verify: the verification level. 1 means the client's certificate is verified only if the client presents one. 2 means the client must present a certificate and it is verified; this suits certificates purchased from a CA. 3 means the client must present a certificate and it is verified against the local CApath and CRLpath. There is no doubt that we should choose 3 here.
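The Unix/Linux certificate commands above and the CApath layout that the server's verify=3 setting depends on, worked through as an added shell example (not code from the article or from the Stunnel project): it generates the combined key-and-certificate PEM, renames it to its subject-hash name, and checks that every file in a CApath directory is actually named by its own hash. The subject fields, file names and the CApath directory name are assumed for the demo, and openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original article. It reproduces the
# Unix/Linux certificate steps and builds a CApath directory in the form
# stunnel's verify=3 lookup expects: each trusted certificate stored as
# <subject hash>.0, which check_capath() confirms.
# Assumptions: openssl on PATH; writable working directory; subject names,
# file names and the CApath directory name are constructed for this demo.
set -eu

# Key and self-signed certificate in ONE pem file (same -out and -keyout,
# as in the article). -subj replaces the interactive questions; -nodes
# leaves the key unencrypted so stunnel can load it without a passphrase.
make_cert() {   # $1 = base file name, $2 = common name
    openssl req -new -x509 -days 365 -nodes \
        -subj "/C=XX/O=Stunnel demo/CN=$2" \
        -out "$1.pem" -keyout "$1.pem" 2>/dev/null
}

# Move a certificate into CApath under its OpenSSL subject-hash name,
# i.e. the "openssl x509 -hash" + "mv" pair from the article.
install_into_capath() {   # $1 = pem file, $2 = CApath directory
    hash_name=$(openssl x509 -hash -noout -in "$1")
    mkdir -p "$2"
    mv "$1" "$2/$hash_name.0"
    printf '%s\n' "$2/$hash_name.0"
}

# Check that every *.0 file in CApath is named by its own subject hash.
# A file under any other name is never found by stunnel's hash lookup, so a
# client holding that certificate is rejected although it was "installed".
check_capath() {   # $1 = CApath directory; returns 0 only if all names match
    found=0
    for f in "$1"/*.0; do
        [ -e "$f" ] || break
        found=1
        expected=$(openssl x509 -hash -noout -in "$f")
        case "$(basename "$f")" in
            "$expected".0) ;;
            *) echo "misnamed: $f (expected $expected.0)" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}
```

Running check_capath against the server's CApath (and CRLpath) after copying certificates in is a cheap way to catch a file that was renamed by hand with the wrong hash.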

After the setup is complete, we can start the stunnel program and do a simple test.

Connection test

First make sure that both the server-side and client-side stunnel programs are running, and that the application providing the service (in this case the FTP service) is running as well. Open a command prompt and enter:

telnet localhost 22443

At this point you should get a TCP connection to the FTP server, and you are done :) The example above makes an FTP service usable from a LAN where FTP is blocked, and any TCP service installed on the server side can be used the same way. Because Stunnel uses an encrypted connection, nobody else can see the data exchanged between server and client. Note that some firewalls drop idle connections, so keep sending data if you want to hold the connection open for a long time (a simple heartbeat is enough).

The above is the full content of the article "How to install, set up and use the Stunnel encryption tool". Thank you for reading! I believe you now have a basic understanding of it; I hope the content shared here is helpful, and if you want to learn more, you are welcome to follow the industry information channel.
