Stunnel is a program created to act as an SSL encryption wrapper between a remote client and an (inetd-startable) remote server. It enables you to add SSL functionality to widely used inetd daemons like POP2, POP3 and IMAP servers with no alterations to the programs' code. Stunnel uses the OpenSSL library for cryptography; it therefore supports whatever cryptographic algorithms are compiled into the library. In mutual SSL authentication, the client verifies the identity of the SSL server application, and the SSL server then also verifies the identity of the client. The stunnel and netcat programs enable you to encrypt raw TCP or UDP connections between two stations by reading and writing the traffic passing between two sessions. Utilities like netcat or telnet, if not secured, expose your server to vulnerabilities that can easily be exploited; stunnel helps here by creating a secure SSL channel between two remote sessions.
CentOS 6 will be our main platform:
yum install openssl-devel
tar -zxf stunnel-4.53.tar.gz
You will afterwards be asked for the details of the SSL certificate. These details are used to create a 1024-bit local SSL certificate at '/usr/local/etc/stunnel/stunnel.pem'. After installation you will also need to create a new configuration file, or take the sample configuration file available at '/usr/local/etc/stunnel/stunnel.conf-sample' and edit it according to your setup. This file should allow encrypted HTTP traffic to pass on to the existing configuration, i.e. from the IP address of your clients that you have in /etc/stunnel/stunnel.conf to the IP of the web servers (for example 10.XXX.XXX.XXX).
chroot = /usr/local/var/lib/stunnel/
setgid = nobody
pid = /stunnel.pid
cert = /usr/local/etc/stunnel/stunnel.pem
options = NO_SSLv2
accept = 192.168.XXX.XXX:443
connect = 192.168.XXX.XXX:80
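As an added example (not from the original page), a small POSIX shell linter that reads a stunnel.conf like the one above and flags the settings a reviewer would check: the missing setuid (chroot alone keeps the process running as root) and the absent NO_SSLv3 option. The sample configuration and its 192.168.0.x addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a stunnel.conf
# for the settings the text discusses. The sample below is constructed to
# mirror the configuration in the text, with made-up 192.168.0.x addresses.
SAMPLE_CONF='chroot = /usr/local/var/lib/stunnel/
setgid = nobody
pid = /stunnel.pid
cert = /usr/local/etc/stunnel/stunnel.pem
options = NO_SSLv2
accept = 192.168.0.10:443
connect = 192.168.0.20:80'

# conf_value FILE KEY: print the value of the first "KEY = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# conf_has_option FILE NAME: succeed if an "options = NAME" line exists.
conf_has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]*=[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# lint_stunnel_conf FILE: print one finding per line; the exit status is the
# number of findings (0 means the checked settings look sound).
lint_stunnel_conf() {
    findings=0
    for key in cert accept connect; do
        if [ -z "$(conf_value "$1" "$key")" ]; then
            echo "missing: $key"; findings=$((findings + 1))
        fi
    done
    # chroot alone does not drop root; without setuid the process keeps uid 0.
    if [ -n "$(conf_value "$1" chroot)" ] && [ -z "$(conf_value "$1" setuid)" ]; then
        echo "weak: chroot set but no setuid (still runs as root)"
        findings=$((findings + 1))
    fi
    # Both legacy protocol versions should be disabled, not only SSLv2.
    for opt in NO_SSLv2 NO_SSLv3; do
        if ! conf_has_option "$1" "$opt"; then
            echo "weak: options = $opt not set"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run the checks against the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$tmp"
lint_stunnel_conf "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```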
Start the stunnel service:
The last step is to verify that an SSL connection is available by pointing your browser at the IP address.
After this page, confirm the certificate exception (the certificate was generated locally during installation, so the browser will not trust it) and proceed to the secure page. The idea is to create a secure SSL connection between a client and a server by listening on one port and redirecting the traffic to a different port. SSL-enabled netcat (scnc) can do this as follows:
$ scnc -vc -a ca.pem -f server.pem -k server-key.pem -p 10000 -r localhost:110
server: SSL listening on: 0.0.0.0:10000 (IPv4)
On the server you listen on port 10000 and redirect the traffic to lower, privileged ports such as POP3 on 110.
$ scnc -v -s localhost -p 1110 -r server:10000::ssl
server: listening on: 127.0.0.1:1110 (IPv4)
On the client side you listen on port 1110 and redirect the traffic over SSL to port 10000 on the server, where the encryption is removed again using the method above.
$ scnc -v -r audited-server:443::ssl -a ca.pem -f client.pem -k client-key.pem -s localhost -p 1443
server: listening on: 127.0.0.1:1443 (IPv4)