How to secure mutual authentications [ Stunnel + ssl enabled netcat ]

Stunnel is a program created to act as an SSL encryption wrapper between a remote client and an (inetd-startable) remote server. It enables you to add SSL functionality to widely used inetd daemons like POP2, POP3, and IMAP servers with no alterations to the programs’ code. Stunnel uses the OpenSSL library for cryptography, so it supports whatever cryptographic algorithms are compiled into the library. In mutual SSL authentication, the client verifies the identity of the SSL server application, and then the SSL server also verifies the identity of the client. The stunnel and netcat programs enable you to encrypt raw TCP or UDP connections between two stations by integrating the capability of reading and writing traffic between two sessions. Utilities like netcat or telnet, if not secured, can expose vulnerabilities on your server which can easily be exploited; stunnel helps here by creating a secure SSL channel between two remote sessions.


Installing stunnel

CentOS 6 will be our main platform:

yum install openssl-devel


tar -zxf stunnel-4.53.tar.gz

cd stunnel-4.53

./configure

make

make install

Afterwards you will enter the details for the SSL certificate. These details are used to create a 1024-bit local SSL certificate at ‘/usr/local/etc/stunnel/stunnel.pem’. After installation you will also need to create a new configuration file, or take the sample configuration file available at ‘/usr/local/etc/stunnel/stunnel.conf-sample’ and edit it to match your setup. This file should allow encrypted HTTP traffic to pass from the client-facing IP address you have in /etc/stunnel/stunnel.conf to the IP of the web servers (maybe 10.XXX.XXX.XXX).

chroot = /usr/local/var/lib/stunnel/

setgid = nobody

pid = /

cert = /usr/local/etc/stunnel/stunnel.pem

options = NO_SSLv2


; service section, required when stunnel runs as a daemon (the name is arbitrary)

[https]

accept = 192.168.XXX.XXX:443

connect = 192.168.XXX.XXX:80

Start the stunnel service:

stunnel /usr/local/etc/stunnel/stunnel.conf

The last step is to confirm that an SSL connection is available by pointing a browser at your IP.


After this page, confirm the exception and proceed to the secure page. The idea is to create a secure SSL connection between a client and a server by listening on one port and redirecting the traffic to a different port. SSL-enabled netcat can do this as follows:


$ scnc -vc -a ca.pem -f server.pem -k server-key.pem -p 10000 -r localhost:110

server: SSL listening on: (IPv4)

On the server, you can listen on port 10000 and redirect traffic to lower ports like pop/110.

$ scnc -v -s localhost -p 1110 -r server:10000::ssl

server: listening on: (IPv4)

On the client side, you can listen on port 1110 and redirect traffic to port 10000; this method also removes the encryption.

$ scnc -v -r audited-server:443::ssl -a ca.pem -f client.pem -k client-key.pem -s localhost -p 1443

server: listening on: (IPv4)
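
On the stunnel side, mutual authentication needs each end to present its own certificate and to verify the peer's, which a configuration with only a cert line does not do. The following is an added example, not part of the original post: it reuses the certificate file names, host name and ports from the scnc commands, while the /usr/local/etc/stunnel/ locations and the service names are assumptions.

```ini
; ===== File 1: stunnel.conf on the server (added example) =====
; Assumed layout: ca.pem is the CA that signed both server.pem and client.pem.
cert = /usr/local/etc/stunnel/server.pem
key = /usr/local/etc/stunnel/server-key.pem
CAfile = /usr/local/etc/stunnel/ca.pem

; verify = 2 makes the handshake fail unless the client presents a
; certificate that chains to CAfile. With no verify line, stunnel asks
; for no client certificate at all and any client may connect.
; verify = 3 is stricter: the peer certificate itself must be installed locally.
verify = 2
options = NO_SSLv2

[pop3s]
; accept SSL from clients on 10000, forward plaintext to the local POP3 daemon
accept = 10000
connect = localhost:110

; ===== File 2: stunnel.conf on the client (added example) =====
cert = /usr/local/etc/stunnel/client.pem
key = /usr/local/etc/stunnel/client-key.pem
CAfile = /usr/local/etc/stunnel/ca.pem

; The client checks the server's certificate against the same CA,
; so both directions of the handshake are authenticated.
verify = 2
options = NO_SSLv2

[pop3-out]
; client = yes reverses the roles: plaintext in on localhost, SSL out to the server
client = yes
accept = localhost:1110
connect = server:10000
```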




