From charlesreid1

Revision as of 09:21, 30 April 2017

Certificates in Stunnel

The official stunnel howto has some useful (but confusing) information about certificates: https://www.stunnel.org/howto.html

Client Certificates

Using stunnel in client mode (client = yes, i.e., stunnel connects out to a TLS server rather than acting as one) means you (the client) usually do not need to present a certificate to the server. stunnel only requires a certificate (a PEM file) in server mode; in client mode the cert option is optional and only matters if the server asks for a client certificate (verify = 2 or 3 on the server side). Most packages generate a dummy self-signed certificate when stunnel is installed, and a client can point cert at that file, but a server that actually requires client certificates will reject a dummy certificate it does not trust.

Generating a client SSL certificate is the same process as generating a server SSL certificate: a private key plus a certificate, either self-signed or signed by a CA the server trusts. See below, or the "Generating stunnel certificate and private key" section of the stunnel howto: https://www.stunnel.org/howto.html

Server Certificates

The server will need a private key and an SSL certificate. stunnel reads them from the cert option (a PEM file, which may also contain the key) and, if the key is kept in a separate file, the key option.

Generating a signed SSL certificate with LetsEncrypt: see LetsEncrypt

Generating a self-signed SSL certificate with openssl: RaspberryPi/SSH Stunnel#Generate Private Keys and Certificates for SSL

Controlling both server and client

Using stunnel in a situation where you control both the client and the server gives you two options:

  • Skip verification of certificates (verify unset, the default). The client then accepts any certificate, so anyone who can intercept the connection can impersonate the server; this is only acceptable on a network you already trust.
  • Verify certificates against locally installed certificates. Because you control both ends, you can sign the server certificate with your own private CA and ship that CA to the client (verify = 2 with CAfile pointing at the CA), or install the exact peer certificate on each side (verify = 3); no public CA is needed.

Controlling server only

Using stunnel in a situation where you do not control the client gives you three options:

  • Skip verification of certificates (not recommended if the traffic passed through stunnel carries no authentication of its own, since a malicious actor who can get between client and server could intercept and decrypt the traffic without either side noticing)
  • Ask clients to install your certificate authority (or your self-signed server certificate) into their OpenSSL trust store, or to point stunnel's CAfile/CApath at it, so that they can verify the certificate
  • Use a certificate from a publicly trusted CA (e.g., Let's Encrypt as described above, or a commercial CA such as Verisign), so that clients can verify it against the root certificates already shipped with their OS or OpenSSL installation; their stunnel still needs verify = 2 and CAfile/CApath pointing at that root bundle

Verification of Certificates

By default, stunnel does not verify SSL certificates at all, so a client will accept whatever certificate it gets from the server (or from an attacker pretending to be the server), and a server will accept any client.

To turn on verification, set the verify option in the stunnel config file. Levels 2 and 3 also need CAfile and/or CApath pointing at the certificates to trust; without them there is nothing to verify against and every certificate fails.

    verify = 1
        Verify the certificate, if present.
            If no certificate is presented by the remote end, accept the connection.
            If a certificate is presented, then
                If the certificate is valid (it chains to a CA in CAfile/CApath), stunnel logs which certificate is being used and continues the connection.
                If the certificate is invalid, stunnel drops the connection.

    verify = 2
        Require and verify certificates.

        stunnel will require and verify certificates for every SSL connection. If no certificate or an invalid certificate is presented, then it will drop the connection.

    verify = 3
        Require and verify certificates against locally installed certificates.

        In addition to the level 2 chain check, the peer's own certificate must be present in CAfile/CApath, not just the CA that signed it. This is the option to use when you know exactly which certificates your peers have.

Note that verify = 2 only checks that the certificate chains to a trusted CA; it does not check that the certificate was issued for the host you are connecting to, so any certificate from that CA would be accepted. On stunnel 5.x, add checkHost (or checkIP) on the client side to require that the certificate's subject matches the server you expect.