Stunnel is configured for server operation, allowing a secure connection between Apache and a browser client. Normal web pages are sent unencrypted over the Internet, allowing anyone to intercept them and read their content. This presents a security issue where security and privacy are necessary, such as for credit card and bank transactions. The Secure Socket Layer (SSL) is used to encrypt the data stream between the web server and a web browser. SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public and the other private.
The main configuration file is read from /etc/stunnel/nf. It is composed of a global section, followed by one or more service sections. A client is one that accepts non-TLS-encrypted data. Stunnel TLS-encrypts that data and connects to the stunnel server. The stunnel server accepts the TLS-encrypted data and extracts it. It then connects to where the data should be sent.

The default debug value is 5, which is very verbose. After verifying correct operation, it is worth explicitly setting a lower value in the configuration file.

For better security, it is advised to explicitly set an appropriate uid and gid, other than root, for the global section and the per-service sections. The configuration tokens setuid and setgid are available for this purpose.

The configuration file should have a UTF-8 byte order mark (BOM) at the beginning of the file. Its UTF-8 representation is the (hexadecimal) byte sequence 0xEF, 0xBB, 0xBF. Creating a file with these bytes at its beginning can be done by

# echo -e '\xef\xbb\xbf; BOM composed of non printable characters. It is here, before the semicolon!' > /etc/stunnel/nf

To test if those bytes appear, one can use

% od --address-radix=n --format=x1c --read-bytes=8 /etc/stunnel/nf

Note that when printing the file to the screen, such as with cat, or when editing the file with a text editor, the BOM bytes are usually not displayed. That is why you might want to verify that they are still there after editing is completed, with the above od command or a similar one.

At least one of the client and the server, and optionally both, should be authenticated. Either a pre-shared secret or a key and certificate pair can be used for authentication. A pre-shared secret has to be transferred to all involved machines a priori by other means, such as SCP or SFTP. When such a transfer is acceptable, a pre-shared key is the fastest method. A simple configuration for a single server with a single client that use a pre-shared secret is:

Client: /etc/stunnel/nf
; BOM composed of non printable characters.

Server: /etc/stunnel/nf
; BOM composed of non printable characters.
Setgid = stunnel

where /etc/stunnel/psk.txt could be created on one machine by

# openssl rand -base64 -out /etc/stunnel/psk.txt 180
# sed --in-place '1s/^/psk:/' /etc/stunnel/psk.txt

and copied to the other machine by secure means before starting stunnel. The permissions for each psk.txt file should be set appropriately. The psk string from the sed command is just a random name for the sake of the example.

Stunnel is very flexible; this page provides additional information for Uniform Server 3.5-Apollo's implementation. Do read stunnel(8).

In order for stunnel to start up automatically at system boot you must enable it. Depending on your usage, you might also edit the provided systemd units to better handle dependencies.
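A small POSIX shell check for the two details above that are easy to get wrong, the invisible BOM and the PSK secrets file. This is an added example, not code from the original page or from the stunnel project; the 20-character minimum secret length and the 0600 mode are this example's own assumptions, and the sample files it writes are constructed stand-ins for real configuration.

```shell
#!/bin/sh
# Added example (not from the original page or the stunnel project): checks that a
# stunnel configuration file starts with the UTF-8 BOM and that a PSK secrets file
# is usable. Assumes od/head/find with the options used below; all sample files
# are constructed in a temporary directory.

# Succeeds when the first three bytes of $1 are EF BB BF, the UTF-8 BOM.
has_utf8_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Succeeds when the file has at least one "identity:secret" line, as stunnel(8)
# expects for PSKsecrets, and no non-blank line in any other form. The minimum
# secret length of 20 characters is this example's own choice.
psk_file_wellformed() {
    pattern='^[^:[:space:]]+:[^[:space:]]{20,}$'
    grep -qE "$pattern" "$1" &&
        ! grep -v '^[[:space:]]*$' "$1" | grep -qvE "$pattern"
}

# Succeeds when no group or other permission bit is set on the PSK file.
psk_file_private() {
    [ -z "$(find "$1" -perm /077 -print)" ]
}

# Builds constructed sample files, runs the checks and prints one line per result.
demo() {
    dir=$(mktemp -d)
    # one config written with the BOM, as the echo command in the text does, one without
    printf '\357\273\277; BOM is here, before the semicolon!\n' > "$dir/with_bom"
    printf '; no BOM here\n' > "$dir/without_bom"
    # PSK file in identity:secret form; the secret is a constructed placeholder
    printf 'psk:ExampleConstructedSecretValue1234567890\n' > "$dir/psk.txt"
    chmod 600 "$dir/psk.txt"

    has_utf8_bom "$dir/with_bom" && echo "with_bom: BOM present"
    has_utf8_bom "$dir/without_bom" || echo "without_bom: BOM missing"
    psk_file_wellformed "$dir/psk.txt" && echo "psk.txt: well-formed"
    psk_file_private "$dir/psk.txt" && echo "psk.txt: not readable by group or others"
    rm -rf "$dir"
}
demo
```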