Wednesday, March 26, 2008

stunnel to establish a mutually-authenticated (client and server certificate) SSL tunnel

stunnel can be used to wrap a non-SSL connection in an SSL tunnel. The scenario looks like this:

AP1 <-> [stunnel client] <- SSL connection -> [stunnel server] <-> AP2

The stunnel client accepts a plain TCP connection, establishes an SSL connection to the stunnel server, and relays data between the TCP connection and the SSL connection.

The stunnel server accepts an SSL connection, establishes a plain TCP connection to AP2, and relays data between the SSL connection and the TCP connection.

In general, the SSL connection protects the data from a man-in-the-middle (MITM) observing, intercepting or modifying it. By default only the server-side SSL certificate is verified, but it is also possible to make the SSL server verify the client-side SSL certificate.

Here is the procedure:

1. create key/certificate for client.
# openssl genrsa 1024 > client-key.pem
# openssl req -new -key client-key.pem -x509 -days 3650 -out client-cert.pem

2. create key/certificate for server.
# openssl genrsa 1024 > server-key.pem
# openssl req -new -key server-key.pem -x509 -days 3650 -out server-cert.pem

3. create stunnel config file for client.
cert = client-cert.pem
key = client-key.pem
chroot = /usr/local/stunnel/
setuid = nobody
setgid = nobody
pid = /client.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CApath = /client
client = yes

[ap1]
accept = 127.0.0.1:2399
connect = :2340
TIMEOUTclose = 0

4. create stunnel config file for server.
cert = server-cert.pem
key = server-key.pem
chroot = /usr/local/stunnel/
setuid = nobody
setgid = nobody
pid = /server.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CApath = /server

[ap2]
accept = :2340
connect = 127.0.0.1:2341
TIMEOUTclose = 0

5. On the host running ap1 and the stunnel client, put client-key.pem/client-cert.pem in /usr/local/stunnel, and put server-cert.pem in /usr/local/stunnel/client. Then run
# c_rehash /usr/local/stunnel/client

6. On the host running ap2 and the stunnel server, put server-key.pem/server-cert.pem in /usr/local/stunnel, and put client-cert.pem in /usr/local/stunnel/server. Then run
# c_rehash /usr/local/stunnel/server

7. start the stunnel client/server.
In stunnel client host,
# stunnel /usr/local/stunnel/client.conf

In stunnel server host,
# stunnel /usr/local/stunnel/server.conf
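As an added example (not part of the original post), the following POSIX shell script collects steps 1 to 4 into functions and adds a small audit check: a config only enforces mutual authentication when it has `verify = 2` (require and verify the peer certificate) together with a `CApath` or `CAfile` that holds the peer's certificate; `verify = 1` verifies a certificate only if one happens to be offered, and `verify = 0` or no `verify` line at all accepts any peer. The output directory, the server host name `stunnel-server.example` and the certificate subjects are assumptions for illustration; the `gen_selfsigned` helper needs the openssl CLI and is not exercised by the audit.

```shell
#!/bin/sh
# Added example, not from the original post: write the two stunnel configs
# from steps 3 and 4 as functions and audit whether a config really requires
# the peer certificate (verify = 2 plus CApath/CAfile).
set -eu

# Steps 1 and 2: self-signed key/certificate pair. $1 = base name
# (client or server), $2 = subject CN (assumed value). Needs the openssl CLI.
gen_selfsigned() {
    openssl genrsa 1024 > "$1-key.pem"
    openssl req -new -key "$1-key.pem" -x509 -days 3650 -subj "/CN=$2" -out "$1-cert.pem"
}

# Step 3: client config. $1 = output path, $2 = stunnel server host:port (assumed).
write_client_conf() {
    cat > "$1" <<EOF
cert = client-cert.pem
key = client-key.pem
chroot = /usr/local/stunnel/
setuid = nobody
setgid = nobody
pid = /client.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CApath = /client
client = yes

[ap1]
accept = 127.0.0.1:2399
connect = $2
TIMEOUTclose = 0
EOF
}

# Step 4: server config. $1 = output path.
write_server_conf() {
    cat > "$1" <<EOF
cert = server-cert.pem
key = server-key.pem
chroot = /usr/local/stunnel/
setuid = nobody
setgid = nobody
pid = /server.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CApath = /server

[ap2]
accept = :2340
connect = 127.0.0.1:2341
TIMEOUTclose = 0
EOF
}

# Audit: succeed (exit 0) only if $1 sets verify >= 2 AND names a CApath or
# CAfile to verify against. A missing verify line counts as level 0.
conf_requires_peer_cert() {
    level=$(sed -n 's/^[[:space:]]*verify[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | head -n 1)
    [ "${level:-0}" -ge 2 ] || return 1
    grep -Eq '^[[:space:]]*(CApath|CAfile)[[:space:]]*=' "$1" || return 1
    return 0
}

# Usage: sh stunnel-mutual.sh demo   (writes both configs into ./stunnel-demo and audits them)
if [ "${1:-}" = "demo" ]; then
    mkdir -p stunnel-demo
    write_client_conf stunnel-demo/client.conf "stunnel-server.example:2340"
    write_server_conf stunnel-demo/server.conf
    for f in stunnel-demo/client.conf stunnel-demo/server.conf; do
        if conf_requires_peer_cert "$f"; then
            echo "$f: peer certificate required and verified"
        else
            echo "$f: peer certificate NOT enforced"
        fi
    done
fi
```

The audit is deliberately strict about both halves: `verify = 2` without a `CApath`/`CAfile` gives stunnel nothing to check the peer against, and a populated `CApath` with `verify = 1` or lower still lets a peer without a certificate through, so either config on its own does not give the mutual authentication the post sets out to build. Remember that `CApath` is evaluated inside the `chroot` directory and must have been processed with `c_rehash` as in steps 5 and 6.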