Tool : Stunnel as SSL relay - baoyingwang/LibrariesEvaluation GitHub Wiki
Stunnel is a very useful tool as an SSL/TLS relay. It is simple and free.

note: socat is a useful Linux tool for plain traffic forwarding without SSL/TLS.

With the section below, stunnel listens on localhost:8082 and forwards each accepted connection over TLS to remote_fqdn:443. For the meaning of each entry, please check the reference page.
```ini
[trtn-integration-ssl]
sslVersion = all
accept = localhost:8082
connect = remote_fqdn:443
client = yes
verify = 0
CAfile = D:/CAcert.pem
```
note: verify is deprecated since version 5.34 (2016.07.05). Three new service-level options, requireCert, verifyChain, and verifyPeer, were introduced for fine-grained certificate verification control.

note: if you are the client side of a client-authenticated TLS handshake (the server demands a client certificate), you should also configure the following:
```ini
key = your.key.pem
cert = your_cert_trusted_by_remote_server.pem
CAfile = CAfile_included_the_CA_which_sign_the_remote_server_cert.pem
```
note: debug = 7 is the highest (most verbose) log level.

Please configure the related values based on your requirements. It is recommended to start with a lower security level and then add more, for easier troubleshooting. Keep in mind that verify = 0 only requests the peer certificate and never checks it, so the relay accepts any certificate, including one presented by a man-in-the-middle; use it only while troubleshooting on a trusted network, and raise the level (or set verifyChain/verifyPeer with a proper CAfile) before relying on the tunnel.
The legal values of the verify option are 0, 1, 2, 3 and 4. Their relationship to the new options is shown below, copied from Reference: [CN - stunnel-verify-config].
| value | request_cert | require_cert (requireCert in config) | verify_chain (verifyChain in config) | verify_peer (verifyPeer in config) |
|---|---|---|---|---|
| 0 | Y | N | N | N |
| 1 | Y | N | Y | N |
| 2 | Y | Y | Y | N |
| 3 | Y | Y | Y | Y |
| 4 | Y | Y | N | Y |
note: verifyChain means the peer certificate chain is verified against the CA(s) in the CA list.
note: verifyPeer means you have put the peer certificate itself (NOT the CA) into the CA list. I did a test on it (Dec 30, 2016).
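To make the table above concrete, here is an added example (written for this page, not stunnel's own code) that parses an stunnel config, resolves the certificate-verification flags a client section ends up with, and flags the settings a reviewer would question: a peer certificate that is requested but never checked, a missing trust store, verifyChain without checkHost, and sslVersion = all. The sample config inside it is constructed for the demo: it reuses the page's section with the placeholder names remote_fqdn and D:/CAcert.pem, beside a hardened variant. The use of checkHost in the hardened variant and the warning texts are this script's choices, not anything the page states.

```python
"""Lint an stunnel client config for certificate-verification mistakes.

Added example for this page; not stunnel's own code. The verify-level table is
the one reproduced on the page; the sample config at the bottom is constructed
for the demo (remote_fqdn and D:/CAcert.pem are placeholders).
"""
import re

# verify level -> (request_cert, requireCert, verifyChain, verifyPeer), as in the page's table
VERIFY_LEVELS = {
    0: (True, False, False, False),
    1: (True, False, True, False),
    2: (True, True, True, False),
    3: (True, True, True, True),
    4: (True, True, False, True),
}

def parse_stunnel_conf(text):
    """Return {section: {option.lower(): value}}.  stunnel option names are
    case-insensitive, '=' separates key and value, and a line starting with
    ';' or '#' is a comment.  Global options (before the first [section]) are
    stored under the empty name."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError("not an option line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections

def effective_flags(opts):
    """(requireCert, verifyChain, verifyPeer) for one service section."""
    if "verify" in opts:
        level = int(opts["verify"])
        if level not in VERIFY_LEVELS:
            raise ValueError("bad verify level: %d" % level)
        return VERIFY_LEVELS[level][1:]
    # new-style options take yes/no; anything other than 'yes' is treated as off here
    return tuple(opts.get(name, "no").lower() == "yes"
                 for name in ("requirecert", "verifychain", "verifypeer"))

def lint_service(opts):
    """Return a list of warning strings for a client-mode service (the case the page covers)."""
    warnings = []
    if opts.get("client", "no").lower() != "yes":
        return warnings
    require_cert, verify_chain, verify_peer = effective_flags(opts)
    if "verify" in opts and any(k in opts for k in ("requirecert", "verifychain", "verifypeer")):
        warnings.append("deprecated 'verify' mixed with requireCert/verifyChain/verifyPeer; keep only the new options")
    if not (verify_chain or verify_peer):
        warnings.append("peer certificate is never verified: any certificate is accepted, so a MITM is not detected")
    has_trust_store = "cafile" in opts or "capath" in opts
    if verify_chain and not has_trust_store:
        warnings.append("verifyChain set but no CAfile/CApath holds the CA chain")
    if verify_peer and not has_trust_store:
        warnings.append("verifyPeer set but no CAfile/CApath holds the peer's own certificate")
    if verify_chain and not verify_peer and "checkhost" not in opts:
        warnings.append("verifyChain without checkHost: any certificate from the trusted CA passes, whatever name it carries")
    if opts.get("sslversion", "").lower() == "all":
        warnings.append("sslVersion = all enables every protocol version the OpenSSL build supports, legacy ones included")
    return warnings

def lint(text):
    """{section name: [warnings]} for every named service in the config."""
    conf = parse_stunnel_conf(text)
    return {name: lint_service(opts) for name, opts in conf.items() if name}

# Constructed sample: the page's section as written, next to a hardened version.
SAMPLE_CONF = """
[trtn-integration-ssl]
sslVersion = all
accept = localhost:8082
connect = remote_fqdn:443
client = yes
verify = 0
CAfile = D:/CAcert.pem

[trtn-integration-ssl-hardened]
accept = localhost:8082
connect = remote_fqdn:443
client = yes
requireCert = yes
verifyChain = yes
checkHost = remote_fqdn
CAfile = D:/CAcert.pem
"""

if __name__ == "__main__":
    for name, warns in lint(SAMPLE_CONF).items():
        print("[%s]" % name)
        for w in warns or ["ok"]:
            print("  -", w)
```

Running it prints two warnings for the page's section (certificate never verified, sslVersion = all) and none for the hardened one; the linter deliberately makes no claim about which option wins when the deprecated verify and the new options are both present, it just asks you to drop the old one.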
http://www.stunnel.org/howto.html - this link no longer works (Feb 1, 2018)
Source code: https://github.com/mtrojnar/stunnel
http://xixitalk.github.io/blog/2016/10/18/stunnel-verify-config/
In the example below, the final target is pts.net:443 and the web proxy is 10.13.113.144:80. stunnel connects to the proxy, asks it for a CONNECT tunnel to protocolhost, and only then starts the TLS handshake with the final target through that tunnel.
```ini
[trtn-integration-ssl-webproxy]
sslVersion = all
accept = localhost:8081
; connect is the web proxy's address:port; protocolhost is the final TLS target
connect = 10.13.113.144:80
protocolhost = pts.net:443
protocol = connect
;TIMEOUTclose = 0
client = yes
verify = 0
CAfile = D:/CAcert.pem
;cert = TRTN-AMIT-UAT.pem
;key = TRTN-AMIT-UAT.key.pem
```
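The CONNECT step that protocol = connect performs, as an added illustration that is not stunnel's code: the client sends an RFC 2817 CONNECT request for the protocolhost target to the proxy and accepts only a 2xx reply before it would start TLS on the tunnel. A toy proxy written for this demo answers over a socketpair, so it runs offline; the allow-list policy, the 403 answer, the 2xx acceptance rule and the exact header set are this example's assumptions, not stunnel's implementation. The target pts.net:443 is the one used on the page.

```python
"""HTTP CONNECT handshake in front of a TLS tunnel (RFC 2817 section 5.2).

Added example for this page, not stunnel's code.  The client side shows the
request stunnel's protocol = connect mode needs to make through a web proxy;
the proxy side is a constructed stand-in that allows one target and refuses
the rest.  Both run over a socketpair, so nothing leaves the machine.
"""
import socket
import threading

def build_connect_request(host_port, proxy_auth=None):
    """Request line and headers a CONNECT client sends for the protocolhost
    target; Proxy-Authorization is added only when credentials are given
    (proxy_auth is the already base64-encoded 'user:pass')."""
    lines = ["CONNECT %s HTTP/1.1" % host_port, "Host: %s" % host_port]
    if proxy_auth:
        lines.append("Proxy-Authorization: Basic %s" % proxy_auth)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def read_headers(sock):
    """Read until the blank line that ends an HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")

def parse_status(head):
    """Numeric status code from the proxy's response line."""
    parts = head.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % head)
    return int(parts[1])

def connect_through_proxy(sock, host_port):
    """Client side: send CONNECT, accept only a 2xx reply.  On success the
    socket is a raw tunnel to host_port and the TLS handshake would start
    on it next; on any other status the tunnel must not be used."""
    sock.sendall(build_connect_request(host_port))
    code = parse_status(read_headers(sock))
    if not 200 <= code < 300:
        raise ConnectionError("proxy refused CONNECT to %s: HTTP %d" % (host_port, code))
    return code

ALLOWED_TARGETS = {"pts.net:443"}   # constructed proxy policy for the demo

def toy_proxy(sock):
    """Proxy side: read the CONNECT request, answer 200 or 403, then close."""
    try:
        request_line = read_headers(sock).split("\r\n", 1)[0]
        parts = request_line.split(" ")
        if len(parts) == 3 and parts[0] == "CONNECT" and parts[1] in ALLOWED_TARGETS:
            sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        else:
            sock.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
    finally:
        sock.close()

def run_exchange(host_port):
    """Drive client and toy proxy over a socketpair; return the status code
    the client accepted, or the ConnectionError it raised."""
    client_end, proxy_end = socket.socketpair()
    client_end.settimeout(5)
    worker = threading.Thread(target=toy_proxy, args=(proxy_end,))
    worker.start()
    try:
        return connect_through_proxy(client_end, host_port)
    except ConnectionError as err:
        return err
    finally:
        client_end.close()
        worker.join()

if __name__ == "__main__":
    print(run_exchange("pts.net:443"))      # 200
    print(run_exchange("example.org:443"))  # proxy refused CONNECT to example.org:443: HTTP 403
```

The point of the status check is the same one stunnel's config relies on: the proxy's reply decides whether the bytes that follow are a tunnel to the target or just the proxy's own error page, and TLS must only be started in the first case.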