Tool : Stunnel as SSL relay - baoyingwang/LibrariesEvaluation GitHub Wiki

Introduction

Stunnel is a very useful tool as an SSL relay. It is simple and free.

note: socat is a useful Linux tool for forwarding traffic without SSL.

A quick example of stunnel client

With the section below, stunnel listens on localhost:8082 and forwards each connection to the remote target remote_fqdn:443. For the meaning of each entry, please check the reference page.

[trtn-integration-ssl]
sslVersion = all
accept = localhost:8082
connect = remote_fqdn:443
client = yes
verify = 0
CAfile = D:/CAcert.pem

note: verify is deprecated since version 5.34 (2016-07-05). Three new service-level options, requireCert, verifyChain and verifyPeer, were introduced for fine-grained control of certificate verification.

note: if you are the client side of a client-authenticated TLS handshake, you should configure the following:

key = your.key.pem
cert = your_cert_trusted_by_remote_server.pem
CAfile = CAfile_included_the_CA_which_sign_the_remote_server_cert.pem

note: debug = 7 is the highest (most verbose) log level.

Highlight - comparing verify (deprecated) / requireCert / verifyChain / verifyPeer

Please configure the related values based on your requirements. It is recommended to start with a lower security level and then add more, which makes troubleshooting easier.

The legal values of the verify option are 0, 1, 2, 3 and 4. The related relationship is below - copied from Reference: [CN - stunnel-verify-config]

value   request_cert   require_cert (requireCert in config)   verify_chain (verifyChain in config)   verify_peer (verifyPeer in config)
0       Y              N                                      N                                      N
1       Y              N                                      Y                                      N
2       Y              Y                                      Y                                      N
3       Y              Y                                      Y                                      Y
4       Y              Y                                      N                                      Y

note: verifyChain - means verify the certificate against the CA.

note: verifyPeer - means you have put the peer certificate (NOT the CA) into the CA list. I did a test on it (Dec 30, 2016).
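The following added example (not stunnel's code, and not part of the original wiki page) ties the client section above to the verify table: it parses an stunnel-style configuration, replaces a deprecated `verify = N` with the equivalent requireCert / verifyChain / verifyPeer settings taken from the table, and flags settings a reviewer would question, such as a client service that does not verify the server certificate at all (`verify = 0` with `client = yes`), or `sslVersion = all`. The configuration text embedded in the script is constructed for the demo from the services shown on this page; the mapping table and the audit rules are the assumptions the script encodes.

```python
"""Parse an stunnel service configuration and migrate the deprecated
`verify = N` option to requireCert / verifyChain / verifyPeer.

Added example for this wiki page; it is not part of stunnel. The
level-to-option mapping is the table on this page (stunnel >= 5.34).
The sample configuration below is constructed for the demo.
"""
import configparser

# Deprecated verify level -> (requireCert, verifyChain, verifyPeer).
# request_cert is implied for every level, so it is not modelled here.
VERIFY_LEVELS = {
    0: {"requireCert": False, "verifyChain": False, "verifyPeer": False},
    1: {"requireCert": False, "verifyChain": True,  "verifyPeer": False},
    2: {"requireCert": True,  "verifyChain": True,  "verifyPeer": False},
    3: {"requireCert": True,  "verifyChain": True,  "verifyPeer": True},
    4: {"requireCert": True,  "verifyChain": False, "verifyPeer": True},
}

# Constructed sample: the client service from this page, plus one service
# that already uses the new options.
SAMPLE_CONF = """\
[trtn-integration-ssl]
sslVersion = all
accept = localhost:8082
connect = remote_fqdn:443
client = yes
verify = 0
CAfile = D:/CAcert.pem

[already-migrated]
client = yes
accept = localhost:8083
connect = remote_fqdn:443
verifyChain = yes
CAfile = D:/CAcert.pem
"""


def parse_stunnel_conf(text):
    """Parse stunnel's INI-style config. stunnel comments start with ';' and
    option names are case-insensitive, so keys are normalised to lower case."""
    parser = configparser.ConfigParser(
        comment_prefixes=(";", "#"), inline_comment_prefixes=None, interpolation=None
    )
    parser.optionxform = str.lower
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def migrate_verify(service):
    """Return a copy of one service with a deprecated `verify = N` replaced by
    the equivalent requireCert / verifyChain / verifyPeer options."""
    opts = dict(service)
    if "verify" not in opts:
        return opts
    level = int(opts.pop("verify"))
    if level not in VERIFY_LEVELS:
        raise ValueError(f"verify must be 0..4, got {level}")
    for key, enabled in VERIFY_LEVELS[level].items():
        opts[key.lower()] = "yes" if enabled else "no"
    return opts


def audit_service(name, service):
    """Flag settings a reviewer would question before the relay goes live."""
    findings = []
    chain = service.get("verifychain", "no") == "yes"
    peer = service.get("verifypeer", "no") == "yes"
    if service.get("client", "no") == "yes" and not (chain or peer):
        findings.append(f"{name}: client does not verify the server certificate")
    if service.get("sslversion", "").lower() == "all":
        findings.append(f"{name}: sslVersion = all allows every protocol version stunnel was built with")
    if (chain or peer) and "cafile" not in service and "capath" not in service:
        findings.append(f"{name}: verification enabled but no CAfile/CApath configured")
    return findings


def audit_config(text):
    """Parse, migrate every service, and return (migrated_services, findings)."""
    migrated = {name: migrate_verify(svc) for name, svc in parse_stunnel_conf(text).items()}
    findings = []
    for name, svc in migrated.items():
        findings.extend(audit_service(name, svc))
    return migrated, findings


if __name__ == "__main__":
    services, findings = audit_config(SAMPLE_CONF)
    for name, svc in services.items():
        print(f"[{name}]")
        for key, value in svc.items():
            print(f"{key} = {value}")
        print()
    for line in findings:
        print("WARNING:", line)
```

Run it as a script to see the migrated services and the warnings; on the sample it reports that trtn-integration-ssl, with `verify = 0`, performs no certificate verification, which is exactly the state the page recommends only as a troubleshooting starting point.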

Reference

1. Stunnel Howto

http://www.stunnel.org/howto.html - it looks like this link does not work anymore (Feb 1, 2018)

Source code: https://github.com/mtrojnar/stunnel

2. CN - stunnel-verify-config

http://xixitalk.github.io/blog/2016/10/18/stunnel-verify-config/

3. how to setup a client config with proxy server

In the example below, the final target is pts.net:443 and the proxy server is 10.13.113.144:80.

[trtn-integration-ssl-webproxy]
sslVersion = all
accept = localhost:8081
;; * Replace <proxy address> and <proxy port> with the address and *
;; * port numbers of your web proxy *
connect = 10.13.113.144:80
protocolhost = pts.net:443
protocol = connect
;TIMEOUTclose = 0
client = yes
verify = 0
CAfile = D:/CAcert.pem
;cert = TRTN-AMIT-UAT.pem
;key = TRTN-AMIT-UAT.key.pem
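To make clear what `protocol = connect` and `protocolHost` do, here is an added example (not stunnel's code and not part of the original page) that reproduces the HTTP CONNECT exchange in-process: the client side builds the request stunnel sends to the web proxy before the TLS handshake starts, and a constructed stand-in proxy answers it over a socketpair. The proxy address and the pts.net:443 target come from the configuration above; the stand-in proxy, its allow-list and the three-byte probe are assumptions of the demo. The response parser keeps any bytes that follow the headers, because those already belong to the tunnelled stream.

```python
"""Reproduce, in-process, the HTTP CONNECT exchange that stunnel performs
when a service sets `protocol = connect` and `protocolHost = host:port`.

Added example for this page, not stunnel's own code. The proxy side is a
constructed stand-in that only understands CONNECT; the host names come
from the configuration on this page.
"""
import socket
import threading

PROXY_HOST, PROXY_PORT = "10.13.113.144", 80   # proxy from the page's example config
TARGET = "pts.net:443"                          # protocolHost from the page


def build_connect_request(protocol_host):
    """Build the CONNECT request sent to the web proxy before the TLS handshake;
    the Host header mirrors the CONNECT target."""
    return (f"CONNECT {protocol_host} HTTP/1.1\r\n"
            f"Host: {protocol_host}\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Return (status_code, remaining_bytes). Bytes after the blank line that
    ends the headers already belong to the tunnelled stream and are kept."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), rest


def fake_proxy(conn, allowed_targets):
    """Constructed proxy stand-in: accept CONNECT to a permitted target, refuse
    everything else with 403, then echo the first tunnelled bytes."""
    request = conn.recv(4096)
    line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target = line.split(" ")[:2]
    if method != "CONNECT" or target not in allowed_targets:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        return
    # A real proxy would now splice the connection to the target; the stand-in
    # just confirms the tunnel and echoes what the client sends through it.
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    conn.sendall(conn.recv(16))
    conn.close()


def open_tunnel(protocol_host, allowed_targets=(TARGET,)):
    """Run the client and proxy ends over a socketpair; return the proxy's
    status code and the bytes echoed back through the tunnel (None if refused)."""
    client, proxy = socket.socketpair()
    worker = threading.Thread(target=fake_proxy, args=(proxy, allowed_targets))
    worker.start()
    client.sendall(build_connect_request(protocol_host))
    status, leftover = parse_connect_response(client.recv(4096))
    echoed = None
    if status == 200:
        # First bytes of a TLS handshake record header, constructed for the demo;
        # in stunnel this is where the real TLS ClientHello would go.
        probe = b"\x16\x03\x01"
        client.sendall(probe)
        echoed = leftover + client.recv(16)
    client.close()
    worker.join()
    return status, echoed


if __name__ == "__main__":
    print("allowed target:", open_tunnel(TARGET))
    print("other target:  ", open_tunnel("other.example:443"))
```

The first call returns status 200 and the probe bytes echoed back, showing that the TLS handshake only begins after the proxy has confirmed the tunnel; the second call returns 403 with no tunnel, the situation the `connect` / `protocolHost` pair will surface in stunnel's log (debug = 7) when a proxy refuses the target.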
