[stunnel-users] Using stunnel for RDP / Proxy / Firewall

garberfc garberfc at coolsite.net
Tue Oct 30 19:20:39 CET 2007


Thanks for all the information, it's been a big help. I had a problem
generating the server key / certificate. I posted my question/problem on the
openssl.org mailing list.

Frank

Algol Tradent wrote:
> 
> 
> Greetings,
> 
> To answer your questions:
> "Where does your 'certificates' directory live in
> relation to the stunnel.conf file?"
> 
> The 'certificates' directory in my configuration is in
> the same directory as the stunnel.conf file.
> 
> "Did you create the server.pem, client.pem and
> CAcert.pem file yourself?"
> 
> Yes, I did. I created my own Self-Signed Certificates.
> Here is a link I found very useful for this
> http://sial.org/howto/openssl/
> 
> CAcert.pem is the Certificate Authority's Certificate
> Server.pem is the server's certificate
> Client.pem is the client's certificate
> 
> Notice that Stunnel requires key + certificate in the
> .pem files (see man page)
> 
> "Are any of these files the same files or all
> different?"
> 
> I'm not sure I understand your question 100%, but the
> CAcert.pem is the same in both server and client. Then
> the server.pem and client.pem are different files.
> 
> Here is another link with an example that you can
> adapt for RDP
> http://www.securityfocus.com/infocus/1677
> 
> I hope this helps
> 
> Best Regards
> 
> --- garberfc <garberfc at coolsite.net> wrote:
> 
>> 
>> 
>> Algol Tradent wrote:
>> > 
>> > 
>> > Here are the configs I've used. I must point out
>> that
>> > I use certificates in both the client and server
>> for
>> > authentication. Hence verify=3 in the config.
>> > 
>> > ======= SERVER =======
>> > 
>> > ;----------------------------------------------------
>> > ;--  SERVER OPTIONS
>> > ;----------------------------------------------------
>> > 
>> > ;select data compression algorithm 
>> > compression = zlib
>> > 
>> > ; Enable Taskbar icon
>> > taskbar = yes 
>> > 
>> > ; Some performance tunings
>> > ; turn off the Nagle algorithm for local sockets
>> > ; turn off the Nagle algorithm for remote sockets
>> > socket = l:TCP_NODELAY=1
>> > socket = r:TCP_NODELAY=1
>> > 
>> > [TServ]
>> > 
>> > ;Certificate Authority file
>> > CAfile = CAcert.pem
>> > 
>> > ;Certificate Authority directory 
>> > CApath = certificates
>> > 
>> > ;certificate chain PEM file name
>> > ;required in server mode
>> > cert   = server.pem
>> > 
>> > ;client mode - no (server mode)
>> > client = no
>> > 
>> > ;level 3 - verify peer with locally installed certificate
>> > verify = 3
>> > 
>> > accept = 50000
>> > connect = 127.0.0.1:3389
>> > 
>> > 
>> > ======= CLIENT =======
>> > 
>> > ;----------------------------------------------------
>> > ;                 GLOBAL OPTIONS
>> > ;----------------------------------------------------
>> > 
>> > 
>> > ;Logging Options
>> > debug = 7
>> > output = stunnel.log
>> > 
>> > ; Some performance tunings
>> > ; turn off the Nagle algorithm for local sockets
>> > ; turn off the Nagle algorithm for remote sockets
>> > socket = l:TCP_NODELAY=1
>> > socket = r:TCP_NODELAY=1
>> > 
>> > ;----------------------------------------------------
>> > ;        SERVICE-LEVEL OPTIONS
>> > ;----------------------------------------------------
>> > [tserver]
>> > accept = 127.0.0.1:50000
>> > connect = <my_server_IP>:50000
>> > 
>> > ;Server mode or Client mode
>> > ;Yes=Client mode
>> > client = yes
>> > 
>> > ;Certificate Authority file
>> > CAfile = CAcert.pem
>> > 
>> > ;Certificate Authority directory
>> > CApath = certificates
>> > 
>> > ;certificate chain PEM file name
>> > cert = client.pem
>> > 
>> > ;verify peer certificate
>> > ;level 3 - verify peer with locally installed certificate
>> > verify = 3
>> > 
>> > ;Select permitted SSL ciphers ':' delimited list
>> > ciphers = AES256-SHA 
>> > 
>> > --- Frank Garber <garberfc at coolsite.net> wrote:
>> > <snip />
>> > 
>> > 
>> 
>> I had a question about your setting:
>>     ;Certificate Authority directory
>>     CApath = certificates
>> 
>> Where does your 'certificates' directory live in
>> relation to the
>> stunnel.conf file?
>> 
>> Did you create the server.pem, client.pem and
>> CAcert.pem file yourself? Are
>> any of these files the same files or all different?
>> 
>> Thanks for the help,
>> 
>> Frank
>> 
>> -- 
>> View this message in context:
>> http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.html#a13465792
>> Sent from the Stunnel - Users mailing list archive
>> at Nabble.com.
>> 
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at mirt.net
>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>> 
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.html#a13492794
Sent from the Stunnel - Users mailing list archive at Nabble.com.
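As an added example that is not part of this thread: a small checker, in Python, that parses the stunnel.conf layout quoted above (global options first, then [service] sections, `;` comments) and flags the points the thread touches on: a server-mode section needs `cert` (key plus certificate in one PEM), a client section without `verify` accepts any server certificate, an `accept` without a host binds the plaintext side on all interfaces, and relative `cert`/`CAfile`/`CApath` values depend on the directory stunnel resolves them against (the thread keeps them beside stunnel.conf). The embedded config is a constructed sample based on the server config quoted in the thread.

```python
import re

SERVER_CONF = """\
; constructed sample, based on the server config quoted in the thread
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[TServ]
CAfile = CAcert.pem
CApath = certificates
cert   = server.pem
client = no
verify = 3
accept = 50000
connect = 127.0.0.1:3389
"""

def parse_stunnel_conf(text):
    """Return (global_opts, {section: opts}); values are lists since keys like 'socket' repeat."""
    global_opts, sections = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # start of a [service] section
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, sections

def check_service(name, opts):
    """Findings for one [service] section, against the mutual-auth layout in the thread."""
    last = lambda key: opts.get(key, [None])[-1]  # the last value of a key wins
    client = (last("client") or "no").lower() == "yes"
    verify = int(last("verify") or 0)
    findings = []
    if not client and not last("cert"):
        findings.append(f"{name}: server mode needs 'cert' (key + certificate in one PEM)")
    if client and verify == 0:
        findings.append(f"{name}: client accepts any server certificate (verify not set)")
    if client and ":" not in (last("accept") or ""):
        findings.append(f"{name}: accept without a host binds the plaintext side on all interfaces")
    for key in ("cert", "CAfile", "CApath"):
        val = last(key)
        if val and not re.match(r"^(/|[A-Za-z]:[\\/])", val):
            findings.append(f"{name}: {key} = {val} is relative; the thread keeps it beside stunnel.conf")
    return findings
```

Run `check_service` over each section returned by `parse_stunnel_conf` to lint a whole file; the quoted server config only yields the three relative-path notices.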