[stunnel-users] 1 server and more desktops

• Previous message (by thread): [stunnel-users] 1 server and more desktops
• Next message (by thread): [stunnel-users] securing OpenBSD/FreeBSD with stunnel
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Carter,

thank you very much for your help and nice examples. I will try it in my local network.

Have a good day.
Mia


---- Pôvodná správa ----
Od koho: Carter Browne <cbrowne at cbcs-usa.com>
Komu: aaa aaa <miamia at inMail.sk>
Dátum: 8. 6. 2009 17:52:00
Predmet: Re: [stunnel-users] 1 server and more desktops

Mia,

I work in both Windows and Linux, so I use a Windows approach - copying
files where in Linux a link would be more appropriate.

Assume server.pem is the server full server certificate including the
private key and client1.pem is a full client certificate including the key.

The first step is to make a copy of the server certificate and delete
the lines starting with -----BEGIN RSA PRIVATE KEY------ down through
the blank line
after -----END RSA PRIVATE KEY-----

Initial I call this server-pub.pem

The command:

    openssl x509 -in server-pub.pem -subject_hash -noout

will print out the hash for the server key (as 8 hexadecimal digits),
for example abcef012

Then I rename server-pub.pem to abcdef012.0

I repeat the same process for each client key, so that client1.pem in
this example would have a public key named 987654fe.0 (assuming that the
hash of 987654fe).

In the client1 configuration:

cert = client1.pem
key  = client1.pem
verify = 3
cafile = abcdef012.0

In the server configuration

cert = server1.pem
key = server1.pem
verify = 3
capath = capath

In the capath directory is

987654fe.0
...                     Plus the hashes of the other clients.


In Windows, the capath is under the stunnel directory.

The client certificates can also be concatenated in a single file.  If
you use a directory, it is not necessary to restart stunnel if you add a
new client.  If you use a concatenated file, you do have to restart
stunnel if you add a client.  There are some notes in the documentation
about the structure of a concatenated file.

I hope this helps.

Carter

Carter Browne
CBCS
cbrowne at cbcs-usa.com
781-721-2890



aaa aaa wrote:
> Hi Carter,
>
> thank you. I am trying to use scenario with self-signed certificates
> exactly like you are using it. Could you please write me some examples
> of config for server and clients? I don't know where to put private
> keys and how to set up server for acceptation of certificates from
> clients only - server must reject all communication without/or with
> other certificates as are stored in his folder.
>
> thank you in advance
>
> regards,
> mia
>
> ---- Pôvodná správa ----
> Od koho: Carter Browne <cbrowne at cbcs-usa.com>
> Komu: aaa aaa <miamia at inMail.sk>
> Dátum: 8. 6. 2009 15:00:00
> Predmet: Re: [stunnel-users] 1 server and more desktops
>
> I do this using self-signed certificates and verify=2 or verify=3. The
> remote computers would only have the servers public certificate their
> CAfile (or CApath). The server must have all the remote computers
> public certificates in its CAfile or CApath. See the rules about how to
> build those. If you are only using self-signed certificates, you can
> use verify=3, otherwise you will have to use verify=2. Each port that
> you want to forward must be in you stunnel.conf file - without knowing
> what you are trying to do, it is hard to be more specific.
>
> Carter
>
> Carter Browne
> CBCS
> cbrowne at cbcs-usa.com
> 781-721-2890
>
>
>
> aaa aaa wrote:
> > hello Christophe,
> >
> > thanks for your answer. Sorry for any misunderstanding. Well, I just
> > wanted to ask if it is able to set stunnel for working with more
> > certificates? So it means that I don't want to have secured tunnel
> > between remote and local computer only but also between one remote and
> > many local computers with more certificates? Every local computer
> > should have own certificate.
> >
> > Is this possible?
> >
> > thank you.
> >
> > ---- Pôvodná správa ----
> > Od koho: Christophe Nanteuil <christophe.nanteuil at gmail.com>
> > Komu: aaa aaa <miamia at inmail.sk>
> > Dátum: 7. 6. 2009 16:27:00
> > Predmet: Re: [stunnel-users] 1 server and more desktops
> >
> > Hello,
> >
> > Stunnel is an application oriented tunnel, not a machine oriented
> > tunnel. Please, be more precise in your requests if you want someone
> > to be able to help you. It seems also that the stunnel documentation
> > pages are worh reading in your case.
> >
> > Regards,
> >
> > --
> > Christophe
> >
> >
> > 2009/6/7 aaa aaa <miamia at inmail.sk>:
> > > Hello,
> > >
> > > I have one server and 3 desktops (PC1,PC2,PC3). I need to do this:
> > every pc
> > > should communicate with server with his own certificate and server
> > should
> > > sends anwser back to the computer encrypted for this one pc only.
> > >
> > > Example: PC3 {with server's public key} sends data to server and
> server
> > > sends answer to PC3 (encrypted wiht unique PC3's public key).
> > > then PC2 {with server's public key} sends data to server and server
> > sends
> > > answer to PC2 (encrypted wiht unique PC2's public key). and so
> on... how
> > > should I configure stunnel for this?
> > >
> > > And another question > how should I configure all computers (server,
> > > pc1,pc2,pc3) to accept communication over secured stunnel only and
> > drop all
> > > other unsecured communication?
> > >
> > >
> > > thank you in advance.
> > > regards, Mia
> > > ----------
> > > Sutaz s InPage o ceny za viac ako 2000 Euro. Info na www.inpage.sk.
> > Domena,
> > > webhosting, e-mail a seo od 10 centov/denne.
> > >
> > > _______________________________________________
> > > stunnel-users mailing list
> > > stunnel-users at mirt.net
> > > http://stunnel.mirt.net/mailman/listinfo/stunnel-users
> > >
> > >
> > ----------
> > Sutaz s InPage o ceny za viac ako 2000 Euro. Info na www.inpage.sk
> > <http://www.inpage.sk/>. Domena, webhosting, e-mail a seo od 10
> > centov/denne.
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > stunnel-users mailing list
> > stunnel-users at mirt.net
> > http://stunnel.mirt.net/mailman/listinfo/stunnel-users
> >
> ----------
> Sutaz s InPage o ceny za viac ako 2000 Euro. Info na www.inpage.sk
> <http://www.inpage.sk/>. Domena, webhosting, e-mail a seo od 10
> centov/denne.
----------

Sutaz s InPage o ceny za viac ako 2000 Euro. Info na www.inpage.sk. Domena, webhosting, e-mail a seo od 10 centov/denne. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20090608/398a258a/attachment.html>

• Previous message (by thread): [stunnel-users] 1 server and more desktops
• Next message (by thread): [stunnel-users] securing OpenBSD/FreeBSD with stunnel
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]