<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>Hello Carter,<br /><br />thank you very much for your help and nice examples. I will try it in my local network.<br /><br />Have a good day.<br />Mia<br /><br /><br />---- Pôvodná správa ----<br />Od koho: Carter Browne <cbrowne@cbcs-usa.com><br />Komu: aaa aaa <miamia@inMail.sk><br />Dátum: 8. 6. 2009 17:52:00<br />Predmet: Re: [stunnel-users] 1 server and more desktops<br /><br />Mia,<br /><br />I work in both Windows and Linux, so I use a Windows approach - copying<br />files where in Linux a link would be more appropriate.<br /><br />Assume server.pem is the server full server certificate including the<br />private key and client1.pem is a full client certificate including the key.<br /><br />The first step is to make a copy of the server certificate and delete<br />the lines starting with -----BEGIN RSA PRIVATE KEY------ down through<br />the blank line<br />after -----END RSA PRIVATE KEY-----<br /><br />Initial I call this server-pub.pem<br /><br />The command:<br /><br /> openssl x509 -in server-pub.pem -subject_hash -noout<br /><br />will print out the hash for the server key (as 8 hexadecimal digits),<br />for example abcef012<br /><br />Then I rename server-pub.pem to abcdef012.0<br /><br />I repeat the same process for each client key, so that client1.pem in<br />this example would have a public key named 987654fe.0 (assuming that the<br />hash of 987654fe).<br /><br />In the client1 configuration:<br /><br />cert = client1.pem<br />key = client1.pem<br />verify = 3<br />cafile = abcdef012.0<br /><br />In the server configuration<br /><br />cert = server1.pem<br />key = server1.pem<br />verify = 3<br />capath = capath<br /><br />In the capath directory is<br /><br />987654fe.0<br />... Plus the hashes of the other clients.<br /><br /><br />In Windows, the capath is under the stunnel directory.<br /><br />The client certificates can also be concatenated in a single file. If<br />you use a directory, it is not necessary to restart stunnel if you add a<br />new client. If you use a concatenated file, you do have to restart<br />stunnel if you add a client. There are some notes in the documentation<br />about the structure of a concatenated file.<br /><br />I hope this helps.<br /><br />Carter<br /><br />Carter Browne<br />CBCS<br />cbrowne@cbcs-usa.com<br />781-721-2890<br /><br /><br /><br />aaa aaa wrote:<br />> Hi Carter,<br />><br />> thank you. I am trying to use scenario with self-signed certificates<br />> exactly like you are using it. Could you please write me some examples<br />> of config for server and clients? I don't know where to put private<br />> keys and how to set up server for acceptation of certificates from<br />> clients only - server must reject all communication without/or with<br />> other certificates as are stored in his folder.<br />><br />> thank you in advance<br />><br />> regards,<br />> mia<br />><br />> ---- Pôvodná správa ----<br />> Od koho: Carter Browne <cbrowne@cbcs-usa.com><br />> Komu: aaa aaa <miamia@inMail.sk><br />> Dátum: 8. 6. 2009 15:00:00<br />> Predmet: Re: [stunnel-users] 1 server and more desktops<br />><br />> I do this using self-signed certificates and verify=2 or verify=3. The<br />> remote computers would only have the servers public certificate their<br />> CAfile (or CApath). The server must have all the remote computers<br />> public certificates in its CAfile or CApath. See the rules about how to<br />> build those. If you are only using self-signed certificates, you can<br />> use verify=3, otherwise you will have to use verify=2. Each port that<br />> you want to forward must be in you stunnel.conf file - without knowing<br />> what you are trying to do, it is hard to be more specific.<br />><br />> Carter<br />><br />> Carter Browne<br />> CBCS<br />> cbrowne@cbcs-usa.com<br />> 781-721-2890<br />><br />><br />><br />> aaa aaa wrote:<br />> > hello Christophe,<br />> ><br />> > thanks for your answer. Sorry for any misunderstanding. Well, I just<br />> > wanted to ask if it is able to set stunnel for working with more<br />> > certificates? So it means that I don't want to have secured tunnel<br />> > between remote and local computer only but also between one remote and<br />> > many local computers with more certificates? Every local computer<br />> > should have own certificate.<br />> ><br />> > Is this possible?<br />> ><br />> > thank you.<br />> ><br />> > ---- Pôvodná správa ----<br />> > Od koho: Christophe Nanteuil <christophe.nanteuil@gmail.com><br />> > Komu: aaa aaa <miamia@inmail.sk><br />> > Dátum: 7. 6. 2009 16:27:00<br />> > Predmet: Re: [stunnel-users] 1 server and more desktops<br />> ><br />> > Hello,<br />> ><br />> > Stunnel is an application oriented tunnel, not a machine oriented<br />> > tunnel. Please, be more precise in your requests if you want someone<br />> > to be able to help you. It seems also that the stunnel documentation<br />> > pages are worh reading in your case.<br />> ><br />> > Regards,<br />> ><br />> > --<br />> > Christophe<br />> ><br />> ><br />> > 2009/6/7 aaa aaa <miamia@inmail.sk>:<br />> > > Hello,<br />> > ><br />> > > I have one server and 3 desktops (PC1,PC2,PC3). I need to do this:<br />> > every pc<br />> > > should communicate with server with his own certificate and server<br />> > should<br />> > > sends anwser back to the computer encrypted for this one pc only.<br />> > ><br />> > > Example: PC3 {with server's public key} sends data to server and<br />> server<br />> > > sends answer to PC3 (encrypted wiht unique PC3's public key).<br />> > > then PC2 {with server's public key} sends data to server and server<br />> > sends<br />> > > answer to PC2 (encrypted wiht unique PC2's public key). and so<br />> on... how<br />> > > should I configure stunnel for this?<br />> > ><br />> > > And another question > how should I configure all computers (server,<br />> > > pc1,pc2,pc3) to accept communication over secured stunnel only and<br />> > drop all<br />> > > other unsecured communication?<br />> > ><br />> > ><br />> > > thank you in advance.<br />> > > regards, Mia<br />> > > ----------<br />> > > Sutaz s InPage o ceny za viac ako 2000 Euro. Info na www.inpage.sk.<br />> > Domena,<br />> > > webhosting, e-mail a seo od 10 centov/denne.<br />> > ><br />> > > _______________________________________________<br />> > > stunnel-users mailing list<br />> > > stunnel-users@mirt.net<br />> > > http://stunnel.mirt.net/mailman/listinfo/stunnel-users<br />> > ><br />> > ><br />> > ----------<br />> > Sutaz s InPage o ceny za viac ako 2000 Euro. Info na www.inpage.sk<br />> > <http://www.inpage.sk/>. Domena, webhosting, e-mail a seo od 10<br />> > centov/denne.<br />> > ------------------------------------------------------------------------<br />> ><br />> > _______________________________________________<br />> > stunnel-users mailing list<br />> > stunnel-users@mirt.net<br />> > http://stunnel.mirt.net/mailman/listinfo/stunnel-users<br />> ><br />> ----------<br />> Sutaz s InPage o ceny za viac ako 2000 Euro. Info na www.inpage.sk<br />> <http://www.inpage.sk/>. Domena, webhosting, e-mail a seo od 10<br />> centov/denne.
<br>----------<br>
Sutaz s InPage o ceny za viac ako 2000 Euro. Info na <a href="http://www.inpage.sk/">www.inpage.sk</a>. Domena, webhosting, e-mail a seo od 10 centov/denne.
<br></body></html>