Thanks for all the information, it's been a big help. I had a problem generating the server key / certificate. I posted my question/problem on the openssl.org mailing list.
Frank
Algol Tradent wrote:
Greetings,
To answer your questions: "Where does your 'certificates' directory live in relation to the stunnel.conf file?"
The 'certificates' directory in my configuration is in the same directory as the stunnel.conf file.
"Did you create the server.pem, client.pem and CAcert.pem file your self?"
Yes, I did. I created my own Self-Signed Certificates. Here is a link I found very useful for this http://sial.org/howto/openssl/
CAcert.pem is the Certificate Authority's Certificate Server.pem is the server's certificate Client.pem is the client's certificate
Notice that Stunnel requires key + certificate in the .pem files (see man page)
"Are any of these files the same files or all different?"
I'm not sure I understand your question 100% but, The CAcert.pem is the same in both server and client. Then the server.pem and client.pem are different files.
Here is another link with an example that you can adapt for RDP http://www.securityfocus.com/infocus/1677
I hope this helps
Best Regards
--- garberfc garberfc@coolsite.net wrote:
Algol Tradent wrote:
Here are the configs I've used. I must point out
that
I use certificates in both the client and server
for
authentication. Hence verify=3 in the config.
======= SERVER =======
;----------------------------------------------------
;-- SERVER OPTIONS
;----------------------------------------------------
;select data compression algorithm compression = zlib
; Enable Taskbar icon taskbar = yes
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
[TServ]
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name ;required in server mode cert = server.pem
;client mode - no (server mode) client = no
;level 3 - verify peer with locally installed certificate verify = 3
accept = 50000 connect = 127.0.0.1:3389
======= CLIENT =======
;----------------------------------------------------
; GLOBAL OPTIONS
;----------------------------------------------------
;Logging Options debug = 7 output = stunnel.log
; Some performance tunings ; turn off the Nagle algorithm for local sockets ; turn off the Nagle algorithm for remote sockets socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
;----------------------------------------------------
; SERVICE-LEVEL OPTIONS
;----------------------------------------------------
[tserver] accept = 127.0.0.1:50000 connect = <my_server_IP>:50000
;Server mode or Client mode ;Yes=Client mode client = yes
;Certificate Authority file CAfile = CAcert.pem
;Certificate Authority directory CApath = certificates
;certificate chain PEM file name cert = client.pem
;verify peer certificate ;level 3 - verify peer with locally installed certificate verify = 3
;Select permitted SSL ciphers ':' delimited list ciphers = AES256-SHA
--- Frank Garber garberfc@coolsite.net wrote:
<snip />
I had a question about your setting: ;Certificate Authority directory CApath = certificates
Where does your 'certificates' directory live in relation to the stunnel.conf file?
Did you create the server.pem, client.pem and CAcert.pem file your self? Are any of these files the same files or all different?
Thanks for the help,
Frank
-- View this message in context:
http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.htm...
Sent from the Stunnel - Users mailing list archive at Nabble.com.
stunnel-users mailing list stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users