Complete newbie here, so please bear with me.
I want to set up HTTPS service on a Mac OS X (10.4.7) machine running a custom web server. I imagine that Stunnel could be made to listen on the standard HTTPS port (443), do the encryption/decryption, and pass the resulting data to/from the HTTP port (80, or a custom port I specify).
This is probably very easy, but none of the documentation or examples I found covered this. Has anyone done this? Or if not, can you sketch out how I would go about it? Any gotchas or caveats I should be aware of?
Many thanks, - Joe
On Wed, Oct 25, 2006 at 03:32:02PM -0600, joe@strout.net wrote:
> Complete newbie here, so please bear with me.
> I want to set up HTTPS service on a Mac OS X (10.4.7) machine running a custom web server. I imagine that Stunnel could be made to listen on the standard HTTPS port (443), do the encryption/decryption, and pass the resulting data to/from the HTTP port (80, or a custom port I specify).
> This is probably very easy, but none of the documentation or examples I found covered this. Has anyone done this? Or if not, can you sketch out how I would go about it? Any gotchas or caveats I should be aware of?
A quick Google search for "stunnel HTTPS wrapper" turned up http://www.stunnel.org/examples/https_windows.html among others. Even though the instructions there are for Windows, it could be useful as a starting point - the basic procedures (configuring OpenSSL, creating a self-signed certificate, the basic stunnel config file) are pretty much the same for most OS's.
Hope that helps!
G'luck, Peter
joe@strout.net wrote:
> I want to set up HTTPS service on a Mac OS X (10.4.7) machine running a custom web server. I imagine that Stunnel could be made to listen on the standard HTTPS port (443), do the encryption/decryption, and pass the resulting data to/from the HTTP port (80, or a custom port I specify).
> This is probably very easy, but none of the documentation or examples I found covered this. Has anyone done this? Or if not, can you sketch out how I would go about it?
The simplest configuration could be:
[web]
accept=443
connect=80
Please read the fine manual for details: http://stunnel.mirt.net/static/stunnel.html
> Any gotchas or caveats I should be aware of?
Stunnel does not support the HTTP protocol directly, so any server-generated redirects are kept intact (pointing to http instead of https).
Best regards, Mike
I've read the fine manual, and spent quite a while experimenting, but still have not managed to get stunnel to actually run. I have tried my own from-scratch configuration file, as well as a modified version of stunnel.conf-sample, with the same result, which is currently:
2006.11.13 16:18:16 LOG3[14237:2684415384]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.11.13 16:18:16 LOG3[14237:2684415384]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
Note that this is when running stunnel with sudo (since it needs root privs to read my certificate file -- cert.pem -- and I imagine may need them for other things too). If I turn the Debug option up to 7, then I get a few lines about the PRNG, followed by
2006.11.13 16:21:33 LOG7[14249:2684415384]: Certificate: /usr/local/etc/stunnel/cert.pem
2006.11.13 16:21:33 LOG7[14249:2684415384]: Certificate loaded
2006.11.13 16:21:33 LOG7[14249:2684415384]: Key file: /usr/local/etc/stunnel/cert.pem 2
and then followed by the same errors as above.
I'm running under OS X 10.4.8, compiled and installed stunnel-4.19 just today, and I have a key.pem and cert.pem obtained from StartCom. Note that the above errors were obtained with no "key=" line in my .conf file; it wasn't clear to me if I need that for my goal (which is layering HTTPS service over my existing HTTP server). But I also tried specifying the path to my key.pem, and that results in different errors:
2006.11.13 16:24:29 LOG7[14259:2684415384]: Key file: /usr/local/etc/stunnel/key.pem
2006.11.13 16:24:29 LOG3[14259:2684415384]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.11.13 16:24:29 LOG3[14259:2684415384]: error stack: 906A065 : error:0906A065:PEM routines:PEM_do_header:bad decrypt
2006.11.13 16:24:29 LOG3[14259:2684415384]: error stack: 6065064 : error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt
2006.11.13 16:24:29 LOG3[14259:2684415384]: Wrong pass phrase: retrying
2006.11.13 16:24:29 LOG3[14259:2684415384]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.11.13 16:24:29 LOG3[14259:2684415384]: error stack: 906A065 : error:0906A065:PEM routines:PEM_do_header:bad decrypt
2006.11.13 16:24:29 LOG3[14259:2684415384]: SSL_CTX_use_RSAPrivateKey_file: 6065064: error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt
...of course, it never asked me for my pass phrase, so maybe it's not surprising that whatever it's using is wrong. But I don't see how to make it ask me for one. Can anyone give me a clue?
Thanks, - Joe
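Added example, not code from the thread or from the stunnel project: a small pre-flight check in Python that inspects the PEM files a stunnel HTTPS wrapper will load, predicts which of the two loader errors seen above applies (no PRIVATE KEY block in the file stunnel uses as key file, versus a pass-phrase-protected key), and emits Mike's accept=443/connect=80 config with explicit cert= and key= lines. The file paths and the PEM bodies are constructed samples, and the diagnosis strings are the OpenSSL reason strings from the log, not calls into stunnel.

```python
import base64
import re

# One PEM block: label, optional "Name: value" header lines, then the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """List the PEM blocks in text as (label, is_encrypted, body_is_valid_base64)."""
    out = []
    for m in PEM_RE.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = [l for l in lines if ":" in l]  # base64 never contains ':'
        body = "".join(l.strip() for l in lines if l.strip() and ":" not in l)
        try:
            base64.b64decode(body, validate=True)
            ok = True
        except ValueError:
            ok = False
        # Traditional OpenSSL keys flag encryption in a Proc-Type header; PKCS#8 in the label.
        enc = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        out.append((label, enc, ok))
    return out


def diagnose_key(key_text):
    """Predict the OpenSSL reason string stunnel's key loader will report for this file."""
    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    if not keys:
        return "no start line"  # e.g. key= omitted, so stunnel read cert.pem as the key file
    if any(enc for _, enc, _ in keys):
        return "bad decrypt"    # pass-phrase-protected key and no/wrong pass phrase supplied
    if not all(ok for _, _, ok in keys):
        return "bad base64 decode"
    return "ok"


def stunnel_conf(cert, key, accept=443, connect=80):
    """The HTTPS-in-front-of-HTTP service from the thread, with cert and key spelled out."""
    return f"cert = {cert}\nkey = {key}\n\n[web]\naccept = {accept}\nconnect = {connect}\n"


# Constructed sample files (not real credentials): a certificate, a pass-phrase-protected
# key in the traditional OpenSSL format, and an unprotected key.
_b64 = lambda s: base64.b64encode(s).decode()
CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{_b64(b'constructed cert')}\n-----END CERTIFICATE-----\n"
ENC_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               f"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n{_b64(b'constructed enc key')}\n"
               "-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY_PEM = f"-----BEGIN RSA PRIVATE KEY-----\n{_b64(b'constructed key')}\n-----END RSA PRIVATE KEY-----\n"
```

Running diagnose_key over cert.pem reproduces the first error in the log (a certificate file has no PRIVATE KEY block, which is what stunnel reads when key= is omitted), and over a pass-phrase-protected key.pem the second.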