Hello Carter,
thank you very much for your help and nice examples. I will try it in my local network.
Have a good day. Mia
---- Original message ---- From: Carter Browne cbrowne@cbcs-usa.com To: aaa aaa miamia@inMail.sk Date: 8 June 2009 17:52:00 Subject: Re: [stunnel-users] 1 server and more desktops
Mia,
I work in both Windows and Linux, so I use a Windows approach - copying files where in Linux a link would be more appropriate.
Assume server.pem is the full server certificate including the private key, and client1.pem is a full client certificate including the key.
The first step is to make a copy of the server certificate and delete the lines starting with -----BEGIN RSA PRIVATE KEY----- down through the blank line after -----END RSA PRIVATE KEY-----
Initially I call this server-pub.pem
The command:
openssl x509 -in server-pub.pem -subject_hash -noout
will print out the hash for the server key (as 8 hexadecimal digits), for example abcef012
Then I rename server-pub.pem to abcef012.0
I repeat the same process for each client key, so that client1.pem in this example would have a public key file named 987654fe.0 (assuming its hash is 987654fe).
In the client1 configuration:
    cert = client1.pem
    key = client1.pem
    verify = 3
    cafile = abcef012.0
In the server configuration
    cert = server.pem
    key = server.pem
    verify = 3
    capath = capath
In the capath directory is
    987654fe.0 ... plus the hash-named files of the other clients.
In Windows, the capath is under the stunnel directory.
The client certificates can also be concatenated in a single file. If you use a directory, it is not necessary to restart stunnel if you add a new client. If you use a concatenated file, you do have to restart stunnel if you add a client. There are some notes in the documentation about the structure of a concatenated file.
I hope this helps.
Carter
Carter Browne CBCS cbrowne@cbcs-usa.com 781-721-2890
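The procedure Carter lays out above (full pem per host, a key-free copy renamed to its subject hash with a .0 suffix, a CApath on the server holding only the permitted clients) and the verify=3 rule from his earlier reply quoted below, carried out end to end as an added example. This is not code from the thread or from the stunnel project; host names, ports, the work directory and the service name are assumptions made for the demo, and openssl and sed are the only tools used.

```shell
#!/bin/sh
# Added example, not code from the thread: build the layout Carter describes
# (one "full" pem per host, a key-free copy renamed to <subject_hash>.N, a
# CApath on the server holding only the permitted clients) with openssl and
# sed, then write matching stunnel.conf files. Host names, ports, service
# name and the work directory are assumptions made for the demo.
set -eu

# make_selfsigned NAME CN DIR: DIR/NAME.pem = certificate followed by its
# private key, the "full certificate including the key" used for cert=/key=.
make_selfsigned() {
    name=$1; cn=$2; dir=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
    rm "$dir/$name.crt" "$dir/$name.key"
}

# strip_private_key IN OUT: the manual "delete BEGIN ... END PRIVATE KEY"
# step. Current openssl writes PKCS#8 "BEGIN PRIVATE KEY" rather than
# "BEGIN RSA PRIVATE KEY", so both spellings are matched, and the result is
# checked before it is handed out as a public file.
strip_private_key() {
    sed '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/d' "$1" > "$2"
    if grep -q 'PRIVATE KEY' "$2"; then
        echo "strip_private_key: key material left in $2" >&2
        return 1
    fi
}

# install_in_capath PUB CAPATH: copy PUB to CAPATH/<subject_hash>.N, taking
# the first free N so two subjects with the same hash are both kept;
# re-installing an identical file is a no-op. Prints the installed path.
install_in_capath() {
    pub=$1; capath=$2
    mkdir -p "$capath"
    h=$(openssl x509 -in "$pub" -subject_hash -noout)
    n=0
    while [ -e "$capath/$h.$n" ]; do
        if cmp -s "$pub" "$capath/$h.$n"; then echo "$capath/$h.$n"; return 0; fi
        n=$((n + 1))
    done
    cp "$pub" "$capath/$h.$n"
    echo "$capath/$h.$n"
}

# trusted_by_capath CAPATH CERT: exit 0 if CERT is found as a trusted file in
# CAPATH, non-zero otherwise; the lookup the server performs with verify = 3.
trusted_by_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# write_confs DIR SERVER_CA_FILE: stunnel.conf for the server and for client1
# (section name, addresses and ports are demo assumptions).
write_confs() {
    cat > "$1/stunnel-server.conf" <<EOF
cert = server.pem
key = server.pem
verify = 3
CApath = capath

[myservice]
accept = 0.0.0.0:8443
connect = 127.0.0.1:8080
EOF
    cat > "$1/stunnel-client1.conf" <<EOF
client = yes
cert = client1.pem
key = client1.pem
verify = 3
CAfile = $2

[myservice]
accept = 127.0.0.1:8080
connect = server.example:8443
EOF
}

WORK=$(mktemp -d)
for n in server client1 client2 rogue; do   # rogue: a cert the server must reject
    make_selfsigned "$n" "$n.example" "$WORK"
    strip_private_key "$WORK/$n.pem" "$WORK/$n-pub.pem"
done
SERVER_CA=$(install_in_capath "$WORK/server-pub.pem" "$WORK/client-side")
install_in_capath "$WORK/client1-pub.pem" "$WORK/capath" >/dev/null
install_in_capath "$WORK/client2-pub.pem" "$WORK/capath" >/dev/null
write_confs "$WORK" "$(basename "$SERVER_CA")"
echo "work dir: $WORK"; ls "$WORK/capath"
```

Two caveats worth keeping in mind when doing this by hand. OpenSSL changed the subject-hash algorithm in 1.0.0, so the file names must be computed with the same OpenSSL that stunnel links against (openssl x509 -subject_hash_old prints the pre-1.0.0 value, and c_rehash or openssl rehash names a whole directory for you). And because verify = 3 trusts the exact certificate rather than an issuer, every renewed client certificate has to be re-installed in the server's CApath, and a renewed server certificate re-distributed to every client.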
aaa aaa wrote:
Hi Carter,
thank you. I am trying to use the scenario with self-signed certificates exactly as you are using it. Could you please write me some example configs for the server and clients? I don't know where to put the private keys and how to set up the server to accept certificates from clients only; the server must reject all communication without a certificate, or with certificates other than those stored in its folder.
thank you in advance
regards, mia
---- Original message ---- From: Carter Browne cbrowne@cbcs-usa.com To: aaa aaa miamia@inMail.sk Date: 8 June 2009 15:00:00 Subject: Re: [stunnel-users] 1 server and more desktops
I do this using self-signed certificates and verify=2 or verify=3. The remote computers would only have the server's public certificate in their CAfile (or CApath). The server must have all the remote computers' public certificates in its CAfile or CApath. See the rules about how to build those. If you are only using self-signed certificates, you can use verify=3; otherwise you will have to use verify=2. Each port that you want to forward must be in your stunnel.conf file. Without knowing what you are trying to do, it is hard to be more specific.
Carter
Carter Browne CBCS cbrowne@cbcs-usa.com 781-721-2890
aaa aaa wrote:
hello Christophe,
thanks for your answer. Sorry for any misunderstanding. Well, I just wanted to ask whether it is possible to set up stunnel to work with more certificates? That is, I don't want to have a secured tunnel between a remote and a local computer only, but also between one remote and many local computers with more certificates. Every local computer should have its own certificate.
Is this possible?
thank you.
---- Original message ---- From: Christophe Nanteuil christophe.nanteuil@gmail.com To: aaa aaa miamia@inmail.sk Date: 7 June 2009 16:27:00 Subject: Re: [stunnel-users] 1 server and more desktops
Hello,
Stunnel is an application-oriented tunnel, not a machine-oriented tunnel. Please be more precise in your requests if you want someone to be able to help you. It seems also that the stunnel documentation pages are worth reading in your case.
Regards,
-- Christophe
2009/6/7 aaa aaa miamia@inmail.sk:
Hello,
I have one server and 3 desktops (PC1, PC2, PC3). I need to do this: every PC should communicate with the server with its own certificate, and the server should send the answer back to the computer encrypted for this one PC only.
Example: PC3 {with server's public key} sends data to the server and the server sends the answer to PC3 (encrypted with PC3's unique public key). Then PC2 {with server's public key} sends data to the server and the server sends the answer to PC2 (encrypted with PC2's unique public key), and so on... How should I configure stunnel for this?
And another question > how should I configure all computers (server, PC1, PC2, PC3) to accept communication over the secured stunnel only and drop all other unsecured communication?
thank you in advance. regards, Mia
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users