[stunnel-users] Using stunnel for RDP / Proxy / Firewall
Algol Tradent
tradent at yahoo.com
Tue Oct 30 01:35:14 CET 2007
Greetings,
To answer your questions:
"Where does your 'certificates' directory live in
relation to the stunnel.conf file?"
The 'certificates' directory in my configuration is in
the same directory as the stunnel.conf file.
"Did you create the server.pem, client.pem and
CAcert.pem file your self?"
Yes, I did. I created my own Self-Signed Certificates.
Here is a link I found very useful for this
http://sial.org/howto/openssl/
CAcert.pem is the Certificate Authority's Certificate
Server.pem is the server's certificate
Client.pem is the client's certificate
Notice that Stunnel requires key + certificate in the
.pem files (see man page)
"Are any of these files the same files or all
different?"
I'm not sure I understand your question 100% but, The
CAcert.pem is the same in both server and client. Then
the server.pem and client.pem are different files.
Here is another link with an example that you can
adapt for RDP
http://www.securityfocus.com/infocus/1677
I hope this helps
Best Regards
--- garberfc <garberfc at coolsite.net> wrote:
>
>
> Algol Tradent wrote:
> >
> >
> > Here are the configs I've used. I must point out
> that
> > I use certificates in both the client and server
> for
> > authentication. Hence verify=3 in the config.
> >
> > ======= SERVER =======
> >
> >
>
;----------------------------------------------------
> > ;-- SERVER OPTIONS
> >
>
;----------------------------------------------------
> >
> > ;select data compression algorithm
> > compression = zlib
> >
> > ; Enable Taskbar icon
> > taskbar = yes
> >
> > ; Some performance tunings
> > ; turn off the Nagle algorithm for local sockets
> > ; turn off the Nagle algorithm for remote sockets
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> >
> > [TServ]
> >
> > ;Certificate Authority file
> > CAfile = CAcert.pem
> >
> > ;Certificate Authority directory
> > CApath = certificates
> >
> > ;certificate chain PEM file name
> > ;required in server mode
> > cert = server.pem
> >
> > ;client mode - no (server mode)
> > client = no
> >
> > ;level 3 - verify peer with locally installed
> > certificate
> > verify = 3
> >
> > accept = 50000
> > connect = 127.0.0.1:3389
> >
> >
> > ======= CLIENT =======
> >
> >
>
;----------------------------------------------------
> > ; GLOBAL OPTIONS
> >
>
;----------------------------------------------------
> >
> >
> > ;Logging Options
> > debug = 7
> > output = stunnel.log
> >
> > ; Some performance tunings
> > ; turn off the Nagle algorithm for local sockets
> > ; turn off the Nagle algorithm for remote sockets
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> >
> >
>
;----------------------------------------------------
> > ; SERVICE-LEVEL OPTIONS
> >
>
;----------------------------------------------------
> > [tserver]
> > accept = 127.0.0.1:50000
> > connect = <my_server_IP>:50000
> >
> > ;Server mode or Client mode
> > ;Yes=Client mode
> > client = yes
> >
> > ;Certificate Authority file
> > CAfile = CAcert.pem
> >
> > ;Certificate Authority directory
> > CApath = certificates
> >
> > ;certificate chain PEM file name
> > cert = client.pem
> >
> > ;verify peer certificate
> > ;level 3 - verify peer with locally installed
> > certificate
> > verify = 3
> >
> > ;Select permitted SSL ciphers ':' delimited list
> > ciphers = AES256-SHA
> >
> > --- Frank Garber <garberfc at coolsite.net> wrote:
> > <snip />
> >
> >
>
> I had a question about your setting:
> ;Certificate Authority directory
> CApath = certificates
>
> Where does your 'certificates' directory live in
> relation to the
> stunnel.conf file?
>
> Did you create the server.pem, client.pem and
> CAcert.pem file your self? Are
> any of these files the same files or all different?
>
> Thanks for the help,
>
> Frank
>
> --
> View this message in context:
>
http://www.nabble.com/Using-stunnel-for-RDP---Proxy---Firewall-tf4654985.html#a13465792
> Sent from the Stunnel - Users mailing list archive
> at Nabble.com.
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
>
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
More information about the stunnel-users
mailing list