通过Stunnel 实现SSL连接(测试ing)

安装
AS3，Redhat 9默认已经安装
需要下面两个包：
openssl
stunnel

[root@linuxas3 root]# rpm -qa |grep opensslopenssl-0.9.7a-22.1openssl-devel-0.9.7a-22.1[root@linuxas3 root]# rpm -qa |grep stunnelstunnel-4.04-4[root@linuxas3 root]# cd /etc/stunnel/[root@linuxas3 stunnel]# lsstunnel.conf-sample stunnel.pem

配置

[root@linuxas3 stunnel]# cp stunnel.conf-sample stunnel.conf[root@linuxas3 stunnel]# mv stunnel.pem stunnel.pem.old[root@linuxas3 stunnel]# vi stunnel.conf

Example 1. stunnel.conf

# Sample stunnel configuration file# Copyright by Michal Trojnara 2002# Comment it out on Win32cert = /etc/stunnel/stunnel.pem# chroot = /usr/var/run/stunnel/# PID is created inside chroot jailpid = /stunnel.pid#setuid = nobody#setgid = nogroupsetuid = rootsetgid = root# Workaround for Eudora bug#options = DONT_INSERT_EMPTY_FRAGMENTS# Authentication stuff#verify = 2# don't forget about c_rehash CApath# it is located inside chroot jail:#CApath = /certs# or simply use CAfile instead:#CAfile = /usr/etc/stunnel/certs.pem# Some debugging stuffdebug = 7output = stunnel.log# Use it for client mode#client = yes# Service-level configuration[pop3s]accept  = 995connect = 110[imaps]accept  = 993connect = 143[ssmtp]accept  = 465connect = 25[s1]accept  = 5000connect = mail.osw.pl:110# delay = yes[s2]accept  = 5001connect = mail.osw.pl:25#[https]#accept  = 443#connect = 80#TIMEOUTclose = 0[nntps]accept  = 563connect = 119

配置/运行 Stunnel

stunnel 默认配置文件是 /etc/stunnel/stunnel.conf下面是最小的服务方式配置文件内容示范：key = stunnel.pem[http2ssl]accept = 443connect = 127.0.0.1:80含义：使用 stunnel.pem 证书，将 127.0.0.1: 80 的端口加密映射成本机443端口，“ http2ssl ”是名称，可以改成其它的标识。 配置文件文件还有其它内容，详情请看帮助。直接运行stunnel，就可以启动 Stunnel 了。

创建服务器证书

[root@linuxas3 stunnel]# cp /usr/share/ssl/openssl.cnf /etc/openssl.cnf[root@linuxas3 stunnel]# nano -w /etc/openssl.cnf[root@linuxas3 stunnel]# openssl req -new -x509 -days 365 -nodes -config /etc/openssl.cnf -out stunnel.pem -keyout stunnel.pemGenerating a 1024 bit RSA private key....................++++++.......................++++++writing new private key to 'stunnel.pem'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [GB]:CNState or Province Name (full name) [Berkshire]:GDLocality Name (eg, city) [Newbury]:Shen ZhenOrganization Name (eg, company) [My Company Ltd]:noneOrganizational Unit Name (eg, section) []:postfixCommon Name (eg, your name or your server's hostname) []:netkillerEmail Address []:netkiller@9812.net[root@linuxas3 stunnel]# openssl gendh 512 >> stunnel.pem[root@linuxas3 stunnel]# openssl x509 -subject -dates -fingerprint -in stunnel.pem[root@linuxas3 stunnel]# chmod 600 /etc/stunnel/stunnel.pem

Stunnel 客户方式不需要证书。Stunnel 服务方式需要一个证书文件。Stunnel 在 SSL Http Proxy 服务器是以服务方式运行的，所以必须要有一个证书。通过 openssl.exe 创建服务器证书。下面我将 Stunnel 关于创建证书的翻译如下：“...运行下面的命令openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem 这将会创建一个自己给自己签名的证书。参数的含义：-days 365 使这个证书的有效期是1年，之后它将不能再用。-new 创建一个新的证书-x509 创建一个 X509 证书（自己签名的）-nodes 这个证书没有密码-config openssl.cnf OpenSSL 使用的配置文件 （可能需要修改的有[CA_default]和[req_distinguished_name]这两个 section，译者）-out stunnel.pem 把 SSL 证书写到哪里-keyout stunnel.pem 把 SSL 证书放到这个文件中这个命令将会问你以下问题：问题的回答示范Country name 国家代码 PL, UK, US, CA...我国是CN,HK,TWState or Province name 省Locality Name 市Organization Name 公司、组织名称Organizational Unit Name 部门名称Common Name (FQDN) www.example.com 注意：Common Name (FQDN) 应该是运行 stunnel 机器的主机名。如果你能通过不同的主机名访问这台机器，有些 SSL 客户会警告这个主机的证书有问题，所以最好是使它和用户访问的主机名匹配。openssl gendh 512>> stunnel.pem 这将生成 Diffie-Hellman 部分, 追加到 pem 文件中。openssl x509 -subject -dates -fingerprint -in stunnel.pem 这个命令是将你的证书信息在屏幕显示出来。”

运行

[root@linuxas3 stunnel]# stunnel[root@linuxas3 stunnel]# ps ax |grep stunnel20733 ?        S      0:00 stunnel

本站仅提供存储服务，所有内容均由用户发布，如发现有害或侵权内容，请点击举报。