- 安装
- AS3,Redhat 9默认已经安装
- 需要下面两个包:
- openssl
- stunnel
[root@linuxas3 root]# rpm -qa |grep openssl
openssl-0.9.7a-22.1
openssl-devel-0.9.7a-22.1
[root@linuxas3 root]# rpm -qa |grep stunnel
stunnel-4.04-4
[root@linuxas3 root]# cd /etc/stunnel/
[root@linuxas3 stunnel]# ls
stunnel.conf-sample stunnel.pem
- 配置
[root@linuxas3 stunnel]# cp stunnel.conf-sample stunnel.conf
[root@linuxas3 stunnel]# mv stunnel.pem stunnel.pem.old
[root@linuxas3 stunnel]# vi stunnel.conf
-
Example 1. stunnel.conf
# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002
# Comment it out on Win32
# Server certificate (this tutorial later writes key + cert + DH params into this one file,
# so it must stay readable only by the stunnel user — see the chmod 600 step below).
cert = /etc/stunnel/stunnel.pem
# chroot = /usr/var/run/stunnel/
# PID is created inside chroot jail
# NOTE(review): chroot above is commented out, so this path presumably resolves to the real
# filesystem root, not a jail — confirm the intended location before relying on it.
pid = /stunnel.pid
#setuid = nobody
#setgid = nogroup
# The sample's unprivileged nobody/nogroup lines are commented out and replaced with root,
# so the daemon keeps root privileges for its whole lifetime; prefer the unprivileged
# account unless something here genuinely needs root.
setuid = root
setgid = root
# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS
# Authentication stuff
# verify/CApath/CAfile are all commented out in this sample, so none of the
# authentication settings below are active.
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /certs
# or simply use CAfile instead:
#CAfile = /usr/etc/stunnel/certs.pem
# Some debugging stuff
# NOTE(review): a verbose debug level and a relative log path are useful while setting
# things up; confirm where stunnel resolves "stunnel.log" and consider a lower level
# once the service works.
debug = 7
output = stunnel.log
# Use it for client mode
#client = yes
# Service-level configuration
# For each service: "accept" is the TLS-wrapped port stunnel listens on, "connect" is the
# plaintext side it forwards to (the same accept/connect roles are explained in the
# http2ssl example further down the page).
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
# s1/s2 forward to a remote host rather than localhost; the leg from this machine to
# that host is the plaintext side, so it is not protected by stunnel.
[s1]
accept = 5000
connect = mail.osw.pl:110
# delay = yes
[s2]
accept = 5001
connect = mail.osw.pl:25
#[https]
#accept = 443
#connect = 80
#TIMEOUTclose = 0
[nntps]
accept = 563
connect = 119
- 配置/运行 Stunnel
stunnel 默认配置文件是 /etc/stunnel/stunnel.conf
下面是最小的服务方式配置文件内容示范:
key = stunnel.pem
[http2ssl]
accept = 443
connect = 127.0.0.1:80
含义:使用 stunnel.pem 证书,将 127.0.0.1:80 的端口加密映射成本机 443 端口,“http2ssl”是服务名称,可以改成其它的标识。
配置文件还有其它内容,详情请看帮助。
直接运行stunnel,就可以启动 Stunnel 了。
- 创建服务器证书
[root@linuxas3 stunnel]# cp /usr/share/ssl/openssl.cnf /etc/openssl.cnf
[root@linuxas3 stunnel]# nano -w /etc/openssl.cnf
[root@linuxas3 stunnel]# openssl req -new -x509 -days 365 -nodes -config /etc/openssl.cnf -out stunnel.pem -keyout stunnel.pem
Generating a 1024 bit RSA private key
....................++++++
.......................++++++
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:GD
Locality Name (eg, city) [Newbury]:Shen Zhen
Organization Name (eg, company) [My Company Ltd]:none
Organizational Unit Name (eg, section) []:postfix
Common Name (eg, your name or your server's hostname) []:netkiller
Email Address []:netkiller@9812.net
[root@linuxas3 stunnel]# openssl gendh 512 >> stunnel.pem
[root@linuxas3 stunnel]# openssl x509 -subject -dates -fingerprint -in stunnel.pem
[root@linuxas3 stunnel]# chmod 600 /etc/stunnel/stunnel.pem
Stunnel 客户方式不需要证书。Stunnel 服务方式需要一个证书文件。
Stunnel 在 SSL Http Proxy 服务器是以服务方式运行的,所以必须要有一个证书。通过 openssl.exe 创建服务器证书。下面我将 Stunnel 关于创建证书的翻译如下:
“...运行下面的命令
openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem
这将会创建一个自己给自己签名的证书。参数的含义:
-days 365
使这个证书的有效期是1年,之后它将不能再用。
-new
创建一个新的证书
-x509
创建一个 X509 证书(自己签名的)
-nodes
这个证书没有密码
-config openssl.cnf
OpenSSL 使用的配置文件 (可能需要修改的有[CA_default]和[req_distinguished_name]这两个 section,译者)
-out stunnel.pem
把 SSL 证书写到哪里
-keyout stunnel.pem
把 SSL 证书放到这个文件中(本例中 -out 与 -keyout 指向同一个文件,所以 stunnel.pem 同时包含私钥,这也是后面要对它 chmod 600 的原因)
这个命令将会问你以下问题:
问题的回答示范
Country name 国家代码 PL, UK, US, CA...我国是CN,HK,TW
State or Province name 省
Locality Name 市
Organization Name 公司、组织名称
Organizational Unit Name 部门名称
Common Name (FQDN) www.example.com
注意:Common Name (FQDN) 应该是运行 stunnel 机器的主机名。如果你能通过不同的主机名访问这台机器,有些 SSL 客户会警告这个主机的证书有问题,所以最好是使它和用户访问的主机名匹配。
openssl gendh 512 >> stunnel.pem
这将生成 Diffie-Hellman 参数部分,追加到 pem 文件中。(512 只是示例值;按现在的安全要求应使用更长的 DH 参数,例如 2048 位。)
openssl x509 -subject -dates -fingerprint -in stunnel.pem
这个命令是将你的证书信息在屏幕显示出来。”
- 运行
[root@linuxas3 stunnel]# stunnel
[root@linuxas3 stunnel]# ps ax |grep stunnel
20733 ? S 0:00 stunnel