OS: CentOS 6.5
Install stunnel
yum -y install stunnel
Install the OpenSSL extras package (it provides the CA.pl script used below)
yum -y install openssl-perl
First, create your own SSL certificates.
Create the CA certificate
/etc/pki/tls/misc/CA.pl -newca
CA certificate filename (or enter to create) <-- press Enter to use the default path
Making CA certificate ...
Generating a 2048 bit RSA private key
............................................................+++
.....+++
writing new private key to '/etc/pki/CA/private/cakey.pem'
Enter PEM pass phrase: <-- enter a passphrase to encrypt this key file
Verifying - Enter PEM pass phrase: <-- enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW <-- certificate location details
State or Province Name (full name) []:Taiwan <-- certificate location details
Locality Name (eg, city) [Default City]:Taipei <-- certificate location details
Organization Name (eg, company) [Default Company Ltd]:Server CA <-- organisation details
Organizational Unit Name (eg, section) []: <-- organisational unit [may be left blank]
Common Name (eg, your name or your server's hostname) []:ca_root <-- name of the certificate server
Email Address []: <-- email address [may be left blank]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- [may be left blank]
An optional company name []: <-- [may be left blank]
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: <-- enter the key passphrase you just set
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e1:1f:27:6d:8b:14:e8:d2
Validity
Not Before: Mar 18 08:11:16 2015 GMT
Not After : Mar 17 08:11:16 2018 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = Server CA
commonName = ca_root
X509v3 extensions:
X509v3 Subject Key Identifier:
26:E1:A1:7A:D5:F4:5F:57:7A:5E:59:B6:7F:DE:51:ED:F0:43:0B:B7
X509v3 Authority Key Identifier:
keyid:26:E1:A1:7A:D5:F4:5F:57:7A:5E:59:B6:7F:DE:51:ED:F0:43:0B:B7
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 17 08:11:16 2018 GMT (1095 days)
Write out database with 1 new entries
Important locations
The CA key is at /etc/pki/CA/private/cakey.pem
The CA certificate is at /etc/pki/CA/cacert.pem
Copy cacert.pem to /etc/stunnel
cp /etc/pki/CA/cacert.pem /etc/stunnel
Create the server certificate (mind upper/lower case in the commands below)
- Create the key file
openssl genrsa -out server.key.pem 2048
chmod og-rwx server.key.pem
- Create the request file
openssl req -new -key server.key.pem -out server.req.pem <-- enter the location details as before
- Sign the certificate with the CA
openssl x509 -req -days 3650 -sha1 -extfile /etc/pki/tls/openssl.cnf -extensions v3_req \
-CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem \
-CAserial /etc/pki/CA/serial -CAcreateserial \
-in server.req.pem -out server.crt.pem <-- enter the CA key passphrase
- Build the certificate file for stunnel
cat server.crt.pem server.key.pem >> /etc/stunnel/server.pem
chmod og-rwx /etc/stunnel/server.pem
Create the client certificate
Same steps as for the server; just change the file names from server to client (client.key.pem, client.req.pem, client.crt.pem and /etc/stunnel/client.pem). Then install the client certificate where the server-side stunnel will check it:
mkdir /etc/stunnel/proxy-certs
cp client.crt.pem /etc/stunnel/proxy-certs
c_rehash /etc/stunnel/proxy-certs
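Added example, not from the original post: the CA, server and client certificate steps above, run non-interactively into a scratch directory (the PKI_DIR variable is an assumption) instead of /etc/pki/CA and /etc/stunnel, so it can be tried without root. Subjects and host names are placeholders. It signs with sha256 rather than the -sha1 used above, because OpenSSL 3 rejects SHA-1 certificate signatures at its default security level. It also adds two checks worth running before starting stunnel (the key in each bundle matches its certificate, and each certificate verifies against cacert.pem) and reproduces what c_rehash does for the CApath directory: one file per trusted certificate named after its subject hash.

```shell
#!/bin/sh
# Added example, not from the original post: the CA / server / client
# certificate steps, run non-interactively into a scratch directory
# (PKI_DIR, an assumed variable) instead of /etc/pki/CA and /etc/stunnel.
# Subjects and host names are placeholders. Signatures use sha256.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal OpenSSL config: an empty DN section (subjects come from -subj)
# plus one extension set for the CA and one for server/client certificates.
write_openssl_cnf() {
  cat > "$PKI_DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Equivalent of "CA.pl -newca": CA key (mode 600) and self-signed CA cert.
make_ca() {
  openssl genrsa -out "$PKI_DIR/cakey.pem" 2048 2>/dev/null
  chmod og-rwx "$PKI_DIR/cakey.pem"
  openssl req -new -x509 -sha256 -days 1095 \
    -config "$PKI_DIR/openssl.cnf" -extensions ca_ext \
    -key "$PKI_DIR/cakey.pem" -out "$PKI_DIR/cacert.pem" \
    -subj "/C=TW/ST=Taiwan/L=Taipei/O=Server CA/CN=ca_root"
}

# Key, request and CA-signed certificate for one endpoint ($1 = server|client,
# $2 = common name), then the cert+key bundle that stunnel's "cert =" expects.
make_leaf() {
  name="$1"; cn="$2"
  openssl genrsa -out "$PKI_DIR/$name.key.pem" 2048 2>/dev/null
  chmod og-rwx "$PKI_DIR/$name.key.pem"
  openssl req -new -config "$PKI_DIR/openssl.cnf" \
    -key "$PKI_DIR/$name.key.pem" -out "$PKI_DIR/$name.req.pem" \
    -subj "/C=TW/ST=Taiwan/L=Taipei/O=Server CA/CN=$cn"
  openssl x509 -req -sha256 -days 3650 \
    -extfile "$PKI_DIR/openssl.cnf" -extensions leaf_ext \
    -CA "$PKI_DIR/cacert.pem" -CAkey "$PKI_DIR/cakey.pem" \
    -CAserial "$PKI_DIR/serial" -CAcreateserial \
    -in "$PKI_DIR/$name.req.pem" -out "$PKI_DIR/$name.crt.pem" 2>/dev/null
  cat "$PKI_DIR/$name.crt.pem" "$PKI_DIR/$name.key.pem" > "$PKI_DIR/$name.pem"
  chmod og-rwx "$PKI_DIR/$name.pem"
}

# Check 1: the private key really belongs to the certificate it is bundled with.
key_matches_cert() {
  [ "$(openssl x509 -in "$PKI_DIR/$1.crt.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$PKI_DIR/$1.key.pem" -pubout)" ]
}

# Check 2: the certificate chains to our CA (what CAfile = cacert.pem verifies).
verify_against_ca() {
  openssl verify -CAfile "$PKI_DIR/cacert.pem" "$PKI_DIR/$1.crt.pem" >/dev/null 2>&1
}

# What c_rehash does for a CApath directory: one copy of each trusted
# certificate named <subject hash>.0, which is how verify = 3 finds the peer.
hash_into_capath() {
  mkdir -p "$2"
  h=$(openssl x509 -in "$PKI_DIR/$1.crt.pem" -noout -subject_hash)
  cp "$PKI_DIR/$1.crt.pem" "$2/$h.0"
  echo "$2/$h.0"
}

build_pki() {
  write_openssl_cnf
  make_ca
  make_leaf server server.yourdomain.com
  make_leaf client stunnel-client
  hash_into_capath client "$PKI_DIR/proxy-certs"
}

build_pki
echo "PKI written to $PKI_DIR"
```

The files it produces map onto the post's layout: cacert.pem is the CAfile, server.pem and client.pem are the cert bundles, and proxy-certs is the CApath. Running key_matches_cert and verify_against_ca before copying the bundles into /etc/stunnel catches the usual mix-up of pairing a certificate with the wrong key.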
Create the server-side stunnel.conf
mkdir /var/run/stunnel
chown nobody:nobody /var/run/stunnel
nano /etc/stunnel/stunnel.conf
Enter the following:
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel/stunnel.pid
fips = no
setuid = nobody
setgid = nobody
[proxy]
accept = 990
connect = target.yourdomain.com:22
CApath = /etc/stunnel/proxy-certs
verify=3
Start the stunnel service
/etc/init.d/stunnel start
Create the client-side stunnel.conf
Enter the following:
CAfile=cacert.pem
cert=client.pem
client=yes
[proxy]
accept = 127.0.0.1:8080
connect = server.youdomain.com:990
CAfile=peer-proxy.pem
verify=3
Copy cacert.pem and client.pem from the server to the client machine and put them in the same folder as stunnel.conf.
The last two lines (CAfile=peer-proxy.pem and verify=3) are optional; add them if you want the client to verify the server's identity when it connects.
Note that peer-proxy.pem can be obtained from the client software: after starting the stunnel client, right-click its icon and choose "Save Peer Certificate" -> "peer-proxy.pem".
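Added example, not from the original post: a small check over a stunnel.conf, written as a POSIX shell function around awk, for the two verification mistakes the configurations above make easy to commit. It flags a service with verify = 2 or 3 but no CAfile or CApath to check against (stunnel then has nothing to verify the peer with), and a client = yes service with no verify line at all, which is the client configuration above with the two optional lines left out, meaning the server is never authenticated. The function name check_stunnel_conf and the demo configuration it writes are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a check over a stunnel.conf for
# two verification mistakes. check_stunnel_conf is an assumed helper name.
set -eu

# Usage: check_stunnel_conf FILE ; prints one line per problem, exits 1 if any.
check_stunnel_conf() {
  awk '
    # value of key k for service s, falling back to the global section ("")
    function val(s, k) {
      if ((s, k) in kv) return kv[s, k]
      if (("", k) in kv) return kv["", k]
      return ""
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[ \t]*\[/ {                              # [service] header
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      order[++n] = sec; next
    }
    index($0, "=") {                           # key = value, trimmed
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      kv[sec, tolower(k)] = v                  # stunnel option names are case-insensitive
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]; v = val(s, "verify")
        if (v == "" && val(s, "client") == "yes") {
          print "[" s "] client = yes without verify: the server certificate is never checked"
          bad = 1
        }
        if (v + 0 >= 2 && val(s, "cafile") == "" && val(s, "capath") == "") {
          print "[" s "] verify = " v " but no CAfile or CApath to check the peer against"
          bad = 1
        }
      }
      exit bad
    }' "$1"
}

# Demo on a constructed client configuration: the client stunnel.conf above
# with the two optional lines (CAfile=peer-proxy.pem, verify=3) left out.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
CAfile=cacert.pem
cert=client.pem
client=yes
[proxy]
accept = 127.0.0.1:8080
connect = server.youdomain.com:990
EOF
if check_stunnel_conf "$DEMO_CONF"; then
  echo "no problems found"
else
  echo "fix the configuration before starting stunnel"
fi
```

Global options are inherited by every service section, so a CAfile set at the top of the file satisfies a verify level set inside [proxy], exactly as in the server configuration above. The check is deliberately narrow: it says nothing about whether the files named exist or whether the certificates in them are the right ones, which the openssl verify step covers.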