I've been trying to set up stunnel on the firewall to accept
SSL-encrypted connections and forward them to internal http
addresses.  This is for staff use only, so I don't care about having a
certificate signed by a public CA.  I do, however, want to require
users to have certificates.

I've finally worked out something that actually works, but as I'm
relatively new to this, I wanted to pass it by the list and see
whether anyone recognizes something I'm doing stupidly or something
that opens me up for some type of attack other than what one could do
on any SSL connection.  Here's the procedure:

mkdir /etc/stunnel
cd /etc/stunnel

Create CA key:
  openssl genrsa -des3 -out ca.key 2048

Create self-signed CA Certificate
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create CA pem
  cat ca.crt ca.key > ca.pem


Generate server certificate request
  openssl req -new -nodes -out server.csr -keyout server.key -newkey rsa:2048

Sign
  sign.sh server.csr
  enter key for ca
  result: server.crt

Create server pem
  cat server.crt server.key > server.pem


Generate user key (for each user)
  openssl genrsa -des3 -out user.key 2048

Generate certificate request
  openssl req -new -key user.key -out user.csr

Sign
  sign.sh user.csr
  enter key for ca
  result: user.crt

Create user.pem
  cat user.crt user.key > user.pem

Generate pkcs12
  openssl pkcs12 -export -out user.p12 -in user.crt -inkey user.key

Give user.p12 to user to import into browser.


Create hash symbolic links
  c_rehash -a /etc/stunnel

Verify -- all should be okay
  openssl verify -CApath . ca.pem
  openssl verify -CApath . server.pem
  openssl verify -CApath . user.pem


Now:
  stunnel -d server:server-port -a /etc/stunnel -p /etc/stunnel/server.pem -r internal:port -v 3
  will create a situation in which https://server:server-port will
  issue a certificate and accept connections from people only with
  client certificates signed by its signing authority.

As I said, this procedure works.  Does anyone see a problem with it?
Thanks for any advice.

--
E. Jay Berkenbilt <[EMAIL PROTECTED]>
http://www.ql.org/q/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
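The procedure above, as an added example that is not part of the original post: a POSIX shell script that builds the same kind of private CA plus server and user certificates non-interactively in a scratch directory, repeats the post's "openssl verify -CApath" check, and adds the negative check a client-certificate requirement depends on, namely that a certificate issued by an unrelated CA is rejected. It assumes openssl(1) on PATH, stands in "openssl x509 -req -CA ..." for the post's sign.sh, and leaves the keys unencrypted (no -des3) so nothing prompts; the hashed link it creates is what c_rehash would have created.

```shell
#!/bin/sh
# Added example, not from the original post: rebuilds the post's private
# CA -> server/user chain non-interactively in a scratch dir, repeats the
# "openssl verify -CApath" check, and adds the negative check a client-cert
# requirement depends on: a cert from an unrelated CA must be rejected.
# Assumptions: openssl(1) on PATH; sign.sh is replaced by "openssl x509
# -req -CA ..."; keys are unencrypted (no -des3) so nothing prompts.
set -e

# Builds the scratch PKI and prints its directory (subshell body: the cd
# does not leak into the caller).
build_pki() (
    dir=$(mktemp -d)
    cd "$dir"
    # CA key and self-signed CA certificate (as in the post)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/CN=Staff Test CA" 2>/dev/null
    # Server and user requests, both signed by that CA
    for name in server user; do
        openssl req -new -nodes -newkey rsa:2048 -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=$name" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 365 -out "$name.crt" 2>/dev/null
    done
    # Constructed negative case: an unrelated CA issues a cert with CN=user
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
        rogue-ca.key -out rogue-ca.crt -subj "/CN=Rogue CA" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -keyout rogue.key \
        -out rogue.csr -subj "/CN=user" 2>/dev/null
    openssl x509 -req -in rogue.csr -CA rogue-ca.crt -CAkey rogue-ca.key \
        -CAcreateserial -days 365 -out rogue.crt 2>/dev/null
    # Trust dir (CApath) holds only the CA certificate, hashed the way
    # c_rehash does it: <subject_hash>.0 -> ca.crt. No private keys here.
    mkdir certs && cp ca.crt certs/
    ln -s ca.crt "certs/$(openssl x509 -noout -subject_hash -in ca.crt).0"
    echo "$dir"
)

# 0 when $2 chains to the CA in $1/certs, non-zero otherwise
verify_cert() {
    openssl verify -CApath "$1/certs" "$2" >/dev/null 2>&1
}
# 0 when $2 is NOT accepted, as expected for the rogue-CA certificate
rejects_cert() {
    if verify_cert "$1" "$2"; then return 1; else return 0; fi
}

PKI=$(build_pki)
verify_cert "$PKI" "$PKI/server.crt" && verify_cert "$PKI" "$PKI/user.crt" \
    && rejects_cert "$PKI" "$PKI/rogue.crt" && echo "all checks passed"
```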
