stunnel configuration example

Introduction to stunnel

stunnel is an open-source, cross-platform program that encrypts network communication. It adds an encryption layer on top of services that have no native encryption support (such as FTP and Telnet) without any change to those services' code.

stunnel has two roles, client and server; the traffic between them is encrypted using X509 certificates. On first installation stunnel automatically generates a self-signed certificate for this purpose, but it recommends that users generate their own.

Generating a stunnel certificate

Generating a self-signed certificate with OpenSSL is straightforward. On a Linux system with OpenSSL installed:

$ openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

The only parameter in the command above that needs attention is -days 365, which sets the validity period of the self-signed certificate and can be changed as needed. The command then prompts for some information; pressing Enter at every prompt accepts the defaults.

Output:

Generating a 2048 bit RSA private key
..+++
.............................+++
unable to write 'random state'
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

The certificate has now been generated in the current directory. The file contains both the private key and the certificate, and cat stunnel.pem shows roughly the following:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The generated file should be stored in a safe location, such as the default configuration directory described below.

stunnel configuration

Default location of the stunnel configuration file:

  • Linux: /etc/stunnel

  • Windows: C:\Program Files (x86)

Server configuration

A typical server configuration looks like this:

    ; certificate the server presents
    cert = /etc/stunnel/stunnel.pem
    ; private key the server uses
    key = /etc/stunnel/stunnel.pem
    ; certificate(s) used to verify the client
    CAfile = /etc/stunnel/stunnel.pem
    ; verification mode, explained below
    verify = 3
    ; the server side is configured with client = no
    client = no
    
    [telnet]
    ; [HOST:]PORT; without HOST, stunnel listens on all IPv4 addresses
    accept = 1234
    ; [HOST:]PORT
    connect = 127.0.0.1:6789
    
    [ftp]
    accept = 12345
    ; replace with the port of the local FTP service (must be 1-65535)
    connect = 127.0.0.1:2121

The verify option specifies how the peer's certificate is checked:

  • not set: the certificate presented by the client is not verified.

  • verify = 1: if the peer presents a certificate it is verified; if it presents none, the connection is accepted.

  • verify = 2: the certificate's CA must match what CAfile specifies, otherwise the connection is rejected.

  • verify = 3: both the certificate's CA and the certificate itself must match what CAfile specifies, otherwise the connection is rejected.

For self-signed certificates, verify = 3 is recommended; the certificate then has to be distributed to the client out of band over a secure channel.

Client configuration

The corresponding client configuration:

    ; the client's certificate; it must match the server's CAfile to pass verification
    cert = /etc/stunnel/stunnel.pem
    ; the client side is configured with client = yes
    client = yes
    
    [telnet]
    ; [HOST:]PORT
    accept = 127.0.0.1:6789
    ; replace {serverip} with the server's address
    connect = {serverip}:1234

No verify option is set here; the server's legitimacy generally does not need to be verified. If the server should be authenticated as well, the client can set verify = 3 together with a CAfile pointing at the same certificate, so that only that server is accepted.
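As an added example (not code from the original post or from the stunnel project), a small Python linter that parses this configuration format and checks the points made above: a verify level of 2 or higher needs a CAfile to compare against, a client without verify accepts any server certificate, and every accept/connect endpoint must carry a valid port. The embedded sample configuration is constructed from the server example on this page, with the FTP backend port deliberately out of range.

```python
# Constructed sample in stunnel.conf syntax (a line starting with ';' is a comment).
SAMPLE_CONF = """\
; global options come before the first [service] section
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
verify = 3
client = no
[telnet]
accept = 1234
connect = 127.0.0.1:6789
[ftp]
accept = 12345
connect = 127.0.0.1:67890
"""

def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}) with lower-cased keys."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services

def lint_stunnel_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    g, services = parse_stunnel_conf(text)
    findings = []
    verify = int(g.get("verify", "0"))
    if verify >= 2 and "cafile" not in g:
        findings.append("verify >= 2 needs CAfile to compare the peer certificate against")
    if g.get("client", "no").lower() == "yes" and verify == 0:
        findings.append("client = yes without verify: any server certificate is accepted")
    for name, opts in services.items():
        for field in ("accept", "connect"):
            port = opts.get(field, "").rsplit(":", 1)[-1]  # '[HOST:]PORT' -> PORT
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                findings.append(f"[{name}] {field} is missing or has an invalid port")
    return findings
```

Running lint_stunnel_conf over the client example above reports the missing verify, which is the case the previous paragraph describes.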
