[TAG] Some stunnel questions (hopefully not too dumb)
Kapil Hari Paranjape
kapil at imsc.res.in
Fri Nov 30 07:27:06 MSK 2007
Hello,
On Thu, 29 Nov 2007, Harmon, Paul wrote:
> But my question is "How do I setup a similar scheme for the client?"
I confess to not being a user of stunnel4 (even though I should be!).
However, one need not actually do any "SSL-like" thing to connect to
an SSL server which does not require clients to authenticate using
SSL.
The option "client = yes" ought to do most of the work.
Next you need to decide on what port your stunnel will accept local
connections (say this is 1234) and what port on the remote side you
will connect (say this is 4321). You then put "local = 1234" and
"connect = remotehost:4321".
Finally, you start stunnel and then point your non-SSL aware client
to "127.0.0.1:1234".
To make the whole thing more SSL-like, there are two aspects:
1. Client verifies the server if you use
       CAfile = certfile
   where you replace certfile with the name of a file
   containing the self-signed certificate of the CA of your
   server certificate (or enough CA's to verify this server
   certificate).
2. Server uses SSL to authenticate the client if you use
       key = keyfile
       cert = pemfile
   where you replace keyfile with the name of the file
   containing your SSL private key and pemfile with the name
   of a file containing the certificate for your key. This
   certificate must be signed by a CA whose certificate is in
   the CAfile of the server. (Chaining of certs is also
   possible).
Hope this helps,
Kapil.
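As an added illustration (not part of the post above, and not from the stunnel project), a client-side stunnel4 configuration file that puts the pieces described in the thread together; the listening port is given with stunnel's `accept` option here, host name, ports and file paths are placeholders, and the `verify = 2` line assumes stunnel 4.x, where loading CAfile alone does not reject servers that fail verification.

```ini
; Added example configuration for a client-side stunnel4 (placeholder
; host, ports and paths; not taken from the original post).

; Run as an SSL client: accept plain connections locally, speak SSL to
; the remote side.
client = yes

; Server verification (aspect 1 in the post): CA certificate(s) that
; must sign the remote server's certificate. Assumption: stunnel 4.x
; semantics, where CAfile only supplies the trust store and
; "verify = 2" is what makes an unverifiable server certificate fatal.
CAfile = /etc/stunnel/ca-certs.pem
verify = 2

; Client authentication (aspect 2 in the post): our own private key and
; certificate, presented when the server asks for a client certificate.
; The certificate must chain to a CA listed in the server's CAfile.
cert = /etc/stunnel/client-cert.pem
key  = /etc/stunnel/client-key.pem

[myservice]
; Local port for the non-SSL-aware client (point it at 127.0.0.1:1234);
; binding to 127.0.0.1 keeps the plaintext side off the network.
accept  = 127.0.0.1:1234
; Remote SSL service that stunnel forwards to.
connect = remotehost:4321
```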