Today I got the opportunity to play around with an open-source application named STunnel. Its purpose is simple: some applications are dumb and don't understand SSL. STunnel understands it for them, accepting the encrypted connection on one port and handing the decrypted traffic to the application on its own plain-text port.
Bullying aside, it had a perfect application today when I wanted to move two websites over to a secure login page. Why didn't I just use Apache or IIS, you might ask? This particular website happens to come from a 3rd party vendor who made their own web server to… get this… serve websites written in their own custom language. I don't understand why anyone would do that in this day and age, what with the 10,000+ languages already available and the 1,000+ web server platforms available. (On top of all that, they use a proprietary database!)
Long story short, the third party had a module ($695) to enable SSL in their web server, which I will refer to as Peggle from here on out. The recommendation to use STunnel came from this vendor's own website, which seems to contradict their money-making plans. My guess is someone chewed their asses out about not having SSL out of the box. Whatever the reason, I will consider them less cruel for at least dropping the recommendation on their website as a free alternative to their solution. For all I know, their solution is installing STunnel for you for $695.
Back to Peggle. It does one thing: it serves requested pages on a specific port. Incorporating SSL is really beyond its scope, much as it is for Mongrel. Whereas Mongrel sits behind Apache (or some other web server) that terminates SSL on its behalf, STunnel just "takes care of it": it listens on the SSL port itself and forwards the decrypted requests to Peggle's plain port, so Peggle never has to change.
After finding a lack of documentation (and even worse documentation for Windows), I decided to write my own, much briefer, much more straight forward version. Hopefully, some poor soul will wander across this article searching for enlightenment.
Make sure that you have OpenSSL available to you in some form or fashion. Watching Certificate Requests getting generated on Windows makes babies cry, so your best bet is to take someone with a Unix machine out to lunch to get some terminal time.
- Locate a machine with OpenSSL (Windows, Mac, Linux – it doesn’t matter)
- Run the command: openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr (the -nodes flag leaves the private key unencrypted, which STunnel needs in order to start without someone typing a passphrase; it also means the file permissions on server.key are the only thing protecting the key, so keep it out of shared folders)
- Answer the certificate questions, keeping in mind that the common name must be the exact FQDN users will type for your website; any mismatch makes every browser warn on every visit
- Locate the generated server.csr file and submit this to your Certificate Authority for signing.
- Transfer the server.key file to the machine you are installing STunnel to, if it is not the same.
- Download Stunnel from here – note that Windows binaries are generously provided
- Run the STunnel installation – the default path will install to "C:\Program Files\stunnel"
- Get the signed certificate returned from your Certificate Authority (above), and drop this somewhere safe. You will need to refer to this location in a moment
- Locate the path for the server.key file generated earlier
- You now need to combine your key file and your signed certificate into one single file, in that order: the private key block first, then the signed certificate, then any intermediate CA certificates your CA returned. I named my file "stunnel.pem". Treat it with the same care as server.key, since it contains the key.
- Open up the file stunnel.conf and replace its contents with the following configuration. Note that the option for the combined file is cert, not key; key is only needed when the private key lives in a separate file.
#Stunnel server configuration file
#This is the path to your combined key / signed certificate file
cert = C:\Program Files\stunnel\stunnel.pem
#up this number to 7 to get full log details
#leave it at 3 to just get critical error messages
debug = 3
output = C:\Program Files\stunnel\output.log
#These are definitions for services.
[system1]
accept = 443
connect = 80
[system2]
accept = 8001
connect = 8000
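Here is the key, CSR and combined-PEM procedure from the steps above, scripted for the Unix machine the post suggests you borrow for OpenSSL. This is an added example written for this article, not part of the original post and not tooling from the stunnel project. It assumes the openssl command-line tool is installed, that the key is RSA (the modulus comparison in the check step is RSA-only), and that the CA hands back a PEM certificate. The combine step refuses to write a file that is missing either the key or the certificate (a CSR passed in by mistake is rejected too), and the check step confirms that the key inside the combined file really belongs to the certificate, a mismatch that otherwise only shows up as a failed STunnel start.

```shell
#!/bin/sh
# stunnel-pem.sh: prepare and check the combined key/certificate file for stunnel.
# Added example for this article, not stunnel's own tooling. Assumes the openssl CLI.
set -u

# 1. Key and CSR. -nodes leaves the private key unencrypted (stunnel must start
#    without a passphrase), so the file permissions are the only protection it has.
make_csr() {                               # usage: make_csr www.example.com
    fqdn=$1
    openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
        -subj "/CN=$fqdn"
    chmod 600 server.key
}

# True if FILE holds a complete PEM block whose label ends in LABEL.
# "CERTIFICATE" therefore does not match a "CERTIFICATE REQUEST" (CSR) block.
pem_has_block() {                          # usage: pem_has_block FILE 'PRIVATE KEY'
    grep -q -e "-----BEGIN .*$2-----" "$1" && grep -q -e "-----END .*$2-----" "$1"
}

# 2. Build the combined file: key first, then the signed cert, then any
#    intermediate certs the CA supplied. Refuses to write a file missing either part,
#    and creates the output readable by the owner only (umask in a subshell).
combine_pem() {                            # usage: combine_pem KEY CERT OUT [CHAIN...]
    key=$1; cert=$2; out=$3; shift 3
    pem_has_block "$key" 'PRIVATE KEY' || { echo "no private key in $key" >&2; return 1; }
    pem_has_block "$cert" 'CERTIFICATE'  || { echo "no certificate in $cert" >&2; return 1; }
    ( umask 077 && cat "$key" "$cert" "$@" > "$out" )
}

# 3. Does the key in the combined file belong to the certificate? Compares the RSA
#    modulus of both; openssl reads the first key and the first cert it finds.
check_pair() {                             # usage: check_pair stunnel.pem
    k=$(openssl rsa  -in "$1" -noout -modulus) || return 1
    c=$(openssl x509 -in "$1" -noout -modulus) || return 1
    [ "$k" = "$c" ]
}

# 4. Once stunnel is running: complete a handshake against it and print the verify
#    result. "Verify return code: 0 (ok)" means the presented chain validates
#    against CAFILE, which is what the browser's padlock will also require.
probe_tls() {                              # usage: probe_tls www.example.com 443 ca.pem
    printf 'HEAD / HTTP/1.0\r\n\r\n' |
        openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" 2>&1 |
        grep 'Verify return code'
}

# Command-line dispatcher; with no arguments the script only defines the functions.
case "${1:-}" in
    csr)     make_csr "$2" ;;
    combine) shift; combine_pem "$@" ;;
    check)   check_pair "$2" ;;
    probe)   probe_tls "$2" "$3" "$4" ;;
esac
```

Typical use on the Unix box: sh stunnel-pem.sh csr www.example.com, send server.csr to the CA, then sh stunnel-pem.sh combine server.key signed.crt stunnel.pem intermediate.crt followed by sh stunnel-pem.sh check stunnel.pem before copying stunnel.pem to the Windows machine. The probe step is run from any client after STunnel is started.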
Once you have created your configuration file, you can start STunnel by running: stunnel.exe stunnel.conf. Remember that if anything goes wrong, you will probably have to kill it with Task Manager or by clicking on the system tray icon (in Windows). Additionally, check your output log file; it contains valuable information, and at debug=3 a startup failure (wrong path, key that does not match the certificate, port already in use) is usually the only thing in it.
Once you have the STunnel server running, you should be able to go to a URL in your browser such as "https://example.com:8001" and see that SSL is working. The SSL handshake is completed by STunnel itself, so it succeeds even if nothing is listening on the connect port yet; in that case the browser shows an empty page or a connection error rather than a padlock, but the certificate it received can still be inspected (through the browser's certificate viewer, or with openssl s_client from another machine) and should be the one signed by your CA for the exact host name in the URL.
Once you have the port encrypted, it is up to the individual application to answer the requests STunnel forwards to its connect port. Data sent to and from the accept port is encrypted using SSL, totally transparently to the web server. Three things follow from that transparency. First, Peggle's own port (80 or 8000 here) is still reachable in the clear by anyone who can route to it; unless it is firewalled or bound to the loopback address, users and attackers can keep using the unencrypted login page, so block those ports from outside the box. Second, Peggle sees every connection coming from STunnel on localhost, so its access logs will no longer show the real client address. Third, Peggle does not know the request arrived over HTTPS, so any absolute redirects or links it generates may still point at http:// URLs; check the login flow end to end.
So there we have it: Peggle is now SSL enabled without ever knowing the difference. On the STunnel-fronted ports, people's data (especially login credentials) no longer crosses the wire in the clear. The crowd goes wild…
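For comparison, the configuration below is an added example, not the post's own file, showing the same two services with the points a practitioner would want to tighten; it assumes a stunnel 4.x or later build, and the paths are the post's defaults. The connect line is made explicit so there is no doubt that traffic goes to the loopback interface (that still does not stop outsiders reaching port 80 directly; that part is a firewall rule, not a stunnel option), and the global options and ciphers lines keep the listener from negotiating the SSLv2/SSLv3 protocol versions and the anonymous or MD5-based cipher suites.

```ini
# stunnel.conf, hardened variant (added example; option names from the stunnel
# manual, paths as installed by the post's default Windows setup)
cert = C:\Program Files\stunnel\stunnel.pem
debug = 3
output = C:\Program Files\stunnel\output.log

# Global TLS settings, applied to every service below.
options = NO_SSLv2
options = NO_SSLv3
ciphers = HIGH:!aNULL:!MD5

# Encrypted listener for the main site. Peggle keeps serving plain HTTP on
# 127.0.0.1:80; block port 80 from outside the machine at the firewall.
[system1]
accept = 443
connect = 127.0.0.1:80

# Second site on a non-standard port; same pattern.
[system2]
accept = 8001
connect = 127.0.0.1:8000
```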