HI
Download Win32 OpenSSL v0.9.8g :
http://www.slproweb.com/products/Win32OpenSSL.htmland stunnel-4.21-installer.exe
http://www.stunnel.org/download/binaries.htmlAnd follows precisely this tutorial from the wiki on the forum:
http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server(ALTERNATE SOLUTION FOR SSL CERTIFICATE: A simpler solution is to generate a certificate ssl with a program like fillezilla server ( http://sourceforge.net/project/showfiles.php?group_id=21558&package_id=21737 ), and edit and past the contents in the file *.Pem
Then fill out the file pem.conf with the same informations as those captured to generate the certificate.
For configuring the tutorial remains valid)Essentials parts of the wiki:
2. Run “stunnel.exe” and open the log. Find the version of openssl used for compiling with stunnel:
“0.9.8g” at the time of writing.
Extract this version of “openssl.exe” from “openssl.zip” or download it directly to your Stunnel directory
3. Open a text editor (e.g. notepad) and copy/paste the following entries:
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = XX
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
0.commonName = Common Name (FQDN of your server)
[ cert_type ]
nsCertType = server
Save this file as “pem.conf” in the stunnel directory.
4. Delete the “stunnel.pem”, which contains a default server certificate and privatekey.
It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing!
In order to produce pem-file with a unique secure private key / server certificate, open a text editor (e.g. notepad) and copy/paste the following entries:
openssl.exe req -new -x509 -days 3650 -nodes -config pem.conf -out stunnel.pem -keyout stunnel.pem
Save this file as “create_pem.bat” in the stunnel directory. Run “create_pem.bat”,
answer the questions in the dialog and enter whatever you like.
Note: The Common Name (FQDN) is required and should be the hostname of the machine running stunnel e.g.
www.myhomeserver.net.
If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.
Each time you run “create_pem.bat”, a new “stunnel.pem” file with a unique random private key and self assigned server certificate with 10 years validity will be created.
It is extremely important to keep this stunnel.pem file secret! It contains your private key for the encrypted traffic! Do not back-up, but create a new one if necessary.
5. Edit “stunnel.conf” with a text editor and to obtain the following content:
; Lines preceded with a “;” are comments
; Empty lines are ignored
; For more options and details: see the manual (stunnel.html)
; File with certificate and private key
cert = stunnel.pem
key = stunnel.pem
; Log (1= minimal, 5=recommended, 7=all) and log file)
; Preceed with a “;” to disable logging
debug = 5
output = stunnel.log
; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Data compression algorithm: zlib or rle
compression = zlib
; SSL bug options / NO SSL:v2 (SSLv3 and TLSv1 is enabled)
options = ALL
options = NO_SSLv2
; Service-level configuration
; Stunnel listens to port 443 (HTTPS) to any IP
; and connects to port 44300 (HFS) on localhost
[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0Save the edited “stunnel.conf”.
6. Stunnel is now configured to accept HTTPS requests from any IP on port 443 of your PC and connects with HTTP to port 44300 on the same PC (127.0.0.1).
Do not forget: Port 443 and 44300 on this PC have to be opened in a
firewall and routers have to forward port 443 to your PC.
Do not forward port 44300 on your router.
7. Start HFS to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply” in order to ban every IP except 127.0.0.1 to block direct http access to HFS with a “Host not found” message.
Within a “friendly” network you could consider to add e.g. “\192.168.*” to allow direct HTTP access to HFS from all machines in your network.
8. Test your configuration carefully. You might to want to change the debug mode to debug = 7 in the stunnel.conf file for more log details.
9. Additionally, you might want also to have an HTTP welcome page, which links to your HTTPS enabled pages and contains instructions for your visitors how to handle a self signed server certificate and the related error messages of some browsers with it: Run a second, independent instance of HFS on port 80, modify the template and link from there to your secure Stunnel-HFS server.
