Stunnel.org  
   

Creating an HTTPS client with Stunnel, for BLOGging specifically

Supplied by Charlie Lindahl < stunnel@cyberchuck.org >

Using STUNNEL to encrypt a non-SSL client/server connection via Apache/SSL
*OR / AND*
Using a non-SSL blogging client to access a non-SSL blog service over an encrypted link

To whet the audience's appetite some, here's a quick ASCII diagram of my environment.

Non-encrypted configuration

+---------+      | |     +--------+    +---------+
| non-SSL | ---- | | --- | Apache | -- | non-SSL |
| enabled |      | |     | w/o    |    | enabled |
| client  |      | |     | SSL    |    | server  |
+---------+      | |     +--------+    +---------+
   CLIENT        NET     WEB SERVER      SERVICE

Encrypted version with STUNNEL

+---------+      | |     +--------+    +---------+
| non-SSL | -ST- | | --- | Apache | -- | non-SSL |
| enabled |      | |     | WITH   |    | enabled |
| client  |      | |     | SSL    |    | server  |
+---------+      | |     +--------+    +---------+
   CLIENT        NET     WEB SERVER      SERVICE

Note the position of STUNNEL: the "-ST-" in the diagram above. Only the client-to-web-server hop crosses the network; the hop from Apache to the blog service stays on the server.

Before I get into more specifics of my application, let me make some important points:

  • Only the client side needs to have STUNNEL, since SSL is provided within Apache
  • As with straight STUNNEL, no modifications are required to the client *or* the application server
  • Apache (with or without mod_ssl) has a *lot* of server-side security options (authentication, host/IP restrictions, client certificates) that can be used to protect the service in addition to the encryption

Specifics of my situation:

  • Blog service: Movable Type (http://www.moveabletype.org/)
  • Web server: Apache with SSL on LINUX
  • Client OSs: Windows (predominant), Macintosh (both classic Mac OS and OS X), LINUX/UNIX

Movable Type allows *authorized* end users to update a blog (basically a very flexible HTML-based diary).

Although the blog itself is a (set of) statically-generated HTML pages, updating (adding/modifying/deleting) entries requires an authenticated client, hence the need for encryption: without it the login credentials would cross the network in the clear.

MT comes with a web-based client which works fine under "https/SSL" (standard browser-to-SSL-server stuff). However, this web-based client has some limitations due to the standard limitations of the browser: no WYSIWYG editing is the primary limitation.

MT also provides a blog API which uses XML-RPC (mt-xmlrpc.cgi).

Quite a few very nice standalone blogging clients exist for the various platforms (Windows, Mac, UNIX/LINUX); see REFERENCES (below) for links. Unfortunately, I've been unable to configure the clients to run "bare" SSL/HTTPS over the MT blog API.

Enter STUNNEL.

Specific server configuration details

Since Apache/SSL terminates the SSL connection itself (using the same SSL library, OpenSSL, that STUNNEL is built on), no extra configuration is required on the server side: no separate STUNNEL process is needed there, and the blog service behind Apache is untouched.

Specific client configuration details

I'm using Windows (NT/Win2K/XP) for the client.

Steps:

  1. Download the Windows STUNNEL client and SSL libraries (if required)
  2. Edit the configuration file
  3. Start up STUNNEL from the command line
  4. Point my blog client to the STUNNEL pipe
  5. Blog away!

I'll leave step one as an exercise for the reader :)

Step 2 specifics: STUNNEL 4.x requires the use of a configuration file.

Below is my specific example (hostname changed to protect the innocent):


client=yes
verify=0
[pseudo-https]
accept  = 8080
connect = mybloghost.mydomain:443
TIMEOUTclose = 0

Two caveats before copying this configuration:

  • verify=0 tells STUNNEL to request the server's certificate and then ignore it, so the tunnel is encrypted but not authenticated: anyone who can intercept traffic between the client and mybloghost.mydomain can present their own certificate and read the blog credentials. For anything beyond a quick test use verify = 2 together with a CAfile pointing at the CA that issued the server certificate (or verify = 3 with the server's own certificate in CAfile). STUNNEL 4.x checks the certificate chain but not the hostname, so keep CAfile limited to the CA you actually trust for this host.
  • accept = 8080 with no host binds every interface, so any machine on the network can connect to port 8080 and reach the blog server through your tunnel. Use accept = 127.0.0.1:8080 unless other hosts are meant to use it.
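As an added example (my own code, not part of the stunnel distribution or of this page's original configuration), here is a small Python linter for stunnel 4.x client-mode configurations. It parses stunnel's INI-style file and flags the two weak settings discussed above: a verify level below 2 (the server certificate is never checked) and an accept without a host (stunnel listens on every interface). The weak configuration is copied from this page; the hardened counterpart and its CAfile path are constructed for illustration.

```python
"""Lint a stunnel 4.x client configuration for two tunnel weaknesses:
a 'verify' level that never checks the server certificate, and an
'accept' without a host, which binds every interface and turns the
tunnel into a network-wide relay to the blog server."""
import re
from typing import Dict, List, Tuple

# Hosts on which a personal client-side tunnel should listen.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Copied from the configuration on this page.
WEAK_CONF = """\
client=yes
verify=0
[pseudo-https]
accept  = 8080
connect = mybloghost.mydomain:443
TIMEOUTclose = 0
"""

# Constructed hardened counterpart; the CAfile path is an assumption.
HARDENED_CONF = r"""
client = yes
verify = 2
CAfile = C:\stunnel\blog-ca.pem
[pseudo-https]
accept  = 127.0.0.1:8080
connect = mybloghost.mydomain:443
TIMEOUTclose = 0
"""


def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Parse stunnel's INI-like syntax: 'key = value' lines, '[name]' section
    headers, comment lines starting with ';' or '#'. Options before the first
    section are global. Option names are case-insensitive in stunnel, so they
    are lowercased here (TIMEOUTclose -> timeoutclose)."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable stunnel option: {raw!r}")
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return global_opts, services


def lint_client_tunnel(text: str) -> List[Tuple[str, str]]:
    """Return (service, problem) pairs for every client-mode service."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[Tuple[str, str]] = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override globals
        if eff.get("client", "no").lower() != "yes":
            continue  # server-mode services are out of scope here
        # stunnel does no verification unless 'verify' is set: 0 requests and
        # ignores the certificate, 1 verifies it "if present", 2 and above
        # actually verify the chain. Treat anything below 2 as unverified.
        level = int(eff.get("verify", "0"))
        if level < 2:
            findings.append((name, f"verify={level}: server certificate is not "
                                   "checked, so the tunnel can be intercepted"))
        elif not (eff.get("cafile") or eff.get("capath")):
            findings.append((name, f"verify={level} without CAfile/CApath: "
                                   "no trust anchor to verify against"))
        accept = eff.get("accept", "")
        host = accept.rsplit(":", 1)[0] if ":" in accept else ""
        if host not in LOOPBACK:
            findings.append((name, f"accept={accept}: listens on all interfaces, "
                                   "any host on the network can use the tunnel"))
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_client_tunnel(conf) or "no findings")
```

Running it on the page's configuration reports both problems for the pseudo-https service; the hardened configuration passes. The linter deliberately treats verify = 1 as unverified because "verify if present" is not a guarantee you want your credentials to depend on.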

After starting STUNNEL on my Windows host (either manually or as a service), I configure my blog client as follows (w.bloggar as an example):

In File/Account Properties dialog, API tab:

HOST:    localhost
PAGE:    /moveabletype-home/mt-xmlrpc.cgi
PORT:    8080

Note for w.bloggar users: Do *not* click on the HTTPS button. The client must speak plain HTTP to localhost:8080; STUNNEL adds the SSL layer itself, so enabling HTTPS in the client would try to wrap SSL inside the tunnel and the connection would not work.

Now I can blog to my heart's content from home!

Some reference links