Stunnel.org  
Examples
Note from webmaster: I always advocate using a webserver with SSL built in, such as Apache+mod_ssl or Apache-SSL, rather than jury-rigging something with Stunnel. This contains some great OpenSSL, Stunnel, and certificate setup information.


################################################################################
This HOWTO document covers the steps required to create a working SSL wrapper
for your port 80 web server.
It assumes you are running on a Windows operating system.

This HOWTO was written by Rob Clarke, based on instructions gleaned from the
following places.

http://www.openssl.org
http://www.stunnel.org

This is Revision 0.1 of this document.

Thanks to Brian Hatch for placing a copy of this document at 
http://www.stunnel.org/examples/https_windows.html

I'll be keeping the original here at
http://www.geocities.com/ahremsee/SSLHOWTO-0.1.txt

################################################################################

Contents.
---------
0.	Change-log
1.	Starting Off
2.	Installing Active Perl
3.	Installing a C Compiler
4.	Installing OpenSSL
5.	Configuring OpenSSL
6.	Installing Stunnel
7.	Configuring Stunnel
8.	Create Certificate Request
9.	Signing the Certificate
10.	Running the SSL Server

================================================================================
0. Change-log
================================================================================

Revision 0.1	Initial Revision, Released on 20th May 2003


================================================================================
1. Starting off.
================================================================================

What you need.

a cup of tea/coffee.
a copy of activeperl - go to http://www.activestate.com.
a copy of gcc        - go to http://cr.yp.to/mirror/gcc-2.95.2-msvcrt.exe
a copy of openssl    - go to http://www.openssl.org
a copy of stunnel    - go to http://www.stunnel.org/download/
a copy of zip/rar/ace archive tools.


================================================================================
2. installing active perl
================================================================================

there are no special steps required to install active perl.
simply open the distribution executable and follow all the default options.


================================================================================
3. installing c compiler
================================================================================

install gcc.
make a note of the installation directory
again simply open the distribution executable and follow all the default options.

add the following to your environment variable PATH: "<#gcc installation directory#>\bin"

you should now be able to enter the following command "gcc -v" from a command shell.
you should get a message "gcc version 2.95.2 19991024 (release)" or something similar.


================================================================================
4. installing openssl
================================================================================

unzip/untar the openssl distribution into a folder on your server
for example use "c:\openssl-0.9.7"

start a command prompt and CD to "C:\openssl-0.9.7"
run the following command "ms\mingw32 >  make.out"

don't run this from the "ms" folder, run it from the "C:\openssl-0.9.7" folder!

whilst you're waiting drink your tea/coffee!

you will get between five and ten lines of warnings still written to the screen.
don't worry about them.
the important upshot of the make is that there will be an "out" folder created
with all the OpenSSL binaries in it.

Also the OpenSSL DLLs will be created in your current working folder.

================================================================================
5. Configuring OpenSSL
================================================================================

When configuring OpenSSL, we create a local Certificate Authority.
This allows us to generate certificate requests and convert them into real certificates
without having to spend large amounts of money with the real CAs.

----------------------------------------------------------------------------------------------------

open a command prompt and CD into the "openssl-0.9.7a" folder you've just created.

then enter the following command

"perl apps/CA.pl -newca"

take a look at the output below that shows you what you need to enter.
remember you will need to supply and remember a pass phrase that will be used 
by the Certificate Authority when signing certificates. DO NOT LOSE THIS PASS PHRASE!

in the example we used "the quick brown fox".


>  C:\openssl-0.9.7a> perl apps/CA.pl -newca
>  CA certificate filename (or enter to create)
>  
>  Making CA certificate ...
>  Loading 'screen' into random state - done
>  Generating a 1024 bit RSA private key
>  ................++++++
>  .........................++++++
>  writing new private key to './demoCA/private/cakey.pem'
>  Enter PEM pass phrase: #the passphrase goes in here#
>  Verifying - Enter PEM pass phrase: #the passphrase goes in here#
>  -----
>  You are about to be asked to enter information that will be incorporated into your certificate request.
>  What you are about to enter is what is called a Distinguished Name or a DN.
>  There are quite a few fields but you can leave some blank
>  For some fields there will be a default value,
>  If you enter '.', the field will be left blank.
>  -----
>  Country Name (2 letter code) [AU]:GB
>  State or Province Name (full name) [Some-State]:Derbyshire
>  Locality Name (eg, city) []:Lockington
>  Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Authority Name
>  Organizational Unit Name (eg, section) []:Authority Department
>  Common Name (eg, YOUR name) []:My full name
>  Email Address []:mymail@mycompany.com
>  
>  C:\openssl-0.9.7a> 

this will create a folder "demoCA" in the "openssl-0.9.7a" folder. 
this folder contains all the certificate authority files and security keys. 
if you need to re-create this CA (if you've forgotten your pass phrase, for example)
then delete the folder and re-run this configuration step.


================================================================================
6. Installing Stunnel
================================================================================
unzip/untar the stunnel distribution into a folder on your server
for example use "c:\stunnel-4.04"

you will need to make sure that you edit the following file

"c:\stunnel-4.04\src\makefile.w32"

containing the following line

"SSLDIR=../openssl-0.9.7"

you will be running the make from inside the "c:\stunnel-4.04\src" folder 
so edit this line to point to the correct "OPENSSL" folder. 

in our examples this would be

"SSLDIR=../../openssl-0.9.7a"

save the file.

open up a command prompt and cd to the "stunnel-4.04" folder. 
within this folder cd to the "src" folder

now execute "make". 
as before run the command exactly as indicated here from the folder indicated here.

this will generate the following output

>  C:\stunnel-4.04\src> make
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c stunnel.c -o stunnel.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c ssl.c -o ssl.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c client.c -o client.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c protocol.c -o protocol.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c sthreads.c -o sthreads.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c log.c -o log.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c options.c -o options.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c sselect.c -o sselect.o
>  gcc -g -O2 -Wall -DUSE_WIN32 -DHAVE_OPENSSL -I../../openssl-0.9.7a/outinc   -c gui.c -o gui.o
>  gui.c: In function `service_main':
>  gui.c:662: warning: passing arg 2 of `RegisterServiceCtrlHandlerA' from incompatible pointer type
>  windres resources.rc resources.o
>  gcc -s -o stunnel.exe stunnel.o ssl.o client.o protocol.o sthreads.o log.o options.o sselect.o gui.o resources.o -L../../openssl-0.9.7a/out -leay32 -lssl32 -lwsock32 -lgdi32 -mwindows
>  
>  C:\stunnel-4.04\src> 

It should have created a "stunnel.exe" file in the current working directory.


================================================================================
7. Configuring STUNNEL
================================================================================
Since we're going to be collating files from all over the place here, your best bet next is to 
create a new folder to hold all of the configuration files that will be used to create/hold our
stunnel SSL wrapper configuration.

create a folder named "C:\SSL"

copy the following files into this folder.

c:\openssl-0.9.7a\libeay32.dll
c:\openssl-0.9.7a\libssl32.dll
c:\openssl-0.9.7a\out\openssl.exe
c:\stunnel-4.04\src\stunnel.exe
c:\stunnel-4.02\doc\stunnel.cnf

================================================================================
8. create a new certificate request
================================================================================

open a command prompt and CD into the "SSL" folder you've just created.

then enter the following command

"openssl req -new -days 365 -nodes -config stunnel.cnf -out newreq.pem -keyout stunnel.pem"

take a look at the output below that shows you what you need to enter.

>  C:\SSL> openssl req -new -days 365 -nodes -config stunnel.cnf -out newreq.pem -keyout stunnel.pem 
>  Loading 'screen' into random state - done
>  Generating a 1024 bit RSA private key
>  ..++++++
>  .........++++++
>  writing new private key to 'stunnel.pem'
>  -----
>  You are about to be asked to enter information that will be incorporated into your certificate request.
>  What you are about to enter is what is called a Distinguished Name or a DN.
>  There are quite a few fields but you can leave some blank
>  For some fields there will be a default value,
>  If you enter '.', the field will be left blank.
>  -----
>  Country Name (2 letter code) [AU]:GB
>  State or Province Name (full name) [Some-State]:Derbyshire
>  Locality Name (eg, city) []:Lockington
>  Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Ltd
>  
>  Organizational Unit Name (eg, section) []:Development
>  Common Name (eg, YOUR name) []:####THE FQDN OF YOUR WEB SERVER####
>  Email Address []:mymail@mycompany.com
>  
>  Please enter the following 'extra' attributes
>  to be sent with your certificate request
>  A challenge password []:
>  An optional company name []:
>  
>  C:\SSL> 

you will now have two new files in your folder. "newreq.pem" and "stunnel.pem".

================================================================================
9. signing the certificate
================================================================================

now that you've generated the certificate request ("newreq.pem"), 
copy it to the "openssl-0.9.7a" folder.

then start a command prompt and CD to the "openssl-0.9.7a" folder.

to sign the file that you've copied into this folder execute the following command

"perl apps/CA.pl -sign"

remembering that you will need the pass phrase that you created the demoCA with !!!

take a look at the output below that shows you what you need to enter.

>  C:\openssl-0.9.7a> perl apps/CA.pl -sign
>  Using configuration from ./stunnel.cnf
>  Loading 'screen' into random state - done
>  Enter pass phrase for ./demoCA/private/cakey.pem: #THE PASSPHRASE GOES IN HERE#
>  Check that the request matches the signature
>  Signature ok
>  Certificate Details:
>          Serial Number: 1 (0x1)
>          Validity
>              Not Before: Mar 31 13:41:36 2003 GMT
>              Not After : Mar 30 13:41:36 2004 GMT
>          Subject:
>              countryName               = GB
>              stateOrProvinceName       = Derbyshire
>              localityName              = Lockington
>              organizationName          = My Company Ltd
>              organizationalUnitName    = Development
>              commonName                = FQDN OF MY WEB SERVER
>              emailAddress              = mymail@mycompany.com
>          X509v3 extensions:
>              X509v3 Basic Constraints:
>              CA:FALSE
>              Netscape Comment:
>              OpenSSL Generated Certificate
>              X509v3 Subject Key Identifier:
>              A9:8B:A6:72:0C:B8:0A:DD:32:C9:7F:CF:B2:0E:CA:06:44:C8:B0:65
>              X509v3 Authority Key Identifier:
>              keyid:BF:5E:7E:3A:A3:69:B7:96:EE:62:37:E5:41:78:53:65:93:15:A0:43
>              DirName:/C=GB/
>              serial:00
>  
>  Certificate is to be certified until Mar 30 13:41:36 2004 GMT (365 days)
>  Sign the certificate? [y/n]:y
>  
>  
>  1 out of 1 certificate requests certified, commit? [y/n]y
>  Write out database with 1 new entries
>  Data Base Updated
>  Signed certificate is in newcert.pem
>  
>  C:\openssl-0.9.7a> 

this will take the "newreq.pem" file and produce a digitally signed version and write it to a file named "newcert.pem".

================================================================================
10. Running the server
================================================================================
in the C:\SSL folder create a file named "stunnel.conf"
edit this file and type the following into it


	#Stunnel server configuration file
	key=c:\ssl\stunnel.pem

	#up this number to 7 to get full log details
	#leave it at 3 to just get critical error messages
	debug=3
	output=c:\ssl\output.log

	[stunnel]
	accept=443
	connect=80

next you will need to combine the contents of two files:
the signed certificate "c:\openssl-0.9.7a\newcert.pem" and the key file "c:\ssl\stunnel.pem"

the quickest way to accomplish this is to issue the following command, 
with the current working directory as "c:\ssl"

"type c:\openssl-0.9.7a\newcert.pem >> stunnel.pem"

once all of these steps have been completed, the server can be started by the following command

"stunnel.exe stunnel.conf"
----------------------------------------------------------------------------------------------------

you can now connect to your server using the "https" protocol as well as the "http" protocol.
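As an added check (example code written for this page, not part of the HOWTO or of the stunnel or OpenSSL projects), the following Python script inspects the combined "stunnel.pem" produced in step 10 for the usual mistakes: the certificate missing because the "type ... >>" command was never run, the certificate appended twice because it was run twice, or a passphrase-protected key, which stunnel cannot unlock when it runs unattended (the "-nodes" option in step 8 is what keeps the key unencrypted). The PEM bodies in the sample are constructed filler, not real key or certificate material.

```python
import re

# Constructed sample of what C:\SSL\stunnel.pem should look like after step 10:
# the unencrypted key from "openssl req -nodes ... -keyout stunnel.pem", followed by
# the signed certificate appended with "type newcert.pem >> stunnel.pem".
# The base64 bodies are dummy filler, NOT real key or certificate material.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDdummykeymaterialdummykeymaterialdummykeymaterial00
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICdummycertificatematerialdummycertificatematerialdummycert00
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN/END labels must match (backreference \1).
_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return a list of (label, headers, body) for each PEM block, in file order."""
    blocks = []
    for m in _BLOCK.finditer(text):
        label, inner = m.group(1), m.group(2)
        headers, body = [], inner
        # RFC 1421-style headers such as "Proc-Type: 4,ENCRYPTED" precede a blank
        # line; base64 never contains ':', so a colon on the first line means headers.
        if ":" in inner.split("\n", 1)[0]:
            head, _, body = inner.partition("\n\n")
            headers = [h.strip() for h in head.splitlines() if h.strip()]
        blocks.append((label, headers, body.strip()))
    return blocks


def check_stunnel_pem(text):
    """Report structural problems with a combined key+certificate file for stunnel."""
    blocks = parse_pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if not certs:
        problems.append("no certificate block: was newcert.pem appended?")
    elif len(certs) > 1 and certs[0][2] == certs[1][2]:
        problems.append("certificate appears twice: the append command was run more than once")
    for label, headers, _ in keys:
        encrypted = label.startswith("ENCRYPTED") or any(
            h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)
        if encrypted:
            problems.append("private key needs a passphrase; stunnel cannot prompt for it unattended")
    return {"labels": [b[0] for b in blocks], "problems": problems}
```

Because the key in this file is unencrypted by design, the only thing protecting it is the filesystem, so restrict read access on C:\SSL\stunnel.pem to the account stunnel runs under.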