Download the official Windows version of stunnel from:
https://www.stunnel.org/downloads.html
Select "stunnel-X.XX-installer.exe" and install it to a "writable" location. On Windows Vista/7/8, if stunnel is installed under C:\Program Files or C:\Program Files (x86), it will not be able to write its configuration or log files, and placing the user's certificate there is inconvenient. So, following the lazy and "green" (portable) principle, installing it somewhere else is recommended. In fact, you can also install it first, copy the entire program directory elsewhere, and then uninstall the original; stunnel then becomes a green program.
Here we assume that a new directory, C:\local, is created and that stunnel is installed here:
C:\local\stunnel
Then fetch the certificate file from your Linux server: /etc/stunnel/stunnel.pem. SCP is the suggested transfer method. The free PuTTY tool suite for Windows includes a PSCP program that can be used to transfer files securely.
Download the "putty.zip" toolkit: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (the first few entries are individual file downloads; here, download the entire ZIP package directly, at the place marked "A .ZIP file containing all the binaries (except PuTTYtel), and also the help files").
After downloading, decompress it to C:\usr\local\putty. Open a command-line window and cd to that directory.
c:\usr\local\putty> pscp [email PROTECTED]:/etc/stunnel/stunnel.pem .
If your SSH server port is not the default port 22, specify the port with -P PORT (the P is uppercase):
c:\usr\local\putty> pscp -P 12345 [email PROTECTED]:/etc/stunnel/stunnel.pem .
After the command runs, you will generally be asked to confirm that the server's fingerprint is correct; press "Y" and Enter to confirm. You will then be prompted to enter your password. Once the password is entered, the file is copied to the current directory.
If your SSH server is configured not to accept password logins and only allows key-based login, you have to import your SSH key with PUTTYGEN.exe, the program provided by PuTTY, export it in .ppk format, then run PAGEANT.exe and load the exported PuTTY-format private key. After that, PSCP can run the above command without asking for a password.
After that long digression on transferring the certificate, here is the stunnel configuration. The configuration file is C:\usr\local\stunnel\stunnel.conf:
First, let's configure the options for the debug log:
; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = .\stunnel.log
Similarly, a debug level of 7 is recommended for initial use; once debugging shows everything is normal, you can change it to the default of 5 or a smaller number. The log file specified by "output" is set to ".\stunnel.log", which means the software installation directory (the same location as stunnel.exe).
Next, specify the certificate file. This is the "stunnel.pem" file that was transferred from the Linux server. Put this file in the stunnel installation directory, and then write it into the config file:
; Certificate/key is needed in server mode and optional in client mode
cert = .\stunnel.pem
key = .\stunnel.pem
Please note that a relative path is used here as well. This certificate file is the "password" by which the client stunnel and the server stunnel authenticate each other, so be sure to store it safely. Only the parties holding this certificate can encrypt the communication over SSL, and a third party will not be able to see any information.
Finally, configure the service entry:
; Example SSL front-end to a web server
[https]
client = yes
accept = 8080
connect = 12.34.56.78:443
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
TIMEOUTclose = 0
Here we assume that your server's IP address is 12.34.56.78 and that the server-side stunnel listens on port 443, while the client on Windows listens on port 8080; that is, other programs can see that your local machine has an HTTP proxy listening on port 8080. Also note that you must specify "client = yes" to turn on stunnel's client mode.
Also, following the instructions in the comment, on the Windows platform we set "TIMEOUTclose" to 0.
As for the other services, add ';' at the beginning of every line, or simply delete them:
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
After saving the configuration file, double-click stunnel.exe in the installation directory to start it. If everything is normal, no window appears after the double-click, but a stunnel icon appears in the system tray. Right-click this icon to view the program log, restart the service, exit, and so on. If an error occurs, check the log file to troubleshoot the issue. Once testing succeeds, you can configure Windows to run "C:\usr\local\stunnel\stunnel.exe" automatically after startup, so you don't have to worry about it.
Finally, configure your browser to use this proxy; the proxy address is 127.0.0.1:8080.
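The following audit of the client configuration built above is an added example, not part of the original article or of stunnel itself. It relies on two documented stunnel behaviours: an "accept" value without a host listens on all local IPv4 addresses, and no peer certificate is verified unless a verify option is set. The function names and finding texts are hypothetical.

```python
import re

# Constructed sample: the client configuration assembled in this article.
SAMPLE_CONF = r"""
debug = 7
output = .\stunnel.log
cert = .\stunnel.pem
key = .\stunnel.pem
[https]
client = yes
accept = 8080
connect = 12.34.56.78:443
TIMEOUTclose = 0
;[gmail-pop3]
;client = yes
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_conf(text):
    """Return {section: {option: value}}; global options are stored under ''."""
    sections, current = {"": {}}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def verifies_peer(opts):
    """True if any certificate verification option is switched on."""
    if opts.get("verify", "0") != "0":
        return True
    return any(opts.get(k, "no").lower() == "yes" for k in ("verifychain", "verifypeer"))

def audit(text):
    """Return (section, finding) tuples for every client-mode service."""
    conf, findings = parse_conf(text), []
    if conf[""].get("debug") == "7":
        findings.append(("global", "debug = 7 still set"))
    for name, opts in conf.items():
        merged = {**conf[""], **opts}  # global values act as service defaults
        if not name or merged.get("client", "no").lower() != "yes":
            continue
        if merged.get("accept", "").rpartition(":")[0] not in LOOPBACK:
            findings.append((name, "accept not bound to loopback"))
        if not verifies_peer(merged):
            findings.append((name, "peer certificate not verified"))
    return findings
```

For the sample, audit(SAMPLE_CONF) reports all three findings; writing the listener as "accept = 127.0.0.1:8080", as the commented-out gmail services do, clears the loopback finding.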
Configuration of the Windows system Stunnel client