Stunnel: a general-purpose SSL encryption program

Source: Internet
Author: User
Tags: imap, stunnel
Stunnel is a program that uses SSL to encrypt any TCP connection. It runs on a variety of UNIX and Windows operating systems. In this way it effectively solves the problem that the traffic of existing applications cannot be protected with SSL: before Stunnel appeared, if secure data transmission was required, security could only be improved by adding SSL code to the application itself. Now you can leave the application alone; Stunnel solves the problem for you.
Stunnel is based on OpenSSL, so it requires that OpenSSL has been installed and configured correctly. It can add SSL to server software that does not itself support SSL; for example, you can use Stunnel to protect POP3, SMTP, and IMAP servers. The one drawback is that, to use the secured versions of these services, the client must itself support SSL.
Stunnel is open source. Its source code is not a complete product on its own, because it is built on OpenSSL: to compile and run it, you need an SSL library such as OpenSSL or SSLeay. Stunnel therefore supports whatever SSL library it is linked against (and only that), without changes to its own source code.
The Stunnel source code is released under the GNU license. That is to say, it can be freely used and modified in commercial and non-commercial applications, as long as you provide the source code, the modifications, and the software. The SSL library you compile Stunnel against is subject to its own license; however, OpenSSL and SSLeay are both open source and equally generous in their licensing.
Unfortunately, Stunnel has some limitations. On the server side, it can only transparently proxy Linux clients; on the client side, full certificate verification is not easy to perform. Even so, Stunnel is a very useful utility, and it should be a security tool in the toolbox of both programmers and system administrators. If you are developing your own software, you should be able to integrate Stunnel into your program easily.
If you are interested in network security and SSL, you can visit the Stunnel official website, http://www.stunnel.org, to download the latest Stunnel source code, help documentation, and examples.
With the descriptions above, I believe you have some knowledge of Stunnel. Next, I will illustrate an example of using Stunnel to encrypt MySQL (this is provided on the official Stunnel website and I am only translating it :).
Using stunnel 3.24 to encrypt the MySQL connection:
Since I have seen a lot of requests for information about encrypting MySQL connections, I think I should disclose this encryption solution to those interested in Stunnel. I successfully compiled Stunnel 3.14 based on OpenSSL 0.9.6 and encrypted the connection for MySQL 3.22.32. All operations were performed on Red Hat 6.2.
My MySQL clients include the mysql client application, the dbish application, and the Perl DBI module. To encrypt the connection between the mysql client and the server, you need to run two Stunnel instances, one on the client and the other on the server. I will call them the client and the server. The client Stunnel receives MySQL queries from the mysql client application, encrypts them, and sends the encrypted data to port 3307 on the server. On the other side, the Stunnel on the server listens on port 3307, decrypts the encrypted query requests, and forwards them to port 3306, MySQL's standard default port.
The command for running Stunnel on the client is:
./stunnel -P /tmp/ -c -d 3306 -r server:3307
The command for running Stunnel on the server is:
./stunnel -P /tmp/ -p stunnel.pem -d 3307 -r localhost:3306
Here I assume that the Stunnel binary has been compiled on both machines and that the Stunnel certificate file is in the current directory on both machines. However, you should protect the stunnel.pem file. It is therefore best to run Stunnel as a dedicated non-login user, with stunnel.pem owned by that user and its permissions set to 0400.
Now, from the client, you can access your MySQL database and enjoy the benefits of SSL encryption by running the following command:
mysql -h client -u yourdbuser -p
This is the same command you ran before using Stunnel; however, note that the -h option now specifies the machine running the Stunnel client daemon rather than the MySQL server daemon.
James Walden | "fall leaves blanket ground
Sr Internet Software Engineer | Redmond dreams darkly, beware
IMS, JFT-104, B-7 | winter brings penguins"
(503) 712-2241 | -- Kevin Hackman
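As an added example (not part of the mailing-list post above or the Stunnel project's documentation), here is the same MySQL tunnel expressed in the configuration-file format used by stunnel 4.x and later, since the command-line options in the post belong to stunnel 3.x. Assumptions: the dedicated non-login user is named stunnel, the files live under /etc/stunnel, and the client side holds a trusted copy of the server's certificate in /etc/stunnel/server-ca.pem so that it can perform the certificate verification the article notes is hard to get with the old command line.

```ini
; --- client machine: /etc/stunnel/mysql-client.conf (added example; paths and user are assumptions)
; Drop privileges to a dedicated non-login user so the daemon holds no more rights than it needs.
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel-mysql-client.pid
client = yes

[mysql-client]
; The mysql client connects here in plaintext, loopback only, so the
; unencrypted side is never exposed on the network...
accept = 127.0.0.1:3306
; ...and stunnel forwards it over TLS to the server-side stunnel on port 3307.
connect = server:3307
; Verify the server certificate against the trusted copy and check that the
; name matches, so an interposed host cannot impersonate the MySQL server.
verifyChain = yes
CAfile = /etc/stunnel/server-ca.pem
checkHost = server

; --- server machine: /etc/stunnel/mysql-server.conf
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel-mysql-server.pid
; Certificate plus private key (the stunnel.pem from the post); keep it mode 0400,
; owned by the stunnel user, as the post recommends.
cert = /etc/stunnel/stunnel.pem

[mysql-server]
; Accept TLS connections from client-side stunnels on 3307...
accept = 3307
; ...and hand the decrypted stream to the local MySQL server on its default port.
connect = 127.0.0.1:3306
```

Start each side with stunnel and the path of its file; on the client machine the mysql client then connects to 127.0.0.1 port 3306 (use the IP address rather than "localhost", which the mysql client treats as a Unix socket).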
The Stunnel home page has many examples of Stunnel encryption, for example how to use Stunnel to provide SSL support for IMAP servers. The Stunnel FAQ also provides help on everything from compilation to usage.
Unfortunately, there are no known commercial organizations supporting Stunnel. If you know of any, contact the FAQ maintainer. However, there is a great deal of help available, including:
Stunnel-announce mailing list: stunnel-announce-subscribe@mirt.net
Stunnel-users mailing list: stunnel-users-subscribe@mirt.net
You only need to send an empty email to one of the addresses above to subscribe and receive the support and guidance the Stunnel community provides.
Reference: Stunnel Official Website: http://www.stunnel.org
Nowadays, the SSL security protocol is widely used in server and client products on the Internet and on intranets, securely transmitting data between Web servers and browsers so that users can communicate with a Web site securely. This article describes the SSL security protocol and its application in Web server security.
I. Application of the SSL security protocol in Web servers
1. For high-speed Secure Sockets Layer (SSL) transactions over secure connections, an SSL offloading device in the form of a PCI card can be installed in the Web server. The advantages of this approach are:

(1) data is secured all the way from the client to the secure Web server;

(2) since the offloading device performs all SSL processing and completes the TCP/IP negotiation, throughput is greatly improved;

(3) key management and maintenance are simplified.
Adding SSL acceleration and offloading devices to the servers of e-commerce and other secure Web sites increases security and improves transaction processing speed. However, when the device is installed on the network as an appliance, the data between the device and the secure server is not encrypted. An SSL offloading device installed directly in the secure server as a PCI expansion card keeps the connection secure all the way from the browser to the server.

SSL can be used to protect sensitive information such as credit card numbers and stock transaction details during online transactions. SSL-protected Web pages have the "HTTPS" prefix, while unprotected pages use the plain "HTTP" prefix.
2. The new dedicated network device, the SSL accelerator, enables a Web site to meet its performance and security needs by performing all SSL processing in optimized hardware and software.

When SSL-capable browsers (Navigator and IE) communicate with Web servers (Apache and IIS), they use digital certificates to confirm each other's identity. A digital certificate is issued by a trusted third party and is used to obtain the peer's public key.

After the initial authentication is complete, the browser sends a 48-byte master key encrypted with the server's public key to the server, and the Web server decrypts the master key with its own private key. Finally, the set of symmetric keys that the browser and server use for encryption and decryption during the session is generated. Encryption algorithms can be configured explicitly or negotiated for each session. The most widely used encryption standards are the Data Encryption Standard (DES) and RC4.

Once this startup process is completed, the secure channel is established and confidential data transmission begins. Although initial authentication and key generation are transparent to users, they are far from transparent to Web servers. Since the startup process must be performed for each user session, the server CPU is heavily loaded and a severe performance bottleneck results. According to tests, when processing secure SSL sessions, standard Web servers can handle only 1% to 10% of their normal load.
II. Handling of the requests
Two types of keys are used for data encryption and decryption. A private key belongs to one entity and is never disclosed to outside entities; a public key can be distributed freely. Both keys are essential to the authentication process. Data encrypted with the public key cannot be decrypted with that same key; it must be decrypted with the private key.

SSL uses complex mathematical operations for data encryption and decryption, and the complexity of these operations grows with the cipher strength. This heavy computation stalls most servers, resulting in performance degradation. When most Web servers perform SSL-related tasks, throughput drops significantly, and performance is more than 50 times slower than when only plain HTTP 1.0 connections are served. In addition, because of the complex SSL authentication scheme and encryption/decryption algorithms, SSL consumes a lot of CPU resources, causing a large decline in Web server performance. The server bottleneck this weakness creates slows Web sites to a crawl, which inevitably leads to the loss of online customers.

To solve this performance loss, we can reduce the latency of SSL transactions by installing an SSL accelerator or offloader for the server. The accelerator improves transaction speed by executing some SSL processing tasks while relying on the secure Web server software to complete the rest. The offloader takes on all SSL processing tasks and does not require secure Web server software, so that Web servers can provide secure and non-secure services at the same speed. Because key management and maintenance do not rely on manual configuration of the application software, using an offloader is more efficient.
Most of these devices are installed as network appliances on rack-mounted or small-footprint network hardware. Because they provide encryption and decryption services for the entire network, data between the device and the Web servers is not encrypted.

Installing the SSL offloader directly in the server solves both the speed and the security problems. Encrypted data travels from the client over the Internet and the local network directly to the server; the offloader installed in that server decrypts the data and passes it directly along the PCI bus to the processor. The result is that the host server provides secure transaction services at the same speed as non-secure ones, while data remains protected throughout its transmission between client and server.

SSL acceleration devices emerged to solve the performance problems caused by the SSL protocol's heavy CPU demands; they are special network components that handle SSL tasks without increasing the burden on Web servers. With optimized hardware and software, dedicated SSL accelerators process SSL sessions 10 to 40 times faster than standard Web servers. In addition, the SSL accelerator frees up server resources that can then be used to process application logic and database queries, accelerating the whole site.

It is easy to integrate an SSL device into a network. A layer 4 to 7 switch or a server load balancer is configured to redirect all port 443 (HTTPS) requests to the SSL device. The device then takes over all SSL processing tasks, immediately freeing the Web server from that load. As the volume of secure traffic grows, more SSL devices can be deployed without additional management burden.

Recently, the SSL accelerator feature has been integrated into Web content delivery products such as server-side caches (the so-called "server accelerators"). The main advantage of this approach is that the server accelerator performs both SSL processing and object delivery.

Server accelerators configured with the SSL feature make it possible to use SSL extensively for secure content exchange on Web infrastructure: secure Web pages are delivered quickly and secure transactions are completed quickly.
III. How to implement Web and Internet security
After the Certificate Server is installed, we issue a certificate to our Web server, and the secure site is established. Enable the secure channel in IIS Manager (do not require client certificates yet, since there is no browser certificate), then access the site using HTTPS instead of HTTP. Does the system warn that there is a problem with the server certificate? Remember to install the root certificate in the browser; otherwise the server certificate is reported as invalid. If the root certificate is not installed in the browser, install it; and if other people visit the site over the Internet, you need to put the root certificate online for them to download. Installing the root certificate with IE is very easy: the browser prompts you to open or save it, you see the root certificate information, and you click Install Certificate. You may find, however, that Netscape cannot install the root certificate. The SSL protocol was first proposed and implemented by Netscape, and Netscape uses the MIME type application/x-x509-ca-cert for CA certificates. IE 3.1 began to support SSL, and at first its digital certificate files (.crt and .cer) used the same MIME type. From IE 5.0 on, the MIME type was changed to application/pkix-cert, which makes it difficult for Netscape to install the root certificate. This problem is easily solved: just register the MIME type application/x-x509-ca-cert in IIS. A newly issued certificate is sometimes reported by the browser as expired, because the browser treats the certificate as valid only from the day after its start date, and in addition the dates in a digital certificate are mostly GMT rather than local time; the problem can be worked around by adjusting the local time by one day. A "certificate expired" message may therefore mean not only that the certificate's end date has passed, but also that its start date has not yet been reached.
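As an added example (not code from the article), the following Python check reproduces the two causes of a spurious "certificate expired" report described above: a browser that only accepts a certificate from the day after its start date, and a local clock compared against GMT certificate dates as if it were itself GMT. The certificate validity window is constructed for illustration and is not a real certificate.

```python
from datetime import datetime, timedelta, timezone

# Timestamp format used in certificate dumps (openssl x509 -text, ssl.getpeercert()).
CERT_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed validity window for illustration only; this is not a real certificate.
SAMPLE_CERT = {
    "subject": "CN=www.example.test",
    "notBefore": "Mar 10 00:00:00 2001 GMT",
    "notAfter": "Mar 10 00:00:00 2002 GMT",
}


def parse_cert_time(value):
    """Parse a GMT certificate timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, CERT_TIME_FMT).replace(tzinfo=timezone.utc)


def validity_status(cert, now, start_grace_days=0):
    """Classify the aware instant `now` against the certificate's validity window.

    start_grace_days=1 models the browser behaviour the article describes:
    the certificate is only accepted from the day after its notBefore date.
    Returns 'not_yet_valid', 'valid' or 'expired'.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware: certificate dates are GMT")
    not_before = parse_cert_time(cert["notBefore"]) + timedelta(days=start_grace_days)
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def diagnose(cert, local_clock_iso, utc_offset_hours, start_grace_days=1):
    """Compare two ways of checking the window from a machine whose clock reads
    `local_clock_iso` (e.g. "2001-03-10T20:00:00") in the zone UTC+utc_offset_hours.

    'naive'   - the mistake behind many "certificate expired" reports: the local
                reading is compared with the GMT dates as if it were itself GMT.
    'correct' - the local reading is converted to UTC before comparing.
    """
    local_clock = datetime.fromisoformat(local_clock_iso)
    naive = validity_status(cert, local_clock.replace(tzinfo=timezone.utc), start_grace_days)
    zone = timezone(timedelta(hours=utc_offset_hours))
    correct = validity_status(cert, local_clock.replace(tzinfo=zone), start_grace_days)
    return {"naive": naive, "correct": correct}


if __name__ == "__main__":
    # A machine five hours behind GMT, on the evening of the issue date: the naive
    # check reports the certificate as not yet valid although it already is.
    print(diagnose(SAMPLE_CERT, "2001-03-10T20:00:00", -5))
    # The same machine after "adjusting the local time by one day": both agree.
    print(diagnose(SAMPLE_CERT, "2001-03-11T20:00:00", -5))
```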
Everything is ready; go to the secure Web page. There should be a small padlock in the IE status bar. Double-click the padlock to view the site certificate information and the entire certificate chain. Now you may ask, "How can I encrypt my data with SSL?" In fact, all the information exchanged between the browser and the Web server is already encrypted. SSL is a protocol that works between the network layer and the session layer; it adds an encryption layer between TCP/IP and HTTP. Encryption is therefore completely transparent to anyone working above the HTTP protocol, so forget the phrase "using SSL encryption" unless you are developing directly on sockets, for example writing your own network client.
Now I want to use SSL for more than just encryption. It is time to apply for a browser (client) certificate, and the process is not complicated. Besides the name, you fill in an email address, country, and similar fields. If you use IE to apply for a certificate, there may be many options, two of which are more meaningful. "Allow private keys to be exported" is useful for people who do not always access the Internet from the same machine: if you have applied for a certificate on one machine, you can export the certificate and private key and install them on another machine to use it there. "User protection" makes the browser prompt you whenever the private key is used, which usually happens before encryption and signing. The certificate installation process is usually automatic. After installation is complete, open Internet Options in IE, select the Content tab, and press "Certificates"; the client certificate should be in the Personal tab.
Now, in IIS Manager, set the site to require a client certificate, and then visit the site. A dialog box pops up in the browser asking you to select the client certificate to use; after that you go in, and nothing looks different. So how can SSL be used for identity authentication? In IIS 4.0 and above, this falls within the domain of the NT administrator. If you do not want to use NT's security mechanism, you need to obtain the other party's client certificate information and make your own decision. Generally, client certificate information is provided in server variables whose names begin with HTTPS_, for example on Apache and Domino; you can consult the documentation or write a small CGI program to list all server variables. For IIS, it is simpler:
You can use Request.ClientCertificate(Key[SubField]) to access the desired field, for example to display the country code of the client certificate. For the specific parameters, search for ClientCertificate in MSDN.
Implementation without writing code
1. The server has the CA (Certificate Server) installed
1. Install the CA on the server
Windows 2000 ships with a CA installation program. Click Start, Control Panel, Add/Remove Programs, and then click Add/Remove Windows Components. When the Windows Components Wizard appears, select Certificate Services. In the next step you need to specify the CA type; for an independent Web server, you can generally select Stand-alone Root CA. Then you need to specify the shared folder that serves as the configuration data storage location for the Certificate Service; click Next, and the installation is complete.
Note: When you create a CA, you assign its name yourself. In the client's IE, this CA is not initially among the root certification authorities trusted by the client; if the client does not add the CA as a trusted root certification authority, a security warning appears when the client accesses the Web site on the server.
2. Create and install a site certificate
The procedure is as follows:
A. Open IIS, select the site where the certificate is to be installed, right-click, select Properties from the pop-up menu, click the Directory Security tab in the dialog box, and click the Server Certificate button; the IIS Certificate Wizard dialog box appears. This step generates the key file for the CA digital certificate request, saved as a .txt file in a local directory.
B. Access the enrollment control and its form through the Certificate Server enrollment page:
The enrollment control can be accessed from the Certificate Server administration web page at http://localhost/certsrv on the machine where Certificate Services is installed. Select the Request a certificate option, and on the next page select Advanced request. Note that this option is required when you apply for a digital certificate for a Web site, because the certificate granted to the Web site must be generated from the specific key file produced in step A so that it is unique to that site. The User certificate request is generally intended for clients who need to access the Web site; it offers two options, Web browser certificate and E-mail protection certificate. A client uses the Web browser certificate option to apply for access to SSL-protected sites, while the E-mail protection certificate protects the information transmitted when the client sends and receives email. Next, on the Advanced Certificate Requests page, select "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file". This format matches the encoding of the key file generated in step A. Then upload the .txt key file from the current host to the web page via Browse and submit the application. The final screen notifies you that the request has been received and is waiting for the certificate authority's approval.
C. Microsoft's Certificate Services can be managed with MMC:
The server sends a certificate request to the CA. After you open Start / Programs / Administrative Tools / Certification Authority, you can see the Pending Requests folder, which contains all certificate requests awaiting the root authority's approval. If the CA decides that the application for this Web site is acceptable, right-click it and select Issue; the request moves to Issued Certificates, indicating that the application succeeded. This node contains all certificates approved and published by the certificate service administrator. If the CA decides the application is not acceptable, select Deny; the request moves to Failed Requests, indicating that the application failed. This node contains all rejected certificate requests. For a digital certificate that has been successfully issued, if the CA wants to cancel it, right-click the certificate and select Revoke; the certificate is moved to the Revoked Certificates folder, which contains all issued but revoked certificates.
D. After waiting for a while, the Web site that submitted the request can check its progress at http://localhost/certsrv. Select Check on a pending certificate and click Next. Select the pending request from the list and click Next. Select Base64 encoding for the downloaded file and click the Download CA certificate link to start the download. In this way the Web server receives its server certificate file. Open IIS, select the Web site that has been certified, right-click it, and select Properties. On the properties page, under Directory Security, click Server Certificate to start the Web Server Certificate Wizard, and select Process the pending request and install the certificate. Select the path of the digital certificate (the .cer file) downloaded in the previous step to start the installation. After the installation succeeds, the View Certificate and Edit buttons on the Directory Security tab change from disabled to enabled. The certification process for the whole Web site is complete.
3. Set certificate attributes
Click the Edit button on the Directory Security tab to set the Web site's certificate attributes. First, if you select the "Require secure channel (SSL)" check box, the site can no longer be accessed via HTTP, only via HTTPS. If this option is not selected, both HTTP and HTTPS coexist and can be used to access the Web site. If it is selected, three further options are available: Ignore client certificate, Accept client certificate, and Require client certificate. Ignore client certificate means client certificates are not accepted (the default): if the client browser has a client certificate installed, an Access Denied message is returned. Accept client certificate means certificates are accepted: access is allowed whether or not the client has a client certificate installed. Require client certificate means a client certificate is required: access is denied unless the client has a legitimate certificate issued by the root CA (here, the Certificate Server). To access such a Web site, the client must first obtain a certificate from the server, that is, the client must first submit a certificate application to the Web site it wants to access, and can access it only after receiving the digital certificate sent back by the server for the exchange of information between the two; otherwise the Web site rejects the client's access.
Different Web sites can set these three attributes differently.
4. SSL configuration of the client
Before SSL communication between a browser and a Web site can take place, the client must be able to recognize that the server certificate is valid. To achieve this, the client must contact the server's certificate authority, which in this case is the local Certificate Server. If you skip this step and connect directly to the SSL site, you first receive a security warning. The client browser needs to install the certificate in the browser's Trusted Root store. To install it, click View Certificate in the security warning dialog box to display a dialog box with the certificate information, then click Install Certificate to start the Certificate Import Wizard.
For clients, the SSL configuration is relatively simple. A client can choose whether or not to apply for a digital certificate, but if the Require client certificate attribute is set for the Web site the client accesses, the client must obtain a certificate from that Web site before accessing it. In other words, if the client wants access, it must first apply to the Web site.
The client requests a certificate by visiting http://servername/certsrv. The procedure is basically the same as for the Web site's own certificate, except that instead of Advanced request you use the Web browser certificate option under User certificate request. You only need to enter the client's details and submit the application, and then download the resulting digital certificate from the site to the local machine. In this way, when you access the Web site, a message box asking the client for its certificate is displayed, and the client selects the downloaded digital certificate to access the site.
Note: If the Web site's port number is not the default 80 but one you defined yourself, you must also set a distinct port number for the SSL port, so that HTTP and HTTPS use different ports. If the Web site uses the default port 80, no specific SSL port needs to be configured; its default port number is 443.
2. The server and the computer with the CA (Certificate Server) are separate machines
The process of applying for a digital certificate for the Web site is the same as in the previous section. However, whereas before the CA and the server were on the same machine and you could access http://localhost/certsrv, now the CA is on a machine separate from the server, so the application is made in the same way as a client's remote access, via http://caname/certsrv. The specific operations are the same as in the previous section. In this case, however, if Require client certificate is set for the Web site, it is hard for clients to access the site, because the client cannot send a certificate request to the Web site itself. Generally, it is best to use Accept client certificate.
