I'm trying to use stunnel to wrap syslog-ng in SSL. The only problem is that all the documentation for stunnel presumes you're using Red Hat. I'm using OpenBSD. This means I have to generate the certificates myself, and I'm confused here. For a decent level of security, as I understand it, the server needs a certificate, signed by a CA (in this case, as it's for internal networking, the CA is me). What does the client need? I basically created a CA, created a public key and signed it to create the server certificate; what do I need to do for the clients? (I would prefer it if they all had the same certificate, to preserve my sanity.) If I hear the phrase "on red hat, go to /usr/share/ssl/certs" one more time, somebody is going to find themselves eating several poorly generated certificates. :) cheers mark
Heippa Mark,

i hope you give me the chance to add a good dip, if i have to eat some certificates ;-)

Have a look at: http://www.stunnel.org/examples/syslog-ng.html There you see that you also need a client PEM:

a) One for all clients if you just want encryption
b) One different for each client if you also need authentication (i.e. you need to establish the correctness of the client identity)

Step by step: http://www.emaze.net/~yad/openssl_stunnel_ServerClientAuth.txt

One addition: look in the stunnel FAQ for how to generate a link to the stunnel:

$ /usr/local/ssl/misc/c_hash clientcert.pem

You will see an output similar to:

89f05566.0 => clientcert.pem

Now create a symbolic link to this file:

$ ln -s clientcert.pem 89f05566.0

(Stunnel will use a 'hash' to look up the filename. It won't work without this.)

This recipe will also cook on any BSE implementation ;-), i hope.

But if you have access to any Redhat box, you can make your life much easier: they kindly have spared anyone much work by building a Makefile that generates all needed keys and gives them the right names. All that's left to you is to snip the private part from the public part and distribute them ...

Makefile attached, just modify the path inside the Makefile.

hth
Micha
Thanks very much! :) My next step was to actually attempt to acquire the makefile just to see what the differences were between client-server certificates; you've just made my life much easier. :) cheers mark

On Sat, Aug 14, 2004 at 11:35:56AM +0200, Michael Arndt wrote:
# Attached Makefile (the Red Hat certificate Makefile). Recipe lines must be
# indented with a tab. Adjust the tool paths (/usr/bin/openssl, /bin/mktemp)
# and the KEY/CSR/CRT locations below for your own system.

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo "  o public/private key pairs"
	@echo "  o SSL certificate signing requests (CSRs)"
	@echo "  o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo Examples:
	@echo "  make server.key"
	@echo "  make server.csr"
	@echo "  make server.crt"
	@echo "  make stunnel.pem"
	@echo "  make genkey"
	@echo "  make certreq"
	@echo "  make testcert"

# Key and self-signed certificate in one file, the layout stunnel expects.
# The key is written unencrypted (-nodes) so a daemon can read it unattended;
# umask 77 keeps the resulting file readable by the owner only.
%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
	cat $$PEM1 >  $@ ; \
	echo ""    >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

# Stand-alone private key, passphrase-protected with 3DES.
%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -des3 1024 > $@

# Certificate signing request for an existing key (to be signed by a CA).
%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -out $@

# Self-signed test certificate for an existing key.
%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

# Apache (mod_ssl) default locations on Red Hat; change these for other systems.
KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)
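As an added example (not from the thread, the Red Hat Makefile, or the stunnel project), the steps Michael describes as one portable shell script: a private CA, a CA-signed server certificate, one shared client certificate, the combined key+cert PEMs stunnel reads, and the hashed CApath link that the c_hash step produces. The names syslog-ca, syslog-server, syslog-client and the pki directory layout are assumptions; only the openssl command line is required.

```shell
#!/bin/sh
# Constructed example: private CA plus server/client certs for stunnel.
# Keys are written unencrypted (-nodes) because stunnel runs unattended;
# umask 077 limits them to the owner instead of a passphrase.
set -e

# make_pki DIR: create ca.*, server.*, client.* and certs/<hash>.0 under DIR.
make_pki() {
    dir="$1"
    mkdir -p "$dir/certs"
    ( umask 077
      cd "$dir"
      # 1. The CA: a self-signed certificate that signs everything else.
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=syslog-ca" -keyout ca.key -out ca.crt 2>/dev/null
      # 2. Server and client: key + CSR, then the CA signs the CSR.
      #    One shared client cert = encryption only; issue one per host
      #    (different CN) if you want to authenticate individual clients.
      for name in server client; do
          openssl req -new -newkey rsa:2048 -nodes -subj "/CN=syslog-$name" \
              -keyout "$name.key" -out "$name.csr" 2>/dev/null
          openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
              -CAcreateserial -days 365 -out "$name.crt" 2>/dev/null
          # stunnel wants key and cert in one PEM (same layout as the
          # Makefile's %.pem rule): this is the file to distribute.
          cat "$name.key" "$name.crt" > "$name.pem"
      done
      # 3. The c_hash step: stunnel's CApath lookup is by subject-hash
      #    filename (e.g. 89f05566.0 -> ca.crt), so link the CA under it.
      hash=$(openssl x509 -noout -hash -in ca.crt)
      ln -sf ../ca.crt "certs/$hash.0"
    )
}

# verify_cert DIR CERTFILE: exit 0 if CERTFILE chains to the CA through the
# hashed CApath, which is the check stunnel makes with CApath=DIR/certs.
verify_cert() {
    openssl verify -CApath "$1/certs" "$2" >/dev/null 2>&1
}
```

Point stunnel's server side at server.pem and certs/, give every client client.pem, and run verify_cert against a client certificate before deploying to confirm the hash link is in place.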