![]() On the server, the file /etc/stunnel/psk.txt must contain all keys of all clients an example can be seen in Listing 7. On the client, define the file in which the authentication keys are stored: PSKsecrets = /etc/stunnel/psk-client1.txt First, you must know that with the standard Bacula configuration, the Director will contact the File daemon on port 9102. On the server, add the following two statements to the tunnel configuration: ciphers = PSK On the server, use CAfile to specify the certificate from the CA to verify the server's certificate chain correctly.Īlso interesting to note is that stunnel v5.09 allows you to authenticate a client with a preshared key (PSK), which means you can use access control to determine who is allowed to use the tunnel. I also tested this activity with fuse-sshfs from the EPEL repository. Systems without AES-NI recognized by OpenSSL will not perform this well. Once you have received the signed certificate back from the CA, you integrate it on the server as usual with the cert statement. Configuring stunnel for high logging (setting debugdebug), the reported cipher used was ECDHE-RSA-AES256-GCM-SHA384. SSL has an advantage in that only a certificate has to be generated. Stunnel relies on secure socket layer encryption or SSL. To generate a corresponding certificate signing request (CSR), use the command: openssl req -new -sha256 -key /etc/stunnel/stunnel.key -out /etc/stunnel/stunnel.csr Configuring Stunnel After installing Stunnel, you must configure it. In production environments, of course, a certificate signed by a certificate authority (CA) should be used. ![]() The example in Listing 1 shows a very simple configuration that uses stunnel as a plain vanilla TLS client. If this is not available, sample configurations can usually be found in the documentation directory, /usr/share/doc/stunnel*/. Preparing the TunnelĪfter you have downloaded and installed the stunnel package from the distribution repository, you need to install the /etc/stunnel/nf configuration file. The tool can operate in both client and server modes. The program will prompt you with some questions regarding your locality and domain name. Next, compile the Stunnel sources: make This command compiles the binary files from Stunnel's source code. Most Linux distributions offer the stunnel package, a TLS wrapper that lets you build a tunnel between two endpoints. This command will gather information about your system and configure Stunnel's installation scripts. ![]() Unfortunately, such cases can still be found in 2020. Worse still, you come across a service that requires you to enter sensitive data, such as login credentials, but does not provide data protection through a secure TLS connection. However, you might not want other users of the same wireless network to be able to track your Internet usage behavior. Transmitting confidential data over an insecure connection is not a good idea and should always be avoided, but what do you do if a service does not offer a secure communication channel, and no VPN is available?Įveryone will be familiar with the following situation: You are sitting comfortably in a cafe or hotel, registered on the local WiFi network, and happily browsing the Internet.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |