Stunnel Tutorial (SSL) Help!

 
Aprelium Forum Index -> General Questions

TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Thu Jun 10, 2004 5:34 am

You can read this post down further for a text based tutorial or you can look at
the one I have at www.TRUSTAbyss.com, it's up to you which one to follow. :)

Scroll towards the middle to find the text based version. Thank You!


Last edited by TRUSTAbyss on Mon Feb 14, 2005 9:28 pm; edited 1 time in total

masa
Joined: 05 Apr 2004
Posts: 182
Location: Hong Kong

Posted: Fri Jun 11, 2004 10:32 am

I think Abyss doesn't support SSL so I think this is rubbish
_________________
Visit http://web26.hopto.org:443/ please help me make my site better http://web26.hopto.org:443/

Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Fri Jun 11, 2004 11:24 am

Masa, if you don't understand the question, don't bother to post. STunnel is a separate application you run to provide SSL support for applications which don't have native SSL support. By running STunnel you allow users to connect to your Abyss server using SSL/HTTPS.

TRUSTpunk, I will try and get a simple tutorial up sometime this weekend - it's a very simple process if you read the documentation, but I'll see if I can make it simpler!

Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Fri Jun 11, 2004 11:16 pm

== Downloading and Configuring STunnel ==

Download the current version of STunnel and the OpenSSL libraries from the STunnel website.

www.stunnel.org/download/binaries.html

Currently these are :
http://www.stunnel.org/download/stunnel/win32/stunnel-4.05.exe
http://www.stunnel.org/download/stunnel/win32/openssl-0.9.7d-zlib/openssl.zip

Create a folder for STunnel on your HD. Doesn't matter where.

Unzip the OpenSSL.zip file into the folder. Copy STunnel-x.xx.exe into the folder.

Copy and paste the following into Notepad :

Code:

[web]
accept=443
connect=80


Save the file as "stunnel.conf" into the folder you have put STunnel and the OpenSSL files into.

* You will need to put the quotes into the Save As dialogue in Notepad to get the file saved with a .conf extension *

Accept is the port that STunnel is going to listen for connections on, Connect is the port that it is going to connect to. We haven't specified a host so it will default to listening and connecting to localhost. If you are running Abyss on a different port, you will need to change 80 to the port you have Abyss running on.

If you have a router and are using port forwarding, don't change the Accept port here - if you are going to use a different port, just change the port you are forwarding on your router from the port Abyss is currently running on to listen on 443 and forward to 4443 on your machine. You may choose to set your router to listen on a different port, however users will then have to enter https://yoursite.com:newport instead of just https://yoursite.com. The same applies if you do not have a router but choose to change the Accept port.

* Some browsers seem to have problems with https on non standard ports, however, if your ISP blocks port 80 they may well block port 443 (HTTPS) as well - it would be better to try on the standard HTTPS port first *

You now need an SSL certificate to use with STunnel. Assuming you aren't going to buy one, you will need to generate one. This is a complicated process, so use the online certificate generator on STunnel.org instead.

http://www.stunnel.org/pem/

Fill out the details however you want, but enter the domain name for your site correctly. It doesn't matter if this is a free subdomain, just enter the whole thing. Select No for generating DH parameters in the checkbox at the bottom and generate your certificate. Copy and paste the result from the textbox into Notepad and save it into the folder you created for STunnel as "STunnel.pem". Again, you will need to include the quotes to create a non-standard extension.

* If you are paranoid you should make an effort and read the instructions on how to create your own PEM file, found here :
http://www.stunnel.org/examples/https_windows.html
You will only need steps 5, 8 and 9. *

Run STunnel - make sure Abyss is also running. It doesn't matter if you start Abyss after STunnel but obviously Abyss will need to be running for you to connect.

Test your connection to your webserver by doing https://localhost, or https://localhost:portyouchose if you changed it from 443.

You should see your website. Bingo!

LIMITATION :
There is no way of making part of your site SSL based and part unsecured.

If you set up STunnel it will always give SSL access to your whole site. If you want to secure one area and not another you will need to run two copies of Abyss with two different htdocs folders, one containing content to be secured and one normal. They will have to run on different ports. If you do this, you should be able to use a https:// link within your site to a secured area.

If you want to make your site SSL only, remove the port forwarding you set up on your router for connecting directly to Abyss and leave only the port forwarding for STunnel in place. If you do not have a router, you will have to use a firewall to allow access to Abyss only from localhost - this will allow STunnel to connect and serve via SSL, but not allow remote users to connect directly to Abyss.

Any questions? If you wish to reproduce this you can, but give credit where it's due.

iNaNimAtE
Joined: 05 Nov 2003
Posts: 2381
Location: Everywhere you're not.

Posted: Sat Jun 12, 2004 1:21 am

Anonymoose wrote:
LIMITATION :
There is no way of making part of your site SSL based and part unsecured.

So theoretically, when Abyss supports virtual hosting, do you think it will be possible to have, say "secure.mydomain.com" with SSL and a normal "mydomain.com?" You mentioned something about binding to hosts, and I would guess that option would come into play.
_________________
Bienvenidos!

Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Sat Jun 12, 2004 1:41 am

I'm expecting that to work, however, I don't know how well host binding will work on Windows, it may just get confused and die. However, if the new version will allow you to run multiple hosts on multiple ports, it would be a simple matter to do as I said with two separate sets of htdocs, 2 different ports etc.

This was more intended as a stop gap solution, since I was assuming the full version of Abyss 2 will have the SSL support Aprelium promised :) If it's only in the Pro version, we will have to look more closely at documenting my method for paranoid home users.

TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Sat Jun 12, 2004 2:42 am

The documentation of the STunnel website was so confusing,
thank you for finally writing this tutorial, many users will thank
you for what you've done, Thank You so much for the help!

Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Sat Jun 12, 2004 2:36 pm

Hope it all makes sense, let me know how you get on when you have chance to try it.

Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Mon Jun 21, 2004 6:33 pm

Did anyone ever get chance to test these instructions? Any suggestions for additions/clarification would be useful...

TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Mon Jun 21, 2004 6:57 pm

Yep, STunnel works, thanks for the tutorial, you might want to create
a new topic for this so it's easy to find, I went to https://localhost and
a certificate thing came up, it works, I can't believe how simple it was
but the documentation is just hard, thank you for the help, it works now.

When you view the domain properties
on the web page, you will see this!

Code:

SSL 3.0, RC4 with 128 bit encryption (High);
RSA with 1024 bit exchange

GameGod
Joined: 06 Jul 2003
Posts: 1

Posted: Sun May 15, 2005 5:51 pm    Post subject: Problem with non-standard port

I'm unable to get SSL working with STunnel on a non-standard port. It works fine with the default port of 443, but when I change it to 4430, it no longer works and the browser gives me an HTTP 400 (Bad Request). Any ideas why?

Here's the configuration file:

Code:

debug=7
output=c:\utils\stunnel\stunnel.log

[https]
accept=4430
connect=17875
; for buggy IE (as per doc's)
TIMEOUTclose=5


Here's the log when it works (with port 443):

Code:

2005.05.15 09:29:58 LOG5[1688:1944]: stunnel 4.10 on x86-pc-mingw32-gnu WIN32+IPv4 with OpenSSL 0.9.7f 22 Mar 2005
2005.05.15 09:29:58 LOG7[1688:2084]: RAND_status claims sufficient entropy for the PRNG
2005.05.15 09:29:58 LOG6[1688:2084]: PRNG seeded successfully
2005.05.15 09:29:58 LOG7[1688:2084]: Certificate: stunnel.pem
2005.05.15 09:29:58 LOG7[1688:2084]: Key file: stunnel.pem
2005.05.15 09:29:58 LOG5[1688:2084]: No limit detected for the number of clients
2005.05.15 09:29:58 LOG7[1688:2084]: FD 168 in non-blocking mode
2005.05.15 09:29:58 LOG7[1688:2084]: SO_REUSEADDR option set on accept socket
2005.05.15 09:29:58 LOG7[1688:2084]: https bound to 0.0.0.0:443
2005.05.15 09:30:21 LOG7[1688:2084]: https accepted FD=180 from 127.0.0.1:3703
2005.05.15 09:30:21 LOG7[1688:2084]: Creating a new thread
2005.05.15 09:30:21 LOG7[1688:2084]: New thread created
2005.05.15 09:30:21 LOG7[1688:2300]: https started
2005.05.15 09:30:21 LOG7[1688:2300]: FD 180 in non-blocking mode
2005.05.15 09:30:21 LOG5[1688:2300]: https connected from 127.0.0.1:3703
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): before/accept initialization
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 read client hello A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 write server hello A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 write certificate A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 write server done A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 flush data
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 read client key exchange A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 read finished A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 write change cipher spec A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 write finished A
2005.05.15 09:30:21 LOG7[1688:2300]: SSL state (accept): SSLv3 flush data
2005.05.15 09:30:21 LOG7[1688:2300]:    1 items in the session cache
2005.05.15 09:30:21 LOG7[1688:2300]:    0 client connects (SSL_connect())
2005.05.15 09:30:21 LOG7[1688:2300]:    0 client connects that finished
2005.05.15 09:30:21 LOG7[1688:2300]:    0 client renegotiatations requested
2005.05.15 09:30:21 LOG7[1688:2300]:    1 server connects (SSL_accept())
2005.05.15 09:30:21 LOG7[1688:2300]:    1 server connects that finished
2005.05.15 09:30:21 LOG7[1688:2300]:    0 server renegotiatiations requested
2005.05.15 09:30:21 LOG7[1688:2300]:    0 session cache hits
2005.05.15 09:30:21 LOG7[1688:2300]:    0 session cache misses
2005.05.15 09:30:21 LOG7[1688:2300]:    0 session cache timeouts
2005.05.15 09:30:21 LOG6[1688:2300]: SSL accepted: new session negotiated
2005.05.15 09:30:21 LOG6[1688:2300]: Negotiated ciphers: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2005.05.15 09:30:21 LOG7[1688:2300]: FD 200 in non-blocking mode
2005.05.15 09:30:21 LOG7[1688:2300]: https connecting 127.0.0.1:17875
2005.05.15 09:30:21 LOG7[1688:2300]: connect_wait: waiting 10 seconds
2005.05.15 09:30:21 LOG7[1688:2300]: connect_wait: connected
2005.05.15 09:30:21 LOG7[1688:2300]: Remote FD=200 initialized
2005.05.15 09:30:21 LOG7[1688:2300]: SSL socket closed on SSL_read
2005.05.15 09:30:21 LOG7[1688:2300]: Socket write shutdown
2005.05.15 09:30:21 LOG5[1688:2300]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2005.05.15 09:30:21 LOG7[1688:2300]: https finished (0 left)
2005.05.15 09:30:23 LOG7[1688:2084]: https accepted FD=192 from 127.0.0.1:3708
2005.05.15 09:30:23 LOG7[1688:2084]: Creating a new thread
2005.05.15 09:30:23 LOG7[1688:2084]: New thread created
2005.05.15 09:30:23 LOG7[1688:1300]: https started
2005.05.15 09:30:23 LOG7[1688:1300]: FD 192 in non-blocking mode
2005.05.15 09:30:23 LOG5[1688:1300]: https connected from 127.0.0.1:3708
2005.05.15 09:30:23 LOG7[1688:1300]: SSL state (accept): before/accept initialization
2005.05.15 09:30:23 LOG7[1688:1300]: SSL state (accept): SSLv3 read client hello A
2005.05.15 09:30:23 LOG7[1688:1300]: SSL state (accept): SSLv3 write server hello A
2005.05.15 09:30:23 LOG7[1688:1300]: SSL state (accept): SSLv3 write change cipher spec A
2005.05.15 09:30:23 LOG7[1688:1300]: SSL state (accept): SSLv3 write finished A
2005.05.15 09:30:23 LOG7[1688:1300]: SSL state (accept): SSLv3 flush data
2005.05.15 09:30:23 LOG7[1688:1300]: SSL state (accept): SSLv3 read finished A
2005.05.15 09:30:23 LOG7[1688:1300]:    1 items in the session cache
2005.05.15 09:30:23 LOG7[1688:1300]:    0 client connects (SSL_connect())
2005.05.15 09:30:23 LOG7[1688:1300]:    0 client connects that finished
2005.05.15 09:30:23 LOG7[1688:1300]:    0 client renegotiatations requested
2005.05.15 09:30:23 LOG7[1688:1300]:    2 server connects (SSL_accept())
2005.05.15 09:30:23 LOG7[1688:1300]:    2 server connects that finished
2005.05.15 09:30:23 LOG7[1688:1300]:    0 server renegotiatiations requested
2005.05.15 09:30:23 LOG7[1688:1300]:    1 session cache hits
2005.05.15 09:30:23 LOG7[1688:1300]:    0 session cache misses
2005.05.15 09:30:23 LOG7[1688:1300]:    0 session cache timeouts
2005.05.15 09:30:23 LOG6[1688:1300]: SSL accepted: previous session reused
2005.05.15 09:30:23 LOG7[1688:1300]: FD 200 in non-blocking mode
2005.05.15 09:30:23 LOG7[1688:1300]: https connecting 127.0.0.1:17875
2005.05.15 09:30:23 LOG7[1688:1300]: connect_wait: waiting 10 seconds
2005.05.15 09:30:23 LOG7[1688:1300]: connect_wait: connected
2005.05.15 09:30:23 LOG7[1688:1300]: Remote FD=200 initialized
2005.05.15 09:30:26 LOG3[1688:1300]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2005.05.15 09:30:26 LOG5[1688:1300]: Connection reset: 551 bytes sent to SSL, 245 bytes sent to socket
2005.05.15 09:30:26 LOG7[1688:1300]: https finished (0 left)


And the log when it doesn't work (4430):
Code:

2005.05.15 09:37:07 LOG5[2276:2368]: stunnel 4.10 on x86-pc-mingw32-gnu WIN32+IPv4 with OpenSSL 0.9.7f 22 Mar 2005
2005.05.15 09:37:07 LOG7[2276:2128]: RAND_status claims sufficient entropy for the PRNG
2005.05.15 09:37:07 LOG6[2276:2128]: PRNG seeded successfully
2005.05.15 09:37:07 LOG7[2276:2128]: Certificate: stunnel.pem
2005.05.15 09:37:07 LOG7[2276:2128]: Key file: stunnel.pem
2005.05.15 09:37:07 LOG5[2276:2128]: No limit detected for the number of clients
2005.05.15 09:37:07 LOG7[2276:2128]: FD 168 in non-blocking mode
2005.05.15 09:37:07 LOG7[2276:2128]: SO_REUSEADDR option set on accept socket
2005.05.15 09:37:07 LOG7[2276:2128]: https bound to 0.0.0.0:4430
2005.05.15 09:37:19 LOG7[2276:2128]: https accepted FD=180 from 127.0.0.1:3854
2005.05.15 09:37:19 LOG7[2276:2128]: Creating a new thread
2005.05.15 09:37:19 LOG7[2276:2128]: New thread created
2005.05.15 09:37:19 LOG7[2276:2188]: https started
2005.05.15 09:37:19 LOG7[2276:2188]: FD 180 in non-blocking mode
2005.05.15 09:37:19 LOG5[2276:2188]: https connected from 127.0.0.1:3854
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): before/accept initialization
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 read client hello A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 write server hello A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 write certificate A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 write server done A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 flush data
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 read client key exchange A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 read finished A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 write change cipher spec A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 write finished A
2005.05.15 09:37:19 LOG7[2276:2188]: SSL state (accept): SSLv3 flush data
2005.05.15 09:37:19 LOG7[2276:2188]:    1 items in the session cache
2005.05.15 09:37:19 LOG7[2276:2188]:    0 client connects (SSL_connect())
2005.05.15 09:37:19 LOG7[2276:2188]:    0 client connects that finished
2005.05.15 09:37:19 LOG7[2276:2188]:    0 client renegotiatations requested
2005.05.15 09:37:19 LOG7[2276:2188]:    1 server connects (SSL_accept())
2005.05.15 09:37:19 LOG7[2276:2188]:    1 server connects that finished
2005.05.15 09:37:19 LOG7[2276:2188]:    0 server renegotiatiations requested
2005.05.15 09:37:19 LOG7[2276:2188]:    0 session cache hits
2005.05.15 09:37:19 LOG7[2276:2188]:    0 session cache misses
2005.05.15 09:37:19 LOG7[2276:2188]:    0 session cache timeouts
2005.05.15 09:37:19 LOG6[2276:2188]: SSL accepted: new session negotiated
2005.05.15 09:37:19 LOG6[2276:2188]: Negotiated ciphers: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2005.05.15 09:37:19 LOG7[2276:2188]: FD 200 in non-blocking mode
2005.05.15 09:37:19 LOG7[2276:2188]: https connecting 127.0.0.1:17875
2005.05.15 09:37:19 LOG7[2276:2188]: connect_wait: waiting 10 seconds
2005.05.15 09:37:19 LOG7[2276:2188]: connect_wait: connected
2005.05.15 09:37:19 LOG7[2276:2188]: Remote FD=200 initialized
2005.05.15 09:37:20 LOG7[2276:2188]: SSL socket closed on SSL_read
2005.05.15 09:37:20 LOG7[2276:2188]: Socket write shutdown
2005.05.15 09:37:20 LOG5[2276:2188]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2005.05.15 09:37:20 LOG7[2276:2188]: https finished (0 left)


I would really like to get this working, so any help would be much appreciated.

Thanks.

JMMotyer
Joined: 06 Jul 2005
Posts: 60
Location: Burlington (Toronto-ish), Ontario, Canada

Posted: Fri Jul 08, 2005 9:39 pm    Post subject: STunnel error when starting up

I've followed the above directions (I believe), but when I try to start STunnel, I get the following error:

The procedure entry point ASN1_INTEGER_cmp could not be located in the dynamic link library libeay32.dll

Anyone seen this error message before?

Thanx.

TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Fri Jul 08, 2005 9:43 pm

You need to install OpenSSL, My Tutorial provides you with the required files
so you don't have to, go to www.trustabyss.com and look at the Stunnel. :-)

Sincerely, TRUSTpunk

Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Sat Jul 09, 2005 12:23 am

TRUSTpunk wrote:
You need to install OpenSSL, My Tutorial provides you with the required files
so you don't have to, go to www.trustabyss.com and look at the Stunnel. :-)

Sincerely, TRUSTpunk


Your STunnel tutorial is a 404 at the moment for your mirror of the STunnel files...

Quote:
Not Found
The requested URL /downloads/stunnel.zip was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Sat Jul 09, 2005 3:07 am

I'm currently investigating why it's offline. I will keep you posted.

Sincerely, TRUSTpunk

joshturdin
Joined: 22 Oct 2005
Posts: 1

Posted: Sat Oct 22, 2005 11:11 am

The tutorial was really helpful, but I'm having problems getting the IP of the viewer as it (as would make sense) reports localhost/127.0.0.1 as the viewer. Is there any way around this?

Thanks,

Josh

Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Sat Oct 22, 2005 2:41 pm

Unfortunately not - because STunnel is acting as a proxy from port 443 to port 80 (or whatever your Abyss port is) requests to your website will always appear to be from localhost... I believe that you can turn on connection logging in STunnel, which would give you a separate logfile - at least you could match the timestamps in this up to your Abyss log if you find anyone trying to abuse your site etc.

Hopefully Aprelium will get the SSL enabled version of Abyss out eventually, although I can only really see it being in X2 :(
_________________

"Invent an idiot proof webserver and they'll invent a better idiot..."
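
The timestamp matching suggested in the post above, as an added example that is not part of the original thread. It also flags requests that reached the backend without passing through STunnel, which is what the earlier "SSL only" advice is meant to prevent. The stunnel lines follow the log format posted earlier in this thread; the Common Log Format backend log, the shared local clock, the one-second slack and all sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed stunnel log in the line format shown earlier in this thread.
# Only the LOG5 "connected from" and "Connection closed/reset" lines are used.
STUNNEL_LOG = """\
2005.05.15 09:30:21 LOG5[1688:2300]: https connected from 203.0.113.7:3703
2005.05.15 09:30:21 LOG5[1688:2300]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2005.05.15 09:30:23 LOG5[1688:1300]: https connected from 203.0.113.7:3708
2005.05.15 09:30:25 LOG5[1688:2412]: https connected from 198.51.100.23:4021
2005.05.15 09:30:26 LOG3[1688:1300]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2005.05.15 09:30:26 LOG5[1688:1300]: Connection reset: 551 bytes sent to SSL, 245 bytes sent to socket
2005.05.15 09:30:31 LOG5[1688:2412]: Connection closed: 1820 bytes sent to SSL, 310 bytes sent to socket
"""

# Constructed backend access log. Common Log Format and the same local clock
# as the stunnel log are assumptions, not something the thread states.
ACCESS_LOG = """\
127.0.0.1 - - [15/May/2005:09:30:23 -0400] "GET / HTTP/1.1" 200 312
127.0.0.1 - - [15/May/2005:09:30:26 -0400] "GET /admin/ HTTP/1.1" 401 120
127.0.0.1 - - [15/May/2005:09:30:29 -0400] "GET /login.html HTTP/1.1" 200 1500
192.0.2.50 - - [15/May/2005:09:30:40 -0400] "GET / HTTP/1.1" 200 312
127.0.0.1 - - [15/May/2005:09:31:10 -0400] "GET /status HTTP/1.1" 200 64
"""

LINE = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG\d\[(\d+:\d+)\]: (.*)$")
OPENED = re.compile(r"^\S+ connected from ([\d.]+):(\d+)$")
CLOSED = re.compile(
    r"^Connection (?:closed|reset): (\d+) bytes sent to SSL, (\d+) bytes sent to socket$")
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "([^"]*)" (\d{3}) \S+$')


def parse_stunnel(text):
    """Return finished tunnel connections: client IP, start, end, bytes to backend."""
    open_by_thread, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
        thread, msg = m.group(2), m.group(3)
        opened, closed = OPENED.match(msg), CLOSED.match(msg)
        if opened:
            # The pid:thread tag ties the lines of one connection together.
            # Thread ids may be reused, so each "connected from" starts afresh.
            open_by_thread[thread] = {"client": opened.group(1), "start": ts}
        elif closed and thread in open_by_thread:
            conn = open_by_thread.pop(thread)
            # "sent to socket" counts bytes written to the plain backend socket.
            conn.update(end=ts, to_backend=int(closed.group(2)))
            done.append(conn)
    return done


def attribute(access_text, conns, slack=timedelta(seconds=1)):
    """Map each backend log entry to the tunnel client(s) active at that time."""
    results = []
    for raw in access_text.splitlines():
        m = CLF.match(raw)
        if not m:
            continue
        host, stamp, request = m.group(1), m.group(2), m.group(3)
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
        if host not in ("127.0.0.1", "::1"):
            # A non-loopback peer means the backend was reached without the tunnel.
            results.append((request, "direct", [host]))
            continue
        # Candidates: tunnels that relayed data and were open at the request time.
        clients = sorted({c["client"] for c in conns
                          if c["to_backend"] > 0
                          and c["start"] - slack <= when <= c["end"] + slack})
        verdict = "matched" if len(clients) == 1 else "ambiguous" if clients else "unmatched"
        results.append((request, verdict, clients))
    return results


if __name__ == "__main__":
    for request, verdict, clients in attribute(ACCESS_LOG, parse_stunnel(STUNNEL_LOG)):
        print(f"{verdict:9} {', '.join(clients) or '-':30} {request}")
```

When two tunnels overlap in time the request is reported as ambiguous with every candidate address, since timestamps alone cannot separate them.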

MonkeyNation
Joined: 05 Feb 2005
Posts: 921
Location: Cardiff

Posted: Sat Oct 22, 2005 3:25 pm

There would be ways around it, but not tidy ones.
(Loading a non-ssl page, and logging the IP of the browser to a database, using session cookies or a unique id to identify them.)

ddd admin
Joined: 15 Dec 2005
Posts: 10

Posted: Thu Dec 15, 2005 4:39 am    Post subject: HELP!! Installing GoDaddy Cert using OpenSSL???

I have gotten STunnel running with OpenSSL. I created a private key, generated the CSR...

Submitted that to GoDaddy.com for my $29 cert and got my cert!

Now, here's the only problem:

How do I install the intermediate cert and the main cert???

Nowhere in the OpenSSL docs (as limited as they are) does it say??? Abyss doesn't presently support SSL, so I'm not quite sure how to install these shiny new files that I just bought??

HELP!!!!!!!

And thank you!

AbyssUnderground
Joined: 31 Dec 2004
Posts: 3855

Posted: Thu Dec 15, 2005 10:26 am

ddd admin,

There is no need to post the same post twice in a different topic. Once is enough and won't help you get a reply any quicker.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

ddd admin
Joined: 15 Dec 2005
Posts: 10

Posted: Thu Dec 15, 2005 1:38 pm    Post subject: Sorry...

Wasn't sure where the most appropriate place was to ask?

AbyssUnderground
Joined: 31 Dec 2004
Posts: 3855

Posted: Thu Dec 15, 2005 1:40 pm    Post subject: Re: Sorry...

ddd admin wrote:
Wasn't sure where the most appropriate place was to ask?


It doesn't matter where you ask, you will still get a reply and/or a redirect to the correct topic, but posting twice doesn't make it faster. In some cases members will ignore you because of this. I've seen it happen before and the person asking gets frustrated over it.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

olivierp
Joined: 23 Apr 2004
Posts: 54
Location: Montreal, Qc

Posted: Sat Dec 17, 2005 8:56 pm

Thanks for the tutorial..

I may be missing something.. I'm able to connect to
https://localhost
But I can't use my domain name
https://middazed.com or https://www.middazed.com.
I'm using zoneedit since there are three domains linked to my pc

I tried to change the webforwards in Zoneedit to
https://66.130.84.137/middazed/web
http://66.130.84.137/middazed/web
https://66.130.84.137:443/middazed/web
http://66.130.84.137:443/middazed/web
https://66.130.84.137:1024/middazed/web
http://66.130.84.137:1024/middazed/web
..I get "page cannot be displayed"

However, I am able to connect when entering directly in the address bar (IE):
https://66.130.84.137/middazed/web

Would it have to do with zoneedit ?

My STunnel.conf is set like so :
Quote:

[web]
accept=443
connect=1024


Abyss is running on 1024 (80 is blocked)
I verified with my ISP if port 443 was blocked, it is not.

I'm behind a Linksys router where port 443 is open.

What else.. hmm that's all I can think of.

Thanks for your help

roganty
Joined: 08 Jun 2004
Posts: 357
Location: Bristol, UK

Posted: Sun Dec 18, 2005 12:41 pm

olivierp wrote:
I may be missing something.. I'm able to connect to
https://localhost
But I can't use my domain name
https://middazed.com or https://www.middazed.com.
I'm using zoneedit since there are three domains linked to my pc

I tried to change the webforwards in Zoneedit to
https://66.130.84.137/middazed/web
http://66.130.84.137/middazed/web
https://66.130.84.137:443/middazed/web
http://66.130.84.137:443/middazed/web
https://66.130.84.137:1024/middazed/web
http://66.130.84.137:1024/middazed/web
..I get "page cannot be displayed"


I am only able to view your site at https://66.130.84.137/middazed/web

You may need to edit your hosts file (search the forum) or use a proxy server to view your own website, as it seems your router doesn't support loopback.
_________________
Anthony R

Roganty
| Links-Links.co.uk

olivierp
Joined: 23 Apr 2004
Posts: 54
Location: Montreal, Qc

Posted: Mon Dec 19, 2005 5:47 am

Thanks for your response...

I searched the forum relatively to loopback issues and I can't relate to the issue I'm having.. Could you explain briefly why you think my linksys wrk54g does not support loopback ?

Thanks again

Tom Chapman
Joined: 09 Jul 2005
Posts: 933
Location: Australia

Posted: Mon Dec 19, 2005 7:51 am

It's simple really, not all routers/DSL modems support loopback like my Netcomm NB5. It sucks really but I don't want to buy another router. If you need help configuring your hosts file I'll gladly help you.

olivierp
Joined: 23 Apr 2004
Posts: 54
Location: Montreal, Qc

Posted: Tue Dec 20, 2005 3:51 pm

Thanks for the offer.. I did not find anything on host files or loopback issues. I also called Linksys to ask them if my router supports loopback.

I'm waiting for a callback or email.

The funny thing is that before installing the stunnel, Abyss was running just fine on port 1024 with domain names pointing to

www.middazed.com --- http://66.130.84.137:1024/middazed/web/
www.accessoiresunik.com --- http://66.130.84.137:1024/christine/web/
www.danyb.com --- http://66.130.84.137:1024/DanyB.com/

At the moment, I have 2 installs of abyss running.

1 - Abyss Web server : running on port 1024
port 1024 is open

2 - Abyss SSL : running on port 1026
ports 443 and 1026 are open for business

As we speak, both servers seem inaccessible whether I use the https or http address, with or without the domain names.

Is it possible to have a loopback problem only when using Stunnel and/or 2 instances of Abyss ?

Thanks !!

Moxxnixx
Joined: 21 Jun 2003
Posts: 1226
Location: Florida

Posted: Tue Dec 20, 2005 10:56 pm

olivierp, to my knowledge, all Linksys routers support loopback. Make sure
you have the latest firmware update to your router. (just to be safe)

Also, you didn't mention anything about having a firewall. Is it possible that
is blocking access to the ports?

EDIT - I just referenced one of your other posts in the forum and you mentioned
you don't have a firewall installed. Is your built-in firewall in WinXPpro running?

Tom Chapman
Joined: 09 Jul 2005
Posts: 933
Location: Australia

Posted: Wed Dec 21, 2005 1:29 am

Or you could always try uninstalling stunnel see if that helps

olivierp
Joined: 23 Apr 2004
Posts: 54
Location: Montreal, Qc

Posted: Wed Dec 21, 2005 5:19 am

Moxxnixx,

Yes, it does support it. I now have the latest version of the firmware.
I do not have the Windows firewall turned on and the only sort of firewall is avast home edition. Keep in mind that I have been running Abyss for 2 years or so, and installed Abyss X1 a few months ago. It was running fine until I installed the Stunnel and the second Abyss according to posts in the forum.

I hope to be able to use the stunnel.

Thanks for your time
; )

Siert
Joined: 11 Jun 2004
Posts: 23
Location: Hoog-Keppel, the Netherlands

Posted: Wed Sep 06, 2006 3:25 pm

Anonymoose,

You can UPDATE your tutorial !!!

Use:
http://www.stunnel.org/download/binaries.html stunnel-4.16-installer.exe (or later)
http://www.openssl.org/related/binaries.html OpenSSL for Windows at http://www.slproweb.com/products/Win32OpenSSL.html
(little bug: set path C:\"your OpenSSL directory"\bin\ in your environment variables to work with OpenSSL in all your directories)

HOWTO:
http://www.openssl.org/docs/HOWTO/

Works great & simple ...
8) 8) 8)

Dyno69
Joined: 24 Sep 2006
Posts: 31

Posted: Tue Nov 14, 2006 7:47 pm

I seem to have everything running but with IE 7 it says that my certificate I made at the SSL site:

There is a problem with this website's security certificate.


The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

Is there a way to fix this? I used TRUSTAbyss's tutorial off his site.

Siert
Joined: 11 Jun 2004
Posts: 23
Location: Hoog-Keppel, the Netherlands

Posted: Wed Nov 15, 2006 1:07 am

Where did you buy your SSL-certificate?
The tutorial you used generates a test SSL-certificate to test your STunnel configuration. It's now working, I guess :D

So the only fix for you now is buying an SSL-certificate ...

What's the function on your website for SSL?

canoedf
Joined: 25 Oct 2004
Posts: 13
Location: Colorado

Posted: Wed Nov 15, 2006 6:40 pm

Dyno69 wrote:
I seem to have everything running but with IE 7 it says that my certificate I made at the SSL site:

There is a problem with this website's security certificate.


The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

Is there a way to fix this? I used TRUSTAbyss's tutorial off his site.


Get a free cert from here http://www.cacert.org/

Then install it in your browser. See this for how I did it for Debian using Firefox and IE browsers: http://www.aprelium.com/forum/viewtopic.php?t=9456&highlight=stunnel
_________________
Dan

aprelium-beta
Joined: 24 Jun 2004
Posts: 383

Posted: Tue Jul 03, 2007 1:58 am    Post subject: Re: Stunnel Tutorial (SSL) Help!

Native SSL support is now available. Please check the Beta version of Abyss Web Server 2.5 in http://www.aprelium.com/forum/viewforum.php?f=32 .
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com

All times are GMT + 1 Hour