OpenSSL + Stunnel + Iptable + 数字证书 PGP/GPG..
通过Stunnel 实现SSL连接
安装
AS3,Redhat 9默认已经安装
需要下面两个包:
openssl
stunnel
[root@linuxas3 root]# rpm -qa |grep openssl openssl-0.9.7a-22.1 openssl-devel-0.9.7a-22.1 [root@linuxas3 root]# rpm -qa |grep stunnel stunnel-4.04-4 [root@linuxas3 root]# cd /etc/stunnel/ [root@linuxas3 stunnel]# ls stunnel.conf-sample stunnel.pem |
配置
[root@linuxas3 stunnel]# cp stunnel.conf-sample stunnel.conf [root@linuxas3 stunnel]# mv stunnel.pem stunnel.pem.old [root@linuxas3 stunnel]# vi stunnel.conf |
Example 1. stunnel.conf
# Sample stunnel configuration file # Copyright by Michal Trojnara 2002 # Comment it out on Win32 cert = /etc/stunnel/stunnel.pem # chroot = /usr/var/run/stunnel/ # PID is created inside chroot jail pid = /stunnel.pid #setuid = nobody #setgid = nogroup setuid = root setgid = root # Workaround for Eudora bug #options = DONT_INSERT_EMPTY_FRAGMENTS # Authentication stuff #verify = 2 # don't forget about c_rehash CApath # it is located inside chroot jail: #CApath = /certs # or simply use CAfile instead: #CAfile = /usr/etc/stunnel/certs.pem # Some debugging stuff debug = 7 output = stunnel.log # Use it for client mode #client = yes # Service-level configuration [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 [s1] accept = 5000 connect = mail.osw.pl:110 # delay = yes [s2] accept = 5001 connect = mail.osw.pl:25 #[https] #accept = 443 #connect = 80 #TIMEOUTclose = 0 [nntps] accept = 563 connect = 119 |
配置/运行 Stunnel
stunnel 默认配置文件是 /etc/stunnel/stunnel.conf 下面是最小的服务方式配置文件内容示范: key = stunnel.pem [http2ssl] accept = 443 connect = 127.0.0.1:80 含义:使用 stunnel.pem 证书,将 127.0.0.1: 80 的端口加密映射成本机443端口,“ http2ssl ”是名称,可以改成其它的标识。 配置文件文件还有其它内容,详情请看帮助。 直接运行stunnel,就可以启动 Stunnel 了。 |
创建服务器证书
[root@linuxas3 stunnel]# cp /usr/share/ssl/openssl.cnf /etc/openssl.cnf [root@linuxas3 stunnel]# nano -w /etc/openssl.cnf [root@linuxas3 stunnel]# openssl req -new -x509 -days 365 -nodes -config /etc/openssl.cnf -out stunnel.pem -keyout stunnel.pem Generating a 1024 bit RSA private key ....................++++++ .......................++++++ writing new private key to 'stunnel.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:GD Locality Name (eg, city) [Newbury]:Shen Zhen Organization Name (eg, company) [My Company Ltd]:none Organizational Unit Name (eg, section) []:postfix Common Name (eg, your name or your server's hostname) []:netkiller Email Address []:[email protected] [root@linuxas3 stunnel]# openssl gendh 512 >> stunnel.pem [root@linuxas3 stunnel]# openssl x509 -subject -dates -fingerprint -in stunnel.pem [root@linuxas3 stunnel]# chmod 600 /etc/stunnel/stunnel.pem |
Stunnel 客户方式不需要证书。Stunnel 服务方式需要一个证书文件。 Stunnel 在 SSL Http Proxy 服务器是以服务方式运行的,所以必须要有一个证书。通过 openssl.exe 创建服务器证书。下面我将 Stunnel 关于创建证书的翻译如下: “...运行下面的命令 openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunnel.pem -keyout stunnel.pem 这将会创建一个自己给自己签名的证书。参数的含义: -days 365 使这个证书的有效期是1年,之后它将不能再用。 -new 创建一个新的证书 -x509 创建一个 X509 证书(自己签名的) -nodes 这个证书没有密码 -config openssl.cnf OpenSSL 使用的配置文件 (可能需要修改的有[CA_default]和[req_distinguished_name]这两个 section,译者) -out stunnel.pem 把 SSL 证书写到哪里 -keyout stunnel.pem 把 SSL 证书放到这个文件中 这个命令将会问你以下问题: 问题的回答示范 Country name 国家代码 PL, UK, US, CA...我国是CN,HK,TW State or Province name 省 Locality Name 市 Organization Name 公司、组织名称 Organizational Unit Name 部门名称 Common Name (FQDN) www.example.com 注意:Common Name (FQDN) 应该是运行 stunnel 机器的主机名。如果你能通过不同的主机名访问这台机器,有些 SSL 客户会警告这个主机的证书有问题,所以最好是使它和用户访问的主机名匹配。 openssl gendh 512>> stunnel.pem 这将生成 Diffie-Hellman 部分, 追加到 pem 文件中。 openssl x509 -subject -dates -fingerprint -in stunnel.pem 这个命令是将你的证书信息在屏幕显示出来。” |
运行
[root@linuxas3 stunnel]# stunnel [root@linuxas3 stunnel]# ps ax |grep stunnel 20733 ? S 0:00 stunnel |
查看端口
[root@linuxas3 stunnel]# nmap localhost Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on linuxas3.9812.net (127.0.0.1): (The 1582 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop-3 111/tcp open sunrpc 119/tcp open nntp 143/tcp open imap2 443/tcp open https 465/tcp open smtps 563/tcp open snews 631/tcp open ipp 783/tcp open hp-alarm-mgr 993/tcp open imaps 995/tcp open pop3s 3306/tcp open mysql 5000/tcp open UPnP 5001/tcp open commplex-link 8009/tcp open ajp13 8080/tcp open http-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds [root@linuxas3 stunnel]# |
测试
详细请看Outlook使用帮助
查看iptables -L
# SMTP /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT # SMTPS /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT # POP3 /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT # POP3S /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT # IMAP /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT # IMAPS /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT |