Stunnel4 as server

Ricky00 · 05-17-2009, 11:14 AM

Hi.

I tried many ways to configure this program (Stunnel4) but cannot install it correctly.

Right now, I got Ubuntu 9.04 normal edition installed. I got aMule and Deluge (2 P2P programs). I was able to install them, to make them run as deamons and run them on startup. In fact, thoses programs can be acess thru http request. I want then to be ussed HTTPS request instead (I know that deluge can do that by internal options but prefer to configure only 1 SSL program for thoses 2 applications, plus another that will control a PHP script.

So I installed by Synaptic the only package Stunnel4.
I created 2 self-certificate (a .KEY and a .CRT files that I renamed for Stunnel).

This is that I got for Stunnel.conf (located at /usr/stunnel):

Quote:

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/server.crt.pem
key = /etc/stunnel/server.key.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[ssmtp]
accept = 465
connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

[aMule]
accept = 40009
connect = 40010
TIMEOUTclose = 0

[deluge]
accept = 50009
connect = 50010
TIMEOUTclose = 0

; vim:ft=dosini

As you can see, I added at the end options for aMule and deluge.
Now, when I type:

http:\\192.168.1.7:40010 I enter Amule Web page
https:\\192.168.1.40009 DOES NOT WORK

http:\\192.168.1.7:50010 I enter deluge web page
https:\\192.168.1.7:50009 DOES NOT WORK

Others informations:
1) When I type stunnel4 in TERMINAL, promp return without error, but still does not work
2) When I type sudo stunnel4 and enter my password, it's the same thing as enter stunnel4, sill does not work.
3)Whnn I type /usr/bin/stunnel4, it's the same thing
4) files /etc/stunnel/server.crt.pem and etc/stunnel/server.key.pem does exist.

I need advice:
1) how to run it properly
2) how to put it on startup
3) where to look for more infos (log)

Thanks

Ricky00

Ricky00 · 05-23-2009, 08:27 PM

Goss evening.

Finally, I was able to make my program work partially but I still have to fix somes small issues.

Without knowing where was the program, I went to the stunnel website downloading the latest version of Stunnel (more recent than the one distributed with Ubuntu 9.04)

I compile it and installed on the same directory than the old one, but stil I got the same problem. I read on the website how to edit the file stunnel4 in /etc/init.d. So, i tried to match the path if files and able to run it. However, I still not able to run it on startup of my PC

This is the file stunnel4 I was talking about:

Quote:

# Provides: stunnel4
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
### END INIT INFO

DEFAULTPIDFILE="/var/run/stunnel4.pid"
DAEMON=/usr/bin/stunnel4
NAME=stunnel
DESC="SSL tunnels"
FILES="/etc/stunnel/*.conf"
OPTIONS=""
ENABLED=1

get_pids() {
local file=$1
if test -f $file; then
CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
if [ "$PIDFILE" = "" ]; then
PIDFILE=$DEFAULTPIDFILE
fi
if test -f $CHROOT/$PIDFILE; then
cat $CHROOT/$PIDFILE
fi
fi
}

startdaemons() {
if ! [ -d /var/run/stunnel4 ]; then
rm -rf /var/run/stunnel4
install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
fi
for file in $FILES; do
if test -f $file; then
ARGS="$file $OPTIONS"
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -0 $PROCLIST 2>/dev/null; then
echo -n "[Already running: $file] "
elif $DAEMON $ARGS; then
echo -n "[Started: $file] "
else
echo "[Failed: $file]"
echo "You should check that you have specified the pid= in you configuration file"
exit 1
fi
fi
done;
}

killdaemons()
{
for file in $FILES; do
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -0 $PROCLIST 2>/dev/null; then
kill $PROCLIST
echo -n "[stopped: $file] "
fi
done
}

if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi

test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$ENABLED" != "0" || exit 0

test -x $DAEMON || exit 0

set -e

case "$1" in
start)
echo -n "Starting $DESC: "
startdaemons
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
killdaemons
echo "$NAME."
;;
#force-reload does not send a SIGHUP, since SIGHUP is interpreted as a
#quit signal by stunnel. I reported this problem to upstream authors.
force-reload|restart)
echo -n "Restarting $DESC: "
killdaemons
sleep 5
startdaemons
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|force-reload|restart}" >&2
exit 1
;;
esac

exit 0

I called the files Stunnnel4 in /etc/init.d on startup with the command start but it does not work (in System -> Preferences -> Startup Applications)

If I type this command on console I got this error:

Quote:

printmanager@S2:~$ /etc/init.d/stunnel4 start
Starting SSL tunnels: [Failed: /etc/stunnel/stunnel.conf]
You should check that you have specified the pid= in you configuration file

The SSL at this point is NOT working
So, I tried this command instead:

Quote:

printmanager@S2:~$ sudo /etc/init.d/stunnel4 start
[sudo] password for printmanager:
Starting SSL tunnels: [Already running: /etc/stunnel/stunnel.conf] stunnel.

The error show is quite different. The process suppose to run but still not working.

So I did this:

Quote:

printmanager@S2:~$ sudo /etc/init.d/stunnel4 restart
Restarting SSL tunnels: [stopped: /etc/stunnel/stunnel.conf] [Started: /etc/stunnel/stunnel.conf] stunnel.

Then it works now !! ut I still not able to put it correctly on startup. I though that a permission for my user (not ROOT) was missing somewhere.

This is the permission I got from various files:

Quote:

printmanager@S2:~$ ls -als /etc/init.d/stunnel4
4 -rwxrwxrwx 1 root root 2429 2009-05-14 21:25 /etc/init.d/stunnel4

printmanager@S2:~$ ls -als /etc/stunnel/
total 36
4 drwxrwxrwx 2 root root 4096 2009-05-15 20:37 .
12 drwxr-xr-x 130 root root 12288 2009-05-23 20:55 ..
4 -rw-r--r-- 1 printmanager printmanager 1456 2009-05-05 21:06 server.crt.pem
4 -r-------- 1 printmanager printmanager 887 2009-05-06 21:18 server.key.pem
4 -rw-r--r-- 1 printmanager printmanager 963 2009-05-06 21:18 server.key.pem.org
4 -rwxrwxrwx 1 root root 1617 2009-05-13 21:57 stunnel.conf
4 -rw-r--r-- 1 printmanager printmanager 1615 2009-05-13 21:57 stunnel.conf~

I want to where to look now...

Thanks

Ricky00