Message ID: 18     Entry time: Mon Sep 25 11:24:05 2006
Author: Yoshio Imai 
Author Email:  
Category: Documentation 
Subject: securing of elog with stunnel v4 under Linux 
Status: Beta 
Last Revision:  
The following instructions should work in securing the elog using stunnel version 4 under Linux. The specific paths may have to be adapted to your distribution. A sample configuration file is attached.
Attachment 1: elog-stunnel4.howto (3 kB)
1. Prepare a certificate
------------------------
either: request a certificate for your elog URL from your web administrator
- the private key must not be password-protected
- the 'common name' must be the URL of your elog server

or: create a self-signed certificate yourself with the OpenSSL package
- as root user, create a self-signed certificate with the command

root@localhost:# openssl req -new -x509 -config /etc/ssl/openssl.cnf -keyout stunnel.pem -out stunnel.pem -days 365 -nodes

- this creates a self-signed certificate (-x509) with one year validity (-days 365)
  and no password protection for the private key (-nodes)
- private key and certificate are written to the same file, "stunnel.pem"

Answer all questions, making sure that the 'common name' is the URL under which users
are to reach your elog server.

For more information on how to create and/or manage SSL certificates, see e.g.
http://www.ibiblio.org/pub/Linux/docs/HOWTO/SSL-Certificates-HOWTO

Notice: Unless your web administrator can procure a certificate signed by an established
        CA, your elog users will be asked if they want to accept your (unverifiable) certificate
        when connecting to your elog server. This is no problem at all but can lead to
        questions if your users are unsure about this.


2. Adapt the certificate file to stunnel4 conventions
-----------------------------------------------------
The certificate filename must be the MD5 checksum:
- Retrieve the MD5 checksum of your certificate with

root@localhost:# openssl x509 -hash -noout -in stunnel.pem 

abcdefgh

- Rename the certificate file accordingly

root@localhost:# mv stunnel.pem abcdefgh.0

- Move the certificate file to the standard location, e.g. /etc/ssl/certs
- change the permissions of the file to -rw-------
- make sure there is a blank line between
  -----END RSA PRIVATE KEY----- and -----BEGIN CERTIFICATE-----
  and a blank line after
  -----END CERTIFICATE-----
  in your certificate file.


3. Configure stunnel4
---------------------
Install the stunnel4 package (if not already done).
Modify the configuration file (e.g. /etc/stunnel/stunnel.conf, depending on your
distribution):

- general options:
  cert = /etc/ssl/certs/abcdefgh.0    ; put the name of your certificate file here
  debug = 4                           ; otherwise ALL connection attempts will be logged to your syslog
  pid = /var/run/stunnel4/stunnel.pid ; check where the other services write their pid-files, depends 
                                      ; somewhat on the distribution

- comment out all lines containing chroot options
- comment out all CA lines
- comment out all service sections except the HTTPS section, which should look as follows

[https]
accept  = 443       ; i.e. stunnel listens on port 443, the standard https port
connect = 8080      ; and forwards all connections to port 8080 (use the port under which
                    ; your elogd is running here!)
TIMEOUTclose = 0    ; for buggy MS Internet Explorers, see the stunnel4 manpage


Some Linux distributions require that in the file /etc/defaults/stunnel4 the option ENABLED be set
to ENABLED=1. Otherwise stunnel will not be started at system boot.
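A small checker for the stunnel4 options prescribed in this section, added here as an example; it is not part of the original how-to nor of stunnel itself. It parses a file in the format of the attached stunnel.conf (the sample embedded below is a constructed copy of that attachment) and reports every deviation from the rules above; the elogd port is assumed to be 8080 as in the text.

```python
import re

# Constructed copy of the attached sample stunnel.conf (attachment 2),
# used as the input the checker is run against.
SAMPLE_CONF = """\
cert = /etc/ssl/certs/abcdefgh.0
pid = /var/run/stunnel4/stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 4
[https]
accept  = 443
connect = 8080
TIMEOUTclose = 0
"""

def parse_stunnel_conf(text):
    """Return (global_options, {section: options}); ';' starts a comment."""
    global_opts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop stunnel-style comments
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        target = global_opts if current is None else sections[current]
        target.setdefault(key.strip().lower(), []).append(value.strip())
    return global_opts, sections

def check_conf(text, elogd_port="8080"):
    """Findings against the how-to's rules; an empty list means the config conforms."""
    g, s = parse_stunnel_conf(text)
    findings = []
    if "cert" not in g:
        findings.append("no global 'cert' option")
    if "chroot" in g:
        findings.append("chroot must be commented out")
    for k in ("cafile", "capath", "crlfile", "crlpath"):
        if k in g:
            findings.append("CA option '%s' must be commented out" % k)
    if g.get("debug", ["5"]) != ["4"]:  # stunnel's own default level is 5
        findings.append("debug should be 4 to keep syslog noise down")
    if list(s) != ["https"]:
        findings.append("exactly one service section, [https], expected")
    https = s.get("https", {})
    if https.get("accept") != ["443"]:
        findings.append("[https] accept should be 443")
    if https.get("connect") != [elogd_port]:
        findings.append("[https] connect must be the elogd port %s" % elogd_port)
    if https.get("timeoutclose") != ["0"]:
        findings.append("[https] TIMEOUTclose = 0 recommended")
    return findings
```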


4. Start the stunnel4 server
----------------------------
root@localhost:# stunnel4 /etc/stunnel/stunnel.conf

Your elog should now be accessible via

https://your.elog.server
Attachment 2: stunnel.conf (293 Bytes)
cert = /etc/ssl/certs/abcdefgh.0
pid = /var/run/stunnel4/stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 4

; Service-level configuration
[https]
accept  = 443
connect = 8080
TIMEOUTclose = 0