VPN
ivvanptr, 2019-08-05 20:56:10

How to do proper stunnel encryption?

I hadn't come across stunnel before; I set it up according to the man page, but didn't dig into it too much.
The man page has a lot of different encryption options.
For example, here a person generates both a cert and a key and some kind of CAfile

like this

cert = /etc/stunnel/certs/server.crt
key = /etc/stunnel/certs/server.key
CAfile = /etc/stunnel/certs/clients.pem

Do I need to bother with all this, or is it enough to generate a single stunnel.pem file
with a command like this

cd /etc/stunnel/
sudo -s
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem
cat key.pem cert.pem >> stunnel.pem
rm key.pem cert.pem
exit

I found a lot of different approaches on Google: some people use as many as three keys, others use a single stunnel.pem file.
What is the difference? Please help me figure it out.
I also have a question about the TCP_NODELAY parameter, which can help with a slow connection; the site https://www.stunnel.org/faq.html says to configure both the client and the server with socket = r:TCP_NODELAY=1
But what do I do if I have several different servers with different settings in C:\Program Files (x86)\stunnel\config\stunnel.conf?
[client1]
client = yes
accept = 127.0.0.1:100
connect = site1.ru:443
cert = stunnel.pem
[oclient2]
client = yes
accept = 127.0.0.1:101
connect = site2.ru:443
cert = stunnel2.pem
So if I write here
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
then it will apply to all of them, but I only need it for client2...


1 answer(s)
Elvis, 2019-08-05
@Dr_Elvis

CAfile is the file of the CA that issued the certificate. If you generate certificates yourself rather than buying them, this file "tells" the system that this CA issued the certificate.
It is standard to use a key and a pem in the configuration. But I have also seen only a pem being used.
I can't say 100% about TCP_NODELAY, I haven't used it, but it seems to me that it will work for whichever configuration section you write it under. That is, for example, it will apply to configuration 1 only (and set it on the server as well):
[client1]
client = yes
accept = 127.0.0.1:100
connect = site1.ru:443
cert = stunnel.pem
socket = r:TCP_NODELAY=1
[oclient2]
client = yes
accept = 127.0.0.1:101
connect = site2.ru:443
cert = stunnel2.pem
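Added example, not part of the question or the answer above: a small Python script that models the two points raised here. It parses an stunnel.conf the way the question reads it (a socket line before the first [section] is a global default for every service, a socket line inside a section applies only to that service) and checks that a single-file stunnel.pem, as produced by the cat key.pem cert.pem command in the question, actually contains both a private key block and a certificate block. The sample config and the PEM contents are constructed for the example; the base64 bodies are dummies.

```python
"""Constructed example: report, per stunnel service section, which 'socket'
options are in effect (global defaults plus the section's own), and verify
that a referenced single-file PEM carries both a key and a certificate."""
import re
from typing import Dict, List, Tuple

# Constructed sample config mirroring the question's layout: one global
# 'socket' line (applies to every service) plus a per-service one in client2.
SAMPLE_CONF = """\
; global options: everything before the first [section] is a default for all services
socket = l:TCP_NODELAY=1

[client1]
client = yes
accept = 127.0.0.1:100
connect = site1.ru:443
cert = stunnel.pem

[client2]
client = yes
accept = 127.0.0.1:101
connect = site2.ru:443
cert = stunnel2.pem
socket = r:TCP_NODELAY=1
"""

Section = Dict[str, List[str]]   # option -> list of values (stunnel allows repeated keys)


def parse_stunnel_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Return (global_options, {service_name: options}).
    Keys may repeat (e.g. several 'socket =' lines), so every value is a list."""
    global_opts: Section = {}
    services: Dict[str, Section] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:                                    # start of a [service] section
            current = services.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def effective_socket_options(text: str) -> Dict[str, List[str]]:
    """Per service: the global 'socket' values followed by the section's own."""
    global_opts, services = parse_stunnel_conf(text)
    return {name: global_opts.get("socket", []) + opts.get("socket", [])
            for name, opts in services.items()}


# One PEM block: '-----BEGIN X-----' ... '-----END X-----' with matching labels.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(pem_text: str) -> List[str]:
    """Labels of the PEM blocks in a file, in order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def pem_has_key_and_cert(pem_text: str) -> bool:
    """True when a single-file stunnel.pem carries both a private key and a certificate."""
    types = pem_block_types(pem_text)
    return any(t.endswith("PRIVATE KEY") for t in types) and "CERTIFICATE" in types


# Constructed stand-ins for the result of 'cat key.pem cert.pem >> stunnel.pem';
# only the block headers matter to this check, the bodies are dummies.
GOOD_PEM = ("-----BEGIN PRIVATE KEY-----\nMIIE...dummy...\n-----END PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\nMIID...dummy...\n-----END CERTIFICATE-----\n")
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nMIID...dummy...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, socks in effective_socket_options(SAMPLE_CONF).items():
        print(f"{name}: socket options in effect -> {socks}")
    print("stunnel.pem has key and cert:", pem_has_key_and_cert(GOOD_PEM))
    print("cert-only pem has key and cert:", pem_has_key_and_cert(CERT_ONLY_PEM))
```

Run it and client1 shows only the global l:TCP_NODELAY=1 while client2 shows both that and its own r:TCP_NODELAY=1, which is the per-section placement the answer describes; the PEM check catches the case where the key was lost (for example because the cat ran with the wrong file order or the rm ran before it), since stunnel cannot serve without the private key.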
