Friday, 11 March 2011

Setting up stunnel in client mode in Backtrack 4 / Ubuntu

This blog post explains how to configure stunnel so that tools that do not speak SSL (netcat, for example) can talk to SSL-wrapped protocols; in our example we will use HTTPS.

Before stunnel, a direct attempt with a non-SSL tool:

# nc 443
400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

You can find the stunnel configuration file using this command:

# locate stunnel|grep conf

Or you can directly edit the stunnel configuration file like this:

vi /etc/stunnel/stunnel.conf

Configuration changes in the stunnel.conf file (note: comments start with ";"):
  • comment out this line: ;cert = /etc/stunnel/mail.pem (no certificate is needed in client mode)
  • uncomment this: client = yes
  • comment out all unneeded services, for example:

;accept =
;connect =

  • Uncomment and configure the needed services, for example ( represents the target host you want to connect to; the example below accepts clear-text connections on port 80 and forwards them over SSL to the destination host on port 443):

accept = 80
connect =
TIMEOUTclose = 0

  • Create the pem file:

cd /etc/stunnel
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem

  • Fix permissions:

chmod 600 stunnel.pem

  • Shocking but true ... set it as enabled (ENABLED=1) in:

vi /etc/default/stunnel4

  • Even more shocking ... set ENABLED=1 again in:

vi /etc/init.d/stunnel4

  • Now start it via init.d:

/etc/init.d/stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/stunnel.conf]
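Before starting the service it is worth checking that the edited stunnel.conf actually has the client-mode settings listed above. The following linter is an added example, not part of the original post; the service name [https] and the host www.example.invalid in its demo are constructed placeholders.

```shell
#!/bin/sh
# Lint a stunnel.conf for the client-mode settings described in this post.
# Added example, not from the original post. The [https] service name and the
# host www.example.invalid used in the demo below are constructed placeholders.
# Prints FAIL lines and returns 1 when the file will not work as a client,
# returns 0 otherwise. Comment lines start with ";" as in stunnel.conf.
check_stunnel_client_conf() {
    awk '
        BEGIN { bad = 0 }
        { sub(/^[ \t]+/, "") }              # drop leading blanks
        /^;/ || /^$/ { next }               # skip comments and empty lines
        {                                   # split "key = value" and trim blanks
            eq = index($0, "=")
            key = eq ? substr($0, 1, eq - 1) : $0
            val = eq ? substr($0, eq + 1) : ""
            sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        key == "client" && val == "yes" { client = 1 }
        key == "cert"    { cert = 1 }       # an active cert line is a leftover from server mode
        key == "verify"  { verify = 1 }
        key == "accept"  { accepts++ }
        key == "connect" {
            # in client mode connect must name the remote host:port, not a bare port
            if (val ~ /^[^ \t:]+:[0-9]+$/) connects++
            else { print "FAIL: connect = \"" val "\" is not host:port"; bad = 1 }
        }
        END {
            if (!client) { print "FAIL: client = yes is missing or still commented out"; bad = 1 }
            if (cert)    { print "FAIL: an active cert = line remains (not needed in client mode)"; bad = 1 }
            if (accepts == 0 || accepts != connects) {
                print "FAIL: every accept = needs a matching connect = host:port"; bad = 1 }
            if (!verify) print "NOTE: no verify = line, so the server certificate is not checked"
            exit bad
        }' "$1"
}

# Demo on a constructed client-mode config that follows the steps in the post.
demo_conf=$(mktemp)
printf '%s\n' ';cert = /etc/stunnel/mail.pem' 'client = yes' '[https]' \
    'accept = 80' 'connect = www.example.invalid:443' 'TIMEOUTclose = 0' > "$demo_conf"
check_stunnel_client_conf "$demo_conf" && echo "OK: $demo_conf is usable in client mode"
rm -f "$demo_conf"
```

Run it as check_stunnel_client_conf /etc/stunnel/stunnel.conf after editing; the NOTE about verify is informational only, since the post's configuration does not set it.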

Now you are ready to go!

There are other self-explanatory commands like:
/etc/init.d/stunnel4 restart
/etc/init.d/stunnel4 stop

After doing all this you can talk to the host, which requires SSL on port 443, using non-SSL tools like netcat; the following works and returns the reply from the web server:

# nc 80
HTTP/1.1 302 Found
Date: Fri, 11 Mar 2011 05:10:31 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1