This blog post will explain how to configure stunnel to allow non-SSL speaking tools (like for example netcat) to communicate with SSL protocols, in our example we will use HTTPS.
Before stunnel, direct attempt of using a non-SSL tool:
# nc www.example.com 443
HEAD / HTTP/1.0
400 Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
You can find the stunnel configuration file using this command:
# locate stunnel|grep conf
Or you can directly edit the stunnel configuration file like this:
Configuration changes in the stunnel.conf file (note: comments start with ";"):
- comment this: ;cert = /etc/stunnel/mail.pem (no need for certs on client mode)
- uncomment this: client = yes
- comment all unneeded services, for example:
;accept = 127.0.0.1:110
;connect = 188.8.131.52:995
- Uncomment and configure needed services, for example (184.108.40.206 represents the target host you want to connect to, below accepts connections in clear text on port 80 and forwards them using SSL to the destination host on port 443):
accept = 80
connect = 220.127.116.11:443
TIMEOUTclose = 0
- Create pem file:
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem
- Fix permissions:
chmod 600 stunnel.pem
- Shocking but true ... Set as enabled!!!!:
- Even more shocking .. Set as enabled again!!!:
- Now start it via init.d!!!:
Starting SSL tunnels: [Started: /etc/stunnel/stunnel.conf]
Now you are ready to go!
There are other self-explanatory commands like:
After doing all this you can communicate with host 18.104.22.168, which requires SSL on port 443 with non-SSL tools like netcat, the following would work and get the reply from the web server:
# nc 127.0.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 302 Found
Date: Fri, 11 Mar 2011 05:10:31 GMT
Content-Type: text/html; charset=iso-8859-1