Friday, 11 March 2011

Setting up stunnel in client mode in Backtrack 4 / Ubuntu

This blog post explains how to configure stunnel so that tools that do not speak SSL (netcat, for example) can communicate with SSL-protected services. Our example uses HTTPS.

Before stunnel, a direct attempt with a non-SSL tool fails:

# nc www.example.com 443
HEAD / HTTP/1.0
..
400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
...

You can find the stunnel configuration file using this command:

# locate stunnel|grep conf

Or you can directly edit the stunnel configuration file like this:

vi /etc/stunnel/stunnel.conf

Configuration changes in the stunnel.conf file (note: comments start with ";"):
  • Comment this out: ;cert = /etc/stunnel/mail.pem (no certificate is needed in client mode)
  • Uncomment this: client = yes
  • Comment out all unneeded services, for example:

;[pop3s]
;accept = 127.0.0.1:110
;connect = 1.2.3.4:995

  • Uncomment and configure the services you need. In this example 1.2.3.4 is the target host you want to connect to; the service accepts clear-text connections on port 80 and forwards them over SSL to the target host on port 443:

[https]
accept = 80
connect = 1.2.3.4:443
TIMEOUTclose = 0

  • Create pem file:

cd /etc/stunnel
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem

  • Fix permissions:

chmod 600 stunnel.pem

  • Shocking but true ... Set as enabled!!!!:

vi /etc/default/stunnel4
ENABLED=1

  • Even more shocking .. Set as enabled again!!!:

vi /etc/init.d/stunnel4
ENABLED=1

  • Now start it via init.d!!!:

/etc/init.d/stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/stunnel.conf]

Now you are ready to go!

There are other self-explanatory commands like:
/etc/init.d/stunnel4 restart
/etc/init.d/stunnel4 stop

After doing all this, you can use non-SSL tools like netcat to communicate with host 1.2.3.4, which requires SSL on port 443. The following works and gets the reply from the web server:

# nc 127.0.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 302 Found
Date: Fri, 11 Mar 2011 05:10:31 GMT
Server: Apache
Location: http://www.example.com/some-other-place/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
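
A hardened variant of the [https] service above, as an added example that is not part of the original post: it binds the listener to loopback and turns on server certificate verification, which stunnel client mode leaves off by default. The CA bundle path (the Debian/Ubuntu default) is an assumption; 1.2.3.4 and www.example.com are the post's placeholders.

```ini
; Constructed example: hardened version of the post's [https] client service.
; Comments must be on their own lines starting with ";".

client = yes

[https]
; A bare "accept = 80" listens on all local IPv4 addresses, so any host that
; can reach this machine could relay traffic through the tunnel.
; Binding to loopback keeps the clear-text side local.
accept = 127.0.0.1:80
connect = 1.2.3.4:443

; Without "verify", stunnel encrypts the connection but accepts any server
; certificate, so the peer is not authenticated.
; verify = 2 refuses the connection unless the server's certificate chain
; validates against the CAs in CAfile.
verify = 2
; Assumption: system CA bundle at the Debian/Ubuntu default location.
CAfile = /etc/ssl/certs/ca-certificates.crt

; verify = 2 checks the chain only, not the host name in the certificate.
; Newer stunnel 5.x releases add checkHost for that; it is left commented out
; because the 4.x packages this post targets are assumed not to support it.
;checkHost = www.example.com

TIMEOUTclose = 0
```

With this configuration the netcat test becomes `nc 127.0.0.1 80` exactly as before; a certificate that does not chain to a trusted CA makes stunnel drop the connection instead of forwarding it.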