Setting Up Stunnel Under MacOS X
Stunnel is a universal SSL (Secure Sockets Layer) wrapper. With it you can connect clients that don't support SSL to servers that do (I use it as my SSL mechanism for Jabber, because we use SSL-encrypted Jabber at work and none of the OS X Jabber clients support SSL), and you can put SSL in front of services whose original application does not support it (for example, reaching Radio over an SSL-encrypted browser connection).
Building and setting up Stunnel under MacOS X requires a little more fiddling than many packages, but isn't a huge chore. I've done this often enough that I figured I should share it with the world (I've built it for other people half a dozen times in the last few weeks, and I have it installed on all my systems).
Requirements
- MacOS 10.1.x (if you have an earlier version, send mail for SSL instructions).
- Developer Tools
- A network connection
Build Steps
There are two things we need to do: first, get headers installed for the version of OpenSSL already on the system, and second, build and install Stunnel itself. For the OpenSSL instructions I am cribbing from the terrific people who run Stepwise; they have been putting up instructions for building OpenSSH since before the Rhapsody days (when I started reading there). The article I am cribbing from is Building OpenSSH 3.1 on Mac OS X 10.1.x by Scott Anguish (and while I was at it I learned how they use CSS to do their code box).
We first need to get the OpenSSL headers installed, because they are not a standard part of the OS or the Developer Tools (the openssl binary and libraries are there, but not the headers). If you've already done this, you can skip this step.
# Fetch and unpack the Stepwise repackaging of Apple's OpenSSL 0.9.6b source
curl -O http://www3.stepwise.com/Articles/Workbench/OpenSSL-0.9.6b-7.1.tar.gz
gnutar -xzf OpenSSL-0.9.6b-7.1.tar.gz
cd OpenSSL-7-1/openssl
# Configure the source tree; we only need the headers, not a library build
./config
# Replace any old copy of the headers under /usr/local/include
sudo mkdir -p /usr/local/include
sudo rm -rf /usr/local/include/openssl
sudo cp -r include/openssl /usr/local/include/openssl
Now that we have headers for OpenSSL, it's time to get on with the real business: building Stunnel. If you don't already have TCP wrappers installed, use the first version of the ./configure command. Building with TCP wrappers is useful, but you can rapidly get confused if you have an overly aggressive hosts.allow and hosts.deny setup.
The reason for copying the openssl binary (in the steps below) is that Stunnel's configure and make will not recognise a valid OpenSSL installation until they find a ../bin/openssl and ../include/openssl/ pair under the same prefix, and the system layout (binary in /usr/bin, our headers in /usr/local/include) does not give them one. Copying the binary to /usr/local/bin completes the pair (thanks to Herb Hrowal for finally doing the obvious and making a copy to see if it worked; until then, Stunnel in server mode just didn't work).
curl -O http://www.stunnel.org/download/stunnel/src/stunnel-3.22.tar.gz
gnutar -zxf stunnel-3.22.tar.gz
cd stunnel-3.22
# Pair /usr/local/bin/openssl with /usr/local/include/openssl so that
# Stunnel's configure recognises the OpenSSL installation (see above)
sudo cp -fp /usr/bin/openssl /usr/local/bin/openssl
# No tcp wrappers, or you don't care
./configure \
    --prefix=/usr \
    --mandir=/usr/share/man
# If tcp wrappers is installed and you need it
./configure \
    --prefix=/usr \
    --mandir=/usr/share/man \
    --with-tcp-wrappers
make
sudo make install
The later stages of the make ask you for some real-world values (country, organisation, host name and so on) to generate a self-signed test certificate, and then run some basic tests. If these fail, run make clean and start over. The resulting stunnel.pem holds both the private key (unencrypted, so that stunnel can start unattended) and the certificate in one file; keep it readable by its owner only (chmod 600), and expect browsers to warn about it, since nobody they trust has signed it.
Using Stunnel
Stunnel can run as a foreground or a background process. For testing, I recommend the -f switch (which keeps it in the foreground) so that you see immediately what is happening; if that is not enough detail, -D 7 raises the debugging output to its maximum. For Radio users trying to get a handle on things, I'd recommend something like the following: -f keeps stunnel in the foreground, -p is the path to the certificate file (use the one created during the build for now), -d is the port stunnel opens for incoming SSL connections, and -r localhost:5335 is the system and port the decrypted traffic is forwarded to (5335 being Radio's local port).
stunnel -f -p /path/to/your/build/stunnel.pem -d 5336 -r localhost:5335
Assuming that you are running Radio on your local system, you should be able to use the URL https://localhost:5336/ in your browser to connect to Radio (the browser will warn about the self-signed test certificate; that is expected). Bear in mind that only the browser-to-stunnel leg is encrypted: traffic from stunnel to the host named by -r travels in the clear, so keep that host on the same machine or on a network you trust. Once that is working, you will want to start things up for real, logging to a file and using a certificate kept outside the build tree, something like this:
sudo stunnel -o /path/to/log -p /path/to/runtime/radio.pem -d 5336 -r dest-hostname:5335
By way of example, I use this on the system I use for Radio entry:
sudo stunnel -o /private/var/log/stunnel.radio.log -p /usr/local/radio-tunnel.pem -d 5336 -r zilla:5335
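Before pointing -p at a certificate file for the long-running server above, it is worth checking that the file actually is what stunnel 3.x expects (private key and certificate together in one PEM file) and that nobody but its owner can read the key. The following POSIX sh script is an added example, not part of the original page or of stunnel itself: check_pem does those two checks, and the demo exercises it on constructed marker-only files (no real keys; the "..." stands in for key material). The probe_tunnel function is illustrative only and assumes openssl(1) is installed and a tunnel is already listening; it is not run by the demo.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM file given to stunnel -p.
# Assumes POSIX sh with ls, cut, grep and mktemp; not from the original page.

# check_pem FILE
# Returns 0 when FILE holds both a private key block and a certificate
# block and is readable by its owner only; prints a reason and returns 1
# otherwise.
check_pem() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: no such file"
        return 1
    fi
    if ! grep -q 'BEGIN.*PRIVATE KEY' "$f"; then
        echo "$f: no private key block (stunnel wants key and cert in one file)"
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$f"; then
        echo "$f: no certificate block"
        return 1
    fi
    # Columns 5-10 of ls -l are the group and other permission bits;
    # a private key must show none of them set.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: group/other permissions are '$perms'; run chmod 600 $f"
        return 1
    fi
    return 0
}

# probe_tunnel HOST:PORT
# Illustrative smoke test (assumes openssl(1) and a running tunnel):
# completes an SSL handshake and prints the served certificate's subject
# and validity dates. Without -verify/-CAfile, s_client accepts any
# certificate, so this proves the tunnel is up, not who is on the other end.
probe_tunnel() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates
}

# Demonstration on constructed files (marker lines only, not real keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '...' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' '...' '-----END CERTIFICATE-----' > "$d/good.pem"
    chmod 600 "$d/good.pem"
    cp "$d/good.pem" "$d/loose.pem"          # same content, world-readable
    chmod 644 "$d/loose.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '...' '-----END CERTIFICATE-----' > "$d/certonly.pem"
    chmod 600 "$d/certonly.pem"             # certificate without its key
    for p in good loose certonly; do
        if check_pem "$d/$p.pem"; then
            echo "$p.pem: ok"
        fi
    done
    rm -rf "$d"
}

demo
```

Only good.pem passes; loose.pem fails on permissions and certonly.pem fails for lack of a key, which are the two mistakes that most often leave a freshly built stunnel either refusing to start or quietly exposing its key.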
Stunnel clients
Using Stunnel as a client is a bit easier, because you don't need to provide a certificate: -c puts stunnel in client mode, so it accepts plain connections on incoming-port and opens SSL connections to the destination. Two cautions apply. First, in client mode stunnel does not check the server's certificate unless you ask it to, so this protects you against eavesdropping but not against an impostor server; if that matters, look at the -v verify level and the -A and -a options for pointing it at trusted CA certificates in the stunnel man page for your version. Second, bind the plain-text listener to the loopback address (-d 127.0.0.1:incoming-port) so that other hosts cannot use your tunnel. The general form is:
stunnel -o /log-path/name -c -d incoming-port -r destination-ip:destination-port
Stunnel Security
If you run long-term Stunnel processes, the tunnelled port is open to anyone who can reach the machine, so you face some potential problems. You can either add rules for the port to hosts.allow and hosts.deny (this only works if you built with --with-tcp-wrappers) or use some sort of IP filtering. I lean towards the latter for now (because I have not set up any inetd rules to allow or disallow tunnelled ports). Since the examples above start stunnel with sudo, also consider its -s and -g options, which make it switch to an unprivileged user and group once it is running. ipfw evaluates rules in order, so the allow lines must come before the final deny, and the log keyword on that deny records rejected attempts so you can see who is knocking. Here is an example from one of my systems' ipfw.conf files:
#
# Radio stunnel access
#
add allow tcp from <some-host-range> to any 5336
add allow tcp from <some-host-ip> to any 5336
add allow tcp from <some-host-ip> to any 5336
add deny log tcp from any to any 5336
© Copyright 2002 Dave Ely.
Last update: 3/23/02; 10:36:03 PM.