Home » Categories » Linux

stunnel: Authentication

Article Number: 374 | Rating: Unrated | Last Updated: Fri, Sep 28, 2018 7:36 PM

Either the TLS client, the TLS server, or both need to be authenticated:

  • Server authentication prevents Man-In-The-Middle (MITM) attacks on the encryption protocol.
  • Client authentication allows for restricting access for individual clients (access control).

PSK

The easiest way to configure authentication is with PSK (Pre-Shared Key). It provides both client and server authentication. PSK is also the fastest TLS authentication.

 

PSK authentication requires stunnel version 5.09 or higher.

Server Configuration

A trivial configuration example:

[PSK server]
accept = <server_port>
connect = <dst_port>
ciphers = PSK
PSKsecrets = psk.txt

The psk.txt file contains one line for each client:

test1:oaP4EishaeSaishei6rio6xeeph3az
test2:yah5uS4aijooxilier8iaphuwah1Lo

Client Configuration

A trivial configuration example:

[PSK client 1]
client = yes
accept = 127.0.0.1:<src_port>
connect = <server_host>:<server_port>
PSKsecrets = psk1.txt

The psk1.txt file only needs a single line:

test1:oaP4EishaeSaishei6rio6xeeph3az

Each client needs a separate secret. Otherwise, all the clients sharing the same key will have to be reconfigured if the key is compromised.

Certificates

For simplicity, this tutorial only covers server authentication. The advantage of this configuration is that it does not require individual secrets for each of the clients.

Server Configuration

Unless PSK authentication is configured, each stunnel server needs a certificate with the corresponding private key. The Windows installer of stunnel automatically builds a certificate. On Unix platforms, a certificate can be built with "make cert". A certificate can also be purchased from one of the available commercial certificate authorities.

A trivial configuration example:

[certificate-based server]
accept = <server_port>
connect = <dst_port>
cert = cert.pem
key = key.pem

The "key" option may be omitted if cert.pem also contains the private key.

Client Configuration

stunnel can use an existing PKI (Public Key Infrastructure). The following configuration requires stunnel 5.15 or later:

[PKI client]
client = yes
accept = 127.0.0.1:<src_port>
connect = <server_host>:<server_port>
verifyChain = yes
CAfile = ca-certs.pem
checkHost = <server_host>

The ca-certs.pem file contains the certificates of trusted certificate authorities.

Alternatively, a technique known as certificate pinning can be used. The following configuration requires stunnel version 4.46 or higher:

[pinning client]
client = yes
accept = 127.0.0.1:<src_port>
connect = <server_host>:<server_port>
verifyPeer = yes
CAfile = peer-certificate.pem

The peer-certificate.pem file needs to contain the server certificate.
Posted - Fri, Sep 28, 2018 7:36 PM. This article has been viewed 9269 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
RHEL: How to change a USER/GROUP UID/GID and all owned files
Viewed 23213 times since Sat, Jun 2, 2018
logrotate Understanding logrotate utility
Viewed 1940 times since Sun, Jan 12, 2020
Linux nslookup Command Examples for DNS Lookup
Viewed 9135 times since Sat, Sep 29, 2018
linux ssh Remotely Initiated Reverse SSH Tunnel
Viewed 3326 times since Wed, Apr 22, 2020
Tunnel SSH Connections Over SSL Using ‘Stunnel’ On Debian 7 / Ubuntu 13.10
Viewed 3463 times since Fri, Sep 28, 2018
Netcat shell zabezpieczony hasłem
Viewed 2363 times since Thu, May 24, 2018
20 IPtables Examples For New SysAdmins
Viewed 2334 times since Fri, May 15, 2020
Top 20 OpenSSH Server Best Security Practices - good article
Viewed 10833 times since Mon, Oct 1, 2018
SSL HowTo: Decode CSR
Viewed 5175 times since Mon, Feb 18, 2019
How To Set Up an SSL Tunnel Using Stunnel on Ubuntu
Viewed 3446 times since Fri, Sep 28, 2018