
I'm trying to set up Wireshark SSL debugging, and to do this, I'm trying to follow the instructions in this article.

I'm currently at the stunnel part, and I'm trying to execute

sudo stunnel -p ps.pem -d 443 -r 8080

The output of this is

Clients allowed=500
stunnel 4.53 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 0.9.8k 25 Mar 2009
Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
Reading configuration from file -p
-p: No such file or directory (2)
Cannot read configuration

Syntax:
stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
    <filename>  - use specified config file
    -fd <n>     - read the config file from a file descriptor
    -help       - get config file help
    -version    - display version and defaults
    -sockets    - display default socket options
str_stats: 1 block(s), 3 data byte(s), 34 control byte(s)

This is probably not what is expected in this case.

How do I properly use stunnel with the provided certificate?

1 Answer


stunnel has changed itself to a new interface since version 4, which is not backward compatible. But Debian ships a wrapper script /usr/bin/stunnel which behaves like stunnel-3.x, for cooperating with legacy installations. This wrapper script can do the right things if you follow the old way, but when there is any small mistake, the wrapper script doesn't handle it, and error messages from the real binary /usr/bin/stunnel4 come out and make you confused.

So don't ever use that anymore. You should read man stunnel4, explicitly run the /usr/bin/stunnel4 binary, and use the new syntax.

To briefly point out how things have changed in stunnel 4.x and above: you can no longer specify anything on the command line. All you can do, and have to do, is write a config file and pass its filename as the only argument.

Now let me show you how to write such a config file.

## this is an INI'ish file
## (comments are lines starting with "#" or ";"; stunnel does not strip
##  a trailing "## ..." from an option value, so keep comments on their own lines)
##
## global options come first
foreground = yes
sslVersion = all
## in most cases it is okay to leave pid empty
pid =
##
## you can have as many service sections as you want, to listen on
## different ports, use different keys and forward to different destinations
[service_A]
## "client" set to "no" means stunnel speaks SSL on the listening port
## and plaintext on the remote side; "yes" is the reverse
client = no
## do not check the peer certificate
verify = 0
cert = /etc/ssl/certs/stunnel.pem
accept = 443
connect = 80
[another_section]
...

However, I strongly don't recommend using stunnel in simple situations like this. socat is a far cuter utility.

socat openssl-listen:443,certificate=a.pem,fork tcp:localhost:80

Besides this, socat is very sweet and sharp and can do a mountain of other amazing things. You will definitely love it if you try it.
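The most common way the config-file approach above goes wrong is a layout mistake that stunnel4 accepts silently, for example a trailing "## note" that becomes part of an option value, or a service section with no accept/connect or no cert. The following small linter is an added example, not part of the answer and not stunnel's own parser; it assumes (as labelled in the comments) that stunnel treats a line starting with "#" or ";" as a comment but does not strip trailing comments from values. The two config texts inside it are constructed samples: one in the answer's layout with inline comments, and one for the question's own case (SSL on 443 forwarded to plaintext 8080 with the asker's ps.pem, whose path is a placeholder).

```python
"""Lint a stunnel 4.x style config file before handing it to /usr/bin/stunnel4.

Added example for this answer; this is not stunnel's own parser.
Assumptions (labelled): a line whose first non-blank character is '#' or ';'
is a comment, and stunnel does NOT strip a trailing '## ...' from an option
value, so "pid =   ## note" would be read as a pid path of "## note".
"""
from dataclasses import dataclass

GLOBAL = "<global>"          # pseudo-section for options before the first [section]
COMMENT_CHARS = "#;"


@dataclass
class Finding:
    section: str
    line_no: int
    message: str


def parse_stunnel_conf(text):
    """Return [(section_name, header_line_no, [(line_no, key, value), ...]), ...].

    Duplicate keys (e.g. several 'accept' lines) are kept in order, which is why
    this does not use configparser.
    """
    sections = [(GLOBAL, 0, [])]
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue                                   # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), n, []))   # "[ name ]" -> "name"
            continue
        key, sep, value = line.partition("=")
        # value None marks a line that is neither a section header nor "key = value"
        sections[-1][2].append((n, key.strip().lower(), value.strip() if sep else None))
    return sections


def check_stunnel_conf(text):
    """Return a list of Findings; an empty list means no obvious mistake."""
    findings = []
    for section, header_no, entries in parse_stunnel_conf(text):
        keys = {}
        for n, key, value in entries:
            if value is None:
                findings.append(Finding(section, n, f"line is not 'key = value': {key!r}"))
                continue
            if any(c in value for c in COMMENT_CHARS):
                findings.append(Finding(section, n,
                    f"{key}: inline comment would become part of the value {value!r}"))
            keys.setdefault(key, []).append(value)
        if section == GLOBAL:
            continue
        # Every service needs somewhere to listen and somewhere to forward to.
        if "accept" not in keys:
            findings.append(Finding(section, header_no, "service has no 'accept'"))
        if "connect" not in keys and "exec" not in keys:
            findings.append(Finding(section, header_no, "service has no 'connect' (or 'exec')"))
        # In server mode (client = no, the default) stunnel must present a certificate.
        if keys.get("client", ["no"])[-1].lower() == "no" and "cert" not in keys:
            findings.append(Finding(section, header_no, "server-mode service has no 'cert'"))
    return findings


def move_inline_comments(text):
    """Rewrite 'key = value  ## note' as a comment line followed by 'key = value'."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS or "=" not in line:
            out.append(raw)
            continue
        key, _, value = line.partition("=")
        idx = min((value.find(c) for c in COMMENT_CHARS if c in value), default=-1)
        if idx >= 0:
            out.append(value[idx:].strip())            # comment gets its own line
            value = value[:idx]
        out.append(f"{key.strip()} = {value.strip()}".rstrip())   # "pid =" stays empty
    return "\n".join(out) + "\n"


# Constructed sample: the answer's layout with inline comments, which stunnel4 would misread.
BAD_CONF = """\
foreground = yes
sslVersion = all
pid =                     ## in most cases it is okay to leave pid empty
[ service_A ]
client = no               ## speak SSL on the listening port, plaintext to the backend
verify = 0                ## do not check the peer certificate
cert = /etc/ssl/certs/stunnel.pem
accept = 443
connect = 80
"""

# Constructed sample for the question's case: SSL on 443 forwarded to plaintext 8080.
GOOD_CONF = """\
## global options
foreground = yes
pid =
[wireshark_debug]
client = no
cert = /path/to/ps.pem
accept = 443
connect = 8080
"""

if __name__ == "__main__":
    for f in check_stunnel_conf(BAD_CONF):
        print(f"[{f.section}] line {f.line_no}: {f.message}")
    print("--- rewritten ---")
    print(move_inline_comments(BAD_CONF))
```

Run it on a config file with `python3 lint_stunnel.py` after replacing the samples with `open(path).read()`; a clean result means the file is at least structurally what stunnel4 expects, after which `/usr/bin/stunnel4 /path/to/file.conf` is the whole invocation.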