I am trying to use stunnel to get an older usenet client to support SSL. I tried the following config:

    [myservice]
    accept = <LOCAL_PORT>
    connect = <REMOTE_HOST>:<REMOTE_PORT>

but stunnel kept failing with the error:

    Section myservice: SSL server needs a certificate

What am I doing wrong?
Best Answer
Set

    client = yes

in the [myservice] section. This tells stunnel that the connect (aka "server") side is the SSL one and the accept (aka "client") side is plain. The default is the opposite, which requires an SSL certificate.

But that's not all! For some insane reason, stunnel defaults to a completely insecure mode that does no verification of the server's certificates, which means that you would be subject to man-in-the-middle (MitM) attacks! To fix this, use the

    verify = 2

and CAfile options. On Ubuntu, the CAfile can be found at /etc/ssl/certs/ca-certificates.crt (from the ca-certificates package). While you're at it, also set

    options = NO_SSLv2

to disable the insecure SSLv2 protocol.

Finally, when you configure your usenet program, disable SSL, since the connection between the application and stunnel does NOT use SSL.
I wrote the following wrapper script to help with this. Replace <LOCAL_PORT>, <REMOTE_HOST>, and <REMOTE_PORT> as appropriate, and replace # ... with whatever command you want to run.
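The answer's own wrapper script is not reproduced above, so here is an added example (not the answerer's script) of a POSIX shell wrapper that assembles a client-mode stunnel section with the settings the answer recommends (client = yes, verify = 2, CAfile, options = NO_SSLv2) and checks that the insecure no-verification default has not slipped back in. The host, port and CA path values are constructed placeholders; the accept address is bound to 127.0.0.1 so that only local programs can reach the plaintext side, which is an assumption on top of the answer rather than something it states.

```shell
#!/bin/sh
# Added example: builds an stunnel client section as described in the answer.
# Values below are constructed placeholders; override them via the environment.
LOCAL_PORT="${LOCAL_PORT:-11119}"                   # plaintext port the usenet client connects to
REMOTE_HOST="${REMOTE_HOST:-news.example.invalid}"  # TLS news server (placeholder)
REMOTE_PORT="${REMOTE_PORT:-563}"                   # NNTPS port
CAFILE="${CAFILE:-/etc/ssl/certs/ca-certificates.crt}"  # Ubuntu ca-certificates bundle

# Print an stunnel config in which the "connect" side is SSL (client = yes),
# the server certificate is checked against the CA bundle (verify = 2 + CAfile),
# and SSLv2 is disabled.  Arguments: local_port remote_host remote_port cafile.
make_stunnel_conf() {
    printf '%s\n' \
        "foreground = yes" \
        "" \
        "[myservice]" \
        "client = yes" \
        "accept = 127.0.0.1:$1" \
        "connect = $2:$3" \
        "verify = 2" \
        "CAfile = $4" \
        "options = NO_SSLv2"
}

# Return 0 if the config actually verifies the peer certificate (verify = 2 or 3
# together with a CAfile), 1 if it is still in the insecure default mode the
# answer warns about.  Takes the config text as its single argument.
conf_is_verified() {
    printf '%s\n' "$1" | grep -q '^verify *= *[23]' &&
    printf '%s\n' "$1" | grep -q '^CAfile *='
}

# Write the config to a private temp file and start stunnel on it, then run
# whatever command was passed on the command line with SSL disabled in the
# application.  Only executed when STUNNEL_WRAPPER_RUN=1 so that sourcing the
# file for the checks above has no side effects.
run_wrapper() {
    conf="$(make_stunnel_conf "$LOCAL_PORT" "$REMOTE_HOST" "$REMOTE_PORT" "$CAFILE")"
    conf_is_verified "$conf" || { echo "refusing to start: certificate verification is off" >&2; return 1; }
    [ -r "$CAFILE" ] || { echo "CA bundle $CAFILE is not readable" >&2; return 1; }
    umask 077
    tmpconf="$(mktemp)" || return 1
    printf '%s\n' "$conf" > "$tmpconf"
    stunnel "$tmpconf" &
    stunnel_pid=$!
    trap 'kill "$stunnel_pid" 2>/dev/null; rm -f "$tmpconf"' EXIT INT TERM
    # ... replace with your usenet client, pointed at 127.0.0.1:$LOCAL_PORT, SSL off
    "$@"
}

if [ "${STUNNEL_WRAPPER_RUN:-0}" = 1 ]; then
    run_wrapper "$@"
fi
```

Run it as STUNNEL_WRAPPER_RUN=1 ./wrapper.sh your-usenet-client; the script refuses to start stunnel if the generated section would fall back to the unverified mode, and removes the temporary config when the client exits.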