
Adding SSL/TLS support to your server.

2003-04-27
2003-04-29
  • Orville C. Gull

    Orville C. Gull - 2003-04-27

    This is a quick stunnel mini-HOWTO.  I was going to post it to the Docs section, but there are no valid categories to post to right now.

    --

    It's pretty easy to add SSL support for your world, even if you're using a server version that doesn't support it directly.  I run a TinyMUX for private use by me and my friends, and wanted to support SSL connections.  Here's a very quick overview of how I did it:

    1. You need the "stunnel" package.  How you get this will depend on your OS. I'm running FreeBSD, so I compiled and installed it from the ports collection.

    One caveat -- some versions of Linux supply an old version of stunnel that doesn't support the configuration file syntax I'm using here.  If you use one of these you'll have to translate the configuration file options to command-line options, and supply them on the command line instead.  I'm using version 4.04.  If you successfully get this working with an older version, you can supply me with the details and I'll include them in this document.

    2. stunnel requires a certificate to do its encryption.  Unless you already have a signed certificate for some other purpose, you'll probably want to create a self-signed certificate.  There's a lot of documentation about this on the web so I won't go into too much detail here.  Generally you'll issue a command something like this:

      openssl req -new -x509 -days 365 -nodes -out mux.pem -keyout mux.pem

    This will create a PEM-format certificate and key, with no passphrase.  Put this file somewhere handy (I used a ./tls directory under where I have the MUX server).  Change the permissions on it to 600 or 700 (readable only by the owner), or stunnel will refuse to use it.

    3. Create an stunnel configuration file.  I called mine stunnel.conf and put it in the same directory as the certificate file.  You'll need something like this:

      output = /usr/local/games/tinymux/ssl.log
      cert = /usr/local/games/tinymux/tls/mux.pem
      # debug = debug
      [mux_ssl]
      accept = 4499
      connect = 4444
      TIMEOUTclose = 0

    Change the paths and port numbers to suit your system.  The accept line sets the port number stunnel will listen on for encrypted connections, and the connect line should have the port number your MU* server listens on.

    The text in brackets is a service name, and will be used primarily for logging purposes.  (You can also use it with tcp_wrappers -- see the stunnel documentation for details.)  If you have more than one server to support, you can give each its own section in the file by prefacing each one with a new service name.

    4. Fire up stunnel and give it a try.  Something like this should do the trick (adjust the paths to suit your system):

      stunnel /usr/local/games/tinymux/tls/stunnel.conf

    Check the file you gave on the 'output' line of the configuration file to see if stunnel started successfully.  If so, try connecting to the port you gave on the 'accept' line with Trebuchet.  If all is well, you should get a connection to your MU* server that acts normally, except for being encrypted.  If you run into trouble, try uncommenting the 'debug = debug' line, restart stunnel, and examine the extra debugging information in your 'output' file.

    • Orville C. Gull

      Orville C. Gull - 2003-04-29

      One small correction.  I meant to say "change the permissions to 400 or 600" up in step 2.  700 would also work, but is kind of silly.
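The four steps above (with the 400-or-600 permission correction from the follow-up), wrapped in a few POSIX sh functions as an added example; this is not code from either post. The certificate directory, log path, service name and port numbers are parameters, and the defaults used in the comments (a ./tls directory, mux_ssl, 4499 and 4444) are the post's own; the openssl `-subj` option is used only to skip the interactive prompts. The script prepares and checks what stunnel needs but does not launch stunnel itself.

```shell
#!/bin/sh
# Added example (not from the original post).  Wraps steps 2-4 of the
# stunnel mini-HOWTO in small functions so the cert, its permissions and the
# config file can be checked before "stunnel /path/to/stunnel.conf" is run.

# Step 2: self-signed certificate and key in one PEM file, no passphrase.
# This is the openssl command from the post plus -subj to avoid the prompts
# (the CN value is a placeholder, not taken from the post).
make_selfsigned_cert() {
    pem=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl req -new -x509 -days 365 -nodes -out "$pem" -keyout "$pem" \
        -subj "/CN=mux.example" && chmod 600 "$pem"
}

# The PEM also holds the private key, so group and other must have no access:
# 400 or 600 both pass, 644 does not.  Columns 5-10 of `ls -l` are the
# group/other permission bits, which keeps the check portable across systems.
check_cert_perms() {
    pem=$1
    [ -f "$pem" ] || return 1
    bits=$(ls -ld "$pem" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Step 3: write an stunnel 4.x config for one forwarded service.
# accept = port stunnel listens on for TLS; connect = the plaintext MU* port.
write_stunnel_conf() {
    conf=$1; pem=$2; log=$3; service=$4; accept_port=$5; connect_port=$6
    {
        echo "output = $log"
        echo "cert = $pem"
        echo "# debug = debug"
        echo "[$service]"
        echo "accept = $accept_port"
        echo "connect = $connect_port"
        echo "TIMEOUTclose = 0"
    } > "$conf"
}

# Step 4 preflight: before starting stunnel, confirm the cert is present with
# safe permissions and the config names both ports.  Prints the first problem.
preflight() {
    conf=$1; pem=$2
    check_cert_perms "$pem" || {
        echo "certificate missing or readable by group/others: $pem" >&2; return 1; }
    grep -q '^accept = ' "$conf" && grep -q '^connect = ' "$conf" || {
        echo "config lacks accept/connect lines: $conf" >&2; return 1; }
    return 0
}

# Typical use (assumed paths):
#   make_selfsigned_cert /usr/local/games/tinymux/tls/mux.pem
#   write_stunnel_conf /usr/local/games/tinymux/tls/stunnel.conf \
#       /usr/local/games/tinymux/tls/mux.pem /usr/local/games/tinymux/ssl.log \
#       mux_ssl 4499 4444
#   preflight /usr/local/games/tinymux/tls/stunnel.conf \
#       /usr/local/games/tinymux/tls/mux.pem && stunnel /usr/local/games/tinymux/tls/stunnel.conf
```

`check_cert_perms` is the part worth keeping even if you write the config by hand: stunnel's refusal to load a world-readable key is the one failure mode in this HOWTO that only shows up in the 'output' log, and this check catches it before startup.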

