I have been using an earlier version of stunnel. In SSL server mode it apparently did not have the certificate feature. That is not necessary for us, because we only run a localhost server that tunnels to a remote server.

Anyway, I have read the FAQ, the tutorials and everything related to this, and tried everything. No matter what I do with the certificate or key settings, it still gives the same error. Here is the complete output:
```
No limit detected for the number of clients
stunnel 4.53 on x86-pc-mingw32-gnu platform
Compiled/running with OpenSSL 0.9.8s-fips 4 Jan 2012
Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
Reading configuration from file stunnel.conf
FIPS mode is enabled
Compression not enabled
Snagged 64 random bytes from C:/.rnd
Wrote 0 new random bytes to C:/.rnd
PRNG seeded successfully
Initializing service section [FIX]
Section FIX: SSL server needs a certificate
Server is down
```

```
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

[FIX]
accept = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5

[FIXLIVE]
accept = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5
```
Note that stunnel installs the stunnel.pem file. I tried uncommenting the key configuration line, and also used openssh to regenerate the key as instructed.

It makes no difference. Is this a bug in stunnel, or am I doing something wrong?
Add client = yes to each service to fix that error message.

You also need to set the options that give you proper SSL security; see below.
```
# Enable proper SSL security. Without this, you are completely insecure!
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
options = NO_SSLv2

[FIX]
client = yes
accept = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5

[FIXLIVE]
client = yes
accept = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5
```
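The two mistakes discussed above (a tunnel to a remote TLS server that is missing `client = yes`, so stunnel runs as an SSL server and demands a certificate; and a client-mode tunnel that never verifies the remote certificate) can be checked mechanically before stunnel is restarted. The following linter is an added example written for this page; it is not part of stunnel and stunnel ships no such tool. It parses the `key = value` / `[section]` format, applies stunnel's rule that global options are inherited by each service unless overridden, and reports findings for both configurations shown above. The two sample configurations are constructed from the question and the answer; the "remote connect target without client = yes" check is a heuristic of this example, not a rule stunnel enforces.

```python
"""Lint a stunnel.conf for the misconfigurations discussed on this page.

Example code written for this page, not part of stunnel.
"""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]

# Constructed copy of the configuration from the question (server mode by default).
BROKEN_CONF = """
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
options = NO_SSLv2
[FIX]
accept = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5
[FIXLIVE]
accept = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5
"""

# Constructed copy of the configuration from the answer (client mode, verified).
FIXED_CONF = """
# Enable proper SSL security. Without this, you are completely insecure!
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
options = NO_SSLv2
[FIX]
client = yes
accept = 127.0.0.1:5679
connect = 216.52.236.112:5680
TIMEOUTconnect = 5
[FIXLIVE]
client = yes
accept = 127.0.0.1:5680
connect = 216.52.236.185:51581
TIMEOUTconnect = 5
"""


def parse_stunnel_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Return (global_options, {service_name: options}).

    stunnel's format: ``key = value`` lines, ``[name]`` service headers, and
    comment lines starting with ';' or '#'. Option names are lower-cased so
    TIMEOUTconnect and timeoutconnect compare equal. Options that stunnel
    allows to repeat (e.g. ``options``) are simply overwritten here, which is
    fine for the checks below.
    """
    global_opts: Section = {}
    services: Dict[str, Section] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = services.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return global_opts, services


def effective(global_opts: Section, svc: Section) -> Section:
    """Service-level options override the global defaults."""
    merged = dict(global_opts)
    merged.update(svc)
    return merged


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, svc in services.items():
        opts = effective(global_opts, svc)
        if opts.get("client", "no").lower() != "yes":
            # Server mode: stunnel refuses to start a section without a cert
            # ("SSL server needs a certificate" in the question's log).
            if "cert" not in opts:
                findings.append(f"[{name}] server mode without cert = ...")
            # Heuristic (this example's own): an outbound tunnel to a
            # non-loopback address is normally meant to be client = yes.
            target = opts.get("connect", "")
            if target and not target.startswith(("127.", "localhost", "::1")):
                findings.append(
                    f"[{name}] connects to remote {target} but client = yes is missing")
            continue
        # Client mode: the remote certificate must actually be verified.
        try:
            level = int(opts.get("verify", "0"))
        except ValueError:
            level = 0
        if level < 2:
            findings.append(
                f"[{name}] client mode with verify = {level}: peer certificate not checked")
        if "cafile" not in opts and "capath" not in opts:
            findings.append(
                f"[{name}] client mode without CAfile/CApath: no trust anchor for verification")
    return findings


if __name__ == "__main__":
    for label, conf in (("question", BROKEN_CONF), ("answer", FIXED_CONF)):
        print(f"{label}: {lint(conf) or 'OK'}")
```

Run against the question's configuration it reports both sections as remote tunnels lacking `client = yes`; against the answer's configuration it reports nothing, because `verify = 2` and `CAfile` in the global section are inherited by both services. One caveat worth knowing when reading the answer: `verify = 2` makes stunnel check that the remote certificate chains to a CA in `CAfile`, but on its own it does not check that the certificate's name matches the host you connect to; stunnel 5.x added the `checkHost` option for that.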