Adding stunnel section to proxies
authorSebastian Wagner <sebix@sebix.at>
Fri, 13 Feb 2015 09:42:23 +0000 (10:42 +0100)
committerSebastian Wagner <sebix@sebix.at>
Fri, 13 Feb 2015 09:47:41 +0000 (10:47 +0100)
src/configuration/Proxies/stunnel/stunnel.conf [new file with mode: 0644]
src/practical_settings/proxy_solutions.tex

diff --git a/src/configuration/Proxies/stunnel/stunnel.conf b/src/configuration/Proxies/stunnel/stunnel.conf
new file mode 100644 (file)
index 0000000..2a42037
--- /dev/null
@@ -0,0 +1,63 @@
+; Adapted example configuration, by removing all services
+; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
+; Some options used here may be inadequate for your particular configuration
+; This sample file does *not* represent stunnel.conf defaults
+; Please consult the manual for detailed description of available options
+
+; **************************************************************************
+; * Global options                                                         *
+; **************************************************************************
+
+; A copy of some devices and system files is needed within the chroot jail
+; Chroot conflicts with configuration file reload and many other features
+; Remember also to update the logrotate configuration.
+;chroot = /var/lib/stunnel4/
+; Chroot jail can be escaped if setuid option is not used
+;setuid = stunnel4
+;setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid=/stunnel4.pid
+
+; Debugging stuff (may useful for troubleshooting)
+;debug = 7
+;output = /var/log/stunnel4/stunnel.log
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections  *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
+key = /etc/ssl/private/ssl-cert-snakeoil.key
+
+; Authentication stuff needs to be configured to prevent MITM attacks
+; It is not enabled by default!
+;verify = 2
+; Don't forget to c_rehash CApath
+; CApath is located inside chroot jail
+;CApath = /certs
+; It's often easier to use CAfile
+;CAfile = /etc/stunnel/certs.pem
+; Don't forget to c_rehash CRLpath
+; CRLpath is located inside chroot jail
+;CRLpath = /crls
+; Alternatively CRLfile can be used
+;CRLfile = /etc/stunnel/crls.pem
+
+ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+
+curve = secp384r1
+options = NO_SSLv2
+options = NO_SSLv3
+options = cipher_server_preference
+; Secure Client-Initiated Renegotiation can only be disabled wit stunnel >= 4.54
+;renegotiation = no
+
+; Workaround for Eudora bug
+options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; These options provide additional security at some performance degradation
+;options = SINGLE_ECDH_USE
+;options = SINGLE_DH_USE
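Review bot: The `cert`/`key` lines point at Debian's self-signed snakeoil placeholder with nothing saying it must be replaced, so a reader who copies this file verbatim ends up with a listener whose certificate no client can validate; add `; Placeholder only: replace with your real certificate chain and key (key file mode 0600, readable by the stunnel user)` above `cert =`. With `chroot`, `setuid` and `setgid` all commented out the daemon keeps running as root and unconfined, and `pid=/stunnel4.pid` then lands in the real filesystem root rather than the jail that the `PID is created inside the chroot jail` comment describes, so either enable the jail and the privilege drop together or change the pid path to match the uncommented state. The cipher list contains `!aNULL!eNULL` with no colon between the two exclusions; what OpenSSL actually derives from that is what matters, so check the effective list with `openssl ciphers -v '<the string>'` and, if the NULL ciphers are not excluded, correct it to `!aNULL:!eNULL:`. The renegotiation comment also reads `wit` where `with` is meant.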
+
index 3fa0e5f..0a22182 100644 (file)
@@ -116,3 +116,32 @@ Disabling protocols and ciphers in a forward proxy environment could lead to une
 
 \subsubsection{Settings}
 \configfile{pound.cfg}{31}{HTTPS Listener in Pound}
+
+
+%% ---------------------------------------------------------------------- 
+\subsection{stunnel}
+% See https://www.stunnel.org/
+
+\subsubsection{Tested with Versions}
+\begin{itemize*}
+  \item stunnel 4.53-1.1ubuntu1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f, without disabling Secure Client-Initiated Renegotiation
+  \item stunnel 5.02-1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f
+  \item stunnel 4.53-1.1 on Debian Wheezy with OpenSSL 1.0.1e, without disabling Secure Client-Initiated Renegotiation
+\end{itemize*}
+
+\subsubsection{Settings}
+\configfile{stunnel.conf}{48-55}{HTTPS Listener in Pound}
+
+\subsubsection{Additional information}
+Secure Client-Initiated Renegotiation can only be disabled for stunnel versions >= 4.54, when the renegotiation parameter has been added (See changelog).
+
+\subsubsection{References} 
+\begin{itemize*}
+  \item stunnel documentation: \url{https://www.stunnel.org/static/stunnel.html}
+  \item stunnel changelog: \url{https://www.stunnel.org/sdf_ChangeLog.html}
+\end{itemize*}
+
+
+\subsubsection{How to test} 
+See appendix \ref{cha:tools}
+
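Review bot: The `\configfile` caption for the stunnel listing still reads `HTTPS Listener in Pound`, copied from the Pound subsection directly above, so the figure is mislabelled in the rendered guide; change it to `\configfile{stunnel.conf}{48-55}{TLS settings in stunnel}`. The `>=` in the Additional information paragraph is typeset as plain text in LaTeX and should be `$\geq$` to match the rest of the document. It would also help readers to say in that paragraph that on the two 4.53 test setups the `renegotiation` line was therefore left commented out, as the listing shows.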