Stunnel -- Universal SSL Wrapper

2013-02-05
Stunnel is a program that lets you encrypt arbitrary TCP connections inside SSL/TLS; it is available on both Unix and Windows. Stunnel can secure daemons and protocols that are not SSL-aware (POP, IMAP, LDAP, etc.) by providing the encryption itself, requiring no changes to the daemon's code.

Stunnel is free, cross-platform software that provides a general-purpose TLS/SSL service. For clients and servers that cannot themselves speak TLS or SSL, Stunnel supplies a secure, encrypted connection. It runs on many operating systems, including Unix-like systems and Windows, and relies on a separate library such as OpenSSL or SSLeay for the TLS/SSL implementation.

1. Download:

https://www.stunnel.org/downloads.html

2. Install:
yum -y install tcp_wrappers
tar xf stunnel-5.32.tar.gz
cd stunnel-5.32
./configure --prefix=/opt/proxy --sbindir=/opt/proxy --bindir=/opt/proxy --sysconfdir=/opt/proxy
make; make install

Building from source also needs the OpenSSL headers (openssl-devel on CentOS/RHEL), otherwise configure stops with a missing-OpenSSL error. If you want stunnel's libwrap support (so /etc/hosts.allow and /etc/hosts.deny apply to its services), install tcp_wrappers-devel as well, since the tcp_wrappers runtime package alone does not provide the headers configure looks for. Every path above points at /opt/proxy, so the binary, stunnel.conf and the certificate all live in that one directory.

3. Scenario: suppose server1 (192.168.1.1) offers an Oracle service (listener on 1521) only to the intranet, and server2 has both an intranet IP (192.168.1.2) and a public IP (114.250.250.1). The stunnel service is configured on server2.

The stunnel.conf file (with the configure flags above it is read from /opt/proxy/stunnel.conf):

; If something goes wrong, enable logging here. The default location depends on the
; --prefix given to configure (/usr/local/var/log/stunnel/stunnel.log for a default
; build); an absolute path avoids surprises after stunnel daemonizes.
output = stunnel.log
; server certificate: PEM file holding the private key and the certificate; keep it mode 0600
cert = stunnel.pem
; the directory must exist before stunnel starts
pid = /var/run/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; server mode (stunnel's default): the accept side speaks TLS, the connect side is
; plaintext. client = yes would invert that, leaving port 1522 plaintext and trying to
; speak TLS to the Oracle listener on 1521, which does not speak TLS.
client = no

[connect]
accept = 1522
connect = 192.168.1.1:1521

After starting stunnel, a TLS client (typically another stunnel running in client mode with connect = 114.250.250.1:1522) can reach Oracle through port 1522 on 114.250.250.1. The Oracle listener itself still only sees plaintext connections arriving from 192.168.1.2; keep 1521 closed to the public side so the tunnel is the only way in.

4. Note: the following error may appear at startup:
FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
This is not a certificate mismatch: stunnel tries to switch OpenSSL into FIPS mode and the FIPS module's integrity self-test (a fingerprint of the library itself) fails. Unless FIPS mode is actually required, add the following at the top of the configuration (in the global section, before the first [service] header):
fips = no

5. Run ./stunnel. Among the startup messages you will see a line such as
Clients allowed=31999
This is the maximum number of concurrent connections stunnel will serve, derived from the process's open-file limit (ulimit -n), not a configured option; raise the limit if the tunnel has to carry more sessions.
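The post shows only the server2 half of the tunnel and never the client half or the certificate. The script below is an added example, not code from the post or from the stunnel project: it writes both stunnel.conf files for the scenario (server2 in server mode, a remote workstation in client mode), generates the self-signed stunnel.pem with openssl, and includes a small lint for the client/server mix-up. Assumptions beyond the post: stunnel 5.x option names (client, verifyPeer, CAfile), the paths /opt/proxy and /etc/stunnel, a workstation that runs its own stunnel, and mutual authentication with a client certificate, which the post's configuration does not have but which keeps the public port from being an open relay to Oracle.

```shell
#!/bin/sh
# Added example for the Oracle-over-stunnel scenario (not from the original post).
# Assumed: stunnel 5.x option names, /opt/proxy on server2, /etc/stunnel on the workstation.

# Write both halves of the tunnel into DIR.
write_tunnel_confs() {
    dir="$1"
    # server2 (192.168.1.2 / 114.250.250.1): TLS terminates here, Oracle sees plaintext.
    cat > "$dir/server2-stunnel.conf" <<'EOF'
pid = /var/run/stunnel/stunnel.pid
output = /opt/proxy/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
fips = no
; server mode: the accept side speaks TLS, the connect side is plaintext
client = no

[oracle]
accept = 114.250.250.1:1522
connect = 192.168.1.1:1521
; private key + certificate in one PEM file, mode 0600
cert = /opt/proxy/stunnel.pem
; only clients whose certificate is listed in CAfile may open the tunnel (assumed addition)
verifyPeer = yes
CAfile = /opt/proxy/allowed-clients.pem
EOF
    # remote workstation: the local Oracle client talks plaintext to 127.0.0.1:1521.
    cat > "$dir/client-stunnel.conf" <<'EOF'
pid = /var/run/stunnel-client.pid
output = /var/log/stunnel-client.log
fips = no
client = yes

[oracle]
accept = 127.0.0.1:1521
connect = 114.250.250.1:1522
; pin server2's certificate; without verifyPeer/verifyChain stunnel accepts any certificate
verifyPeer = yes
CAfile = /etc/stunnel/server2-cert.pem
; this workstation's own key + certificate, listed in server2's allowed-clients.pem
cert = /etc/stunnel/client.pem
EOF
}

# Print "client" or "server" for a stunnel.conf (server is stunnel's default).
conf_mode() {
    if grep -Eq '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes' "$1"; then
        echo client
    else
        echo server
    fi
}

# Return 0 if the file has the options its mode needs, 1 otherwise.
lint_conf() {
    f="$1"
    case "$(conf_mode "$f")" in
    server)
        grep -Eq '^[[:space:]]*cert[[:space:]]*=' "$f" \
            || { echo "$f: server mode needs cert"; return 1; }
        ;;
    client)
        grep -Eq '^[[:space:]]*verify(Peer|Chain)[[:space:]]*=[[:space:]]*yes' "$f" \
            || { echo "$f: client mode without verifyPeer/verifyChain trusts any certificate"; return 1; }
        ;;
    esac
    return 0
}

# One-off: self-signed key + certificate for server2, written into DIR.
gen_server_cert() {
    dir="$1"
    ( umask 077
      openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=114.250.250.1" \
          -keyout "$dir/stunnel.key" -out "$dir/stunnel.crt"
      cat "$dir/stunnel.key" "$dir/stunnel.crt" > "$dir/stunnel.pem" )
    # public half only: copy this to the workstation as /etc/stunnel/server2-cert.pem
    cp "$dir/stunnel.crt" "$dir/server2-cert.pem"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_tunnel_confs "$d"
    gen_server_cert "$d"
    for f in "$d"/*.conf; do lint_conf "$f" && echo "$f: ok"; done
fi
```

Run it with --demo to get the two configurations and the certificate in a temporary directory, then confirm the public side really speaks TLS with openssl s_client -connect 114.250.250.1:1522 before pointing the Oracle client at 127.0.0.1:1521 on the workstation. Fed the post's original stanza (client=yes with no verify option), lint_conf reports the missing verification, which is the same mistake that would have left 1522 plaintext.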
