[Security] Stunnel Configuration

홍승보 · 5 August 2022
Stunnel Configuration

1. Preparing the certificates

CA (Root)
- Server certificate (signed by the CA)
- Client certificate (signed by the CA)
# CA certificate
openssl genrsa -aes256 -out ca.key 2048
openssl req -new -key ca.key -out ca.csr -subj "/CN=TestCA"
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 7300

# Server certificate
openssl genrsa -aes256 -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=example.com"
openssl x509 -req -CA ca.crt -CAkey ca.key -set_serial 1 -in server.csr -out server.crt -days 3650

# Client certificate
openssl genrsa -aes256 -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/CN=TestClient"
openssl x509 -req -CA ca.crt -CAkey ca.key -set_serial 2 -in client.csr -out client.crt -days 3650

2. Server configuration (CentOS)

If the host is filtered with iptables, inbound tcp/443 must be allowed.

When SSH is tunnelled this way, tcp/22 only needs to be allowed from localhost, so it does not have to be exposed externally.

# Install the CA certificate and the server certificate (with its private key) prepared earlier
ls /etc/stunnel
ca.crt server.crt server.key

# Remove the passphrase from the server private key
openssl rsa -in server.key -out server-nopass.key

# vi /etc/stunnel/stunnel.conf
cert = /etc/stunnel/server.crt
key = /etc/stunnel/server-nopass.key
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
verify = 2
CAfile = /etc/stunnel/ca.crt
debug = authpriv.info
[ssh over ssl]
accept  = 443
connect = 22
TIMEOUTclose = 0

# Prepare the chroot directory
mkdir /var/run/stunnel
chown nobody:nobody /var/run/stunnel

# Start stunnel
stunnel /etc/stunnel/stunnel.conf

3. Client configuration

# Install the CA certificate, the client certificate and its private key prepared earlier
# Set the private key's mode to 400
$ ls /etc/stunnel
ca.crt  client.crt client.key

# Create the configuration file
$ vi /etc/stunnel/stunnel.conf
debug = info
output = /var/log/stunnel.log
cert = /etc/stunnel/client.crt
key = /etc/stunnel/client.key
verify = 2
CAfile = /etc/stunnel/ca.crt
options = NO_SSLv2
[ssh_over_ssl]
client = yes
accept = 9999
connect = example.com:443
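Both configurations above anchor trust the same way (verify = 2 against ca.crt), but they keep settings a reviewer would question: the server pins sslVersion = TLSv1 and enables compression = zlib, and the client verifies the chain without checking that the certificate actually belongs to example.com. The Python script below is an added example, not code from the original post or from the stunnel project. It parses the stunnel.conf syntax used above (global options followed by [service] sections), audits the server configuration from section 2 and the client configuration from section 3, and checks hardened variants of each. The option names used in the hardened variants (sslVersion = TLSv1.2, checkHost) are assumed to be those of stunnel 5.x.

```python
"""Audit stunnel.conf files for weak TLS settings (added example, not from the post)."""
import re
from typing import Dict, List

# Server config from section 2 of the post (constructed sample input).
SERVER_CONF = """\
cert = /etc/stunnel/server.crt
key = /etc/stunnel/server-nopass.key
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
verify = 2
CAfile = /etc/stunnel/ca.crt
debug = authpriv.info
[ssh over ssl]
accept  = 443
connect = 22
TIMEOUTclose = 0
"""

# Client config from section 3 of the post (constructed sample input).
CLIENT_CONF = """\
debug = info
output = /var/log/stunnel.log
cert = /etc/stunnel/client.crt
key = /etc/stunnel/client.key
verify = 2
CAfile = /etc/stunnel/ca.crt
options = NO_SSLv2
[ssh_over_ssl]
client = yes
accept = 9999
connect = example.com:443
"""

# Hardened variants (assumed stunnel 5.x option names): TLS 1.2 pinned,
# compression removed, and the client checks the hostname in the peer cert.
HARDENED_SERVER_CONF = SERVER_CONF.replace(
    "sslVersion = TLSv1\n", "sslVersion = TLSv1.2\n").replace("compression = zlib\n", "")
HARDENED_CLIENT_CONF = CLIENT_CONF.replace(
    "options = NO_SSLv2\n", "sslVersion = TLSv1.2\n").replace(
    "client = yes\n", "client = yes\ncheckHost = example.com\n")

# Protocol versions stunnel still accepts as sslVersion values but RFC 8996 deprecates.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stunnel.conf into {"": global options, "<service>": options, ...}.

    Lines are "key = value"; '#' or ';' start a comment; "[name]" opens a
    service section. Repeated keys (e.g. socket=) are joined with ';'.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed stunnel.conf line: {raw!r}")
        key, _, value = line.partition("=")  # split on the first '=' only
        key, value = key.strip(), value.strip()
        opts = sections[current]
        opts[key] = f"{opts[key]};{value}" if key in opts else value
    return sections


def audit_stunnel_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    sections = parse_stunnel_conf(text)
    g = sections[""]
    findings: List[str] = []

    ver = g.get("sslVersion")
    if ver is None:
        findings.append("sslVersion not set: protocol floor is left to the OpenSSL defaults; pin TLSv1.2 or newer")
    elif ver in WEAK_VERSIONS or ver == "all":
        findings.append(f"sslVersion = {ver}: allows a deprecated protocol (RFC 8996); use TLSv1.2 or newer")

    if g.get("compression", "").lower() in ("zlib", "deflate"):
        findings.append("compression enabled: TLS compression leaks plaintext through record length (CRIME); remove it")

    for name, opts in sections.items():
        if name == "":
            continue
        merged = {**g, **opts}  # service options override global ones
        verify = merged.get("verify", "0")
        if verify in ("0", "1"):
            findings.append(f"[{name}] verify = {verify}: the peer is not required to present a trusted certificate")
        elif verify == "2":
            if "CAfile" not in merged and "CApath" not in merged:
                findings.append(f"[{name}] verify = 2 without CAfile/CApath: no trust anchor configured")
            if merged.get("client", "no").lower() == "yes" and "checkHost" not in merged and "checkIP" not in merged:
                findings.append(f"[{name}] client mode with verify = 2 but no checkHost/checkIP: "
                                "any certificate issued by the CA is accepted, whichever host presents it")
    return findings


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF),
                        ("hardened server", HARDENED_SERVER_CONF), ("hardened client", HARDENED_CLIENT_CONF)):
        result = audit_stunnel_conf(conf)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it with python3; it prints the findings for each of the four configurations (two each for the post's server and client configs, none for the hardened ones). On a real host, pass the contents of /etc/stunnel/stunnel.conf to audit_stunnel_conf().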