Building a Secure Communication Channel with OpenSSL and Stunnel

Aman

Introduction

In today's interconnected world, securing communication between servers and clients is paramount. This tech blog will guide you through the process of setting up a secure communication channel using OpenSSL and Stunnel. We will cover the generation of certificates, signing processes, and the configuration of Stunnel for both the server and client sides.

Setting Up the Certificate Authority (CA)

First, let's establish a Certificate Authority (CA) that will sign the server and client certificates, so that anyone holding the CA's root certificate can check that a certificate is genuine.

  1. Generating Private Key for CA:

     winpty openssl genrsa -des3 -out myCA.key 2048
    
  2. Generating a Root Certificate:

     winpty openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
    
  3. Adding the Root Certificate to Windows:

    • Follow specific instructions for adding the root certificate to the Windows Certificate Store.

Generating Certificates for Server and Client

Now, let's create certificates for the server and client.

  1. Generate Server's Private Key:

     winpty openssl genrsa -out MyPrivate.key 2048
    
  2. Generate CSR for Server:

     winpty openssl req -new -key MyPrivate.key -out MyRequest.csr
    
  3. Generate Server Certificate:

     winpty openssl x509 -req -in MyRequest.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out X509Certificate.crt -days 365 -sha256
    
  4. Testing the Key Pair:

     Sign a sample file (Aman.txt) with the server's private key; the signature is checked against the certificate's public key in the next steps:

     winpty openssl dgst -sha256 -sign MyPrivate.key -out signature.txt Aman.txt
    
  5. Public Key Extraction for Verification:

     Extract the public key from the server certificate into its own file. Do not redirect it to myCA.pem: that would overwrite the root certificate, which the CA still needs to sign further CSRs and which Stunnel later needs as its CAfile.

     openssl x509 -in X509Certificate.crt -pubkey -noout > MyPublic.pem
    
  6. Verifying the Signature:

     Verify the signature from step 4 against the extracted public key (use full file paths if the files are not in the current directory):

     winpty openssl dgst -sha256 -verify MyPublic.pem -signature signature.txt Aman.txt
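The certificate steps above, run end to end as an added example (this is not code from the original post): Python drives the same openssl commands and then checks three things the commands alone do not report back: that the server certificate chains to the CA (openssl verify, the same check Stunnel's verify = 2 performs), that the signature over Aman.txt verifies with the public key extracted from the certificate, and that verification fails once the signed file is modified. It assumes an openssl binary on PATH (winpty is not needed from a script); the passphrase, subject names and message text are constructed, -aes256 stands in for the page's -des3 (both passphrase-protect the CA key), and the public key goes to a separate MyPublic.pem so the root certificate is not overwritten.

```python
"""Added example: drive the OpenSSL CLI through the page's CA -> server
certificate -> sign/verify steps and check the results programmatically.
Assumes an `openssl` binary on PATH. File names follow the page; the
passphrase, subjects and message are constructed for the demo."""
import os
import shutil
import subprocess
import tempfile

CA_PASS = "pass:constructed-demo-passphrase"  # constructed; protects myCA.key


def _openssl(args, cwd):
    """Run one openssl command in cwd; return (exit code, stdout) without raising."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_pki_demo(workdir=None):
    """Return a dict describing the outcome of the whole flow.

    'skipped' is True when openssl is not installed. Otherwise 'chain_ok' says
    whether the issued certificate validates against the CA, 'signature_ok'
    whether the signature over Aman.txt verifies with the public key taken from
    the certificate, and 'tamper_detected' whether verification fails once the
    signed file has been modified.
    """
    if shutil.which("openssl") is None:
        return {"skipped": True}
    workdir = workdir or tempfile.mkdtemp(prefix="pki-demo-")

    def path(name):
        return os.path.join(workdir, name)

    def must(*args):
        code, out = _openssl(args, workdir)
        if code != 0:
            raise RuntimeError("openssl " + " ".join(args) + " failed")
        return out

    # CA: passphrase-protected private key (the page uses -des3; -aes256 here)
    # and a self-signed root certificate; -subj keeps the command non-interactive.
    must("genrsa", "-aes256", "-passout", CA_PASS, "-out", "myCA.key", "2048")
    must("req", "-x509", "-new", "-key", "myCA.key", "-passin", CA_PASS, "-sha256",
         "-days", "1825", "-subj", "/CN=Demo Root CA", "-out", "myCA.pem")

    # Server: private key, CSR, and a certificate signed by the CA (steps 1-3).
    must("genrsa", "-out", "MyPrivate.key", "2048")
    must("req", "-new", "-key", "MyPrivate.key", "-subj", "/CN=server.demo.local",
         "-out", "MyRequest.csr")
    must("x509", "-req", "-in", "MyRequest.csr", "-CA", "myCA.pem", "-CAkey", "myCA.key",
         "-passin", CA_PASS, "-CAcreateserial", "-out", "X509Certificate.crt",
         "-days", "365", "-sha256")
    # Chain check: does the issued certificate validate against the CA?
    chain_ok = _openssl(["verify", "-CAfile", "myCA.pem", "X509Certificate.crt"],
                        workdir)[0] == 0

    # Steps 4-6: sign a constructed message with the private key, put the public
    # key from the certificate in its OWN file (never over myCA.pem), and verify.
    with open(path("Aman.txt"), "w") as fh:
        fh.write("constructed sample message\n")
    must("dgst", "-sha256", "-sign", "MyPrivate.key", "-out", "signature.txt", "Aman.txt")
    with open(path("MyPublic.pem"), "w") as fh:
        fh.write(must("x509", "-in", "X509Certificate.crt", "-pubkey", "-noout"))
    verify = ["dgst", "-sha256", "-verify", "MyPublic.pem",
              "-signature", "signature.txt", "Aman.txt"]
    signature_ok = _openssl(verify, workdir)[0] == 0

    # Edge case: any change to the signed file must make verification fail.
    with open(path("Aman.txt"), "a") as fh:
        fh.write("tampered")
    tamper_detected = _openssl(verify, workdir)[0] != 0

    return {"skipped": False, "workdir": workdir, "chain_ok": chain_ok,
            "signature_ok": signature_ok, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_pki_demo())
```

All files are written to a fresh temporary directory, so the script never touches the myCA.key/myCA.pem you created by hand; the returned dict tells you which of the three checks passed.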

Setting Up Stunnel for Secure Communication

  1. Server Configuration:

    In the Stunnel configuration file (stunnel.conf):

     client = no
     [Server-name]
     accept = 8888
     connect = 127.0.0.1:3128
     cert = /etc/stunnel/stunnel.pem
    
  2. Client Configuration:

     Change client = yes in the Stunnel configuration file.

Certificate Signing Process

Now, let's dive into the process of signing the client's certificate by the CA.

  a. Client Sends CSR to CA:

     The client generates a CSR (as in the server steps above) and sends it to the CA.

  b. CA Signs CSR:

     The CA signs the CSR with its private key (myCA.key) and root certificate (myCA.pem):

     winpty openssl x509 -req -in ClientRequest.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out ClientCertificate.crt -days 365 -sha256
    
  c. Client Configures Certificate:

     • The client copies the contents of the signed certificate into a .pem file, together with the client's private key.

     • Update the Stunnel config file with the path to the new .pem file.

Final Stunnel Configurations

  1. Server's Config: In the server's Stunnel config file:

     client = no
     [Server-name]
     accept  = 4000
     connect = 127.0.0.1:2801
     cert = CusKey.pem
     verify = 2
     CAfile = C:\Users\Aman\certs\CAPrivate.pem

     verify = 2 makes Stunnel require a certificate from every client and check it against CAfile, so CAfile must point at the CA's root certificate (the myCA.pem generated earlier), not at a private key.

  2. Client's Config: In the client's Stunnel config file:

     cert = CusKey.pem
     client = yes
     [Server-name]
     accept = 127.0.0.1:10001
     connect = 192.168.0.174:4000
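An added example, not part of the original post: a small Python checker that parses the two final Stunnel configurations above (embedded as constructed copies) and reports services whose peer certificate is never checked. Run against the page's configs it passes the server (verify = 2 with a CAfile) and flags the client, which presents its own certificate but sets no verify or CAfile and so accepts whatever certificate the server presents; HARDENED_CLIENT_CONF is an assumed fix that adds those two options on the client side. The handling of the newer verifyChain = yes form and of ';'/'#' comment lines follows the stunnel manual as I know it and is an assumption where the page is silent.

```python
"""Added example: parse stunnel.conf text and report services whose peer
certificate is not verified. SERVER_CONF and CLIENT_CONF are constructed copies
of the page's final configurations; HARDENED_CLIENT_CONF is an assumed fix."""

SERVER_CONF = """\
client = no
[Server-name]
accept  = 4000
connect = 127.0.0.1:2801
cert = CusKey.pem
verify = 2
CAfile = C:\\Users\\Aman\\certs\\CAPrivate.pem
"""

CLIENT_CONF = """\
cert = CusKey.pem
client = yes
[Server-name]
accept = 127.0.0.1:10001
connect = 192.168.0.174:4000
"""

# Assumed hardened client: also verifies the server's chain against the CA cert.
HARDENED_CLIENT_CONF = CLIENT_CONF + """\
verify = 2
CAfile = C:\\Users\\Aman\\certs\\myCA.pem
"""


def parse_stunnel_conf(text):
    """Split stunnel's INI-like syntax into (global options, {service: options}).

    Options before the first [section] are global and apply to every service
    unless the service sets the same option itself. Lines starting with ';' or
    '#' are treated as comments (assumption from the stunnel manual).
    """
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        (services[current] if current else global_opts)[key.strip()] = value.strip()
    return global_opts, services


def verify_level(opts):
    """Effective verification level: the numeric 'verify' option, or 2 when the
    newer verifyChain = yes form is used (assumed equivalent here)."""
    level = int(opts.get("verify", "0"))
    if opts.get("verifyChain", "no").lower() == "yes":
        level = max(level, 2)
    return level


def audit_service(opts):
    """Return findings for one service's effective options; [] means nothing flagged."""
    findings = []
    is_client = opts.get("client", "no").lower() == "yes"
    level = verify_level(opts)
    if level < 2:
        if is_client:
            findings.append("server certificate is not verified (no verify >= 2): "
                            "any endpoint with any certificate is accepted")
        else:
            findings.append("client certificates are not required/verified "
                            "(no verify >= 2): any client may connect")
    elif "CAfile" not in opts and "CApath" not in opts:
        findings.append("verify >= 2 set but no CAfile/CApath: there is no "
                        "trust anchor to verify against")
    if not is_client and "cert" not in opts:
        findings.append("server has no 'cert' to present")
    return findings


def audit(text):
    """Audit every service in a stunnel.conf; returns {service name: [findings]}."""
    global_opts, services = parse_stunnel_conf(text)
    return {name: audit_service({**global_opts, **opts}) for name, opts in services.items()}


if __name__ == "__main__":
    for label, conf in [("server", SERVER_CONF), ("client", CLIENT_CONF),
                        ("hardened client", HARDENED_CLIENT_CONF)]:
        print(label, audit(conf))
```

The checker merges global options into each service before judging it, which is how stunnel itself resolves them, so a verify = 2 placed before the first section counts for every service that does not override it.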

Conclusion

In this extensive guide, we've walked through the entire process of setting up a secure communication channel using OpenSSL and Stunnel. From establishing a Certificate Authority to generating and signing certificates, every step contributes to building a robust and secure infrastructure. By following these detailed instructions, you can ensure the confidentiality and integrity of your communication in a networked environment. Implementing these security measures is crucial in today's digital landscape, where cyber threats are prevalent.
