
Cyber security: How to make a non-TLS-aware server communicate with clients over secure TLS channels without changing the server configuration?

Although the web server could easily be configured to listen on port 443 for HTTPS, this article keeps the default web server configuration of Omarine 4.0, which does not listen on port 443, to illustrate the case. The server itself needs no configuration.

We use stunnel to do that: stunnel terminates TLS on port 443 and forwards the decrypted traffic to the web server's plain HTTP port on the same host, so the web server keeps its existing configuration and only the loopback interface ever carries cleartext.

We experiment on a local area network, assuming the server is omarine.omarine.co. See Creating manageable virtual machines: General Network Setup and Creating manageable virtual machines: Setting up name server for setting up the network and the name server.

After setup, test that the FQDN resolves:

Now start web server:

sudo systemctl start httpd

Browse http://omarine.omarine.co

Browsing https://omarine.omarine.co fails, because nothing is listening on port 443 yet.

All right, let's create a self-signed CA certificate named ca-cert.pem and a server certificate signed by that CA. See Omarine Native Directory (OND): Creating CA, server and client certificates.

Next, copy the server certificate file to /etc/stunnel/stunnel.pem and the server certificate's private key file to /etc/stunnel/key.pem.

Make sure only the file owner (root) can access the key file:

sudo chmod 600 /etc/stunnel/key.pem

Next, copy your self-signed CA certificate file to /etc/ssl/certs/ so that the system trust store can validate the server certificate stunnel will present.

Trust this CA certificate:

sudo trust anchor --store /etc/ssl/certs/ca-cert.pem 2>/dev/null

Now start stunnel service:

sudo systemctl start stunnel

You may need to restart the browser (or clear its cache) so that it picks up the newly trusted CA.

Browse https://omarine.omarine.co again; everything is OK.
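The certificate steps above are delegated to another article and the stunnel service definition itself is never shown, so here is an added, self-contained shell example (not the Omarine article's own code) that generates a test CA, issues a server certificate for omarine.omarine.co with a matching subjectAltName, writes the stunnel configuration that accepts TLS on 443 and forwards to the web server's plain HTTP port on loopback, and checks the result before anything is copied into /etc/stunnel. The host name and the /etc/stunnel file names come from the article; the CA name, the 127.0.0.1:80 back end, the scratch directory and the helper function names are assumptions made for illustration. It requires the OpenSSL command-line tool.

```shell
#!/bin/sh
# Added example, not code from the Omarine article.
# Build a private CA, issue a server certificate for the host stunnel will
# present, write the stunnel service definition (TLS in on 443, plain HTTP
# out to 80 on loopback) and check the pieces fit together.
# Assumed: openssl CLI present; back end 127.0.0.1:80; names below are
# illustrative except omarine.omarine.co and the /etc/stunnel paths.
set -eu

HOST="omarine.omarine.co"

# Create a self-signed CA (ca-cert.pem / ca-key.pem) in directory $1.
make_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
CN = Omarine Test CA
[ca_ext]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem"
    chmod 600 "$dir/ca-key.pem"
}

# Issue a server certificate for $HOST signed by that CA.
# Output names match the article: stunnel.pem (cert) and key.pem (key).
make_server_cert() {
    dir="$1"
    cat > "$dir/server.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
[dn]
CN = $HOST
EOF
    # Browsers match the host against the SAN, not the CN, so set it explicitly.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$HOST
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/server.cnf" \
        -keyout "$dir/key.pem" -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/server.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/stunnel.pem"
    chmod 600 "$dir/key.pem"   # the article's requirement: owner-only key file
}

# Write the stunnel service definition: TLS on 443 in, plain HTTP to 80 out.
write_stunnel_conf() {
    dir="$1"
    cat > "$dir/stunnel.conf" <<EOF
; TLS front end for the plain-HTTP web server on the same host (assumed port 80)
[https]
accept  = 443
connect = 127.0.0.1:80
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/key.pem
EOF
}

# Check: the server certificate chains to the CA and names $HOST in its SAN.
verify_server_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/stunnel.pem" >/dev/null &&
        openssl x509 -in "$dir/stunnel.pem" -noout -text | grep -q "DNS:$HOST"
}

# Check: the private key file is readable by its owner only (mode 600).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone run: work in a scratch directory instead of /etc/stunnel.
if [ "${1:-}" = "run" ]; then
    WORK=$(mktemp -d)
    make_ca "$WORK"
    make_server_cert "$WORK"
    write_stunnel_conf "$WORK"
    verify_server_cert "$WORK" && key_is_private "$WORK/key.pem" &&
        echo "OK: certificates and stunnel.conf written to $WORK"
fi
```

Run it as `sh stunnel-setup.sh run`, then copy stunnel.pem, key.pem and stunnel.conf into /etc/stunnel and ca-cert.pem into /etc/ssl/certs as the article describes. Two points worth keeping in mind: the chain check with the CA file is what the browser effectively does after `trust anchor`, so a failure here means a failure in the browser too; and because stunnel hands the web server an ordinary HTTP connection from 127.0.0.1, the web server cannot tell HTTPS clients from plain ones (stunnel adds no X-Forwarded-Proto header), so redirects or cookie flags that depend on the scheme must not be left to the back end.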
