Cyber security: How to let a non-TLS-aware server communicate with clients over secure TLS channels without server configuration?

Although we could easily configure the web server to listen on port 443 for HTTPS, this article uses the default web server configuration in Omarine 4.0, i.e., not listening on port 443, to illustrate the case. The server itself does not need to be configured.

We use stunnel to do that.

We experiment on a local area network, assuming the server is omarine.omarine.co. See Creating manageable virtual machines: General Network Setup and Creating manageable virtual machines: Setting up name server to set up the network and the name server.

After setup, test the FQDN:

Now start the web server:

sudo systemctl start httpd


Browse to http://omarine.omarine.co

We try to browse https://omarine.omarine.co, which fails.

All right, let's create a self-signed CA certificate named ca-cert.pem and a server certificate signed by that CA certificate. See Omarine Native Directory (OND): Creating CA certificates, server certificates and client certificates.

Next, copy the server certificate file to /etc/stunnel/stunnel.pem and the server certificate's private key file to /etc/stunnel/key.pem.

Make sure only the file owner (root) can access the key file:

sudo chmod 600 /etc/stunnel/key.pem


Next, copy your self-signed CA certificate file to /etc/ssl/certs/.

Trust this CA certificate:

sudo trust anchor --store /etc/ssl/certs/ca-cert.pem 2>/dev/null


Now start the stunnel service:

sudo systemctl start stunnel


You may need to restart the browser (or delete the cache).

Browse https://omarine.omarine.co again; everything is OK.
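As an added example (not code from the original post or from Omarine, which relies on its default stunnel configuration), this is what the stunnel side of the setup above looks like: a service definition that terminates TLS on port 443 and forwards plaintext to httpd on port 80, a check that the key file is readable by its owner only, and an openssl check that the chain validates against the CA installed in /etc/ssl/certs. The config file path, the service name "https" and the setuid/setgid accounts are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Certificate and key paths follow the
# post; the [https] service name and the nobody/nogroup accounts are assumptions.

# Print an stunnel configuration. $1 = server certificate path, $2 = private key path.
# stunnel listens on 443 with TLS and relays the decrypted stream to httpd on 80,
# so httpd keeps its default (non-TLS) configuration.
stunnel_conf() {
  cat <<EOF
; Drop privileges after binding port 443
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel.pid

; TLS terminator in front of the non-TLS web server
[https]
accept  = 443
connect = 127.0.0.1:80
cert    = $1
key     = $2
EOF
}

# Return 0 only if group and other have no permission bits on the file
# (i.e. the key is private, as "chmod 600" in the post intends).
# Columns 5-10 of "ls -l" are the group and other permission triplets.
key_is_private() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# After "systemctl start stunnel": send one HTTP request over TLS and fail if the
# server chain does not validate against the CA copied to /etc/ssl/certs.
# $1 = server FQDN, e.g. omarine.omarine.co. Needs the running setup, so it is not
# called here.
verify_tls() {
  printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" |
    openssl s_client -quiet -connect "$1:443" -servername "$1" \
      -CAfile /etc/ssl/certs/ca-cert.pem -verify_return_error
}
```

Write the configuration with `stunnel_conf /etc/stunnel/stunnel.pem /etc/stunnel/key.pem > /etc/stunnel/stunnel.conf` as root, and run `verify_tls omarine.omarine.co` once the service is up.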
