Cyber security: How to make a non-TLS-aware server communicate with clients over secure TLS channels without changing the server configuration?

Although we could easily configure the web server to listen on port 443 for https, this article keeps the default web server configuration in Omarine 4.0, i.e., not listening on port 443, to illustrate the case. The server itself needs no configuration.

We use stunnel to do that.

We experiment on a local area network, assuming the server is See Creating manageable virtual machines: General Network Setup and Creating manageable virtual machines: Setting up name server to set up the network and the name server.

After setup, test FQDN:

Now start web server:

sudo systemctl start httpd


We try to browse over https, and it fails.

All right, let's create a self-signed CA certificate named ca-cert.pem and a server certificate signed by that CA certificate. See Omarine Native Directory (OND): Creating CA certificates, server certificates and client certificates.

Next, copy the server certificate file to /etc/stunnel/stunnel.pem and copy the server certificate’s private key file to /etc/stunnel/key.pem.

Make sure only the file owner (root) can access the key file:

sudo chmod 600 /etc/stunnel/key.pem

Next, copy your self-signed CA certificate file to /etc/ssl/certs/.

Trust this CA certificate:

sudo trust anchor --store /etc/ssl/certs/ca-cert.pem 2>/dev/null

Now start stunnel service:

sudo systemctl start stunnel

You may need to restart the browser (or delete the cache).

Browse again; everything is OK.
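The page does not show the stunnel configuration that makes this work, so here is an added example (not Omarine's shipped file) of an /etc/stunnel/stunnel.conf that accepts TLS on port 443 and forwards plaintext to the web server on port 80, using the certificate and key paths from the steps above. The service user `stunnel`, the `[https]` section name and the TLS version floor are assumptions, not values from the page.

```ini
; /etc/stunnel/stunnel.conf (added example; assumed values are marked)

; Drop root privileges after binding port 443 (assumed account name)
setuid = stunnel
setgid = stunnel

; Server certificate and private key copied in the steps above
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/key.pem

; Refuse legacy protocol versions (assumed floor; needs stunnel 5.50+)
sslVersionMin = TLSv1.2

; HTTP clients may close the TCP connection without a TLS close_notify;
; 0 tells stunnel not to wait for it
TIMEOUTclose = 0

[https]
; TLS listener visible to browsers
accept = 443
; Plaintext hop to the unmodified web server; keep it on loopback so the
; unencrypted traffic never leaves the host
connect = 127.0.0.1:80
```

Because the web server only sees connections from 127.0.0.1, its access logs no longer show real client addresses; stunnel's own log (or a PROXY-protocol-aware backend) is where that information lives in this setup.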
