0

all,

I have a website which can be accessed via HTTP well at port 86. Now it is required to add SSL to secure the connection. This website is served with thttpd web server which, yes, has no SSL support. I searched a lot through google then. Suggestions are adding SSL through Stunnel to thttpd.

UPDATED:

Here is my stunnel.conf:

; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

[https]
accept  = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini

Here is the result I got: 

linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)

Here is the port listening information before running /usr/local/bin/stunnel:

linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      336/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1558/sshd
tcp        0      0 :::86                   :::*                    LISTEN      5536/thttpd
tcp        0      0 :::22                   :::*                    LISTEN      1558/sshd

And here is the port listening information after running it: 

linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      336/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1558/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      23145/stunnel
tcp        0      0 :::86                   :::*                    LISTEN      5536/thttpd
tcp        0      0 :::22                   :::*                    LISTEN      1558/sshd

I have no idea now what is going wrong. Any suggestions will be appreciated.

ADDED:

If I close firewall, I can access via https://<my-ip-address> successfully. However, I keep still getting this error message:

Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)

Wondering why...

lyonsun
  • 47
  • 1
  • 2
  • 11

1 Answers1

0

As can be seen from the netstat there is already an stunnel process on port 443 (pid=10833) (and another on port 8443, pid=11191) and that's why starting another stunnel process on port 443 fails with 

Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
  • I killed both process, and started it over again by running `/usr/local/bin/stunnel`, but same error message still show up. I don't think it is caused by firing up two stunnel instance. – lyonsun Feb 11 '14 at 07:00
  • check netstat once you killed the instances to make sure they are really away and that nobody else is listening on port 443. – Steffen Ullrich Feb 11 '14 at 07:11
  • Sure, I did check that again as well. Still no luck. – lyonsun Feb 11 '14 at 07:20
  • can you please post the listeners according to netstat before and after you attempted to start stunnel? And please make sure that you only have the one service configured in your stunnel.conf (you posted only part of the config, there might be more services defined there on the same port). – Steffen Ullrich Feb 11 '14 at 07:37
  • thank you for your time, @Steffen. stunnel.conf file is fairly long. And I believe configuration are good since result indicates `Configuration successful`. However, as you wish, I provide all information you might want to know. Please see updated revision of my question above. Thank you. – lyonsun Feb 11 '14 at 08:00
  • Strange and I cannot reproduce it. Maybe check the pids from netstat and compare them with the output of ps to find out when and from which parent the existing stunnel on port 443 was started. – Steffen Ullrich Feb 11 '14 at 19:25