Technical data
4. Packages
certificate. This setting ensures that only one fixed, known peer may connect (server
tunnel) or that a connection is established only to one known peer (client tunnel).
This is useful for peer-to-peer connections between hosts that are both under your
control but for which no own CA is used.
• both: The certificate of the remote station is compared with the certificate configured
by the variable STUNNEL_x_CERT_CA_FILE, and it is additionally checked that it was
issued by a CA certificate. In this case the file referenced by the variable
STUNNEL_x_CERT_CA_FILE contains both a CA certificate and a host certificate. It is
therefore a combination of the settings onlycert and onlyca. In contrast to the
setting onlycert, connections with an expired CA certificate are rejected (even if the
certificate of the peer matches).
Default setting: STUNNEL_x_CERT_VERIFY='none'
Example: STUNNEL_1_CERT_VERIFY='onlyca'
Use Case 1: Accessing the fli4l-WebGUI via SSL/TLS
This example enhances the fli4l-WebGUI with SSL/TLS access.
OPT_STUNNEL='yes'
STUNNEL_N='1'
STUNNEL_1_NAME='http'
STUNNEL_1_CLIENT='no'
STUNNEL_1_ACCEPT='any:443'
STUNNEL_1_ACCEPT_IPV4='yes'
STUNNEL_1_ACCEPT_IPV6='yes'
STUNNEL_1_CONNECT='127.0.0.1:80'
STUNNEL_1_CERT_FILE='server.pem'
STUNNEL_1_CERT_CA_FILE='ca.pem'
STUNNEL_1_CERT_VERIFY='none'
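As an added example (not fli4l's own code), a small Python linter for the STUNNEL_x_* variables described above: it applies the documented default of CERT_VERIFY='none', requires STUNNEL_x_CERT_CA_FILE for every other verification mode, and flags a client tunnel that does not verify the remote certificate. The rules and the sample configuration are assumptions built from this section, not checks fli4l itself performs.

```python
import re

VERIFY_MODES = {"none", "onlycert", "onlyca", "both"}
LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)='([^']*)'\s*$")

def parse_config(text: str) -> dict:
    """Parse fli4l-style KEY='value' lines; '#' comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0])
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def lint_stunnel(cfg: dict) -> list:
    """Findings for STUNNEL_x_* tunnels (rules are this example's assumptions)."""
    findings = []
    if cfg.get("OPT_STUNNEL") != "yes":
        return findings
    for i in range(1, int(cfg.get("STUNNEL_N", "0")) + 1):
        p = f"STUNNEL_{i}_"
        name = cfg.get(p + "NAME", f"tunnel {i}")
        for key in ("NAME", "CLIENT", "ACCEPT", "CONNECT", "CERT_FILE"):
            if p + key not in cfg:
                findings.append(f"{name}: {p}{key} is missing")
        mode = cfg.get(p + "CERT_VERIFY", "none")  # documented default
        if mode not in VERIFY_MODES:
            findings.append(f"{name}: unknown CERT_VERIFY value {mode!r}")
        elif mode != "none" and p + "CERT_CA_FILE" not in cfg:
            findings.append(f"{name}: CERT_VERIFY={mode} needs {p}CERT_CA_FILE")
        elif mode == "none" and cfg.get(p + "CLIENT") == "yes":
            # without verification the client cannot tell the real server from an impostor
            findings.append(f"{name}: client tunnel accepts any server certificate")
    return findings
# Constructed sample: Use Case 1 from the text plus a client tunnel with two mistakes.
SAMPLE = """
OPT_STUNNEL='yes'
STUNNEL_N='2'
STUNNEL_1_NAME='http'
STUNNEL_1_CLIENT='no'
STUNNEL_1_ACCEPT='any:443'
STUNNEL_1_CONNECT='127.0.0.1:80'
STUNNEL_1_CERT_FILE='server.pem'
STUNNEL_1_CERT_VERIFY='none'
STUNNEL_2_NAME='remote-imond1'
STUNNEL_2_CLIENT='yes'
STUNNEL_2_CONNECT='@remote1:50000'   # STUNNEL_2_ACCEPT forgotten
STUNNEL_2_CERT_FILE='client.pem'
STUNNEL_2_CERT_VERIFY='onlyca'       # CERT_CA_FILE forgotten: nothing to verify against
"""
```

Running lint_stunnel(parse_config(SAMPLE)) reports the missing ACCEPT and the missing CA file for remote-imond1 and nothing for the WebGUI tunnel, whose CERT_VERIFY='none' is expected for a server that browsers connect to without client certificates.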
Use Case 2: Controlling two remote fli4l routers via imonc secured by SSL/TLS
This example works around the known weaknesses of the imonc/imond protocol over WAN
connections (passwords are sent in clear text). (The LAN connection up to the tunnel is
of course still vulnerable!)
Configuration of the local fli4l in LAN (client tunnel):
OPT_STUNNEL='yes'
STUNNEL_N='2'
STUNNEL_1_NAME='remote-imond1'
STUNNEL_1_CLIENT='yes'
STUNNEL_1_ACCEPT='any:50000'
STUNNEL_1_ACCEPT_IPV4='yes'
STUNNEL_1_ACCEPT_IPV6='yes'
STUNNEL_1_CONNECT='@remote1:50000'
STUNNEL_1_CERT_FILE='client.pem'
STUNNEL_1_CERT_CA_FILE='ca+server1.pem'