Guide to installing stunnel on OpenVMS Alpha
--------------------------------------------

This document describes how to install and use stunnel to enhance security
on OpenVMS Alpha.

Author: Alex Wong, December 2004, alw1746 at yahoo com au

- Tested environment: OpenVMS 7.3, TCPIP 5.1, CC 6.5, OpenSSL 1.1-B, Win2K SP4

- stunnel is a proxy application which accepts an incoming TCP stream on one
  port, encrypts it using OpenSSL and sends it out through another port. It
  runs in client and server modes with user-specified ports.

- As an example, stunnel in client mode accepts a TCP stream from localhost,
  port 23 (telnet), encrypts it and sends it to the remote host, port 6724.

- At the remote host, stunnel in server mode accepts the encrypted TCP stream,
  decrypts it using OpenSSL and writes it to localhost, port 23.

- Effectively, we have a secure telnet session without requiring any change to
  the telnet program. Only the leg between the two stunnel processes is
  encrypted; the cleartext legs between telnet and stunnel on each side stay on
  the loopback interface. Note that the telnet service on the OpenVMS node still
  listens on port 23 as before, so restrict it to the loopback interface or
  block port 23 from the network if you want to force clients through stunnel.

- stunnel can be used to SSL-enable any TCP application, e.g. IMAP, MS Outlook
  (except FTP, whose data connections use separate ports, but there are
  workarounds).

Client-side (Windows 2000)
--------------------------

- download the following into e.g. c:\stunnel

    http://www.stunnel.org/download/stunnel/win32/stunnel-4.05.exe
    http://www.stunnel.org/download/stunnel/win32/stunnel.pem
    http://www.stunnel.org/download/stunnel/win32/openssl-0.9.7e-zlib/openssl.zip

- unpack openssl.zip and copy the dlls to \WINNT\SYSTEM.

- create c:\stunnel\stunnel.conf as follows:

    #Stunnel configuration file
    key=c:\stunnel\stunnel.pem
    #up this number to 7 to get full log details
    #leave it at 3 to just get critical error messages
    debug=3
    output=c:\stunnel\stunnel.log
    client=yes

    [stunnel]
    accept=23
    connect=<remote_host>:6724
    #remote_host is the OpenVMS node you want to telnet to.

  As written, this client does not verify the server's certificate (there is
  no verify/CAfile line), so it protects the session against eavesdropping
  but not against a man-in-the-middle that presents its own certificate.

- Doubleclick on stunnel-4.05.exe to run stunnel; it will appear in the system
  tray. You can also install it as an NT service by running it in a DOS box
  with the -install parameter (try -help for info).

- If your server-side stunnel is set up, test it with telnet, else install the
  server-side first.

    C:\> telnet localhost

- telnet will connect to port 23 on the local host, where the TCP stream is
  accepted by stunnel, encrypted and sent out to <remote_host> on port 6724.

Server-side (OpenVMS)
---------------------

- download stunnel 3.26 from

    http://h71000.www7.hp.com/opensource/stunnel-3_26_axp.exe

- Unpack and install stunnel:

    $ RUN STUNNEL-3_26_AXP.EXE
    $ BACKUP STUNNEL-3_26.BCK/SAVE [...]
    $ SET DEF [.STUNNEL-3_26.VMS]

- test the prebuilt exe with:

    $ stunnel:=$sys$disk:[]STUNNEL_ALPHA.EXE
    $ stunnel

- if you get %SYSTEM-F-SHRIDMISMAT, ident mismatch with shareable image,
  rebuild the exe:

    $ @BUILD_STUNNEL.COM

- Copy stunnel.pem from the client-side to where STUNNEL_ALPHA.EXE is. Ensure
  it is in STREAM_LF format.

- To try telnet with stunnel, edit the following line at the top of
  STUNNEL_STARTUP_SERVER.COM:

    $ stunnel_command = "STUNNEL -d 6724 -r 127.0.0.1:23 -p stunnel.pem -o stunnel_server.log"

- Fix a minor bug in STUNNEL_STARTUP_SERVER.COM: the detached process may not
  have opened its input file yet when the procedure deletes it, so comment out
  the DELETE line:

    $! << Create a detached process for Stunnel >>
    $ write sys$output "Starting up a Stunnel running at port ''port'"
    $ run /detach sys$system:loginout /input=SYS$DISK:[]stunnel_detached.com -
          /process_name='stunnel_proc_name' -
          /output=nl:
    $!
    $!===>> delete SYS$DISK:[]stunnel_detached.com;* <<=== COMMENT OUT THIS LINE or process will fail to detach

- Start the stunnel server with:

    $ @STUNNEL_STARTUP_SERVER.COM
    Is the private key (in the PEM file) encrypted? [Y/N] N

- A detached process named STUNNEL6724 will be created. Try to telnet from
  the client-side as described above.

- Several limitations with stunnel on OpenVMS currently:

  1. Since STUNNEL_STARTUP_SERVER.COM prompts for the private key, it cannot
     be placed into SYSTARTUP_VMS.COM.

  2. stunnel.pem is useful for testing but not for production use: it is the
     same file everybody downloads from stunnel.org, so anyone holding it can
     impersonate your server and decrypt captured sessions. You MUST create
     your own private PEM.

*** MORE INFO COMING SOON ON HOW TO GENERATE YOUR OWN PRIVATE PEM AND START STUNNEL DURING REBOOT. ***
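The following is an added example (not part of this guide, and not code from the stunnel distribution) covering two points above: limitation 2, generating your own private PEM instead of the public stunnel.pem, and the client configuration, which as shown does not verify the server. It uses the openssl command-line tool on a POSIX shell; the function names, directory layout, node names and the /CN subject are assumptions for illustration. The generated stunnel.conf uses stunnel 4 syntax for the Windows client, so substitute the c:\stunnel\... paths when you copy it there.

```shell
#!/bin/sh
# Added example, not from the guide or from stunnel: build a private server
# PEM with openssl and a client stunnel.conf (stunnel 4 syntax) that verifies
# it. Function names, paths and node names are assumptions for illustration.

# Create $1/server.key, $1/server.crt and $1/stunnel.pem for a server named $2.
# -nodes leaves the key unencrypted so STUNNEL_STARTUP_SERVER.COM can be
# answered "N" and started without a passphrase; file permissions must then
# protect the key instead.
make_stunnel_pem() {
    dir=$1
    cn=$2
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # stunnel reads key and certificate from one PEM file (-p on stunnel 3.x).
    # Transfer this file to OpenVMS as STREAM_LF.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/stunnel.pem" || return 1
    chmod 600 "$dir/server.key" "$dir/stunnel.pem"
}

# Return 0 if the certificate in PEM file $1 belongs to the key in the same
# file (identical RSA modulus), i.e. the file is usable by stunnel.
pem_key_matches_cert() {
    kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cmod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Return 0 if certificate $2 is accepted when only $1 is trusted. This is the
# check a client with verify=2 and CAfile=$1 performs on the server.
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Write a client-side stunnel.conf to $1 that pins the server certificate $2
# (copy only server.crt to the client, never the key) for OpenVMS node $3.
write_client_conf() {
    cat > "$1" <<EOF
# Client-side stunnel configuration (added example). On Windows replace the
# POSIX path in CAfile with the c:\stunnel\... location of server.crt.
client=yes
debug=3
# verify=2 rejects any server whose certificate is not in CAfile, closing the
# man-in-the-middle gap left by a configuration with no verify line.
verify=2
CAfile=$2

[telnet]
accept=23
connect=$3:6724
EOF
}
```

Running make_stunnel_pem once per OpenVMS node gives each its own key; pem_key_matches_cert catches a mismatched concatenation before the file is copied over, and cert_trusted_by run against a different node's certificate should fail, which is exactly what the pinned client will do if someone else's stunnel answers on port 6724.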