
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.

Chapter 5: OpenSSL and Stunnel
On our Stunnel client system skillet, we’ll only need to add one global option, cert (Example 5-10).
The command on skillet to run the rsync query is exactly the same as in Example 5-5. Although the transaction is now more secure, the added security is completely transparent to the end user.
To increase elfiero’s level of certificate verification from 2 to 3 (i.e., checking not only for valid signatures but also for known certificates), there are only two additional steps:

1. Concatenate a copy of skillet’s signed certificate (skillet_pubcert.pem, the version without skillet’s key) to the end of /etc/stunnel/cacert.pem on elfiero.

2. In elfiero’s stunnel.conf file, change the value of verify from 2 to 3.
Although it may be tempting to copy skillet_cert.pem (the combined key/certificate file) over to elfiero in addition to or instead of skillet_pubcert.pem, please resist this temptation: unnecessary copying of private keys is a very bad habit to get into.
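The two elfiero-side steps above, together with the private-key warning, as an added POSIX shell example that is not code from the book or from the Stunnel project. File names (skillet_pubcert.pem, skillet_cert.pem, cacert.pem, stunnel.conf) follow the text; the certificate bodies, the elfiero_cert.pem path and the CAfile line in the scratch stunnel.conf are constructed stand-ins, not real PEM data or a real host configuration. The duplicate check on the first base64 line of the certificate is a heuristic of this example, not a Stunnel feature.

```shell
#!/bin/sh
# Added example, not code from the book: scripts the two elfiero-side steps
# (append the client's public certificate to cacert.pem, raise verify from 2
# to 3) and refuses to import any file that carries a private key.
# All paths are parameters so the functions can be exercised on scratch copies.

# add_trusted_client_cert CLIENT_PUBCERT CACERT_FILE STUNNEL_CONF
# Exit status: 0 done (or already done), 1 private key found in CLIENT_PUBCERT,
#              2 STUNNEL_CONF has neither "verify = 2" nor "verify = 3".
add_trusted_client_cert() {
    pubcert="$1"; cacert="$2"; conf="$3"

    # The habit the text warns against: skillet_cert.pem (key + certificate)
    # must never land in the server's trust store. Refuse any PEM key block
    # before touching anything.
    if grep -q 'PRIVATE KEY-----' "$pubcert"; then
        echo "refusing: $pubcert contains a private key" >&2
        return 1
    fi

    if ! grep -q '^verify *= *[23] *$' "$conf"; then
        echo "no 'verify = 2' (or 3) line in $conf; nothing to raise" >&2
        return 2
    fi

    # Step 1: append the certificate once. The first base64 line after the
    # BEGIN marker is unique enough for a duplicate check (heuristic).
    first_b64="$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}' "$pubcert")"
    if ! grep -Fq -- "$first_b64" "$cacert"; then
        cat "$pubcert" >> "$cacert"
    fi

    # Step 2: verify = 2 -> 3 (a temp file is used because "sed -i" is not POSIX).
    sed 's/^verify *= *2 *$/verify = 3/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# stunnel_verify_level STUNNEL_CONF -> prints the configured verify level
stunnel_verify_level() {
    sed -n 's/^verify *= *\([0-9]\) *$/\1/p' "$1"
}

# count_certs PEM_BUNDLE -> number of certificate blocks in the bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# make_fixture DIR: writes constructed stand-ins for the files named in the text.
make_fixture() {
    dir="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-SKILLET-CERT-BODY-NOT-A-REAL-CERTIFICATE' \
        '-----END CERTIFICATE-----' > "$dir/skillet_pubcert.pem"
    # Combined key/certificate file: the one that must stay on skillet.
    { printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-SKILLET-KEY-BODY' '-----END RSA PRIVATE KEY-----'
      cat "$dir/skillet_pubcert.pem"; } > "$dir/skillet_cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-CA-CERT-BODY-NOT-A-REAL-CERTIFICATE' \
        '-----END CERTIFICATE-----' > "$dir/cacert.pem"
    # Constructed elfiero stunnel.conf, global options only.
    printf '%s\n' '# constructed elfiero stunnel.conf (example only)' \
        "cert = $dir/elfiero_cert.pem" "CAfile = $dir/cacert.pem" \
        'verify = 2' > "$dir/stunnel.conf"
}

if [ "${1:-}" = "--demo" ]; then
    d="$(mktemp -d)"; make_fixture "$d"
    add_trusted_client_cert "$d/skillet_cert.pem" "$d/cacert.pem" "$d/stunnel.conf" \
        || echo "combined key/cert rejected as expected (status $?)"
    add_trusted_client_cert "$d/skillet_pubcert.pem" "$d/cacert.pem" "$d/stunnel.conf"
    echo "verify level now: $(stunnel_verify_level "$d/stunnel.conf")"
    echo "certificates in cacert.pem: $(count_certs "$d/cacert.pem")"
    rm -rf "$d"
fi
```

Run it with `sh add_client_cert.sh --demo` to see the combined key/certificate file rejected and the public certificate accepted. The private-key check runs before any file is modified, so a wrong file never reaches the trust store; the verify line is only rewritten when it reads 2, which makes a second run harmless.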
Using Stunnel on the Server and Other SSL Applications on the Clients
Stunnel isn’t the only SSL application capable of establishing a connection to an Stunnel daemon. For example, it’s possible to run Stunnel on a POP3 server listening on the standard pop3s port TCP 995 and forwarding ...