Secure data transfer over network using TLS/SSL

TLS (Transport Layer Security), earlier known as SSL (Secure Sockets Layer), is used to secure the communication between a server and a client in a network.

Thanks to stunnel, which helps in establishing the connection and is open source 🥳. Before using stunnel, let's take a quick look at how the TLS handshake works and what a certificate contains.

The TLS handshake is the initial process in which the client and the server gain trust, which can be mutual or one-way, where only the client trusts the server. The process uses asymmetric encryption in the beginning and then symmetric encryption once trust is gained between the two parties. The steps are described below.

1) Client and server exchange Hello messages.

2) Server sends the certificate for verification to the client along with the public key.

The certificate is a file that contains the details needed to enable a secure connection between the server and the client. The X.509 standard certificate is discussed here, and it has the fields listed below. In the Chrome browser, the certificate file can be downloaded and its fields viewed by clicking the lock icon next to the URL field and then clicking Certificate; I'm unable to add a sample cert due to security restrictions in WordPress. This process might be different in other browsers.

· Version Number – the version of the X.509 standard, like V1, V2 and V3.

· Serial Number – the unique ID assigned to the certificate by the certification authority.

· Signature Algorithm – the algorithm used by the certification authority to sign the digital certificate.

· Signature Hash Algorithm – the algorithm used to generate the hash.

· Issuer – the CA that issues the certificate.

· Valid From and Valid To – provide the certificate validity period (the validity period is not more than 39 months, after which the certificate will no longer be valid).

· Subject Information – Common Name (domain name), Organization, Locality, State and Country details.

· Public Key – the encryption algorithm and the public key.

· Public Key Params – this holds the elliptic curve algorithm.

· Enhanced Key Usage – specifies the purpose for which the certificate is used.

· Subject Key Identifier – used in identifying certificates that contain a particular public key.

· Authority Key Identifier – used in identifying the public key corresponding to the private key used to sign the certificate.

· Authority Information Access – provides details of the certifying authority and the address of the OCSP (Online Certificate Status Protocol) responder from where the revocation status can be checked.

· Subject Alternative Name – the Common Name contains the domain name; to use the same certificate for multiple domains, the Subject Alternative Name contains the other domains where the certificate is valid.

· Certificate Policies – contains the policy details, like the roles and duties of the entities taking part in the validation.

· CRL Distribution Points – contains the URL of the list of certificates that are revoked.

· SCT List – the Signed Certificate Timestamp (SCT) gives the log info about when the certificate was added to the server.

· Key Usage – specifies the role for which the public key must be used.

· Basic Constraints – specifies the limitations on the usage of the certificate, like the cert path length, which restricts the length of the intermediate signing authority chain.

· Thumbprint – hash of the certificate.

Certificates come at a cost if used on public domains; self-signed certificates can be used if the domain is hosted within the organization.

3) Server sends Hello Done.

4) Client generates a premaster secret, encrypts it with the public key and sends it to the server, then generates the symmetric key based on the premaster secret.

5) Client Finished message is sent.

6) Server sends Change Cipher Spec to change the encryption method to symmetric and generates the symmetric key based on the premaster secret.

7) Server sends Finished, and then the encrypted data exchange happens using the private keys. The entire process is diagrammatically represented below.

Next is installing stunnel on Linux using

sudo apt-get install stunnel4

Then you can create the config file in /etc/stunnel/stunnel.conf, which takes care of establishing a TLS connection.

Example stunnel config file. For more configurations refer here

# output of stunnel can be redirected
output=/tmp/stunnel.log
log=overwrite
# debug level, omit in the release version
debug=7

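# For Server
# this looks for the testserver.service file in systemd
[testserver]
accept = <server_port>
connect = <ip:port>
# server certificate (the private key must be in the same file unless "key" is set)
cert = <path of the cert.pem>

# For Client
# this looks for the testclient.service file in systemd
[testclient]
client = yes
accept = <ip:src_port>
connect = <server_host:server_port>
CAfile = <path of the cert.pem>
# without this, CAfile is loaded but the server certificate is not verified
# (older stunnel releases: verify = 2)
verifyChain = yes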
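The config above points cert and CAfile at a cert.pem, and the post notes that self-signed certificates are enough inside an organization. The following is an added example, not part of the original post, that creates such a certificate with OpenSSL and reads back some of the fields listed earlier; the function names, host name, organization and paths are assumptions, and OpenSSL 1.1.1 or newer is required.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholder names throughout.

# make_stunnel_cert DIR HOST [DAYS]
#   DIR/key.pem     private key (keep on the server only)
#   DIR/cert.pem    certificate only; this is what clients get as CAfile
#   DIR/server.pem  key + certificate in one file for the server "cert" option
make_stunnel_cert() (
    dir=$1 host=$2 days=${3:-365}
    umask 077    # new files are readable by the owner only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$host/O=Example Org/C=US" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || exit 1
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/server.pem"
)

# cert_field FILE NAME: print one of the certificate fields described above.
cert_field() {
    case $2 in
        serial)     openssl x509 -in "$1" -noout -serial ;;
        issuer)     openssl x509 -in "$1" -noout -issuer ;;
        subject)    openssl x509 -in "$1" -noout -subject ;;
        validity)   openssl x509 -in "$1" -noout -dates ;;
        san)        openssl x509 -in "$1" -noout -ext subjectAltName ;;
        thumbprint) openssl x509 -in "$1" -noout -fingerprint -sha256 ;;
        *)          echo "unknown field: $2" >&2; return 2 ;;
    esac
}

# key_matches_cert KEY CERT: true if CERT carries the public key of KEY.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# expires_within CERT SECONDS: true if CERT expires inside that window.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

For a self-signed certificate the issuer and subject are identical, so distributing cert.pem to clients as CAfile makes that one certificate the trust anchor; key.pem and server.pem never leave the server.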

Enable stunnel

sudo vi /etc/default/stunnel4 
change ENABLED=0 to ENABLED=1
sudo systemctl restart stunnel4.service
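stunnel does not verify the peer certificate by default, so a client section that only sets CAfile still accepts any server certificate. The following check is an added example, not part of the original post or of stunnel: it flags client sections without verifyChain, verifyPeer or verify >= 2, and a leftover debug=7; the function names and sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# lint_stunnel_conf [FILE]: reads FILE, or stdin when no file is given.
# Prints one finding per line and returns 1 if anything was found.
lint_stunnel_conf() {
    awk '
    function finish() {            # report on the section that just ended
        if (name != "" && client && !verify) {
            printf "[%s] client = yes but no verifyChain/verifyPeer/verify\n", name
            bad = 1
        }
    }
    /^[ \t]*([#;]|$)/ { next }     # comment or blank line
    /^[ \t]*\[/ {                  # [service] header
        finish()
        if (name == "") { dclient = client; dverify = verify }  # global defaults
        name = $0; gsub(/^[ \t]*\[|\].*$/, "", name)
        client = dclient; verify = dverify
        next
    }
    {
        key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        key = tolower(key); val = tolower(val)
        if (key == "client") client = (val == "yes")
        if ((key == "verifychain" || key == "verifypeer") && val == "yes") verify = 1
        if (key == "verify" && val + 0 >= 2) verify = 1
        if (key == "debug" && (val == "7" || val == "debug")) {
            print "debug = 7 is set; lower it outside of testing"
            bad = 1
        }
    }
    END { finish(); exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample modelled on the client section above (placeholder values).
# Extra arguments are appended as additional config lines.
sample_client_conf() {
    printf '%s\n' '[testclient]' 'client = yes' 'accept = 127.0.0.1:8000' \
        'connect = server.example.internal:8443' \
        'CAfile = /etc/stunnel/cert.pem' "$@"
}
```

Running `sample_client_conf | lint_stunnel_conf` reports the section; `sample_client_conf 'verifyChain = yes' | lint_stunnel_conf` passes.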
