Trying out stone
- ##### Reference sites #####
http://tdtds.jp/tunnel/digbystone.html
http://www.gcd.org/sengoku/docs/NikkeiLinux00-09/SSL.ja.html
- ##### Compiling stone #####
```sh
mkdir -p ~/source/stone
cd ~/source/stone
wget http://www.gcd.org/sengoku/stone/stone-2.3e.tar.gz
tar xzvf stone-2.3e.tar.gz
cd stone-2.3d-2.3.2.7
make linux-ssl        # or: make macosx-ssl
cp stone ~/bin
```
The archive is fetched over plain HTTP, so compare it against a checksum obtained through a trusted channel before building. The `*-ssl` targets link against OpenSSL, which the `/ssl` examples further down need.
- ##### Example without SSL #####
On the stone server, forward connections arriving on 443 to localhost:22:
```sh
## at stone server
./stone localhost:22 443
```
On the stone client, forward connections arriving on 10022 to proxy:8080, and have the proxy open a tunnel to server:443 (the stone above) by sending it the quoted CONNECT request:
```sh
## at stone client
./stone proxy:8080/http 10022 "CONNECT server:443 HTTP/1.0"

# Concrete example (the proxy is at 192.168.1.2:8080 and we connect to the stone on that same host)
# ./stone 192.168.1.2:8080/http 10022 "CONNECT localhost:443 HTTP/1.0"
```
ssh then connects to localhost port 10022 and is carried through the proxy to sshd on the server. Since SSH is encrypted anyway, this already protects the session; what the proxy sees, however, is an SSH banner on a port it expects HTTPS on, which is what the SSL variant further down hides.
- ##### Example with SSL #####
- ### Creating the CA
Point the `dir` setting in the `[ CA_default ]` section of openssl.cnf at the CA directory, set `CATOP` in CA.sh to the same place, then create the CA:
```sh
vi /usr/lib/ssl/openssl.cnf
    dir = /usr/lib/ssl/CA
vi /usr/lib/ssl/misc/CA.sh
    CATOP=/usr/lib/ssl/CA
/usr/lib/ssl/misc/CA.sh -newca
```
Inputs:
```
CA certificate filename (or enter to create): <Enter>
Enter PEM pass phrase: <pass phrase>
Verifying - Enter PEM pass phrase: <pass phrase>
Country Name (2 letter code) [AU]: JP
State or Province Name (full name) [Some-State]: Ibaraki
Locality Name (eg, city) []: Tsukuba
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Home
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: foo.baa.com
Email Address []:
A challenge password []:
An optional company name []:
```
This writes the CA certificate to /usr/lib/ssl/CA/cacert.pem and the pass-phrase-protected CA key to /usr/lib/ssl/CA/private/cakey.pem. Give the CA a Common Name that differs from the server's (the note uses foo.baa.com for both, which works but makes the two certificates hard to tell apart). CA.sh is no longer shipped with OpenSSL 1.1.0 and later; CA.pl offers the same -newca and -sign subcommands.
- ### Creating the private key and certificate signing request
```sh
openssl req -new -nodes -keyout key.pem -out newreq.pem
```
Inputs:
```
Country Name (2 letter code) [AU]: JP
State or Province Name (full name) [Some-State]: Ibaraki
Locality Name (eg, city) []: Tsukuba
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Home
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: foo.baa.com
Email Address []:
A challenge password []:
An optional company name []:
```
```sh
chmod 600 key.pem
mv key.pem /usr/lib/ssl/private/stone.pem
```
`-nodes` leaves the server key unencrypted so stone can read it at boot without a prompt; that is why it must be mode 600 and owned by the user stone runs as. The Common Name is the host name clients will connect to.
- ### Issuing the certificate
CA.sh -sign reads newreq.pem from the current directory and writes newcert.pem:
```sh
/usr/lib/ssl/misc/CA.sh -sign
```
Inputs:
```
Enter pass phrase for /usr/lib/ssl/CA/private/cakey.pem: <pass phrase>
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
```
```sh
mv newcert.pem /usr/lib/ssl/certs/stone.pem
```
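The three interactive steps above (CA.sh -newca, openssl req, CA.sh -sign) as one non-interactive script, added here as an example; it is not from the original note and assumes only the openssl command line is installed. The subject fields are the ones typed in the note; the work directory `$WORK`, the CA name "Home stone CA" and the `CA_PASS` variable are assumptions. It goes a little beyond the note by adding a subjectAltName to the server certificate (the CA.sh flow does not) and by ending with the checks worth running before the files are copied into place.

```shell
#!/bin/sh
# Added example: non-interactive stand-in for CA.sh -newca / openssl req /
# CA.sh -sign. Everything is written under $WORK (assumed: a temp dir).
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_CN="${SERVER_CN:-foo.baa.com}"   # CN typed in the note
CA_PASS="${CA_PASS:-change-me}"         # assumed pass phrase for the CA key
DAYS_CA=3650
DAYS_CERT=365

# Self-signed CA, key encrypted with CA_PASS as -newca does interactively.
# The CA CN is chosen to differ from the server CN.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -days "$DAYS_CA" \
    -subj "/C=JP/ST=Ibaraki/L=Tsukuba/O=Home/CN=Home stone CA" \
    -passout "pass:$CA_PASS" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  chmod 600 "$WORK/cakey.pem"
}

# Unencrypted server key and CSR (openssl req -new -nodes ...): stone must
# load the key at startup without a prompt, hence -nodes and mode 600.
make_server_req() {
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/C=JP/ST=Ibaraki/L=Tsukuba/O=Home/CN=$SERVER_CN" \
    -keyout "$WORK/stone-key.pem" -out "$WORK/newreq.pem" 2>/dev/null
  chmod 600 "$WORK/stone-key.pem"
}

# Sign the CSR with the CA (CA.sh -sign), adding server-style extensions.
sign_server_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$SERVER_CN" > "$WORK/server-ext.cnf"
  openssl x509 -req -in "$WORK/newreq.pem" -days "$DAYS_CERT" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -passin "pass:$CA_PASS" \
    -extfile "$WORK/server-ext.cnf" -out "$WORK/stone-cert.pem" 2>/dev/null
}

# Checks before pointing stone at the files: the certificate chains to the
# CA, it belongs to the private key, and it names the host clients use.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/stone-cert.pem" >/dev/null 2>&1
}

cert_matches_key() {
  cert_pub=$(openssl x509 -in "$WORK/stone-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/stone-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

cert_has_san() {
  openssl x509 -in "$WORK/stone-cert.pem" -noout -text | grep -q "DNS:$SERVER_CN"
}

make_ca
make_server_req
sign_server_cert
verify_chain
cert_matches_key
cert_has_san
echo "CA, server key and certificate written under $WORK"
```

stone-key.pem and stone-cert.pem take the place of /usr/lib/ssl/private/stone.pem and /usr/lib/ssl/certs/stone.pem in the commands that follow; cacert.pem is the file a client needs if it is to verify the server.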
- ### Starting stone
```sh
## at stone server
./stone -z key=/usr/lib/ssl/private/stone.pem -z cert=/usr/lib/ssl/certs/stone.pem localhost:22 443/ssl

## at stone client
./stone localhost:10443/ssl 10022 -- proxy:8080/http 10443 "CONNECT server:443 HTTP/1.0"

# Concrete example (the proxy is at 192.168.1.2:8080 and we connect to the stone on that same host)
# ./stone localhost:10443/ssl 10022 -- 192.168.1.2:8080/http 10443 "CONNECT localhost:443 HTTP/1.0"
```
The client runs two stone pairs in one process, separated by `--`. The first accepts on 10022 and wraps the connection in SSL toward localhost:10443; the second accepts on 10443 and opens a CONNECT tunnel through the proxy to server:443, where the server-side stone terminates SSL and hands the stream to sshd on port 22. ssh connects to localhost port 10022 as before; to the proxy the stream now looks like HTTPS.

As written, the client does not check the server's certificate, so anything between it and the server could terminate the SSL itself. SSH's host key check still protects the session content, but to make the tunnel fail closed at the stone layer add `-z verify -z CAfile=/usr/lib/ssl/CA/cacert.pem` (the CA certificate written by CA.sh -newca) in front of the first pair on the client, which makes stone reject a peer whose certificate does not chain to that CA. The server side can be checked on its own with `openssl s_client -connect server:443 -CAfile /usr/lib/ssl/CA/cacert.pem`: the handshake should complete, `Verify return code: 0 (ok)` should appear, followed by sshd's `SSH-2.0-...` banner.
- ### /etc/init.d/stone
```sh
#! /bin/sh
### BEGIN INIT INFO
# Provides:          stone
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Stone
### END INIT INFO

NAME=stone
DESC="Stone"
DAEMON=/root/bin/stone
PIDFILE=/var/run/$NAME.pid
# Same arguments as the manual start: SSL on 443, forwarded to sshd on 22.
ARGS="-z key=/usr/lib/ssl/private/stone.pem -z cert=/usr/lib/ssl/certs/stone.pem localhost:22 443/ssl"

. /lib/lsb/init-functions
PATH=/bin:/usr/bin:/sbin:/usr/sbin

[ -x "$DAEMON" ] || exit 0

start () {
    # stone stays in the foreground unless given -D, so let
    # start-stop-daemon put it in the background and record its pid.
    start-stop-daemon --quiet --start \
        --background --make-pidfile \
        --pidfile "$PIDFILE" \
        --exec "$DAEMON" -- $ARGS > /dev/null
    return $?
}

stop () {
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
}

case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    start
    log_end_msg $?
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    stop
    log_end_msg $?
    ;;
  restart)
    log_daemon_msg "Restarting $DESC" "$NAME"
    stop
    start
    log_end_msg $?
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|restart}"
    exit 3
    ;;
esac

exit 0
```
The script runs stone as root, which it needs to bind 443 and to read the key; `DAEMON=/root/bin/stone` matches the `cp stone ~/bin` done as root above. stone can drop privileges itself after binding with `-o <uid>` and `-g <gid>` (and `-t <dir>` to chroot); if you add those to ARGS, check that the key and certificate still load and that sshd on localhost:22 is still reachable before relying on them.