
Gammon Forum




How to set up an encrypted chat session

It is now over 60 days since the last post. This thread is closed.


Posted by Nick Gammon, Australia (23,173 posts), Forum Administrator
Date Sat 26 Apr 2003 04:40 AM (UTC)

Amended on Sat 26 Apr 2003 10:41 AM (UTC) by Nick Gammon

One of the reasons for using chat is privacy - your messages do not go through a MUD and thus are reasonably private. However, there is still the possibility of someone with a "packet sniffer" being able to see what you are saying to each other.

The technique described here lets you use stunnel (a stand-alone SSL package) to set up a secure session. This will be encrypted in transit, and is thus secure from eavesdropping.

The basic technique is to "tunnel" the chat session through stunnel at both ends, like this:


client A --> stunnel (client) --> Internet (encrypted) --> stunnel (server) --> client B


The basic technique involves setting up stunnel at both ends - this is Open Source so there is no cost - and then doing a bit of configuration to get it all going.

First, set up stunnel as described in:


http://www.gammon.com.au/mushclient/stunnel.htm


What I am going to describe assumes that client A calls client B, because the tunnelling is set up to accept a call on one port and forward it, encrypted, to another.

If you wanted to have the option for client B to also call client A, you would need to set up another instance of stunnel at each end, using different port numbers.

This is the basic message flow. I am going to pick some port numbers out of the hat; you can always vary these to suit your requirements ...


  1. Client A (MUSHclient) calls stunnel.exe on port 5000
  2. Stunnel encrypts the session and establishes a call to stunnel at the other end on port 6000
  3. Stunnel at the other end decrypts the message and calls client B on port 4050 (the chat port)
  4. The session is now established and can continue as normal


The thing is, once the configuration is done, the rest is all automatic.



Configuration file for Client A's stunnel


; Client A runs stunnel in client mode: it accepts the plaintext chat
; connection locally and makes the encrypted outbound connection.
client = yes
output = logfile.txt

[chat_my_friend]
; plaintext side - listen on the loopback interface only
accept = localhost:5000
; encrypted side - client B's stunnel
connect = the.other.domain.com:6000


This tells stunnel to accept calls on port 5000, encrypt them and forward them to the.other.domain.com port 6000.




Configuration file for Client B's stunnel


; Client B runs stunnel in server mode, so it needs the certificate
; created in the "Server key generation" section below.
client = no
cert = stunnel.pem
output = server_logfile.txt

[chatserver]
; the accept address must be an address of this machine (a bare port
; listens on every interface); it is not the caller's host name
accept = 6000
; plaintext side - MUSHclient's chat port on this machine
connect = localhost:4050


This tells stunnel to accept calls on port 6000, decrypt them and forward them to MUSHclient on port 4050.



Server key generation

Finally, as a once-off, you need to create a "stunnel.pem" certificate file on the server end (client B) so that it has a certificate to use for the secure session. You do this before starting the stunnel program.

You need a certificate configuration file to do that; the example below worked for me. Browse the Internet for more information if you want to know what it does. :)




# OpenSSL request settings used by "openssl req" to build stunnel.pem
[ req ]
default_bits           = 1024
default_keyfile        = privkey.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
x509_extensions        = v3_ca

dirstring_type = nobmp

# Prompts shown while generating the certificate, with defaults and length limits
[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = AU
countryName_min                = 2
countryName_max                = 2

localityName                   = Locality Name (eg, city)

organizationalUnitName         = Organizational Unit Name (eg, section)

commonName                     = Common Name (eg, YOUR name)
commonName_max                 = 64

emailAddress                   = Email Address
emailAddress_max               = 40

# Optional request attributes
[ req_attributes ]
challengePassword              = A challenge password
challengePassword_min          = 4
challengePassword_max          = 20

# X.509 v3 extensions written into the self-signed certificate
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true



Save the above as "keygen.conf", start up a "command window", navigate to the stunnel directory (eg. C:\stunnel) and type in (as a single line):


openssl req -new -x509 -days 365 -nodes -config keygen.conf -out stunnel.pem -keyout stunnel.pem


This will read in the keygen.conf file and write out a stunnel.pem file which is good for 365 days. Change the "365" in the example above to make it last longer or shorter.

You should see something like this; answer the questions (example answers are shown after each prompt):


Using configuration from keygen.conf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
....................++++++
......++++++
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:My Country
Locality Name (eg, city) []:My City
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, YOUR name) []:My Name
Email Address []:My Email Address


Now both ends of the transaction can start up stunnel (if you have used the default configuration file name of stunnel.conf you can just double-click the stunnel.exe) and then you are ready to start your chat session! Easy. ;)

- Nick Gammon

www.gammon.com.au, www.mushclient.com
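The configuration in the post encrypts the link but does not check whose certificate is at the far end: stunnel performs no peer verification unless a verify level is set, so a passive sniffer is kept out, while someone who can intercept the connection and present their own certificate is not. The script below is an added example, not part of Nick Gammon's post or of the stunnel or MUSHclient projects. It builds client B's stunnel.pem without the interactive prompts, exports the certificate alone so it can be given to client A without the private key, prints the SHA-256 fingerprint that B reads out to A over a channel they already trust, and writes a client-side stunnel.conf that pins B's certificate with verify = 2 and CAfile. The host names, file names and ports (the.other.domain.com, client-b.example, 5000, 6000) are carried over from the post or invented for the demonstration; it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the server side's
# stunnel.pem, pins its fingerprint, and writes a verifying client config.
# Host names, file names and ports are assumptions taken from the post.
set -eu

# Create a self-signed certificate and its private key in one PEM file, the
# layout stunnel reads. 2048-bit RSA with SHA-256 and -subj replace the
# 1024-bit key and the interactive DN prompts of the post.
# $1 = output file, $2 = Common Name (both hypothetical values).
gen_stunnel_pem() {
    out="$1"; cn="$2"
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -sha256 \
        -subj "/C=AU/CN=$cn" -keyout "$out.key" -out "$out.crt" 2>/dev/null
    cat "$out.key" "$out.crt" > "$out"
    rm -f "$out.key" "$out.crt"
    chmod 600 "$out"          # the combined file holds the private key
}

# Copy only the certificate out of a stunnel.pem so it can be handed to the
# other end without the private key. $1 = stunnel.pem, $2 = output file.
export_cert() {
    openssl x509 -in "$1" -out "$2"
}

# Print the SHA-256 fingerprint (AB:CD:...) of the first certificate in a
# PEM file. Client B reads this out to client A over a trusted channel.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Compare a certificate against a pinned fingerprint; exit status 0 on match.
# $1 = PEM file, $2 = expected fingerprint.
check_pin() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Write client A's stunnel.conf. "verify = 2" with a CAfile that holds only
# client B's certificate makes stunnel drop any connection presenting a
# different certificate; the post's version accepted any certificate.
# $1 = config path, $2 = client B's exported certificate, $3 = B's host:port.
write_client_conf() {
    cat > "$1" <<EOF
client = yes
output = logfile.txt
verify = 2
CAfile = $2

[chat_my_friend]
accept = localhost:5000
connect = $3
EOF
}

# Stand-alone run in a scratch directory: B's side first, then A's config.
work=$(mktemp -d)
gen_stunnel_pem "$work/stunnel.pem" client-b.example
export_cert "$work/stunnel.pem" "$work/client-b.crt"
write_client_conf "$work/stunnel.conf" "$work/client-b.crt" "the.other.domain.com:6000"
echo "pin this fingerprint at client A: $(cert_fingerprint "$work/stunnel.pem")"
echo "client A config written to $work/stunnel.conf"
```

In practice client B keeps stunnel.pem, sends only client-b.crt to client A, and A compares the fingerprint of the file received against the one B read out before installing it as CAfile.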

Posted by Nick Gammon, Australia (23,173 posts), Forum Administrator
Date Reply #1 on Sat 26 Apr 2003 08:03 AM (UTC)
Exactly the same technique as described above (well, almost exactly) could be used to set up a MUD server with a secure sockets interface. In other words, if you were running a MUD server on a site where you were worried someone might sniff the packets, then the secure sockets interface would encrypt everything.

- Nick Gammon

www.gammon.com.au, www.mushclient.com








Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.