stunnel is a very simple piece of software: all it does is SSL encryption. It can wrap plain HTTP in SSL to give us HTTPS, and it can SSL-encrypt ordinary TCP connections too. Installing stunnel is trivial, so I won't go into detail: on CentOS you just install it with yum, on Debian with aptitude. If you are not going to verify client certificates, configuring stunnel mainly comes down to two things.
1. Configure the SSL certificate. stunnel supports two ways of configuring the certificate. The old way, described at http://www.stunnel.org/static/stunnel.html, puts the key first and then the certificate chain in order, like this:
-----BEGIN RSA PRIVATE KEY-----
[encoded key]
-----END RSA PRIVATE KEY-----
[empty line]
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
[empty line]
In this form, if the server certificate was not signed directly by a root CA, you append the intermediate certificates after it in reverse order, each certificate followed by its issuer, exactly as you build the chain in an nginx certificate file. Leave a blank line between certificates (although in my own tests it also worked without the blank lines). The configuration file then looks like this:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

#[pop3s]
#accept = 995
#connect = 110

#[imaps]
#accept = 993
#connect = 143

#[ssmtp]
#accept = 465
#connect = 25

[https]
accept = 443
connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
2. Keep the key and the certificate in two separate files. This form is exactly the same as how nginx is configured today. The configuration file is as follows:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = rle

; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

#[pop3s]
#accept = 995
#connect = 110

#[imaps]
#accept = 993
#connect = 143

#[ssmtp]
#accept = 465
#connect = 25

[https]
accept = 443
connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
Note that every file containing a key must have mode 600, otherwise it won't work. For any other needs, adjust the configuration file accordingly; for example, to verify client certificates, just modify the settings by following the sample template.
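A small checker for the points this post keeps returning to: the combined PEM layout (private key first, then the server certificate and its chain), the 600 mode on any file that holds a key, and the accept/connect pair every service section needs. This is an added example, not code from the post or from the stunnel project. It assumes stunnel's dosini config syntax and its cert, key, client, accept and connect options (real stunnel option names; the post's samples above do not show the cert line itself), and every path and PEM body in it is a constructed placeholder, not real key or certificate material.

```python
# Added example (not code from the post or from the stunnel project). Assumes
# stunnel's dosini syntax and its real option names cert, key, client, accept, connect.
import re
import stat
import tempfile
from pathlib import Path

# One PEM block: BEGIN <TYPE> line, base64 body, matching END <TYPE> line
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

def parse_stunnel_conf(text):
    """Return (global_options, {service: options}); values are lists since e.g. 'socket' repeats."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # stunnel accepts both comment characters
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        target = global_opts if current is None else services[current]
        target.setdefault(key, []).append(value)
    return global_opts, services

def pem_block_types(text):
    """PEM block types in file order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_pem_file(path, need_key, need_cert):
    """Findings for one PEM file: mode 0600 if it holds a key, key first, cert present."""
    path, findings = Path(path), []
    mode = stat.S_IMODE(path.stat().st_mode)
    types = pem_block_types(path.read_text())
    has_key = any(t.endswith("PRIVATE KEY") for t in types)
    if has_key and mode & 0o077:                 # any group/other permission bit set
        findings.append(f"{path.name}: holds a private key but mode is {mode:04o}, want 0600")
    if need_key and not has_key:
        findings.append(f"{path.name}: no private key block")
    elif need_key and not types[0].endswith("PRIVATE KEY"):
        findings.append(f"{path.name}: private key must be the first PEM block")
    if need_cert and "CERTIFICATE" not in types:
        findings.append(f"{path.name}: no CERTIFICATE block")
    return findings

def check_config(conf_path):
    """Findings for a config; handles global cert/key only (stunnel also allows them per service)."""
    global_opts, services = parse_stunnel_conf(Path(conf_path).read_text())
    findings = []
    client_mode = global_opts.get("client", ["no"])[-1].lower() == "yes"
    cert, key = global_opts.get("cert"), global_opts.get("key")
    if cert is None:
        if not client_mode:
            findings.append("global: no 'cert' option; server mode needs a certificate")
    else:
        # No separate 'key': stunnel reads the key from the cert file (the combined layout).
        findings += check_pem_file(cert[-1], need_key=key is None, need_cert=True)
        if key is not None:
            findings += check_pem_file(key[-1], need_key=True, need_cert=False)
    for name, opts in services.items():
        for required in ("accept", "connect"):
            if required not in opts:
                findings.append(f"[{name}]: missing '{required}'")
    return findings

# Constructed placeholder blocks; the body is base64 of "placeholder", not real key/cert material.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\ncGxhY2Vob2xkZXI=\n-----END RSA PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\ncGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
GOOD_CONF = """; constructed config modelled on the post's sample
cert = %s
setuid = nobody
socket = l:TCP_NODELAY=1

[https]
accept = 443
connect = 80
;TIMEOUTclose = 0
"""
BAD_CONF = GOOD_CONF.replace("connect = 80\n", "")   # backend line forgotten

def demo():
    """Write fixtures to a temp dir; return (findings for good.conf, findings for bad.conf)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        good = tmp / "good.pem"                      # key, server cert, intermediate; mode 600
        good.write_text(FAKE_KEY + "\n" + FAKE_CERT + "\n" + FAKE_CERT)
        good.chmod(0o600)
        bad = tmp / "bad.pem"                        # cert before key, and world-readable
        bad.write_text(FAKE_CERT + "\n" + FAKE_KEY)
        bad.chmod(0o644)
        (tmp / "good.conf").write_text(GOOD_CONF % good)
        (tmp / "bad.conf").write_text(BAD_CONF % bad)
        return check_config(tmp / "good.conf"), check_config(tmp / "bad.conf")

if __name__ == "__main__":
    print(demo())
```

Running the module builds the two fixtures and prints an empty list for the correct bundle and three findings for the broken one: the world-readable key file, the certificate placed before the key, and the [https] section with no connect line. Point check_config at a real stunnel.conf to check your own files the same way.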