  1. #1
    Join Date
    May 2006
    Location
    US
    Posts
    15

    Successful SSL WebAdmin Connection

    If anyone is interested, I have successfully created an SSL connection to the webadmin.

  2. #2
    Join Date
    May 2006
    Location
    US
    Posts
    15
    Will post how if there is an interest.

  3. #3
    Bastian Guest
    This thread is absolutely useless without that information.

  4. #4
    Join Date
    May 2006
    Location
    US
    Posts
    15
    Sorry, just didn't want to spend my precious time writing this if no one cared.

    I will have a "How to" up promptly.

  5. #5
    Bastian Guest
    BTW: We already have something like this:

    http://forum.goteamspeak.com/showthread.php?t=18874

  6. #6
    Join Date
    May 2006
    Location
    US
    Posts
    15
    The purpose of this guide is to show how an encrypted connection can be made between a browser and TeamSpeak’s administration interface using OpenSSL and Stunnel. This guide only covers Fedora. However, most Linux/Unix systems for this purpose will operate about the same.


    Packages Installed?

    First, we need to check to see if the packages are installed. Run the following command:

    Code:
    rpm -qa | grep 'openssl'
    If OpenSSL is installed the system will reply similar to the following:

    Code:
    rpm -qa | grep 'openssl'
    openssl-0.(Some version number)
    openssl-devel-0.(Some version number)
    openssl(some version number)
    If the OpenSSL package is not installed download it from here. Follow the install instructions located in the OpenSSL source that was just downloaded.

    Next, let's check to see if Stunnel is installed. Run the following command:

    Code:
    rpm -qa | grep 'stunnel'
    If Stunnel is installed the system will reply similar to the following:

    Code:
    rpm -qa | grep 'stunnel'
    stunnel(some version number)
    If Stunnel is not installed download it from here. Follow the instructions located in the Stunnel source that was just downloaded.


    Stunnel Setup

    Log in as root, then create the folders using the following commands, one line at a time:

    Code:
    mkdir /var/lib/teamspeak/ssl
    mkdir /var/log/teamspeak
    mkdir /var/run/teamspeak
    Now we are going to create the config file for Stunnel. Open a text editor. Below are the minimum configuration options needed to run a Stunnel connection.

    Code:
    debug=7
    cafile=/var/lib/teamspeak/ssl/teamspeak.pem
    cert=/var/lib/teamspeak/ssl/teamspeak.pem
    output=/var/log/teamspeak/stunnel.log
    pid=/var/run/teamspeak/stunnel.pid
    
    TIMEOUTbusy=10
    TIMEOUTclose=1
    TIMEOUTidle=1
    
    [stunnel]
    accept=(some port)
    connect=(some port)
    The “accept” port in this configuration file will be the port TeamSpeak is currently using. The “connect” port is the port you will be connecting to from a browser. The “connect” port must be different than the port being used by TeamSpeak. This configuration file is the basic setup. Use the following command to get a list of other options:

    Code:
    stunnel -help
    Save this file as "stunnel_config" to the following directory:

    Code:
    /var/lib/teamspeak
    The editor may be closed now.


    OpenSSL Setup

    Our next step is to create a self-signed CA (Certificate of Authority). Type the following command:

    Code:
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /var/lib/teamspeak/ssl/teamspeak.pem -out /var/lib/teamspeak/ssl/teamspeak.pem
    This will create a file “teamspeak.pem” in the “/var/lib/teamspeak/ssl” directory. The “-nodes” option used in the above command creates an unencrypted key. If an encrypted key is desired remove the “-nodes” option. Remember, if an encrypted key is used the passphrase protecting the key will be needed every time the service is started. I prefer unencrypted as only someone with root access is able to read the key.


    Permissions

    We need to set the permissions for the files we just created. Type the following commands one line at a time:

    Code:
    chown -R root:root /var/lib/teamspeak
    chown -R root:root /var/log/teamspeak
    chown -R root:root /var/run/teamspeak
    chmod -R 600 /var/lib/teamspeak/ssl/teamspeak.pem

    Starting Stunnel Service

    To start the service type the following command:

    Code:
    stunnel /var/lib/teamspeak/stunnel_config
    Put this command in the “rc.local” file in order for the service to be started at boot. The “rc.local” file is located at “/etc/rc.d/”.

    If the service needs to be stopped the following command will work:

    Code:
    kill $(cat /var/run/teamspeak/stunnel.pid)

    Connect to the TS Admin

    “https” must be used to connect to the admin. The following is an example:

    Code:
    https://www.yourdomain.com:port
    You will be prompted to accept a CA. Click the option to permanently accept the certificate.

    That is it. Nicely done!


    FYI

    Don’t forget to set up the router to forward the SSL port set in the “stunnel_config” under the “connect” option. The firewall must also be set to accept connections on this port.

    Enjoy!
    Last edited by botulin; May 26th, 2006 at 10:19 AM.

  7. #7
    Join Date
    May 2006
    Location
    US
    Posts
    15
    Quote Originally Posted by Bastian
    BTW: We already have something like this:

    http://forum.goteamspeak.com/showthread.php?t=18874
    Yes, I read this. However, I do not care to use this method as it requires setup on both the host and client. By using SSL, only the host needs to be set up, as all operating systems, almost all, have browsers built to accept SSL connections.

  8. #8
    Bastian Guest
    Although I am currently not able to test your tutorial:

    Nice work.

  9. #9
    Join Date
    May 2006
    Location
    US
    Posts
    15
    Quote Originally Posted by Bastian
    Although I am currently not able to test your tutorial:

    Nice work.

    Thanks.

    If anyone has trouble with this I will help.

  10. #10
    Join Date
    September 2007
    Location
    US
    Posts
    14

    Nice solution for secure remote access

    Nice. Works as it should.

    Thank you.

    Little note:

    If these packages were installed using the source, the command above will not show the packages to be installed. Use:

    Code:
    find / | grep openssl
    find / | grep stunnel
    If installed, you should get several hits. Keep in mind that this will also find the source dir, which may not have been installed yet.

    Also, I believe the openssl used in this tutorial was an older version, as the command used above to create a CA does not work. Here is the new code. The following commands will generate these files in whatever current dir you are in under the shell.

    Code:
    openssl genrsa -des3 -out teamspeak.key 1024
    Enter a pass phrase and don't forget it.

    Code:
    openssl req -new -key teamspeak.key -out teamspeak.csr
    This creates the Certificate Signing Request file (CSR). There are several questions to answer.

    Code:
    cp teamspeak.key teamspeak.key.org
    This is duplicating the key so we can make a new CA when the one made below expires.
    This file is still encrypted as well.

    Code:
    openssl rsa -in teamspeak.key.org -out teamspeak.key
    This removes the pass phrase. If the pass phrase is left in the key, whenever the browser connects to the site with this CA it will prompt the user for the pass phrase.

    Code:
    openssl x509 -req -days 365 -in teamspeak.csr -signkey teamspeak.key -out teamspeak.crt
    This creates the actual CA. This CA is good for 365 days.

    Code:
    debug=7
    key=/usr/local/etc/teamspeak/ssl/teamspeak.key
    cert=/usr/local/etc/teamspeak/ssl/teamspeak.crt
    output=/var/log/teamspeak/stunnel.log
    pid=/var/run/teamspeak/stunnel.pid
    
    TIMEOUTbusy=10
    TIMEOUTclose=1
    TIMEOUTidle=1
    
    [stunnel]
    accept=host:port
    connect=host:port
    The stunnel_config from the guide above should now look like this. Notice I changed the 2nd line to "key" and added the "host" to the "accept" and "connect" sections. The "accept" port is the port you want the SSL connection on and the "connect" is the port the server is currently running on.
    Last edited by paraclete; September 23rd, 2007 at 10:17 AM.
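
Added example (not part of either post, and not TeamSpeak or stunnel project code): a small POSIX shell lint for the stunnel_config layouts shown in posts #6 and #10. It checks that accept and connect differ, that the private key file (key=, or cert= when the key sits in the same PEM) is closed to group and others as the chmod 600 step intends, and, as an assumption beyond the thread, that a connect host is loopback so the unencrypted leg stays on the machine. The function names, ports and temp paths are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint a stunnel_config like those above.
# cfg_get, lint_stunnel and all sample values are hypothetical names/data.

# Print the value of the last "name = value" line for option $2 in file $1.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line; return 0 only when there are none.
lint_stunnel() {
    conf=$1 rc=0
    accept=$(cfg_get "$conf" accept)
    connect=$(cfg_get "$conf" connect)
    keyfile=$(cfg_get "$conf" key)
    # Post #6 keeps key and certificate in one PEM named by cert=.
    [ -n "$keyfile" ] || keyfile=$(cfg_get "$conf" cert)

    if [ -z "$accept" ] || [ -z "$connect" ]; then
        echo "service: accept and connect must both be set"; rc=1
    elif [ "$accept" = "$connect" ]; then
        echo "service: accept and connect are identical ($accept)"; rc=1
    fi

    # Assumption: the plaintext leg to the web admin should stay on loopback.
    case $connect in
        127.0.0.1:*|localhost:*) ;;
        *:*) echo "connect: plaintext leg goes to ${connect%:*}, not loopback"; rc=1 ;;
    esac

    # chmod 600 intent: no group/other bits (characters 5-10 of the ls mode).
    if [ ! -f "$keyfile" ]; then
        echo "key: '$keyfile' not found"; rc=1
    elif [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
        echo "key: $keyfile is accessible to group or others"; rc=1
    fi
    return $rc
}

# Constructed sample: post #10 layout, made-up ports, key left world-readable.
demo=$(mktemp -d)
: > "$demo/teamspeak.key"; chmod 644 "$demo/teamspeak.key"
printf '%s\n' "key=$demo/teamspeak.key" '[stunnel]' \
    'accept=0.0.0.0:14535' 'connect=127.0.0.1:14534' > "$demo/stunnel_config"
lint_stunnel "$demo/stunnel_config" || echo "findings listed above"
rm -rf "$demo"
```

Run `lint_stunnel /var/lib/teamspeak/stunnel_config` as root before starting the service; a non-zero exit status means at least one finding was printed.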

  11. #11
    Join Date
    October 2006
    Location
    Here
    Posts
    37
    Quote Originally Posted by paraclete View Post
    Nice. Works as it should.

    Thank you.
    Indeed, that's great, thanks for sharing.
    I'm going to test it NOW!

  12. #12
    Join Date
    October 2006
    Location
    Here
    Posts
    37
    On debian it was a little different, I had to download the source of stunnel and compile it.
    But now it's working just perfect!
