emeraldloha.blogg.se

Stunnel creating remote desktop certificate

The necessary files are placed on the Flash-memory and a small


Rutoken EDS Flash is a CCID device that does not require installing drivers on modern operating systems. Generally speaking, it can be used in conjunction with the Rutoken EDS Flash. sTunnel does not require administrator rights to install.

  • set the environment variable OPENSSL_ENGINES = for the user. An important point.
  • put the client certificate and CA certificate in place (the client key is on the token).
  • Download and unpack the /5D4sNc9i29MDgdW9KvROZa archive.
  • put the config in place (I saved it in the nf file and put it next to sTunnel.exe). Do not forget to close port 3389 in the server's firewall on the externally exposed IP address!
  • put the sTunnel CA certificate, server certificate and server key in place (in accordance with the config).
  • set the system environment variable OPENSSL_ENGINES =.
  • run stunnel -install (this registers stunnel as a service).
  • Download and unpack the /4zOP5AR39vKxk0uF6rwxNM archive.

    Install sTunnel as a service on a Windows server with a running terminal server and configure it: It makes sense to keep the server key and certificate as ordinary files. Generating client keys on the token and creating certificate requests are described in the article /blogs/infosecurity/134725. It makes sense to use OpenSSL for this.


    In this case, the hardware implementation of Russian cryptographic algorithms “on board” Rutoken EDS is used. First you need to make a small CA that will issue GOST certificates to the sTunnel server and sTunnel clients. Rutoken EDS is connected to OpenSSL in the manner described on the vendor forum /topic/1639.


    Out of the box, sTunnel does not know how to work with GOST algorithms, so I patched it and rebuilt it. stunnel uses OpenSSL as its “cryptographic core”. sTunnel is a compact TLS proxy: it accepts insecure TCP connections as input, wraps them in TLS and forwards them to a remote server. OpenSSL has an implementation of TLS encryption based on Russian algorithms in accordance with draft-chudov-cryptopro-cptls. Thus, we get two-level TLS: TLS with RSA client authentication runs inside the channel protected by GOST. Rutoken EDS will also be used as a hardware frequency converter. For the case of authentication on a terminal server against Active Directory using RSA certificates, we will wrap RSA-based TLS in GOST-based TLS.


    However, the authentication key is non-recoverable and cannot be stolen. In this article, using the open-source applications OpenSSL and sTunnel, we will protect RDP connections using the TLS protocol with support for Russian cipher suites (GOST2001-GOST89-GOST89); client authentication with GOST certificates will be performed in hardware on board the Rutoken EDS USB token, with the agreement key generated according to the VKO GOST 34-10.2001 scheme. RDP is an application-layer protocol, and therefore TLS, which works at the transport layer, is ideal for protecting it.








