Using stunnel to add SSL/TLS to non-secure services (Foscam Webcam with Audio)


What is stunnel?

The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. The concept is that having non-SSL aware daemons running on your system you can easily setup them to communicate with clients over secure SSL channel.

Why use it?

I originally was using an Apache reverse proxy for a similar result. See this post. Still, turns out some services don’t quite work perfectly. I have a Foscam Webcam – FI8910W – which I would like to be able to securely access. Using the Apache reverse proxy results in the audio portion of the webcam streaming not making it. Over at Warped.org, stunnel was recommended, and it works great. It would work just as easily for any other non-secure service using very similar steps. Here are those steps for Ubuntu.

Step 1 – Install the service

sudo apt-get install stunnel4

This installs the service, creates a separate username and group for security reasons, and makes the default configuration file directory: /etc/stunnel/

Step 2 – Configure the service

My installation did not make a default configuration file, but since the file is so simple, let’s just make one from scratch.
Depending on your SSL certificate needs, the actual certificate lines you may need in your configuration will vary. Based on my setup as outlined in this post, all three cert lines are needed.

sudo nano /etc/stunnel/stunnel.conf

Add the following, customizing it to your service:

client = no

#SSL client cert file
cert = /etc/ssl/certs/server.crt
#SSL private key
key = /etc/ssl/private/server.key
#SSL Certificate Authority file
CAfile = /etc/ssl/certs/StartSSL_Class1.pem

# Service for foscam webcam
[foscam]
#new incoming port
accept = 1666
#target service address and port
connect = 192.168.1.89:80

Step 3 – Activate the service

sudo nano /etc/default/stunnel4

Change the line with “ENABLED=0” to

ENABLED=1

Then start the service:

sudo /etc/init.d/stunnel4 start

Step 4 – Test the service

Pull open your web browser of choice and enter in the address of your server running stunnel and the port you chose. For example, https://192.168.1.2:1666. Make sure you use https. It should redirect to the service you desired to wrap in SSL. Good job!

Leave a Reply

Your email address will not be published.