Author Topic: (Relatively) Easy SSL howto for muds that don't have it natively  (Read 3235 times)

Offline vilentus

I always wondered what the point was for an SSL connection to a mud... until I started connecting from work. I figured I didn't want them to figure out what I'm doing with their new IPS devices etc., so I'd rather just encrypt my connection in an SSL tunnel.
*Note that you could do this with SSH tunneling as an alternative, but I'll leave that as an exercise for your imagination. Heck, you could even do both.

  • You need shell access for this (if your mud is hosted).
  • You can do this on Windows too. (Yes, even the SSH alternative - think Putty)
  • This is quick and dirty, but it works. You may not want to do this for the general public as there are some caveats.

SERVER CONFIG
No changes are made to your mud or driver config. What this will do is to tunnel an SSL connection to your mud.
The caveat here (which is why you might not want to use this for the general public) is that the player connections will appear to come from localhost. There is apparently a workaround on certain Linux kernels which can show you the 'real' IP.

Install the 'stunnel' package on your distro, or download it from http://www.stunnel.org. There is a Windows version, and configuration is basically the same. You will also need the openssl package. You can also download the Windows openssl binaries from the above site.

I did this on Ubuntu, and while the package installs stunnel4, for some reason it defaults the command 'stunnel' to stunnel3, so you will need to call 'stunnel4' instead. You could probably change this, but I didn't bother.

Create a directory somewhere useful to store the certificates, and the stunnel config file.  For convenience, I created a directory called ssl under the mud /bin directory.

Create a self-signed certificate using openssl. For what it's worth, I created a certificate request, and had it signed by CACert, but it's really not necessary. (See the FAQ here for more info: http://www.stunnel.org/faq/certs.html#ToC1)

Switch to the directory where you want to store the certs, and then run the command to generate a self-signed cert:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

It will prompt you for some information. The only thing you really need to change from the default is the Common Name entry, which should be the full hostname of your mud, for example: mud.domain.com

DO NOT ENTER A PASSPHRASE FOR THE CERT, otherwise you will be prompted to enter this passphrase EVERY time you start stunnel.

Run chmod 660 stunnel.pem
Stunnel will fail if the permissions are not correct on the file.

Create the config file for stunnel4. I called mine fluff.conf, and use the following contents, adjusting where necessary:
Code:
foreground = no
pid=/path/to/ds/bin/ssl/fluff.pid

[fluff]
accept=6667
cert=/path/to/ds/bin/ssl/stunnel.pem
key=/path/to/ds/bin/ssl/stunnel.pem
client=no
connect=localhost:6666

The foreground option: change this to 'yes' to keep stunnel in the foreground initially. Useful to see errors.
Specify the pid to a writable path, or set it to "pid=" for no pid file (if you don't know what a pid file is, set it blank).

The segment headed by [fluff] is the service entry. The name is arbitrary, and there can be multiple entries if you want more tunnels.
"accept=6667" is the port stunnel listens on for connections.
"client=no" is the software default - this specifies a server connection, so stunnel must listen on 6667 for SSL connections.
"connect=localhost:6666" This specifies where stunnel will direct the incoming SSL connection. In this case, to your mud's clear text telnet port.

Now run: stunnel4 fluff.conf

It should disappear into the background, or if you set foreground=yes, you will see the basic log.

Run "ps -aux|grep stunnel" to verify that stunnel is running. There will probably be around 4 processes running (For some odd reason). For Windows, you should have an icon in the system tray.

Now, if you have an SSL client, connect to your mud on port 6667 (or whatever you configured), and you should be able to login. If not, check the logs, verify you opened the port on your firewall, etc.

CLIENT CONFIG
If you don't have an SSL capable client (I use Putty from work, and SSH is not SSL :p), you can set up stunnel in client mode to connect to your new SSL proxy. Since I use Windows, I'll be specific to that, but it's pretty much the same on any supported platform.

Install stunnel for Windows.
Edit the stunnel config from the convenient menu entry.
Leave everything at default, and add a service entry at the bottom of the file:

Code:
[fluff]
accept = 12345
connect = server.domain.com:6667
client = yes

"accept=12345" is the LOCAL port for stunnel to listen on.
"connect=server.domain.com:6667" is the SSL server to connect to, in this case, your newly configured stunnel on your mud host.
"client=yes" This is important: stunnel will NOT work properly if you do not set client=yes here.
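As an added check (not part of the original post, and not stunnel's own code), here is a small Python script that parses both config files above in stunnel's key=value / [service] layout and verifies the points the post warns about: client=yes on the client side, the client's connect port matching the server's accept port, and the server handing off to the mud's clear text port rather than its own accept port. The two config strings are constructed copies of the files shown above.

```python
import configparser  # stunnel's file is INI-like: global options, then [service] sections
# Constructed copies of the two config files from the post (strings, not files on disk).
SERVER_CONF = """\
foreground = no
pid=/path/to/ds/bin/ssl/fluff.pid

[fluff]
accept=6667
cert=/path/to/ds/bin/ssl/stunnel.pem
key=/path/to/ds/bin/ssl/stunnel.pem
client=no
connect=localhost:6666
"""

CLIENT_CONF = """\
[fluff]
accept = 12345
connect = server.domain.com:6667
client = yes
"""

def parse_stunnel(text):
    """Return ({global options}, {service name: {option: value}})."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("[__global__]\n" + text)  # give the header-less globals a section
    globals_ = dict(cp["__global__"])
    services = {s: dict(cp[s]) for s in cp.sections() if s != "__global__"}
    return globals_, services

def check_pair(server_text, client_text, service="fluff"):
    """Return a list of problems; an empty list means the two entries line up."""
    _, srv = parse_stunnel(server_text)
    _, cli = parse_stunnel(client_text)
    s, c = srv.get(service, {}), cli.get(service, {})
    problems = []
    if s.get("client", "no") != "no":          # server side must accept SSL, not initiate it
        problems.append("server entry must keep client=no")
    if not s.get("cert"):
        problems.append("server entry needs cert= pointing at stunnel.pem")
    if c.get("client") != "yes":               # the post's warning: client=yes is required
        problems.append("client entry must set client=yes")
    client_port = c.get("connect", "").rsplit(":", 1)[-1]
    if client_port != s.get("accept"):         # client must dial the port the server accepts on
        problems.append(f"client connects to {client_port} but server accepts on {s.get('accept')}")
    backend = s.get("connect", "")
    if backend.rsplit(":", 1)[-1] == s.get("accept"):  # would loop back into stunnel itself
        problems.append("server connect= must be the mud's clear text port, not the accept port")
    return problems
```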

Run stunnel, and you will get a new icon in your systray. You can right-click it and 'View Log' to see what's going on, if you like.
Run your mud client, or in my case, putty, and establish a telnet connection to localhost, port 12345 (or whatever you configured).
You should be momentarily connected to your mud, and you will be able to login.

Hope this helps someone, or at least prods the brain for some ideas.