I need to set up bi-directional communications between a Perforce client and a Perforce server across an untrusted network. How do I secure the Perforce network transport?
In order to secure communication between a Perforce client and server (p4d), you must use a third-party tool to encrypt network traffic between the two. Network encryption tools include ssh, proprietary VPNs, and Stunnel. This article describes the latter.
Note that the following applies to using stunnel to secure a Perforce connection. For securing P4Web (i.e., setting it up to use https), see: Creating and Optimizing a Secure P4Web Connection With "stunnel".
Stunnel is an open-source encryption package that allows users to set up SSL tunnels between client(s) and server(s). Using stunnel allows you to set up a port that accepts SSL connections from an SSL-enabled client or another stunnel server. Because neither the Perforce server (p4d) nor its clients (p4, p4v, p4win) supports SSL, this article demonstrates how to set up two stunnel servers to talk to each other:
- One on the client machine, to accept client requests, encrypt them, and forward them on.
- One on the server machine, which accepts the encrypted connection, decrypts it and passes it on to the Perforce server.

The following information is used to demonstrate how to set up Stunnel:

- The server machine is named foo. It runs Perforce on localhost:1666, and wants to accept incoming SSL connections for Perforce on foo:2666.
- The client machine is named bar. Stunnel will be set up so that client requests to localhost:1666 are forwarded, encrypted, to foo:2666 (the server machine).

Why set up Perforce on localhost:1666? This prevents anyone from contacting the server without first going through the stunnel. However, this is not a requirement - stunnel can forward the connection to any host and port.
Before you can set up stunnel, you need to create a self-signed SSL certificate for the stunnel server to provide to stunnel clients contacting it. While any SSL software should be able to do this, the quickest way to do it is via the OpenSSL package. When you have OpenSSL installed, run the following command to generate your certificate:
When you have the certificate, you are ready to set up Stunnel.
The most recent version of Stunnel, as of this writing, is 4.34. The following information applies to version 4.x of Stunnel. Version 3.x uses a substantially different format; please see the Version 3 section below for information on how to set up version 3 of stunnel.
Stunnel is available as part of the base distribution for a lot of Linuxes and some Unixes. Check the documentation for your particular OS, or go and grab the source.
Windows users should use this package: http://www.stunnel.org/download/binaries.html
Place the following in a file named "stunnel_client.cnf". Place that file somewhere that stunnel can access it.
; stunnel_client.cnf
pid=/var/run/stunnel.pid
[p4]
accept=localhost:1666
connect=foo:2666
client=yes

Start the client-side stunnel on Linux/Unix with:

stunnel

(stunnel 4.x reads its default configuration file unless you pass the path to stunnel_client.cnf as its argument.)

Client Configuration (Windows)
cert = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log
client = yes

[p4s]
accept = 1666
connect =

Now start the stunnel program.
Any client requests to port 1666 on the local machine are encrypted and forwarded to foo:2666.
Place the following in a file named "stunnel_server.cnf", and place that file somewhere that stunnel can access it.
; stunnel_server.cnf
pid=/var/run/stunnel.pid
[p4d]
cert=/etc/ssl/certs/stunnel.pem
accept=2666
connect=localhost:1666

Start the server the same way as the client:

stunnel

Now the server is set up to listen for incoming SSL requests to port 2666 and forward them on to port 1666 on the localhost.
On Windows, edit the service's "stunnel.conf" and place the following within it:

cert = stunnel.pem
key = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log
client = no

[p4s]
accept = 2666
connect = 1666

Now start the stunnel program. Incoming requests to port 2666 will now be decrypted and sent to port 1666.
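The client and server configurations above (Linux/Unix and Windows alike) share the same stunnel 4.x format: global options first, then one [service] section per tunnel, with key = value lines and ';' comments. The following added example, which is not part of this article or of the stunnel project, parses that format and checks the points the article relies on: the client side must set client=yes and should accept only on localhost, the server side must carry a cert, every service needs both accept and connect, and the client's connect port must be the port the server accepts on. The sample configurations are constructed copies of the article's Linux/Unix examples plus one deliberately wrong client config; the function and variable names are this example's own.

```python
"""Validator for stunnel 4.x configs of the kind shown in this article.

Added example; not the article's or stunnel's own code. The sample configs
are constructed copies of the article's Linux/Unix examples.
"""

CLIENT_CONF = """\
; stunnel_client.cnf
pid=/var/run/stunnel.pid
[p4]
accept=localhost:1666
connect=foo:2666
client=yes
"""

SERVER_CONF = """\
; stunnel_server.cnf
pid=/var/run/stunnel.pid
[p4d]
cert=/etc/ssl/certs/stunnel.pem
accept=2666
connect=localhost:1666
"""

# Constructed bad client config: listens on every interface, forgets
# client=yes, and points at a port the server does not accept on.
BAD_CLIENT_CONF = """\
[p4]
accept=1666
connect=foo:2667
"""


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}).

    Values are lists because keys such as 'socket' may legitimately repeat.
    """
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        # Split on the first '=' only: 'socket = l:TCP_NODELAY=1' contains one.
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def option(service_opts, global_opts, key):
    """First value of an option, falling back to the global section as stunnel does."""
    values = service_opts.get(key) or global_opts.get(key) or [""]
    return values[0]


def split_hostport(value):
    """'foo:2666' -> ('foo', '2666'); a bare '2666' -> ('', '2666')."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else ("", value)


def check_tunnel(client_text, server_text):
    """Check a client/server config pair; return a list of findings (empty = OK)."""
    findings = []
    cg, client_services = parse_stunnel_conf(client_text)
    sg, server_services = parse_stunnel_conf(server_text)
    server_ports = set()

    for name, opts in server_services.items():
        if option(opts, sg, "client").lower() == "yes":
            findings.append(f"server [{name}]: client=yes belongs on the client side only")
        if not option(opts, sg, "cert"):
            findings.append(f"server [{name}]: no cert, so no certificate can be presented")
        accept, connect = option(opts, sg, "accept"), option(opts, sg, "connect")
        if not accept or not connect:
            findings.append(f"server [{name}]: accept and connect are both required")
        server_ports.add(split_hostport(accept)[1])

    for name, opts in client_services.items():
        if option(opts, cg, "client").lower() != "yes":
            findings.append(f"client [{name}]: client=yes missing, stunnel would not start TLS")
        accept, connect = option(opts, cg, "accept"), option(opts, cg, "connect")
        host, _ = split_hostport(accept)
        if host not in ("localhost", "127.0.0.1"):
            findings.append(f"client [{name}]: accept={accept!r} is reachable from other hosts; bind to localhost")
        if not connect:
            findings.append(f"client [{name}]: connect has no value")
        elif split_hostport(connect)[1] not in server_ports:
            findings.append(f"client [{name}]: connect={connect!r} matches no server accept port")
    return findings


if __name__ == "__main__":
    for label, client in (("article configs", CLIENT_CONF), ("bad client", BAD_CLIENT_CONF)):
        print(label + ":", check_tunnel(client, SERVER_CONF) or "OK")
```

Run it as-is to see the article's pair pass and the constructed bad client produce three findings; to check your own files, read them into strings and call check_tunnel with the client and server text. The localhost check encodes the article's own reasoning: an accept without a host (as in the Windows client example) listens on every interface, so other machines could use the unauthenticated plaintext side of the tunnel.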
If you are using version 3 of Stunnel, then you do not need to set up configuration files - you can specify everything on the command line.
stunnel -p

The above command sets up stunnel to listen to port 2666 and pass connections on to localhost:1666.
stunnel -c -d localhost:1666 -r foo:2666

The above command sets up stunnel to forward requests to port 1666 on to foo:2666.