Previous: A.3 Installing SSLeayAppendix A
Configuring Samba with SSL
Next: A.5 SSL Configuration Options
 

A.4 Setting Up SSL Proxy

The SSL Proxy program is available as a standalone binary or as source code. You can download it from http://obdev.at/Products/sslproxy.html.

Once it is downloaded, you can configure and compile it like Samba. We will configure it on a Windows NT system. However, setting it up for a Unix system involves a nearly identical series of steps. Be sure that you are the superuser (administrator) for the next series of steps.

If you downloaded the binary for Windows NT, you should have the following files in a directory:

The only one that you will be interested in is the SSL Proxy executable. Copy over the phoenix.pem and phoenix.key files that you generated earlier for the client to the same directory as the SSL proxy executable. Make sure that the directory is secure from the prying eyes of other users.

The next step is to ensure that the Windows NT machine can resolve the NetBIOS name of the Samba server. This means that you should either have a WINS server up and running (the Samba server can perform this task with the wins support = yes option) or have it listed in the appropriate hosts file of the system. See Chapter 7, Printing and Name Resolution, for more information on WINS server.[1]

[1] If you are running SSL Proxy on a Unix server, you should ensure that the DNS name of the Samba server can be resolved.

Finally, start up SSL Proxy with the following command. Here, we assume that hydra is the name of the Samba server:


# C:\SSLProxy>sslproxy -l 139 -R hydra -r 139 -n -c phoenix.pem -k phoenix.key

This tells SSL Proxy to listen for connections to port 139 and relay those requests to port 139 on the NetBIOS machine hydra. It also instructs SSL Proxy to use the phoenix.pem and phoenix.key files to generate the certificate and keys necessary to initiate the SSL connection. SSL Proxy responds with:


Enter PEM pass phrase:

Enter the PEM pass phrase of the client keypair that you generated, not the certificate authority. You should then see the following output:


SSL: No verify locations, trying default
proxy ready, listening for connections

That should take care of the client. You can place this command in a startup sequence on either Unix or Windows NT if you want this functionality available at all times. Be sure to set any clients you have connecting to the NT server (including the NT server itself) to point to this server instead of the Samba server.

After you've completed setting this up, try to connect using clients that proxy through the NT server. You should find that it works almost transparently.


Previous: A.3 Installing SSLeayNext: A.5 SSL Configuration Options
A.3 Installing SSLeayBook IndexA.5 SSL Configuration Options