SERVER CONFIGURATION
--------------------

No changes are made to tintin or script configuration. The plan is to tunnel
an SSL connection to your #port or #chat port.

One problem is that redirected connections will appear to originate from
localhost. Fortunately tintin can handle this if needed.

You'll need to install the 'stunnel' package or download it from the
www.stunnel.org website. There is a Windows version of stunnel with
essentially the same interface.

You'll also need the 'openssl' package.

If you do this on Ubuntu the package might install the command as stunnel4
while stunnel calls stunnel3. Be mindful of that.

Create a directory to store the certificates, and the stunnel config file.

Create a self-signed certificate using openssl. For more info see:
http://www.stunnel.org/faq/certs.html

Switch to the directory where you want to store the certs, and then run the
command to generate a self-signed cert:

openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem

It will prompt you for some information. The only thing you really need to
change from default, is the Common Name entry, which you should specify the
full hostname of your server, for example:  server.domain.com

Do not enter a passphrase for the cert, otherwise you will be prompted to
enter this passphrase every single time you start stunnel.

Run chmod 660 stunnel.pem

Stunnel will fail if the permissions are not correct on the file.

Create the config file for stunnel4, for example tinssl.conf, and use the
following contents, adjusting where necessary:

Code: [Select]
foreground = no
pid=/home/user/.tintin/ssl/tinssl.pid

[tinssl]
accept=4051
cert=/home/user/.tintin/ssl/stunnel.pem
key=/home/user/.tintin/ssl/stunnel.pem
client=no
connect=localhost:4050

The foreground option - change this to 'yes' to keep stunnel in the foreground
initially. Useful to see errors. Specify the pid to a writable path, or set it
to "pid=" for no pid file. If you don't know what a pid file is you can leave
it blank.

The segment headed by [tinssl] is the service entry. The name is arbitrary,
and there can be multiple entries if you want more tunnels. "accept=4051" is
the port for stunnel to listen for connections. "client=no" is software
default - this specifies a server connection, so stunnel must listen on 4051
for SSL connections. "connect=localhost:4050" This specifies where stunnel
will direct the incoming SSL connection. In this case, to tintin's default
chat port.

Now run: stunnel4 tinssl.conf

It should disappear into the background, or if you set foreground=yes, you
will see the basic log.

Run "ps -aux|grep stunnel" to verify that stunnel is running. There will
probably be around 4 processes running (For some odd reason). For
Windows, you should have an icon in the system tray.

With tintin you can now connect to the port using the #ssl command. To
connect to a chat port you'd have to run the connection through another
stunnel proxy. If there are problems check the logs and verify you opened
the port on your firewall, etc.

CLIENT CONFIGURATION
--------------------

If you want to use an SSL connection over #chat you can set up stunnel in
client mode to connect to your new SSL proxy. In this case we'll use 
Windows, but it's virtually identical on any supported platform.

Install stunnel for Windows.

Edit the stunnel config from the convenient menu entry. Leave everything as
is, and add a service entry at the bottom of the file:

Code: [Select]
[tinssl]
accept = 12345
connect = server.domain.com:4051
client = yes

"accept=12345" is the LOCAL port for stunnel to listen on.
"connect=server.domain.com:4051" is the SSL server to connect to, in this
case, your newly configured stunnel on your host server.

"client=yes" This is important, stunnel will NOT work properly if you do not
set client=yes here.

Run stunnel, and you will get a new icon in your systray. You can right-click
it and 'View Log' to see what's going on, if you like. Run tintin and create
a chat connection to localhost, port 12345 (or whatever you configured).

You should be momentarily connected to the given ssl server.


Special thanks to Vilentus for the original documentation.
