
Bausch Datacom DinBox RTU M4 Reference Manual page 47


5.5.3 TLS proxy on the SCADA side
Bausch Datacom does not provide a Windows or Linux proxy to add TLS encryption
functionality to non-TLS applications. Our engineering is using Stunnel to test the
functionality.
Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any
changes in the programs' code. Its architecture is optimized for security, portability, and scalability
(including load-balancing), making it suitable for large deployments.
Stunnel uses the OpenSSL library for cryptography, so it supports whatever cryptographic algorithms are
compiled into the library. It can benefit from the FIPS 140-2 validation of the OpenSSL FIPS Object
Module, as long as the building process meets its Security Policy. A scanned FIPS 140-2 Validation
Certificate document is available for download on the NIST web page. The Windows binary installer is
compiled with FIPS 140-2 support. The FIPS mode of operation is no longer enabled by default since
stunnel 5.00.
Stunnel is free software authored by Michał Trojnara. Although distributed under GNU GPL version 2 or
later with OpenSSL exception, stunnel is not a community project. We retain the copyright of the source
code. Please contact us for commercial support or non-GPL licenses. Free, community-based support is
also available via stunnel-users mailing list.
Stunnel can be downloaded from https://www.stunnel.org/downloads.html
Run this file as administrator and run through the usual installation process. At the end
stunnel will ask some questions to generate a certificate; this certificate will not be used,
so it is not important what is filled in there.
The Stunnel config file starts with some global parameters for all connections; in our
example these are output, cafile and verify. Then every connection through the service is
described, starting with [connection name].
The config file should be placed in the installation folder, which should be C:\Program
Files (x86)\stunnel\config

globals
  output    log file for all connections
  cafile    file containing the root ca certificate used to authenticate all
            connections
  verify    indicates the level of authentication; level 2 means the service will
            authenticate every connection and will not connect when the
            authentication fails
connection
  client    yes or no, indicates whether the encrypted side of the service is
            client or server, always yes when connecting to an RTU
  accept    port on which to listen for a client connecting (the SCADA system)
  connect   ip:port to which the service will connect (the RTU)
  cert      the certificate file of the service
  key       the private key of the service
  debug     level of logging, 0 (only emergencies) to 7 (all debug messages)
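
The parameters listed above can be checked mechanically before a config file is put into service. The Python sketch below is an added example, not part of the Bausch Datacom manual or of stunnel; the sample config with its file names, addresses and ports is constructed, and letting a connection override a global value is an assumption of the example.

```python
# Added example: audit a stunnel config for the parameters described above.
SAMPLE_CONF = """
; constructed sample: file names, addresses and ports are placeholders
output = stunnel.log
cafile = rootca.pem
verify = 2
[rtu1]
client = yes
accept = 127.0.0.1:5001
connect = 192.0.2.10:5000
cert = scada.pem
key = scada.key
[rtu2]
client = yes
accept = 127.0.0.1:5002
connect = 192.0.2.11:5000
verify = 0
"""

def parse_stunnel_conf(text):
    """Return (globals, {connection: options}) with lower-cased option names."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        name, sep, value = line.partition("=")
        if sep:
            target = global_opts if current is None else current
            target[name.strip().lower()] = value.strip()
    return global_opts, services

def audit(text):
    """Return (connection, finding) pairs for settings that weaken the tunnel."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for svc, opts in services.items():
        eff = {**global_opts, **opts}        # assumption: connection overrides global
        if eff.get("client", "no").lower() != "yes":
            findings.append((svc, "client is not yes"))
        level = eff.get("verify", "0")
        if not level.isdigit() or int(level) < 2:
            findings.append((svc, "verify below 2"))
        findings += [(svc, f"missing {k}") for k in
                     ("cafile", "accept", "connect", "cert", "key") if k not in eff]
    return findings
```

Calling audit(SAMPLE_CONF) reports nothing for rtu1 and flags rtu2, whose verify level no longer authenticates the RTU and which has no cert or key of its own.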
DinBox RTU M4
TLS Encryption
